One of the greatest mistakes we see companies making is assuming that as long as their own privacy program complies with the governing laws, they're safe. In fact, under various privacy laws, companies are also responsible for the choices their vendors make with the data shared with them.
A story in the Privacy Insider this week illustrates the importance of understanding this and the risks companies face if they don't take vendor-risk management seriously.
Recently, the U.S. Federal Trade Commission settled with a financial institution over allegations that it violated the Gramm-Leach-Bliley Act's Safeguards Rule, which regulates how such institutions protect customer data. The FTC alleged the organization shared data with a third-party vendor that "performed text recognition scanning on mortgage documents" and then stored those documents in the cloud in plain text, without proper protections.
It may seem unfair to get dinged by the U.S. privacy regulator over something you yourself didn't do, but this is not only the rule for financial institutions under Gramm-Leach-Bliley. Responsible management of third-party vendors is required broadly under the privacy laws that continue to proliferate, including California's Consumer Privacy Act and the EU General Data Protection Regulation.
It's a reminder to thoroughly vet third-party vendors before entering into relationships with them. It's also important to keep monitoring your vendors' privacy practices over time, so that you don't find yourself under the FTC's watchful eye.
Stay safe and warm over the new year, and we hope you enjoy this week's edition. See you in 2021!
Here are the top stories you might have missed:
1. FTC settles with financial institution that didn’t properly manage its vendor
The U.S. Federal Trade Commission announced a settlement Dec. 15 with a financial institution that the agency said failed to “oversee the data security practices of one of its service providers as required under the Gramm-Leach Bliley Act’s Safeguards Rule.” “Oversight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “If you’re a financial company, vendor oversight is not just a good idea, it’s the law.”
2. Health experts say COVID vaccination data collection is risky
Plans in California to collect personal information in the name of thwarting COVID-19’s spread are raising privacy concerns. While experts say collecting names, addresses and birth dates is essential to tracking the efficacy of newly created vaccines, some health experts say that kind of data collection could deter vulnerable populations, such as undocumented workers in the U.S., from seeking vaccination, the Los Angeles Times reports.
3. Is 2021 the year the US will pass a privacy law?
Business Insider predicts that the U.S. Congress will pass a federal privacy law in 2021. The impetus just might be the proliferation of state and global data protection and privacy laws in recent years, including California’s Consumer Privacy Act (soon to be replaced by the California Privacy Rights Act) and the EU’s General Data Protection Regulation. “The 116th Congress has put forth at least 20 proposed privacy bills or drafts,” but it remains to be seen which, if any, will gather enough bipartisan consensus to pass.
4. EU-UK agreement is good news for data flows
National Law Review reports on the “EU-UK Trade and Cooperation Agreement,” signed Dec. 24, and its effects on post-Brexit data flows. The agreement provides “transitionary provisions stating that transfers of personal data from the EU to the U.K. will not be considered transfers of personal data to a third country during the Specified Period, and, as such, will not be prohibited by the GDPR.” That’s good news for the U.K., which has been uncertain whether it will be deemed an “adequate” third country for the purpose of data transfers from the EU.
5. EU regulators starting to align on GDPR
BankInfoSecurity reports that there’s starting to be some consensus among EU data protection regulators over violations of the General Data Protection Regulation. “But in some respects, it's like a meal,” says attorney Jonathan Armstrong in the report. “It is easier to say when you've had a bad meal rather than what are the essential ingredients for a good one. … So proving that you had good technical and organizational measures in place will always be a high bar, because something has happened despite the measures you had to stop it."
6. China’s privacy law will set the stage for facial recognition
China’s new data privacy law will determine the future of facial recognition surveillance in the country, OODA Loop reports. The Personal Information Protection Law, a draft of which was released in mid-October, will “clarify when facial biometrics can be used,” according to the report.
7. Remote schooling’s impact on student privacy
The onslaught of changes that COVID-19 brought didn’t spare schools. In a story for Marketplace Tech, the Future of Privacy Forum’s Amelia Vance discusses the state of student privacy in the U.S. While there are plenty of laws regulating what can and can’t be done with student data, not everyone knows about them. Said Vance, “There was a great survey that Common Sense Media did a couple of years ago, that said only 25% of teachers had been trained on student privacy, and many of the laws that have passed aren’t necessarily passed down to the school districts who are supposed to enforce them.”
8. Using vehicle data to solve crimes isn’t without risks
NBC News reports on law enforcement’s increasing use of vehicle data to solve crimes. “It helps convict people, and it can help prove they are innocent,” Berla founder Ben LeMere said. “Children's bodies have been found. Families have had closure.” But privacy advocates say collecting vehicle information has privacy implications, partly because the data collected to solve crimes “can also be used to commit them,” the report states.