Privacy And Data Security: Significant Compliance Issues

Tuesday, January 1, 2008 - 01:00

Editor: Why were you attracted to the West Coast as a venue in which to practice law?

Forsheit: Although I attended Duke University and the University of Pennsylvania Law School in the East, my roots are on the West Coast. I grew up here and my family is here. In addition, California law continues to evolve in dramatic ways. Therefore, it seemed logical that I should return to practice in this stimulating environment.

Editor: How would you describe your own practice?

Forsheit: My practice is split between commercial litigation and privacy and data security compliance and counseling. I handle all kinds of civil commercial litigation with particular emphasis on soft IP matters, including copyright and trademark. In addition, I am a member of Proskauer's Privacy and Data Security Group. In the last five years or so, California has been on the forefront of passing legislation designed to protect the private information of consumers and employees.

Editor: The whole area of privacy with regard to data sharing has become a major practice area. What are the historic reasons for the development of this area of the law?

Forsheit: Recent developments in technology have resulted in companies and public entities holding massive stores of electronic data. These changes have driven the development of privacy and data security legislation. Individuals are more aware of and concerned about personal privacy, whether it be freedom from unwanted advertising, freedom from government intrusion into one's personal life, or a general desire to be left alone. The law has tried to adapt to protect those interests. However, we still do not have a comprehensive legal framework for privacy in this country. We tend to refer to a patchwork quilt of regulation which is focused on particular industries and areas. For example, financial services are regulated under the Gramm-Leach-Bliley Act; health care providers are regulated under the Health Insurance Portability and Accountability Act (HIPAA); and children's privacy online is closely regulated under the Children's Online Privacy Protection Act (COPPA). Therefore, unlike Europe, a comprehensive scheme to protect individuals' privacy rights does not exist in the U.S.

Editor: Which of your clients is most intimately involved with compliance in the area of privacy?

Forsheit: Today, almost every company is affected by privacy and data security regulations and laws. For example, any company with a website visited by California residents must comply with California privacy laws. The California Online Privacy Protection Act is the only law that requires companies in all fields to post a privacy policy on their website. The policy has to advise website visitors about the kinds of information collected from them, how this information is used, and to whom it is disclosed, among other things.

The same is true for practically any company that has suffered a security breach, whether as a result of an intentional malicious act, or simply something like a lost laptop. Any company that suffers such an incident must send a notice to every individual affected - customers and employees. In California and many other states, individuals must be informed of the breach even if it did not result in identity theft or any compromise of the data. California was the first to implement this law in 2002. Thirty-seven states have followed suit with laws affecting private entities and one state, Oklahoma, has a law that affects only public agencies. So to answer your question succinctly - it does not matter who you are anymore, you must be aware of these privacy laws and compliance obligations.

Editor: How do you go about counseling your clients to observe all the privacy compliance procedures?

Forsheit: At Proskauer, we work with clients to review their privacy practices both with respect to employee data and customer data. We review practices, draft and revise internal and public-facing policies, and make recommendations regarding compliance with applicable laws and best practices. For example, if you are a financial institution, you must put in place safeguards for information pursuant to Gramm-Leach-Bliley; in other industries, while perhaps not always strictly mandated by federal or state law, best practice may be to implement similar safeguards. The FTC has filed a number of enforcement actions in situations where, for example, a company makes misrepresentations regarding how it secures information and the safeguards that it uses. The FTC has also taken action in cases when a company doesn't sufficiently safeguard information. In egregious situations, the FTC invokes its authority under Section 5 of the FTCA, which declares unlawful "unfair or deceptive acts or practices in or affecting commerce."

In summary, we work with clients to review and put in place policies and practices that are in compliance with applicable law and are also best practices for keeping that information secure.

Editor: Another phenomenon which seems to run counter to our national policy on privacy is the operation of the Internet. With such exposure as posed by Facebook and other Internet services, it would seem that nothing about a person's personal life is off limits. How do we reconcile the two schools of thinking in terms of protecting communications?

Forsheit: Social networking allows people to create communities in ways never before envisioned. However, consumers and the government are starting to look at the privacy implications more carefully, and the FTC recently held a series of meetings to explore related online advertising issues. It is an area where we can expect to see new developments in the next months and maybe even years.

Editor: How do you address with clients who have overseas offices the more rigid requirements of data protection required by the EU?

Forsheit: We work with multinational clients who have offices, employees and customers in the EU. As you are probably aware, the EU has a regulatory scheme that restricts storage and transfer of data, among other things, in a much more comprehensive way than we do here. We work with companies to develop model contracts and other mechanisms to facilitate the legal transfer of data to the United States under the EU Data Protection Directive and under the particular laws of the member states.

Editor: Please describe the content of the Proskauer Privacy Law Blog. How are our readers able to access it?

Forsheit: The blog can be found in a couple of ways - through Proskauer's general website, , or at . Its main objective is to keep our clients, friends, and the online community up to date and aware of recent developments in privacy and data security law. We have created, and keep updated, a list of the currently existing data security breach laws of the 38 states that regulate private entities, mentioned earlier. We also report on recent court cases and legislation and other related developments. We reported on Governor Schwarzenegger's veto in October of California's AB 779, which would have resulted in fairly significant changes to California's breach notification law. The proposed legislation was in reaction to the very massive TJX data breach and would have imposed strict disposal requirements with respect to certain credit card data. Simply put, companies would not have been able to keep card payment data beyond a certain period of time after authorizing the transaction. The bill also incorporated certain liability-shifting provisions that would have made such businesses liable to the owner of the information for the reimbursement of reasonable and actual costs of providing notice to consumers and for the reasonable and actual cost of card replacement as a result of the breach of the security of the system.

Editor: What do you see in the future for Proskauer in terms of expanding its practices on the West Coast?

Forsheit: There are now more than 70 attorneys resident in our LA office. Our litigation group has grown over the years, our corporate group has grown, and our real estate group has expanded significantly just in the last year. We as an office continue to grow significantly.

Please email the interviewee at with questions about this interview.