At a recent annual meeting of The Sedona Conference Working Group on Data Security and Privacy Liability, one key theme seemed to be on everyone’s mind. During the sessions, which covered breach notification laws, litigation, and other current issues impacting data privacy and security, the topic of data minimization came up again and again. While the practice of data minimization isn’t exactly new, we’re now seeing it resonate and be discussed at the forefront of the legal industry for the first time.
The reason is that companies have never faced greater risk with respect to their data than they do today. The landscape is only growing more challenging and complex. Across the globe, stringent data protection laws have emerged, and several U.S. states are implementing legislation to introduce new regulations for how governments and businesses are permitted to handle personal data. Multinational corporations must navigate compliance requirements for the General Data Protection Regulation, China’s Information Security Technology–Personal Information Security Specification and Cybersecurity Law, Brazil’s General Data Privacy Law, the California Consumer Privacy Act, U.S. state-based breach notification laws and dozens of others.
The vector of risks introduced by data privacy laws grows exponentially when combined with cybersecurity threats, insider threats, and potential theft of intellectual property and trade secrets. Since it’s clear that the waters of data risk are going to be rough for the foreseeable future, corporations must start acting now to take steps that will narrow the scope of information they store. Data minimization is a critical strategy in that effort.
Date: September 24, 2019
Source: Winston & Strawn LLP