Excerpt From an Interview of Helen Dixon, Commissioner, Data Protection Commission of Ireland:
Has your office given some deference to companies, given the pandemic, with everybody trying to work from home?
Dixon: No, I don’t think we’ve taken a particular stance across the board in terms of any kind of softening of approach. And it very much is case by case. If a particular organization – for example, a hospital – made a case to us that they were going to be delayed in responding to an individual’s attempt to access a copy of their personal data. They laid out legitimate reasons why; they had redeployed staff during the pandemic.
We would certainly give it due consideration, but not across the board. And particularly with the bigger tech companies that we regulate. They have the resources and capability just as we do as a data protection authority to implement systems, to work from home, and to remain productive. And we’ve considered any reasonable request to us that some kind of an extension or a derogation needs to be applied, but it’s not our starting point. And it hasn’t really been an issue.
Excerpt From the Preparing for Privacy Enforcement and Litigation Risks Panel Discussion:
Doug Meal, partner, Orrick: I’ll emphasize two don’ts, and they’re really at either side of the spectrum. Number one, particularly in the cybersecurity context, what we see a lot is companies going into a regulatory investigation – this wouldn’t just be FTC, this would be broader than that – from the perspective that “we are a victim of a crime here, we suffered a cybersecurity attack. The way we should be thinking about dealing with the regulator is that we’re a victim, and we’re happy to tell you everything that occurred here, and we’ll be very, very, totally forthcoming, and not worry about it. Because, after all, it’s the criminal who perpetrated the attack, who was the real bad guy.”
[Poll: “Have you played a role in any of the following? (select all that apply)” Based on polling data during the Bloomberg Law Leadership Forum in June 2020; 240 responses / 149 respondents.]
That is a very big don’t, whether it’s the FTC, or state AG, or really any regulator in the space – you have to come into the investigation with the perspective that you’re a target, not a victim, and the regulator is potentially looking to build a case against you and hold you responsible for the crime that was committed against you.
And we see, repeatedly, companies – particularly in the early stages of the investigation – not appreciating that fact, and as a result of that, making big mistakes. On the other side of the spectrum, we see companies approach regulatory investigations in the space, almost from a surrender mentality.
The idea is, or thinking is, “look, we’re never going to be able to persuade the regulator that we didn’t do anything wrong, so we should just settle, and wrap it up, and be done with it, and move on.” I think that’s also a big mistake. First of all, settlements in this space, even apart from the fine exposure that may exist, can be very onerous, very expensive in terms of the injunctive relief that the regulators were looking to achieve.
And secondly, the reality is that whether it’s a cybersecurity violation or a privacy violation, these cases are very, very difficult to prove, whether you’re a regulator or a private litigant, number one. And the company that suffered the event will frequently have very, very strong defenses against the claims that the regulator is considering.
We find, as a result of that, that having an advocacy approach in the context of a regulatory investigation, you can frequently persuade the regulator to drop the investigation by demonstrating to the regulator that your defenses are very, very strong. We feel that too often, companies elect not to mount an aggressive defense either in the pre-litigation stage or in the litigation itself, and instead look to settle, when actually there would be potential either to persuade the regulator not to move forward before litigation or to win the litigation, if litigation were to go forward.
Those are my two don’ts, and the do is to stay in the middle. Be aware that you’re a target, be aware that the regulator is your adversary, and then be prepared to defend yourself aggressively and effectively.