
In 2018, Ohio enacted its Data Protection Act, under which companies can get safe harbor from tort claims by complying with one of the cybersecurity programs below:


1. The NIST Cybersecurity Framework.

2. NIST Special Publication 800-171, or 800-53 and 800-53a.

3. The FedRAMP Security Assessment Framework.

4. The CIS (Center for Internet Security) Controls.

5. The ISO 27000 Security Management Standards.


Businesses that have sites on which financial transactions can be made must also comply with the Payment Card Industry Data Security Standard (PCI-DSS). A safe harbor affirmative defense is also available to businesses that meet the security requirements of HIPAA and the Gramm-Leach-Bliley Act.

Today, Brazil's new data protection law, the Lei Geral de Proteção de Dados (LGPD), became effective. Keep in mind these key points about the LGPD:


  1. It covers the processing of personal data by both private entities and the government.

  2. The burden of proof is on the data controller to show that it has the consent of an individual to use their data.

  3. A detailed response to a request for access to personal data is expected within 15 days.

  4. Data breaches must be reported to affected individuals and to the National Authority for Data Protection (ANPD).

  5. A case-by-case assessment is needed for transfers of data outside of Brazil, and transfers may only be made to countries deemed to be adequate by the data protection authority.

  6. Data controllers and processors that do not comply with the LGPD can be fined up to 2% of their revenue in Brazil, with a maximum fine of 50 million reais.

  7. While the LGPD has fewer requirements than the GDPR, it also places some duties on data controllers and processors which are not imposed by the GDPR. So, a GDPR-compliant organization will not necessarily comply with the LGPD.


This month the Swiss Federal Data Protection and Information Commissioner (FDPIC) concluded that the Swiss-U.S. Privacy Shield does not provide an adequate level of protection under Switzerland's Federal Act on Data Protection (FADP). See the policy paper posted here.


"The FDPIC considers that this lack of transparency and the resulting absence of guarantees concerning the interference of US authorities with privacy and informational self-determination of persons concerned in Switzerland is irreconcilable with: . . . the principles of the lawful processing of personal data."


United States laws on data surveillance may impact the privacy of Swiss citizens' data in a way that does not honor the protections of the FADP. It will ultimately be up to Swiss courts to invalidate the Privacy Shield.

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.