French Insider Podcast Ep. 38
Securing the Future: Cybersecurity & Data Privacy in the Trump Era
Thank you for downloading this transcript.
Listen to the podcast released January 15, 2025 here:
https://www.sheppardmullin.com/multimedia-618
In this episode of French Insider, Sheppard Mullin partners Jonathan Meyer, Liisa Thomas and Carolyn Metnick join host and French Desk Co-Chair, Valérie Demont, to explore the evolving landscape of cybersecurity and privacy under a new Trump administration, including regulation and enforcement.
About Jonathan Meyer
As a partner in Sheppard Mullin’s Governmental Practice Group and leader of the firm’s National Security team, Jonathan E. Meyer counsels clients on their interactions with federal and state government, as well as national and homeland security, Congressional oversight, cybersecurity, AI, high tech, and transportation security, among other issues.
Prior to returning to Sheppard Mullin, Jon served as the Sixth General Counsel of the U.S. Department of Homeland Security from 2021 to 2024. His decades of experience in Congress, the Justice Department and DHS position him to bring an insider’s perspective to interactions between private companies and the government. He has defended scores of Congressional investigations and has prepared witnesses for over 100 hearings, including Supreme Court nomination hearings, impeachment hearings, oversight hearings, high tech and antitrust investigations, and civil rights investigations, among others. He has also represented defendants and witnesses in high-stakes Justice Department criminal investigations.
The media – including CBS News, NPR, The Wall Street Journal, The New York Times, The Washington Post and Politico – regularly turn to Jon for insight into issues regarding national security, homeland security, government investigations, cybersecurity, immigration, politics and Congress. He has twice been honored with the Secretary of Homeland Security’s Outstanding Service Medal, the highest civilian award bestowed by DHS, among numerous other prestigious accolades recognizing his exceptional service.
About Liisa Thomas
Liisa M. Thomas, a partner in Sheppard Mullin's Chicago and London offices, serves as the Leader of the firm's Privacy and Cybersecurity Team and as the Office Managing Partner for Chicago. As a member of the Intellectual Property Practice, she focuses on privacy, advertising, and unfair competition law.
Liisa frequently coordinates global privacy, data security and digital advertising matters for her clients. They value her global insights and familiarity with business systems outside the U.S. With Liisa’s assistance, her clients – including major consumer brands, advertising agencies and consumer research companies – are able to navigate thorny data breach disclosure issues, use emerging interactive advertising techniques and create compliant security programs, all while effectively managing their legal risks. Clients praise Liisa’s ability to add real value to their businesses, and describe her as "keeping [clients] one step ahead of where [they] need to be."
Liisa is the author of two treatises: Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as "a no-nonsense roadmap for in-house and external practitioners alike;" and Thomas on Big Data, praised for being a "comprehensive and detailed analysis of the complex and rapidly changing world of privacy law." Recognized as an industry leader in privacy, data security and advertising law, she has been honored by Best Lawyers in America, Leading Lawyers Network, Chambers, Super Lawyers, and The Legal 500, for her "broad depth of privacy knowledge."
About Carolyn Metnick
Carolyn V. Metnick is a partner in Sheppard Mullin’s Corporate Practice Group in the firm's Chicago office and a member of the Healthcare and Privacy & Cybersecurity Teams. She represents a range of healthcare industry clients, including hospitals and health systems, physician organizations and digital health companies.
Carolyn’s practice focuses on healthcare regulatory and transactional matters, with an emphasis on health information privacy and security. In addition to providing guidance on various privacy and security laws, including HIPAA and the California Consumer Privacy Act (CCPA), she also counsels businesses in data breach investigations and compliance with federal and state breach notification laws. Carolyn also advises healthcare clients on issues related to AI, including governance, contractual matters, and data related issues. Additionally, she represents healthcare industry clients in transactional matters, including joint ventures, mergers and acquisitions. Her background as a former litigator helps inform her transactional work.
Carolyn is a Certified Information Privacy Professional/United States (CIPP/US) and a Certified Information Privacy Professional/Europe (CIPP/E). She is also the founder and leader of Sheppard Mullin Healthy AI, an initiative focused on legal issues related to the use of AI in healthcare.
About Valérie Demont
Based in the firm’s New York office, Valérie Demont is a partner in Sheppard Mullin’s Corporate Practice Group, where she focuses primarily on U.S. and cross-border mergers and acquisitions and corporate governance matters. As a leader of the firm’s French Desk team, she advises foreign companies on the establishment and growth of their operations in the United States, acting as de facto "outside general counsel" for non-U.S. companies in the United States.
Valérie has been involved in numerous mergers, acquisitions, joint ventures and dispositions for corporations and private equity funds in the U.S., Europe (including France) and Asia (including India).
Not only is she a frequent speaker at events focused on cross-border trade, but she is also an outside pro bono counsel to Girls Who Invest, a nonprofit organization dedicated to increasing the number of women in portfolio management and executive leadership in the asset management industry.
Transcript:
Valérie Demont:
Welcome et bienvenue à French Insider, the Sheppard Mullin French Desk monthly podcast dedicated to French investors and companies investing and doing business in the United States. Each episode features conversations with thought leaders and experts in various industries on the business environment and challenges in investing and successfully growing in the US. And now for the inside look.
Hello. I am Valérie Demont, a corporate partner at Sheppard Mullin, based in our New York office. Thank you for tuning in to today's episode of the French Insider, focused on Cybersecurity and Privacy: What to Expect Under the New Trump Administration. I am delighted today to welcome with me my partners, Jonathan Meyer, Liisa Thomas, and Carolyn Metnick. All three of them are veterans of the show and I thank them for being here.
Jonathan is a former general counsel of the Department of Homeland Security, has just spent 20 years in public service, just joined us back from his stint at the government, and was actually a host in our podcast recently on what to expect from the new Trump administration. And with him today I'm delighted to welcome my partners, Liisa and Carolyn. Liisa is the leader of Sheppard Mullin's privacy and cybersecurity team. She's also the office managing partner of our Chicago office, and Carolyn is also a member of Sheppard Mullin's Privacy and Cybersecurity team, as well as a member of our Healthcare team, also based in our Chicago office. Jonathan, Liisa, Carolyn, welcome to the show.
Jonathan Meyer:
Thank you. It's great to be here again.
Valérie Demont:
And it's nice to be here. Hello, everyone. Today I'd like to start probably with you, Jonathan. We've heard you before about the new Trump administration, but what I'd like to do in today's episode is really focus a little bit more on cybersecurity. The Department of Homeland Security is particularly focused on cybersecurity through CISA. I'd love to hear a little bit more from you what CISA's role is, what the Department of Homeland Security's role is with respect to cybersecurity, and how do we expect things to unfold with respect to cybersecurity under the new Trump administration?
Jonathan Meyer:
Yeah, so quickly, CISA is the Cybersecurity and Infrastructure Security Agency. It is an agency devoted primarily to cybersecurity and it is viewed among the different parts of the US government that deal with cybersecurity as sort of more public-facing. It tries to help the private sector in its cybersecurity efforts. It is focused on infrastructure, protecting critical infrastructure.
So to turn to what we can expect on cyber from the Trump administration, one thing that is quite possible is that the Trump administration will look to cut CISA, its budget and its activities, because in addition to the cybersecurity, the pure cybersecurity work that it does, CISA has been involved in the past and some of the work trying to fight misinformation and disinformation, and the Trump administration and their allies were not happy with that. So we'll see what happens. CISA does some critical work, including work that I think the Trump administration does favor, but it is not good to be in disfavor.
More broadly, what we can expect in terms of cybersecurity from the Trump administration, first of all, is less regulation. As most people know, generally Republicans are less fond of regulation. Democrats are more so. Republicans like fewer federal dictates. And so in particular on industries like the tech industry and other places where cybersecurity is important and where the Biden administration was looking to regulate, we may see a looser regime, which is not to say they won't ignore it, but they may focus more on attempts to collaborate rather than dictate with the private sector.
One important regulation that is in process from CISA is referred to as CIRCIA regulation. CIRCIA is a statute that relates to cybersecurity incident response reporting. There is what's called a notice of proposed rulemaking out there with regard to the CIRCIA regulation. It is pretty robust, but the final regulation will come out in October of 2025. It will be interesting to see if the Trump administration tries to walk back some of that regulation.
So in that sense, in those areas we will see the Trump administration being a little less aggressive, I think. But in other places it may be more so, and particularly with regard to engagement with foreign entities on cybersecurity. During the first Trump administration, they implemented a philosophy known as "defending forward", which was sort of about taking the fight to our foreign adversaries and particularly the entities, the state-sponsored entities, that like to try to take advantage of weak security in the United States and create breaches. They began sort of, if you will, to go on offense rather than just defense, doing things like disrupting internet access for some of the Russian entities that are known to attack US systems, spamming them to overwhelm them so that they have more difficulty doing that. I think that's likely to come back in force over the next four years.
And then there are a lot of new issues that are affecting cybersecurity. Chief among those is artificial intelligence, AI, and I think everyone, Republican and Democrat, is focused on AI right now, though they take different approaches. President Biden issued an executive order on AI last year, which is pretty aggressive and pretty active. I think we will see some of that being pulled back by the Trump administration. In fact, President Trump has said he will withdraw President Biden's executive order on AI. But my guess is, on a number of issues that are contained in it, they will do similar things. Some of them are just common sense in terms of national security and protecting the work that the United States is doing on AI.
Valérie Demont:
So should we expect greater enforcement? Less regulation, but more enforcement?
Jonathan Meyer:
I think we'll see greater enforcement against foreign entities, certainly, to the extent we can. And as I was talking about with the "defending forward", I'm not sure we'll see as much enforcement domestically because the Trump administration in many ways, like many Republican administrations, is more laissez-faire about enforcement and regulation. But in some areas that I think they deem critical, we may see it. Also, where it involves industries that a Trump administration is not friendly to, like, say, the clean energy industry, we may see more enforcement.
Valérie Demont:
Staying on the topic of cyber. With respect to cyber attacks and private ransomware, do you expect any more stringent regulation? We hear a lot about the desire to free crypto and allow crypto to expand further, but we know that crypto has been used for ransomware purposes and particularly in the context of cyber attacks on private companies. Do you expect the administration to take an interest in this, regulate this, enforce greater enforcement in this area?
Jonathan Meyer:
I think, at least initially, because the Trump administration is quite friendly to crypto, I don't see them trying to go after crypto. There may be places, I think at least in the long run, they will end up focused on AI and protecting AI, and so we may see more enforcement there. But this brings up another thing, an important caveat that we should all have in mind in discussing the Trump administration: more than most administrations, it is difficult to predict what this administration will do. President Trump enjoys being unpredictable. He enjoys surprising people. And so while he has made lots of predictions and there is a lot for us to digest in having these conversations, he's also more likely than any other president in recent memory to change his mind. So we should all keep that in mind as we think about what's coming over the next few years.
Valérie Demont:
It's going to be interesting for sure. Turning a little bit from cyber to privacy. Obviously the US landscape for privacy regulation has become increasingly complex and sophisticated. Maybe, Liisa, Carolyn, do you want to talk a little bit about where are we today in the general landscape on privacy and where do we think we're headed in particular in the area of enforcement?
Liisa Thomas:
I can start that. From my perspective with where are we, and the US is kind of complex, and I think this is one great example, is our approach to privacy laws. And so there were some areas where in the United States we said, "We should have a specific law about this," and those fall into three buckets and I'll talk a little bit about those buckets: based on your activity, what you're doing, based on the type of individual you are, or the industry in which you operate.
Valérie Demont:
Well, that's a very nice landscape, Liisa. It sounds like it is indeed a patchwork and you have to look at the issue in its totality, both at a federal level, but also at a state level, focused on your industry, focused on, as you said, the activity or the type of person who you're looking at and the type of data that you're looking at. Is there any central regulator at the federal level or at the state level in the various states that administers those laws?
Liisa Thomas:
Oh, no. And that's what makes this so difficult and complicated and what makes my job really fun and interesting, and I feel like I'm always learning something every day, because there are so many different agencies and so many different, both at a federal and a state level. There are ones that lead the charge. So at a federal level, we have the FTC, but it is certainly not the only federal agency that focuses on privacy and consumer privacy. At a state level, we have state attorneys general who are focused on protecting consumers' and individuals' privacy, but they are certainly not the only entity or agency that worries about these things, enforces them.
Valérie Demont:
And then you mentioned that some of these laws vary from industry to industry, so let's talk a little bit about the healthcare industry. Since, Carolyn, you're an expert in that space. In the healthcare industry, are you seeing a similar pattern? And in the healthcare industry, is there a healthcare regulator that administers the regulatory environment?
Carolyn Metnick:
That's a great question, Valérie. Certainly states have their own health information privacy laws, and they vary, but there are a lot of consistent themes. But in the US, the Office for Civil Rights, which is part of the Department of Health and Human Services, enforces HIPAA, which is the federal Health Information Privacy Act that regulates covered entities and business associates. That's the primary law here. And what we've seen most recently is we have seen some developments in this area. HIPAA has been pretty stagnant since 2013 when the final rule came out, the final omnibus rule. But we have seen some recent guidance around tracking technologies, and then there was a lawsuit and that was kind of gutted a little bit, although we're still doing a lot of work there, and we can talk more about that in a few minutes.
But what's really interesting right now are these changes around reproductive healthcare laws that HIPAA, there was a final change to the privacy rule that impacted reproductive healthcare and we'll likely continue to see attention to reproductive healthcare issues, continued attention in 2025, with certain states trying to protect it and other states trying to regulate it, which is consistent with what we've seen since Roe was overturned. But that is what really precipitated the recent changes in the privacy rule around reproductive health rights.
So on the HIPAA front, HIPAA, again, being the federal health information privacy law in the US, there have been a couple of developments that I want to highlight. One is this recent change around reproductive healthcare issues. In April of 2024, the OCR, again, the agency that enforces HIPAA, announced its final rule to strengthen privacy protections for medical records and health information for individuals relating to reproductive healthcare. And the rule created, it's important because it created a new definition of reproductive healthcare, which is very broad and relates to matters relating to the reproductive system and its functions and processes. So it arguably covers gender changes, abortion, it's extremely broad and it was intended to be broad to cover a range of matters, and the rule prohibits the use or disclosure of PHI to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, or facilitating the acquisition of this reproductive healthcare information. And where such healthcare is lawful under the circumstances in which it was provided, it needs to be protected.
So the prohibition applies where the activity is in connection with the person who's seeking this information, and the regulated entity receives a request for this information and has reasonably determined that a couple of things exist. One, that the reproductive healthcare is lawful under the state in which it was provided, under the circumstances provided, two, that the care is protected, required or authorized under federal law under the circumstances, or three, that a presumption applies. And this presumption is that reproductive healthcare provided by a person other than the entity that's receiving the request is presumed to be lawful unless the entity receiving the request has actual knowledge that it was not lawful. So additionally regulated entities need to obtain an attestation when there's a request for this information around reproductive healthcare.
The bottom line is that there are heightened protections being taken now at the federal level that were taken over the past administration to protect reproductive healthcare information given that Roe was overturned. These laws, this change to HIPAA is going to go into place. In addition to the need for an attestation and this change to the privacy rule, more recently, 42 CFR Part 2 was updated, and this is a substance use disorder rule and it's a federal rule. These changes were made under separate rulemaking to reflect protections around substance use disorder treatment records. I don't expect these changes to be... I guess I expect that they will go forward. It's too difficult to kind of unwind them. So regulated entities, covered entities, healthcare providers that are subject to HIPAA or 42 CFR Part 2 should take note and continue to prepare for compliance and enforcement.
I will note, and again, this goes back to Liisa's comment about state attorneys general becoming more active and our expectation that we'll see more enforcement in that area, recently, the Texas Attorney General, this was just in October, filed a lawsuit against the HHS secretary and the OCR director relating to these privacy rule changes, asking that the rule be vacated and that the agency be enjoined from enforcing it. Texas is a red state. We'll have to see how that lawsuit unfolds.
At the end of December 2024, the OCR released its notice of proposed rulemaking for changes to the security rule. This was greatly anticipated and came between Christmas Day and New Year's Eve, and it's now been published and we are within the 60-day comment period. There's a lot in there and I think the rule will be helpful to the extent that it's implemented in ensuring that healthcare providers take appropriate steps to mitigate cybersecurity issues. And while the new administration may scrutinize the comments and the rules, given the importance of cybersecurity and the number of breaches, significant breaches that we have seen in the healthcare industry, I expect that this rule will be finalized.
Valérie Demont:
As you said, I think there's a lot of uncertainty, I think Jonathan made the case earlier, around the new administration and some of their positions, so your guidance here is very valuable, Carolyn, because I think that's the question that a lot of people have in mind, which is, there's all these regulations that are being rolled out. Are they going to carry on? Are they going to be repealed? Are they going to be blocked? Are they going to be amended? I have a question on that front with respect to the various regulators.
Jonathan Meyer:
Can I just jump in on one quick point on the regulations, which is another thing that people should be aware of, particularly with recently enacted, recently promulgated regulations, which is something called the Congressional Review Act, CRA. Under that act, Congress, within a certain period after a regulation becomes final, can undo it through legislation. And then, of course, the president needs to sign the legislation. That is something I will tell you, because I was part of it, that the Biden administration was very focused on trying to get regulations done ahead of that window so that they wouldn't be subject to the CRA when the new Congress and the new president took office. But, as is always the case, there are regulations that come into effect toward the end of an administration. So that is another way that, to the extent they want to, the Trump administration can undo regulations that the Biden administration put into effect, and relatively easily.
Valérie Demont:
Right. And we all know that there has been, clearly, a lot of activity around reproductive rights and we know where the Republican position is on that front. So let's see where things fall out. That is a very good point, Jonathan. Thank you. With respect, going back to the various regulators, I hear that there's the Department of Homeland Security, there's the Federal Trade Commission, there's the State Attorneys General, the Office for Civil Rights. How much do these various regulators talk? Work in tandem? Is there coordination among them with respect to the enforcement priorities? Actions they're going to take? Or is everybody really acting independently to achieve them?
Jonathan Meyer:
There are certainly efforts to coordinate. So as general counsel at DHS, one of my jobs was overseeing all the regulations at DHS, and we would often hear from the Department of Justice or occasionally HHS or whoever saying, "Hey, we hear you're working on this reg. We want to give you our thoughts on it and would like to coordinate with you." So that happens. But to a great extent, regulations, they're issued by agencies, not by the entire administration. So Carolyn was talking about HHS regs, I was talking about a DHS reg, the CIRCIA reg on cybersecurity, and ultimately they have their own responsibility, so they don't always harmonize each other, though there are efforts to do that. I had lots of conversations along those lines when I was in office.
Carolyn Metnick:
I was just going to say, from a health information privacy perspective, from a HIPAA perspective, the OCR will often coordinate, well, not often, and hopefully not often, but occasionally coordinates with the DOJ where there is something that is criminal or particularly egregious, they can refer matters to the DOJ. I would also say we've also seen a lot of state attorneys general coordinating and getting together in different pieces of litigation. It's just easier, particularly where there are significant data breaches involved or similar issues. We find that they will not just pair up, but they'll really come together to prosecute something.
Jonathan Meyer:
As part of the actual formal process of issuing a regulation, before it gets sent out for comment to the public, it gets distributed to every department in government, and they have an opportunity to comment on it. So there is that coordination. But then it's a question of whether the issuing regulator will accommodate those comments or not or whether there will be disagreements.
Liisa Thomas:
Yeah, and I think there's two pieces, Valérie, that we're sort of talking about that matter for the coordination piece. One is the creation of the regulations and the other is the enforcement side. And I would say you see more coordination on the enforcement side when the activity is viewed as particularly egregious, or it is a hot-button defendant. So you get a lot of the National Association of Attorneys General work together, so they come together and will bring enforcement actions. Often if it's a company that deals directly with consumers, you'll see. So viewed as egregious behavior, there was a huge data breach, for example, and then you'll have an FTC. If the company falls under the FTC's jurisdiction, you'll see a settlement with the FTC and then you will also see a settlement, and it's often a large group of attorneys general. And I don't know, Jonathan, if you saw behind the scenes on those, but it's always interesting from an outsider's perspective to see the one or two AGs and the one or two states that decide not to participate in the group settlement.
Jonathan Meyer:
Well, I interacted with a number of AGs at DHS. In fact, Carolyn, you mentioned Ken Paxton, the Texas AG. I came to refer to him as my pen pal because he was constantly writing me, usually not in a particularly friendly tone, because Texas, as you may know, and DHS and the Biden administration generally were at loggerheads over immigration issues. But yes, there's a lot of coordination among AGs. NAAG is a very active organization and you see them working together. When it's a particularly divisive issue, you'll see the Republican AGs working together on one side and the Democratic AGs working together on another side. But when it's not a partisan issue, where it's a good government issue, they will come together and advocate on behalf of the states, as they should.
Valérie Demont:
And so where have the enforcement actions been taken in recent time? What are recent trends that people might want to hear about and focus, really, on as they run their businesses? We understand that all the regulations are extremely complex, but are there specific focus points right now of the various regulators?
Liisa Thomas:
Okay, no more than five. Well, I think this goes back to what Jonathan and Carolyn were talking about earlier, which is it's the things that are viewed as a concern, and it's generally viewed as a concern by regulators, by class action attorneys, you're going to see enforcement from many different places. And I would say one that's been getting a lot of publicity in different forms under different laws, but I kind of see it as kind of all coming back to the same basic concept, and that's this idea of collecting, passively, information about individuals. We have different ways, because, of course, we have that patchwork that we talked about, so there's different definitions of personally-identifiable information under different laws. So if we set aside the legal definition of personally-identifiable information, what you're seeing are different versions of lawsuits or enforcement actions being brought under different theories.
For example, I'll take passive collection for cookies on a website. So your website passively tracks user behavior so that you can serve targeted or customized advertising. So we're seeing enforcement, we're seeing lots of things. Going back to my basics. There's lots of different laws, but the basics are, generally, that we're telling people that this information is being collected and we're giving them some sort of choice. Some of the laws say, "Have people opt in to this activity happening." Some of the laws say, "Let people opt out of this activity happening." So whatever sort of the legal basis for this is, what we're seeing is more laws around it, and I think we'll see moving forward, more laws at a state level and possibly at a blue state level in this space, we see class action enforcement, and then we see existing regulatory enforcement and guidance, which I think is really interesting, the guidance piece under concepts often of unfairness and deceptive trade practices.
Valérie Demont:
If you had to pick just another one, then which one would it be that people really need to be focused on and address in connection with either their websites, their commercial practices, or otherwise?
Liisa Thomas:
If something goes wrong, will your privacy program be viewed or your privacy and data security program be viewed as sufficient? So will you be viewed because of the structure of your program because, arguably, it was underfunded or you hadn't done enough to have contributed to the problem that occurred in a data security space? So I think that's one. And the other is, are you going to be on the hook for the problems that are suffered by your vendors? So those are my two. I'm happy to talk about either one or we could worry about the healthcare space.
Valérie Demont:
Well, it sounds like Carolyn, you have your own worries too.
Carolyn Metnick:
Yeah. Well, I would just say that we continue to see a lot of activity in the tracking technology space, and while the OCR guidance has changed, there was a bulletin that was put out and then there was the litigation that I referred to, we're still seeing a lot of activity there. And the class action risk I think is huge. The class actions are expensive to defend, they can go on for a long time, and it's really easy for plaintiff's lawyers to find out what tracking technologies are on your website. And I think the risk is greater for healthcare organizations that are HIPAA-regulated because people are really worried about their health information. So certainly it's easy to find out what tracking technologies are on a website, anyone can download this software and see them. And tracking technologies are useful, but there's risk under various privacy frameworks and theories anyway, but the risk is heightened when there's potentially HIPAA-regulated information. So I think we'll continue to see activity there. We continue to work with clients on investigations and trying to figure out what's appropriate and what's not, and to make sense of the guidance.
Valérie Demont:
So talking a little bit about the class actions and the investigations, the enforcement, but just to give level set with people in terms of the penalties, generally speaking, is any of this activity of a criminal nature? Are any of these activities going to really subject officers, directors, the people running the business to jail sentences and other criminal liability? Or are we talking more about civil settlements, penalties, things of that nature? What are we looking at?
Liisa Thomas:
I think, for the most part, we're worried more about financial penalties and injunctive penalties. So being told, for example, that you have to stop the behavior or... We began all of this by talking about personally identifiable information. A lot of the settlements required deletion of all of the information that was collected. I think the thing that those who are running companies in the US should keep in mind is that some of the settlements, especially with the Federal Trade Commission, are going to be not only against the company but against the officers and directors individually because there's a fear on the Federal Trade Commission, from their perspective, there's a fear that if the settlement was with the company, then the officers and directors will merely disband the company, start a new company that isn't subject to the settlement, and engage in the same behavior.
And a lot of these settlements, the consent decrees, can last for 20 years. So that's a long time to be having to live up to whatever's within the settlement. A lot of the consent decrees will require going in annually or every six months reporting to the Federal Trade Commission on your activities and your behaviors. Those are not fun things to have to deal with when you're running a business.
Jonathan Meyer:
I think another important point to make, and I think, Liisa, you touched on it earlier, is the degree of the penalties, the pain imposed by the penalties will vary in part based on how much the company has tried to prevent this. So if a company was breached, but it can show that it had a diligent and consistent program in place to try and prevent it, but someone got around it, the penalty is going to be far less severe than if they just sort of said, "Oh, we don't care about cybersecurity. We'll deal with a breach if and when it comes." It will be more of a penalizing approach, frankly, fairly so. And so it's not just about preventing the breach, it's also about creating the record to be able to show to a regulator if and when the breach happens.
Valérie Demont:
And that's, I think, very good advice that is not just limited to the privacy in the cybersecurity context, but really can be used also in connection with any kind of governmental investigation, governmental proceedings against companies doing business in the US. If you have a track record that you can demonstrate of having tried to identify, fix the issue, you will be in much better stead in your dealings with the government than if you have not.
Now, that being said, we talked a little bit about class action, and I'd like to dig in this a little bit more, because class action is associated in people's mind with very, very hefty costs, and I think, Carolyn, you mentioned that as well. Who normally would start a class action? What are the categories of people who could be starting class actions and what's the dynamic there and what are you seeing?
Carolyn Metnick:
Yeah, and I'm sure Liisa's seeing slightly different versions of this, but in the healthcare space, we're seeing disgruntled patients or patients who are concerned that their health information has been inappropriately used or disclosed to a technology company or tracking technologies vendor. And we all know that there are beacons and pixels and these tracking technologies on websites. They help optimize the websites and make them easier to use, and they do great things that are helpful and useful in many ways. But when it comes to the health information privacy, people are very concerned and people, I think, have greater understanding of the privacy laws now and this is real low-hanging fruit for plaintiffs’ lawyers, quite frankly. So we've seen litigation, it's on the news against large health systems regularly. It just keeps happening. So I think we'll continue to see more there. Liisa, I'm sure you're seeing different kind of versions of this, not just in the healthcare space. It's happening everywhere in other industries too.
Liisa Thomas:
Yeah, I think we talked about the cookies, passive tracking, and I was looking back and I was sort of thinking about what are potential other areas where we'll see similar arguments. I think fingerprint, face print, so biometric information collection. That is definitely viewed as sensitive information. And sometimes I will joke, "We can come up with a new password, but we only have 10 fingers, so there's only 10 fingerprints we have to give. We only have one face to give, just different glasses."
I think another thing that really is a focus is to what extent is a company going to be faced with significant monetary penalties, damages, held to account if there's been a data breach, whether it's the company's own data breach? And this goes back, Jonathan, to what you were talking about in the cyber area. So even if it isn't personally identifiable information, we have some sort of security incident, and there's a lot of harm caused, the company is a victim, but to what extent will it be held to account or will the officers and directors be held to account for the fact that the problem occurred?
I think we've seen over the past 20 years, probably, more and more and more a focus on holding corporations accountable for the behaviors of the vendors that they select. At the federal level, that may not happen under the Trump administration, but I do think we'll continue to see this from class action attorneys and at a state level.
Valérie Demont:
So what would be your parting word of advice for business owners who are managing their businesses in this very complex environment? Lots of different levels of regulations, multiple regulators. It sounds like there is a focus in specific areas. But what should they be doing? What should they be thinking? Could we expect that there might be a regulatory pullback, at least that's what we hear, and it sounds like there might be tools, regulatory tools, for Congress to act in some of these regulatory areas and maybe pull back regulation? But that being said, with the body of regulations that are in place and the rules to follow and with the activism of the plaintiffs' bar with respect to class actions, what should people be doing in terms of prioritizing what they do on the cybersecurity and privacy front?
Jonathan Meyer:
Well, I'll start. Look, I think it is a good practice, both as a legal matter and as, frankly, a good governance matter, to remain vigilant and to do everything you can to inoculate yourself against charges of lax security on your systems, whether or not the regulatory environment is currently aggressive. There's always risk out there. The world continues to get more sophisticated and specifically more technologically sophisticated, and so it's important to keep up and for executives to have open lines of communication with their technology and especially their information security professionals, because it's an ever-changing landscape. There's the old commercial in the United States that people remember, "You can pay me now or you can pay me later," which is just a way of saying... Or the other saying is, "An ounce of prevention is worth a pound of..." What's it? I don't even remember what it is. But anyway, you'd much rather deal with an issue now when it's easier than deal with the fallout, and so people should remain vigilant.
Liisa Thomas:
So remain vigilant. I'll add, be realistic. I think we can borrow from change management and think about how can we get things done within our organization and what can we get done? There's a lot of amazing research that's been done on change management, and so there's one thing that I would encourage everyone who's running compliance programs or worrying about legal compliance, privacy, cybersecurity, is to read up on change management and understand that it's all not going to happen all at once. And that if you don't take the steps, build an army of people that support you, get that strong coalition, celebrate small wins, continue to work on the change, know that it isn't going to happen overnight. If you don't do that, it won't work.
Jonathan Meyer:
I would add an important clarification too, which is that not all the most important things to do are the most difficult things to do. There are a lot of easy things that companies can do to protect themselves, and that is the low-hanging fruit. And so folks should be looking at that and thinking about that because there's a lot of stuff that does not take a huge investment, does not take a lot of time or even a lot of expertise, but that's out there, and a surprising number of companies just don't do because they haven't focused on it.
Carolyn Metnick:
That's a great point, Jonathan. I was going to mention that. In healthcare, we have seen huge data breaches this year, and they're increasing every year. They're becoming extremely costly, and I think it was an IBM report that showed that the two issues, the big greatest issues, are ransomware with respect to healthcare and social engineering. And to your point, Jonathan, training goes a long way. Having a cybersecurity program goes a long way. If you're a HIPAA-regulated entity, do a security risk analysis. You're required to, but these are the basics. But I would say training can go a long way, and it can really inform people and help them understand these social-engineered emails that you clicked on and that suddenly there's a ransomware attack on your organization.
Valérie Demont:
Well, I think we could have carried on for a very long time, but I wanted to thank you, Jonathan, Liisa, and Carolyn, for your very, very useful insights, and thank you to all our listeners for tuning into this episode of French Insider. We look forward to having you on the show for future episodes.
Carolyn Metnick:
Merci bien!
Jonathan Meyer:
Merci beaucoup.
Liisa Thomas:
Merci beaucoup.
Valérie Demont:
This podcast is recorded monthly and available on Spotify, Apple Podcasts, Stitcher, and Amazon Music, as well as on our website sheppardfrenchdesk.com. We want to help you and welcome your feedback and suggestions of topics.
This podcast is for informational and educational purposes only. It is not to be construed as legal advice specific to your circumstances. If you need help with any legal matter, be sure to consult with an attorney regarding your specific needs.