Happy Cyber-New Year! 2017 Privacy Obligations and Resolutions



As 2016 comes to a close, it’s time to reflect on the past year. More important is setting goals for the new year: eat healthier, exercise more, go to bed earlier, stop weekend-long Netflix binges and . . . practice better digital hygiene so I don’t get hacked! 2017 also brings new obligations, and for some privacy and security professionals, these obligations come in the form of new laws and regulations that go into effect on Jan. 1, 2017. 

Privacy and security pros will want to check the new laws coming online in local jurisdictions where they have clients doing business. And if they are attorneys practicing in New York, they face their own new compliance obligations in 2017.

After the ball drops in Times Square and Kathy Griffin strips down to her underwear on live TV, law firms in New York must be more proactive about preventing leaks and theft of their clients’ confidential data under rule amendments going into effect Jan. 1. The amendments modernize the ethics rule on client confidentiality in light of technology’s impact on the practice of law. For example, the update requires New York attorneys to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to” protected information.

Three hours after the Empire State celebrates the coming of 2017, California will have new rules regulating the release of a deceased person’s digital assets, including e-mails and social media accounts, to a fiduciary. The new law sets the order of priority for a decedent’s wishes regarding a fiduciary’s access to the assets.

By the time the Golden State kicks off 2017, across the Pacific Ocean, South Korea will have an updated data protection law. Amendments to the nation’s overarching legal framework on personal information protection, the Personal Information Protection Act, require data processors holding fewer than 1 million Resident Registration Numbers (RRNs)—similar to Social Security numbers in the U.S.—to encrypt all such numbers by Jan. 1, 2017. Data processors holding 1 million or more RRNs must finish encryption by Jan. 1, 2018.

Meanwhile, in Norway, companies that process data will have eased data processing notification requirements. Starting on Jan. 1, companies won’t need to notify the nation’s data protection authority for a wide range of activities, including creating client data registries and tracking company vehicles.

There are still a few days left in 2016. Let’s hope they’re not very eventful.

To keep up with the constantly evolving world of privacy and security, sign up for the Bloomberg BNA Privacy and Security Update.