Is an inability to come to an agreement on the definition of personally identifiable information (PII) a problem for the privacy profession? Click on the following link for a discussion: The Problem At the Heart of the Privacy Profession.
Another problem, I believe, is that from a liability perspective, in instances where a computer data breach is caused or accomplished by the intentional or negligent act of a third party, what standard of care do you use to determine whether the entity whose computer system was hacked was legally negligent in safeguarding or protecting its system from being hacked? What is the applicable standard of care that should be applied? Do different standards of care apply for different industries, for different entities, in different geographic locations? And what if you are on a board, or a risk or audit committee, overseeing management’s integrity of the entity’s computer system, what standard of care do you use to satisfy that oversight or to at least negate possible red flags? We have a lot of important questions to discuss in this area of law.
Dave Tate, Esq., San Francisco and California.