Mitzi Hill is the founder of Taylor English’s Data Security & Privacy practice. She works with business owners and executives to ensure that they are ready to compete in a global supply chain that requires attention to privacy and security through use of technology.
Her experience includes fifteen years in-house at Turner Broadcasting, where she oversaw multiple regulatory compliance programs, international content licensing, and legal clearance of new technology systems.
Prior to her time in-house, she was with a large international law firm, where she focused on technology and media issues, including satellite distribution, copyright infringement and First Amendment claims.
She has handled technology, IP, compliance, and international business matters for more than twenty-five years. This strong background allows her to work closely with clients including retailers, logistics companies, service providers, platform operators and others to ensure that they are prepared for privacy and cybersecurity requirements imposed on them by laws and by their customers.
She enjoys helping clients develop policies, contracts, and workflows that protect information assets and thereby confer a competitive edge. Among other things, she creates data processing and cross-border transfer agreements; counsels US and international companies on compliance with privacy laws including the GDPR and CCPA; serves as privileging counsel on security and compliance audits; and handles data breach response. She writes and speaks frequently on data security and privacy issues. She also routinely handles technology licenses, SaaS agreements, and general commercial services agreements.
She also has an extensive background in media and intellectual property issues and has handled film productions, media and sponsorship rights, program distribution, and music licensing. In addition, she has spent significant time overseas, having resided in London to oversee a client’s legal function in Europe, the Middle East and Africa.
In her free time, she works to support Georgians diagnosed with ALS, reads avidly, and supports the Tide. She also travels, and has been to Egypt, Hong Kong, Jordan, New Zealand, Syria, Thailand and other points distant.
Connect with Mitzi on LinkedIn.
What You’ll Learn In This Episode
- About Taylor English’s Data Security & Privacy Practice
- How can businesses protect themselves
- Some red flags that would signal businesses need a privacy check up
This transcript is machine transcribed by Sonix
TRANSCRIPT
Intro: [00:00:04] Broadcasting live from the Business RadioX Studios in Atlanta, Georgia. It’s time for Atlanta Business Radio. Brought to you by OnPay, Atlanta’s new standard in payroll. Now, here’s your host.
Lee Kantor: [00:00:24] Lee Kantor here, another episode of Atlanta Business Radio, and this is going to be a good one. But before we get started, it’s important to recognize our sponsor, OnPay. Without them, we couldn’t be sharing these important stories. Today on Atlanta Business Radio, we have Mitzi Hill, and she is the founder of Taylor English’s Data Security and Privacy Practice. Welcome, Mitzi.
Mitzi Hill: [00:00:46] Thanks, Lee. It’s great to be here.
Lee Kantor: [00:00:47] Well, before we get too far into things, do you mind defining some terms? What is data security, and what does a privacy practice practitioner do?
Mitzi Hill: [00:00:57] Well, Taylor English is a full service law firm here in Atlanta. And what we do for clients in the data security and privacy area is sort of a full range of services. A lot of what I do is compliance advice. So monitoring the changes in consumer privacy laws that are popping up around the country and that restrict or govern what companies can do with information that they collect about their customers, in some cases their employees and in some cases their business contacts, and helping them figure out how their data can be kept confidential and secure so that it meets all of those privacy law requirements.
Lee Kantor: [00:01:40] Now, is this specific to certain industries or is this something that all businesses should be paying attention to?
Mitzi Hill: [00:01:46] I think it’s gotten to the point that all businesses should be paying attention to it. It used to be that privacy was really only the realm of certain industries. It got a little broader starting about ten years ago and and covered a lot of consumer facing industries. And what we are seeing now is that the laws that are coming out and the compliance measures that are required really apply to both B2C and increasingly to B2B kinds of companies.
Lee Kantor: [00:02:19] And then early on it was like kind of fintech health care concern and now it’s trickling into, you know, even mom and pop businesses, anybody who has, I would imagine, credit card information or things like that.
Mitzi Hill: [00:02:31] That is exactly right. Credit card information, website, interactive, anything, technology services provider’s other services providers that may have electronic communications or deliverables, all of those can be affected.
Lee Kantor: [00:02:46] And so what’s your backstory? How’d you get involved in this line of work?
Mitzi Hill: [00:02:49] Well, I’ve been in practice for about 29 years in Atlanta, and I have spent my whole career in the technology area. When I started practicing, it was generally referred to as, quote, computer law. It has evolved as consumer, and commercial technology has evolved. But I started I was in house for 15 years at a very large media company and worked in the early days there on some privacy related issues. And as privacy and security started getting to be broader concerns across all industry verticals a few years ago, about ten years or so ago, I got more and more involved in those areas as a complement to what I already did on the technology side.
Lee Kantor: [00:03:38] Now, it sounds like this is just the evolution of technology, right? At one point, you know, tech was its own thing and now every business is pretty much a tech company in some form or fashion.
Mitzi Hill: [00:03:50] That’s exactly right. And that is exactly why regulators have started to get interested in this area. It used to be that not only tech was its own thing, but it really wasn’t collecting any significant amounts of data from anybody, from users or from consumers or from employees. And now we all have devices everywhere we go. We have a phone. Our cars generally are connected. There are public Wi-Fi networks everywhere we go. We conduct our banking online. We conduct our commercial communications online. We stream the video that comes into our homes. All of those things are in the background, collecting and processing and analyzing data about us. And so that’s what has made regulators in the last ten years or so say, wait a minute, is this okay with us? And should there be any ground rules for collection and use of data about people?
Lee Kantor: [00:04:54] Now, when you’re working with clients, is this something that when you’re informing them about this, is it something that the industries in general are kind of voluntarily trying to stay ahead of this? Or is this something that people are just going to wait for the government to make rules and then adjust?
Mitzi Hill: [00:05:10] It’s a little of both. I think historically, and by historically I mean all of about 20 years ago when these issues really started to emerge, most industries and most companies have tried to be ahead of privacy concerns, largely through the use of the kinds of privacy policies that you see if you ever scroll to the very bottom of anybody’s website and look in the footer links. Starting seven or eight years ago, the regulators in the European Union decided, in part because of the ubiquity of devices and the power of social media and big tech, and in part because of some surveillance and government intelligence rules in various countries around the world, that they wanted to put some limits specifically on how data are gathered and used. And so for companies that had a business presence in the EU, they could no longer really stay ahead of it, because they were then faced with a comprehensive privacy rule. Here in the States, we do not yet have a comprehensive national privacy rule. But what we do see is that so many companies that have tried to stay ahead of it are now in the position where they must comply with the EU rules or rules in another international jurisdiction, and/or there are now privacy rules either enacted or pending in roughly a dozen states that are going to be coming online in the next two years. And I think that is really going to be the point at which most companies throw their hands up and say, I can’t get ahead of it. I’m just going to do what the government tells me to do.
Lee Kantor: [00:06:51] So how does the government stay on top of something that moves so rapidly, when government historically isn’t that nimble? You know, now we have a whole AI conversation occurring. You know, when people see or play around with ChatGPT, even though they’ve been talking to their Amazon for years and haven’t connected the dots that a similar thing was happening there. But how does a government regulate something without impeding any of the progress?
Mitzi Hill: [00:07:24] Well, it’s a really good question, and I think that question is in part why the US does not have a national privacy law, because the regulators in Washington have not been able to agree on a framework that they all think would sufficiently protect consumer privacy without unduly impinging on business innovation and technological freedom. I think the EU took the calculated position to give privacy the position of primacy, if that makes sense, and to bet that it would not substantially inhibit economic progress. It just would mean that companies had to learn to adapt to a new framework of rules.
Lee Kantor: [00:08:16] So has that been the case?
Mitzi Hill: [00:08:19] I think it has. You know, they are now fighting all the time with big tech. Anybody who pays attention to this has probably worn out the buttons on their calculator trying to add up the fines that Facebook and Google and their ilk have incurred in the EU over the last couple of years. I think the last running figure was something like a billion and a half dollars, and that was before some penalties that were announced last week. And so there is, as always when there are significant new regulations in any area, there are some lawsuits and some regulatory skirmishes going on to try to help business figure out exactly what the parameters and limitations of government authority in this area are. And I suspect what happens in Europe will continue to inform what state legislators and potentially our federal legislators enact in the US.
Lee Kantor: [00:09:17] But it sounds like whatever’s happening there is going to be it’s just a matter of time here.
Mitzi Hill: [00:09:25] I think to a certain extent that is going to be true, in part because there is almost no such thing anymore as a purely local business. Most companies have suppliers or customers or employees who are in other jurisdictions than where the business has its headquarters. And because of all the electronic communications and because of all the data gathering, I think we can expect that privacy and regulation of privacy is going to increase in importance. There has been, however, a difference in the way US regulators have approached privacy that I think is pretty important and pretty distinct from how the Europeans approached it. The Europeans start with the rule that you cannot collect any personal data about anyone unless you have a legal basis, so a defined kind of justification for it. For the most part, in the US, we are not seeing that sort of threshold requirement. Instead, in the US it tends to be that you can continue to collect and use what you need for your business, but there are going to be rules about how carefully you disclose it and about potentially what you can do with it once you’ve got it inside your shop.
Lee Kantor: [00:10:52] And that’s really at the heart of it, at least here in the US, right? People have lost, I guess, either the will to care about how much data is being collected. They’re not aware of how much data is being collected. But I’m sure as an individual, if you saw clearly what a website or whatever app you’re using was doing with the data you had and how it was monetizing it and what they were getting for it, you might not sign up as quickly to certain things.
Mitzi Hill: [00:11:24] I think that’s exactly the view that many regulators have. I think increasingly that’s the view that a lot of companies have. You know, many, many companies in the big tech area are actually supportive of the idea of the federal government passing some national privacy legislation that would make the rules a little clearer and a little more uniform across the country. And you mentioned AI earlier; we’ve had the head of Google calling for regulation of AI. And we’re seeing both Congress and the EU take steps in that area.
Lee Kantor: [00:12:03] But it always makes small business people a little nervous when the biggest players are for some sort of regulation that could kneecap the smaller players that are trying to do something different.
Mitzi Hill: [00:12:15] That is exactly right. And at least in the privacy area, at least in many of the US states that have looked at it, there is some threshold size requirement before the laws apply to you. That is not true in every single state that has enacted a privacy law. But in California, which is sort of the platinum standard for the US state privacy efforts in terms of how comprehensive and how developed it is, there is a size threshold. So if your business is under, for example, $25 dollars in revenue every year, the law might not apply to you.
Lee Kantor: [00:12:52] So now when you’re dealing with clients on this issue, how are you like, what are those conversations like? Are they coming to you with something to triage or are they just want to be informed, You know, what are those initial conversations look like?
Mitzi Hill: [00:13:09] It depends on what’s going on in the client’s business. A lot of times, particularly with small and medium companies, what they’re doing is coming in and saying, hey, I provide services to much larger companies, to the Fortune 100, Fortune 500, whatever it is. And increasingly my customers’ form agreements require that I sign up for all kinds of data processing and data security commitments. Can you help me figure out whether, in fact, I have to sign up for these, and how much of my resources I have to commit to some sort of privacy or security compliance? So we talk about it in that respect. We also, particularly with companies that are consumer facing, many of them are aware generally of these trends in the privacy area, and they come in and essentially want a check-up. You know, they say, do we need a privacy policy? Should we have other policies? Should we be looking at other documents like our customer agreements or our supplier agreements to make sure that everybody up and down our supply chain is, you know, compliant the way they need to be? Should we be talking to our employees about this and delivering any training? So we can do that. And then the third sort of general bucket when people come to me is either they’re not aware of these rules or they have deferred their efforts to comply with them, and in the meantime, either they or one of their suppliers suffers a data security breach or a data security incident that needs to be responded to. And then we can address forward-going compliance once the incident is managed.
Lee Kantor: [00:14:51] Obviously there are certain things that move this to the top of the priority list. I’m sure a breach of their firm or of an industry peer, you know, maybe a competitor or complementary business, is a wake-up call that people need. But are there other kinds of red flags that say, hey, this needs to be more important on our to-do list than it is right now? It’s not something that we can afford to wait on. So can you share some of those red flags?
Mitzi Hill: [00:15:22] Sure. I would say, based on the regulatory trends for 2023, anybody who is deploying an AI tool within their business probably ought to be having a privacy and general technology compliance conversation with their lawyer. I would say anybody who is using tracking technology on their website or in connection with their online advertising should definitely be having a conversation with their lawyer. The same for companies that use content or applications that may come from third-party providers, like a map insert that is pulling identifying data from users, or using behind-the-scenes services like Google Analytics or Facebook to power your checkout and your cart. Those third-party providers are frequently tracking your users, and we are seeing not regulation to stop it, but we are seeing some lawsuits that are trying to crack down on those kinds of efforts. And a lawsuit obviously is hugely disruptive and expensive to deal with. And so talking with your lawyer about any of the tracking that you yourself do or any of the tracking that your third-party providers may do is important. The other sort of red flag, I would say, is any company that is dealing in health information or other sensitive information: financial, or it relates to children, to minors online, or it has to do with biometric data, similar kinds of categories to those. That would also be a flag to have a conversation with your lawyer about what you collect and why you’re using it.
Lee Kantor: [00:17:13] And in health care, isn’t it right that even if you’re not dealing directly with a patient or something, but you are working within the health care industry, you have to be compliant to a lot of rules in order to work in health care in pretty much any form or fashion, right?
Mitzi Hill: [00:17:33] Yes. So the scope of health care privacy is really complex. And in general, medical providers and medical payers, like insurance companies, have very specific rules they have to comply with, but so do their suppliers. So if you are providing a benefit to employees of a hospital, or to patients of a hospital, you may have a compliance issue that you weren’t aware of. And the other thing that we are seeing is that a lot of entities that are not directly in the health care space, but provide some kind of a wellness tool or a wellness app and are collecting, you know, quasi-medical information about people, may also get sucked in, not into the formal health care rules under our HIPAA laws, which are the ones that govern your doctors, but those may start increasingly being covered by the state privacy laws that are coming out. They’re tending to classify some of that data in a way that means you have to protect it even if you’re not a HIPAA entity.
Lee Kantor: [00:18:47] Now, if you were advising clients, how often should you be talking to an attorney about these issues? Is it something you have like an annual check in or is it something that the attorney is going to tell you when something changes? Like what is that kind of back and forth look like?
Mitzi Hill: [00:19:04] Most of my clients, if they’re not consumer facing and if they’re not in a sensitive industry or collecting sensitive information, I tell them that we probably ought to check in about annually right now, because there are so many state laws coming into effect over the next few years and we expect more and more states to pass privacy laws. And so just checking in to make sure that their current privacy policy and their behind-the-scenes privacy practices remain compliant is important. Anybody who gathers sensitive kinds of data, is in a health care or wellness space, deals with children, deals with biometric information, or is doing a lot of consumer-facing targeting and tracking, I would probably suggest right now that we talk about every six months.
Lee Kantor: [00:19:55] Now, if a firm says, you know what, I can’t keep up with this, is it easier for them to just adopt what’s happening in the EU, at their level of privacy, and then say, look, that should cover me for a while?
Mitzi Hill: [00:20:10] I think for smaller and medium-sized American companies, probably the better standard is California. California’s law is largely modeled on the EU, but it’s got some particular tweaks in it, so that in many ways it is less onerous than the EU’s laws, but in some ways it has higher requirements. And because most of the states in the US that are now passing privacy laws tend to look at California’s as the model, because it was first and it has been in effect the longest, that would probably be the baseline standard for most companies.
Lee Kantor: [00:20:52] Well, if somebody wants to learn more, have a more substantive conversation with you or somebody on your team, how do they get a hold of you?
Mitzi Hill: [00:20:59] We have a fully interactive website. My email address is M Hill at taylorenglish.com; that’s important.
Lee Kantor: [00:21:10] It’s taylorenglish.com. If you go there, is there some information on this topic somewhere on the website?
Mitzi Hill: [00:21:17] Yes. We publish a lot. I publish a lot of blog posts on this. You can find them at insights.taylorenglish.com. You can also follow me on Twitter or on LinkedIn to see those.
Lee Kantor: [00:21:31] Right. But if they go to taylorenglish.com they can find information on data security and privacy, I’m sure.
Mitzi Hill: [00:21:39] Yes, they can.
Lee Kantor: [00:21:39] Good stuff. Well, Mitzi, thank you so much for sharing your story, doing such important work. And we appreciate you.
Mitzi Hill: [00:21:45] Thank you. I appreciate the opportunity to chat with your audience.
Lee Kantor: [00:21:48] All right. This is Lee Kantor. We’ll see y’all next time on Atlanta Business Radio.
About Our Sponsor
OnPay’s payroll services and HR software give you more time to focus on what’s most important. Rated “Excellent” by PC Magazine, we make it easy to pay employees fast, we automate all payroll taxes, and we even keep all your HR and benefits organized and compliant.
Our award-winning customer service includes an accuracy guarantee, deep integrations with popular accounting software, and we’ll even enter all your employee information for you — whether you have five employees or 500. Take a closer look to see all the ways we can save you time and money in the back office.