Just as spring flipped over into summer last year, another significant changeover was taking place in the legal sector: the implementation of the General Data Protection Regulation, or GDPR, which governed the safekeeping of electronic records. And while it became law in the European Union (EU), its ripples immediately spread throughout the world – including in sports events here in the U.S. Now, as winter turns to spring here, it's time to examine the trickle-down.
The impact stateside has been twofold: the introduction of new laws and the tightening of existing laws, regarding electronic records containing personal information. The protections, in many cases, mirror what was introduced as part of the GDPR, and have the same intention: to provide individuals with a measure of control when it comes to the safeguarding and release of their records.
While GDPR faces the European Union as a whole, such laws in the U.S. are being enacted state by state. Therefore, it is incumbent upon event owners and rights holders to get familiar not only with their own state laws, but others as well.
The challenge: the legal landscape concerning data privacy is in flux. Between 2016 and 2018, there was an enormous uptick in the number of states enacting privacy laws for data held at various levels. A chart showing the two-year change can be found here – but it should be noted the information shown was only current at the time of publication. Event owners should seek expert advice on their own state laws as well and should find out whether they will need to be cognizant of data laws in states where their event is traveling – and whether the home states of individual athletes will have laws that come into play as well.
Event owners and rights holders also need to understand state laws concerning consumer notification if data has been compromised. According to the National Conference of State Legislatures, in 2018, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, enacted breach notification laws that require businesses to notify consumers if their personal information is compromised. These new and amended state data breach laws expand the definition of personal information and specifically mandate that certain information security requirements are implemented.
In addition to the laws that appear on the link above, many states also have other data security laws that apply to state agencies or other governmental entities – something that will be vitally important to sports event owners at those levels.
Event owners, rights holders and others who collect data of athletes, sponsors, volunteers, officials and any other participants will need to be aware of laws concerning the disposal of that information. According to the linked information, at least 35 states and Puerto Rico have enacted laws that require either private or governmental entities or both to destroy, dispose, or otherwise make personal information unreadable or undecipherable.
Additionally, it should be noted that the Federal Trade Commission's Disposal Rule also requires proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.” The rule applies to consumer reports or information derived from consumer reports. HIPAA also has disposal requirements for electronic protected health information.
Cyber liability insurance is offered, notes Lorena Hatfield of K&K Insurance Company, in a recent issue of Sports Destination Management. This, she notes, is an evolving field, and event owners should contact their insurance provider to ascertain what is covered and what information is needed.