Photo of Scot Ganow

Scot is Senior Counsel in Taft’s Dayton office, and co-chair of the firm’s Privacy and Data Security Practice.  As a former chief privacy officer and leveraging more than ten years of management and compliance experience in Fortune 500 companies, Scot brings a diverse business background to his privacy and data security practice. Scot has represented clients in a variety of sectors, including consumer reporting, construction, healthcare, and manufacturing.

Well, if Star Wars (May 4) and doughnuts (first Friday in June) can have their own day, you would hope a day might be dedicated to reminding us all about the importance of privacy and increasing awareness of ways we can empower ourselves and our clients to better use and protect personal information. Data Privacy Day began as Data Protection Day in Europe. The day commemorates the signing of Convention 108, the first legally binding international treaty dealing with privacy
Continue Reading

As you put together your resolutions and plans for the new business year, it is important to remember that the European Union’s (“E.U.”) General Data Protection Regulation (“GDPR”) will go into effect on May 25, 2018. The impact that it could have on U.S. companies will depend on whether a company processes the personal data of E.U. citizens (note: the definition of “personal data” under the GDPR is quite broad). If you think this doesn’t apply to your company, think again – even without a physical presence in the E.U., the internet makes it easier than ever to collect personal data from E.U. residents while operating solely in the U.S. So, whether it’s the information of your customers, the customers of your clients, or even the personal data of your own employees, it is important to be aware of your obligations under GDPR and the ways by which you can comply.

As we introduced last year, underpinning the GDPR is the view that privacy is a fundamental human right. Accordingly, the GDPR takes a comprehensive approach to privacy law – much more so than the sectoral approach used here in the U.S. In the U.S., privacy tends to be regulated based on the category of information collected (e.g., protected health information under HIPAA). Under the GDPR, as well as its predecessor, the Data Protection Directive 95/46/EC, the focus is on personal data in all sectors of industry. And we should take a moment to remind everyone that stringent regulations on transferring personal data from the E.U. to the U.S. are not something new. U.S. companies should have been complying with the Data Protection Directive since 1995. Indeed, many companies are just now starting to do what they should have been doing for a long while. In truth, in some part, this lack of compliance or sufficient protection of personal data is why the GDPR has come to be.


Continue Reading

With this year’s high profile breach at a large consumer reporting agency and credit cards ringing up balances during this holiday season, I have been fielding numerous calls from people in both a professional and personal capacity on what they should be doing to “truly” protect their identity and their credit accounts. I often find myself reiterating some of the basics of the laws in place to protect you and to empower you to safeguard your credit information. So, I thought a quick post sharing that information might be timely, helpful and possibly buy you some peace of mind.

  1. No one will care more about your privacy and security than you. Let me begin by reiterating a common mantra of mine: No one will care more about your privacy and security than you. While the law can provide a remedy and some protections, it will never move faster than you, nor will it know as much about your individual situation as you do. In truth, the law is your last remedy when dealing with information security-related issues. That said, there are protections and tools available to you at the federal and state level of which you might be able to avail yourself.
  2. Federal and state law. At the federal level, the privacy and security of your information stored by consumer reporting agencies (“CRAs”) is regulated under the Fair Credit Reporting Act (“FCRA”). The FCRA regulates the use of consumer report information, or any information that might be used to determine your eligibility for something, such as a loan, apartment rental, job, license, etc. As this information includes sensitive details such as your social security number, date of birth, as well as details of your financial and professional history, the FCRA assigns many duties and obligations to CRAs and users of consumer reports. On top of that, many states have their own version of a fair credit reporting act that mirrors the federal law. In some cases, the state act provides more restrictions and protection on the use of personal information than the federal version.


Continue Reading

As we gather at this time of year to express our gratitude for those people and things most important in our lives, perhaps one of the things on that list at work is that you have not suffered through a security incident or breach this past year, or ever. Indeed, this is reason to be thankful! However, when it comes to privacy and security incidents, it is not a matter of IF but WHEN. So be grateful for your good
Continue Reading

Ohio is poised to lead the nation by incentivizing businesses to implement certain cybersecurity controls, which can be an affirmative defense to a data breach claim based on negligence. Under the proposed legislation, if a business is sued for negligently failing to implement reasonable information security controls resulting in a data breach, the business can assert its compliance with the cybersecurity control as an affirmative defense at trial.

For years we have counseled our clients to implement a comprehensive data
Continue Reading