US privacy law doesn’t come up often in US investigations—but that doesn’t mean you can ignore it. Well-known laws like HIPAA arise in healthcare investigations all the time. Gramm-Leach-Bliley comes up in many investigations into financial services companies—and often others as well. And emerging state privacy laws like the CCPA will have implications for investigations in companies regardless of sector. Not to mention laws governing the recording of conversations or access to private emails and messages. Cutting through these laws isn’t always simple, which is why we’re pleased to announce that Peter Jaffe, Jillian Simons, and Allie Bian have authored the US chapter for Global Investigations Review's (GIR) know-how resource Data Privacy & Transfer in Investigations.
The challenge for US investigations is that the US privacy laws can be highly reticulated and unforgivingly rigid, especially compared to their foreign counterparts. There’s no “legitimate interests” balancing and there are few safety valves. Exceptions for conducting purely internal investigations tend to be limited where they exist at all. Exceptions for complying with law enforcement or regulatory requests tend to be narrow. The exceptions privilege US law enforcement and regulators over foreign ones. They often don’t apply to an authority’s informal inquiries. And sometimes, responding to a request requires you to jump through burdensome hoops (especially under HIPAA). So if you’re a global investigations practitioner, the usual investigation/compliance exceptions won’t always get you where you need to go.
The solution, therefore, tends to be (1) justifying why the privacy law doesn’t apply in the first place, or (2) complying with the law’s requirements. Luckily, most US privacy laws are focused on individual human consumers rather than, say, employees of a company or even counterparty employees. That entirely removes some investigations from the scope of key privacy laws. The US privacy laws are also still fragmented, and depending on your clients’ industry and where they do business, the laws might not even come into play. Even when the laws apply, companies can usually conduct investigations without too much trouble by providing the proper notices—and often, companies will have done so already in their existing privacy notices.
Our chapter in GIR’s Data Privacy & Transfer in Investigations walks you step-by-step through 17 common privacy questions that arise in investigations. From the right way to hire document vendors to the best ways to justify productions to regulators, we get you and your clients where you need to go.
