A Privacy Plan For Your Family Office
The author here argues that every contract a family office enters that involves (or that could involve) the vendor collecting, receiving, accessing, or using personal data (think family member or employee data) should, and often must per law, address data privacy and security.
The following article is from William Roberts, who is a co-chair of the Data Privacy, Protection and Litigation practice at Day Pitney, an East Coast law firm. (More on Roberts and the firm below.) The article contains observations made at a recent conference hosted by the publisher of this website.
This is the seventh in a series of articles that also appears in a 24-page publication by Family Wealth Report: Family Office Cybersecurity and AI Summit. The document contains the work of a range of authors who examine topics covering AI, security, cyber threats and more. The editors of this news service are pleased to share this material; the usual editorial disclaimers apply. Email tom.burroughes@wealthbriefing.com if you wish to respond.
Family offices are faced with an ever-increasing number and variety of cybersecurity threats and tools to lessen the risk or severity of these threats. Family office principals have a plethora of choices from a variety of vendors deploying cutting-edge tools, and what tools make sense for a particular office will vary depending upon the office’s size, risk profile, budget, and operations. While all of this is important, family office principals and managers should not lose sight of the basics that underpin all of this – compliance with data privacy laws and implementation of a data privacy program.
Data privacy laws address how organizations may collect, use, and disclose personal data, and such laws apply to all sorts of entities and operations, including family offices. These laws may touch upon, and impose legal requirements on, family offices in a variety of contexts: (1) the personal data of family members, employees, and former employees; (2) sharing personal data with vendors, service providers, and advisors; and (3) joint ventures, affiliations, and investments. In each, a family office may be subject to a variety of data privacy laws, each with its own requirements and penalties for non-compliance. These laws may include, for example, the General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), state laws requiring a privacy program to be in place, and data breach laws found in all 50 states.
Compliance with data privacy laws requires a data privacy program to be in place. Such a program should be set forth in writing, such as through a policy, which addresses the program’s structure, leadership, data handling practices, and approach to complying with applicable law. Whether an individual or a committee, program leadership should ensure that the office is aware of the laws that apply to it, understands what it must do to ensure compliance, and develops the policies and procedures necessary to demonstrate compliance and ensure the proper handling of data and response to data breaches.
Program leadership should also ensure that it is addressing the data privacy risks and legal compliance obligations arising from its collection of personal data from family members, employees, and others. Such collection may require, at times, notices of collection that explain the purpose of the collection and the family office’s data handling practices. Preparing these notices also requires the family office to assess whether it is selling family member data or sharing family member data for another entity’s private purposes.
A focus of the presentation was the importance of data privacy law in the context of contracting with vendors. Every contract a family office enters that involves (or that could involve) the vendor collecting, receiving, accessing, or using personal data (think family member or employee data) should, and often must per law, address data privacy and security.
About the author
William Roberts is a co-chair of the Data Privacy, Protection and Litigation practice. He focuses his practice on advising businesses, family offices, and high net worth individuals on protecting their privacy, complying with relevant law, and responding to data breaches and government investigations. He has received numerous accolades for this work advising family offices across the country on data privacy and cybersecurity matters.
About the firm
Day Pitney, an East Coast-based law firm with national and international reach, has more than 300 attorneys in 13 offices in Boston, Connecticut, Florida, New Jersey, New York, Providence, and Washington, DC. The firm offers clients strong corporate and litigation practices, with experience on behalf of large national and international corporations, as well as emerging and middle-market companies.