GDPR and CCPA Are Just the Beginning for the Middle Market
Organizations seeking compliance with the growing number of data privacy regulations will need to remain vigilant, especially for organizations that rely heavily on personal data.
September 16, 2019 at 07:00 AM
9 minute read
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, and In-House Counsel.
Data privacy and cybersecurity are easily the hot-button issues of the decade. For many organizations, preparing to comply with the EU's General Data Protection Regulation (GDPR), effective as of May 25, 2018, was a herculean feat, and those efforts continue as new guidance is released and companies look to improve their data privacy governance and compliance programs. The GDPR is the most significant overhaul of the EU's data privacy rules in over 20 years, and because of its extraterritorial reach it forced American businesses to remediate, and in some cases overhaul, their data privacy governance programs.
But the GDPR was just the beginning. Not long after it took effect, the California Consumer Privacy Act of 2018 (CCPA), which has provisions similar to, but not identical to, the GDPR, was signed into law. It takes effect on Jan. 1, 2020, with enforcement deferred until July 1, 2020. Since the CCPA's enactment, all 50 states have either introduced their own data privacy legislation or amended their data breach notification laws. Organizations seeking compliance with the growing number of data privacy regulations will need to remain vigilant, especially those that rely heavily on personal data.
The End of the Beginning
In California's wake, South Carolina and Vermont are the latest U.S. states to enact their own unique data protection legislation, taking an industry-centric approach — an approach other states are expected to emulate in the very near future.
South Carolina is the first state to adopt breach notification and cybersecurity requirements based on the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law; they apply to all insurers, agents and other licensed entities authorized to operate under the state's insurance laws. Vermont's new law, effective as of February 2019, applies to companies in the "data broker" industry and requires minimum security standards, annual registration and a host of other obligations.
Meanwhile, in June 2018, Alabama became the 50th and final state to adopt a data breach notification law. It requires written notice to affected individuals within 45 days of determining that a breach has occurred, with additional notice to the state Attorney General when a breach affects more than 1,000 Alabama residents.
While the U.S. data privacy regime has begun to take shape in a piecemeal, state-by-state fashion, national legislation isn't outside the realm of possibility. Democratic Senator Ron Wyden, one of Congress's best-known privacy hawks, has begun circulating a draft bill that would expand the FTC's powers. The bill would establish privacy and cybersecurity standards while giving the FTC the power to fine companies for a first offense.
Brian Schatz, the senior senator from Hawaii, introduced his own bill, co-sponsored by 14 other Democrats, in December 2018. The Data Care Act of 2018 would require companies to "reasonably secure" identifying information and to refrain from using it in harmful ways.
The Unique Compliance Challenges Facing Middle Market Firms
Despite last year's GDPR deadline, many organizations are still struggling to implement all the data privacy compliance standards required of them. Several large companies have already faced substantial fines from EU data protection authorities for failing to adequately protect personal data from breaches and/or to properly disclose how consumer data was being collected or used. Others have been fortunate to avoid penalties thus far, but any lingering leniency has come to an end.
Companies of all sizes face challenges when it comes to ramping up their privacy governance and compliance programs. While larger organizations might have the budget, middle market firms in particular are strapped for the resources needed to support the heavier compliance burden.
Then there's the fact that some organizations still haven't taken the GDPR as seriously as required, or are operating under the false assumption (or hope) that they fall outside its jurisdiction. According to BDO's 2019 Inside E-Discovery & Beyond Survey of corporate counsel, just 2% of respondents believe the GDPR doesn't apply to them. Those 2%, and any other late adopters, have a much steeper hill to climb to get into compliance with the CCPA and other U.S. legislation.
Efficiency and expediency are therefore key: Organizations need to harmonize disparate rules and regulations to avoid redundancy and streamline compliance efforts. Automating data discovery and individual data request responses can also yield significant efficiencies. And in some cases, outsourcing data privacy and protection management can be more cost-effective and less time-intensive than hiring or retraining internal employees.
Implications of Data Privacy Regulations
If there was any doubt, it's now abundantly clear: data privacy regulation comes with real teeth. Companies that violate the GDPR are potentially on the hook for fines of up to €20 million or 4% of their worldwide annual turnover, whichever is higher, and fines upward of $200 million have already been announced. With EU data protection authorities adding staff, companies can only expect greater scrutiny and enforcement in the GDPR's second year. The CCPA's civil penalty of up to $7,500 per intentional violation might seem relatively small in comparison, but consider a tech company with 1 million+ users: statutory damages of $100 to $750 per affected California resident per incident, available under the CCPA's private right of action for data breaches, add up quickly. Add a class action lawsuit, and the claimed damages could lead to exorbitant costs.
Even if an organization evades regulatory action, the reputational impact and loss of trust can be just as damaging. In the wake of a privacy breach, customers may pull their dollars and move to a competitor. They may even launch public campaigns against organizations that failed to protect customers' personal information (PI).
By putting individuals in the driver's seat, the GDPR, CCPA and other emerging data privacy regulations have dramatically changed company-customer relationships — and how businesses view customer engagement. Because individuals now have the right to withdraw consent at any time, as well as demand disclosure of how their data is being collected, processed and shared, the burden falls to companies to prove and record how an individual agreed to certain actions.
Consequently, there are far-reaching implications for every business department. Sales and marketing teams will need to reevaluate the way they prospect and manage their marketing campaigns (especially those that are digital). Legal departments will have to continuously review all existing and forthcoming privacy regulations to update necessary disclosures and ensure program compliance. IT will be on the constant lookout for new cyber threats and will be on the hook for insufficient training or company negligence.
However, the growing compliance burden is not without blessings. Organizations that take data privacy seriously will be able to build up trust and loyalty with their customers and in their brand. It will also level the playing field: All things being equal, customers will opt to entrust their data to firms with strong, documented privacy and cybersecurity practices.
Improving Data Privacy & Security: The Road Forward
With all this in mind, how can companies prepare to face the numerous data privacy regulations ahead?
If they haven't yet, they should start or continue to:
- Interview the teams primarily responsible for interacting with particular types of data, as well as relevant service providers;
- Identify and map their data sources, whether it's in-house or external to their operations;
- Operationalize their privacy policies to drive employee compliance and to detect and address non-compliance;
- Gather documentation to update and maintain data registers, logging information about processes and systems that store personal and sensitive information;
- Train employees regarding their responsibility to protect personal information (and continue to do this on a regular basis);
- Restructure data retention and classification capabilities by updating records retention schedules, developing more stringent data disposition practices and developing and updating data classification programs; and,
- Ensure that their online privacy policies and notices match their actual practices.
Companies seem to be taking a less aggressive approach in their CCPA preparations than they did with the GDPR. Nevertheless, those affected by the former — including organizations that operate in California and collect personal information of California residents, their households or electronic devices — need to be aware that being GDPR-compliant does not necessarily prepare them for also being CCPA-compliant.
But there is a way forward. Organizations affected by the CCPA that already run a GDPR individual rights response program should extend it to cover CCPA consumer requests; those that have not yet instituted one should establish a CCPA consumer rights management program now and design it so that the two regimes are handled by one integrated process. To do this, they will first need to consider the teams currently in place who manage customer requests or provide help desk support; the necessary infrastructure may already reside within those teams. Then they should consider whether that staff has the capacity and ability to respond to and track consumer requests within the statutory deadlines. If not, they should consider adding resources, both technology and customer service.
Finally, companies should begin documenting their processes now. With a 12 month "look back" requiring companies to catalog, preserve and be prepared to disclose PI dating back 12 months before the CCPA's effective date, organizations will need to have current information about how they use and share data.
Karen A. Schuler is a Principal and the Governance, Risk & Compliance National Leader at BDO USA. As founder of one of the first digital forensics consulting firms in the 1990s, she quickly became a thought leader in e-discovery and digital forensics, focusing on intellectual property, securities and insider trading investigations. Over the years she has authored wide-ranging information governance, data protection and e-discovery books and articles, has provided expert testimony in several high-stakes litigations, and has been named an expert in more than 100 cases over the last 15 years.