GDPR and CCPA Are Just the Beginning for the Middle Market
Organizations seeking compliance with the growing number of data privacy regulations will need to remain vigilant, especially for organizations that rely heavily on personal data.
September 16, 2019 at 07:00 AM
9 minute read
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
Data privacy and cybersecurity are easily the hot button issues of the decade. For many organizations, preparing to comply with the EU's General Data Protection Regulation (GDPR), effective as of May 25, 2018, was a herculean feat and those efforts continue as new guidance is released and companies look to improve their data privacy governance and compliance programs. The most significant overhaul to the EU's data privacy policies in over 20 years, with extraterritorial reach, the new regime forced American businesses to remediate, and in some cases, overhaul their data privacy governance programs.
But the GDPR was just the beginning. Not long after its implementation, the California Consumer Privacy Act of 2018 (CCPA) — which has provisions similar to, but not identical to, the GDPR — was ratified to come into effect as of Jan. 1, 2020, with enforcement deferred until July 1, 2020. Since the CCPA's enactment, all 50 states have either introduced their own data privacy legislation or amended their data breach notification laws. Organizations seeking compliance with the growing number of data privacy regulations will need to remain vigilant, especially those that rely heavily on personal data.
The End of the Beginning
In California's wake, South Carolina and Vermont are the latest U.S. states to enact their own unique data protection legislation, taking an industry-centric approach — an approach other states are expected to emulate in the very near future.
South Carolina is the first state to adopt breach notification and cybersecurity requirements based on the National Association of Insurance Commissioners Model Law, applicable to all insurers, agents and other licensed entities authorized to operate under the state's insurance laws. Vermont's new law, effective as of February 2019, is applicable to companies in the "data broker" industry and requires minimum security standards, annual registration and a host of other obligations.
Meanwhile, in June 2018, Alabama became the 50th and final state to adopt a data breach notification law, introducing a 45-day written notification deadline for all breaches affecting over 1,000 Alabama residents.
While the U.S.'s data privacy regime has begun to take shape in a piecemeal, state-by-state fashion, national legislation isn't outside the realm of possibility. Democratic senator Ron Wyden, one of Congress's best-known privacy hawks, has begun circulating a draft bill that would expand the FTC's powers. The bill would establish privacy and cybersecurity standards, while giving the FTC the power to fine companies for their first offense.
Brian Schatz, the senior senator from Hawaii, introduced his own bill, co-authored with 14 other Democrats, in December. The Data Care Act of 2018 would require companies to "reasonably secure" identifying information and vow not to use it in harmful ways.
The Unique Compliance Challenges Facing Middle Market Firms
Despite last year's GDPR deadline, many organizations are still struggling to implement all the data privacy compliance standards required of them. Several large companies have already faced substantial fines from the European Commission for failing to adequately protect personal data from breaches and/or properly disclose how their consumer data was being collected or used. Others have been fortunate to avoid penalties thus far, but any lingering leniency has come to an end.
Companies of all sizes face unique challenges when it comes to ramping up their privacy governance and compliance programs. While larger organizations might have the budget, companies of all sizes are strapped for resources to support the heavier compliance burden.
Then, there's the fact that there are still some organizations that haven't taken the GDPR as seriously as required — or are operating under the false assumption (or hope) that they fall outside its jurisdiction. According to BDO's 2019 Inside E-Discovery & Beyond Survey of corporate counsel, just 2% of respondents believe the GDPR doesn't apply to them. Those 2% — and any other late adopters — have a much steeper hill to climb to get into compliance with the CCPA and other U.S. legislation.
Efficiency and expediency are therefore key: Organizations need to harmonize disparate rules and regulations to avoid redundancy and streamline compliance efforts. Automating data discovery and individual data request responses can also yield significant efficiencies. And in some cases, outsourcing data privacy and protection management can be more cost-effective and less time-intensive than hiring or retraining internal employees.
Implications of Data Privacy Regulations
If there was any doubt, it's now abundantly clear: data privacy regulation comes with real teeth. Companies that violate the GDPR are potentially on the hook for up to 4% of their gross annual turnover — and fines upward of $200 million have already been levied. With the number of Data Protection Commission staff in the EU growing, companies can only expect greater scrutiny and enforcement in the GDPR's second year. The CCPA's fine of $7,500 per violation might seem relatively small in comparison, but if you consider a tech company with 1 million+ users, the potential for a minimum statutory damage of $100 up to $750 per affected California resident adds up pretty quickly. Throw in a class action lawsuit, and claimed damages could lead to exorbitant costs for companies.
Even if an organization evades regulatory action, the reputational impact and loss of trust can be just as damaging. In the wake of a privacy breach, customers may pull their dollars and move to a competitor. They may even launch public campaigns against those organizations that failed to protect customers' personal information (PI).
By putting individuals in the driver's seat, the GDPR, CCPA and other emerging data privacy regulations have dramatically changed company-customer relationships — and how businesses view customer engagement. Because individuals now have the right to withdraw consent at any time, as well as demand disclosure of how their data is being collected, processed and shared, the burden falls to companies to prove and record how an individual agreed to certain actions.
Consequently, there are far-reaching implications for every business department. Sales and marketing teams will need to reevaluate the way they prospect and manage their marketing campaigns (especially those that are digital). Legal departments will have to continuously review all existing and forthcoming privacy regulations to update necessary disclosures and ensure program compliance. IT will be on the constant lookout for new cyber threats and will be on the hook for insufficient training or company negligence.
However, the growing compliance burden is not without blessings. Organizations that take data privacy seriously will be able to build up trust and loyalty with their customers and in their brand. It will also level the playing field: All things being equal, customers will opt to entrust their data to firms with strong, documented privacy and cybersecurity practices.
Improving Data Privacy & Security: The Road Forward
With all this in mind, how can companies prepare to face the numerous data privacy regulations ahead?
If they haven't yet, they should start or continue to:
- Interview the teams primarily responsible for interacting with particular types of data, as well as relevant service providers;
- Identify and map their data sources, whether it's in-house or external to their operations;
- Operationalize their privacy policies to drive employee compliance and enforce against non-compliance;
</gre_replace>
<gr_replace lines="37-38" cat="clarify" orig="Finally, companies">
Finally, companies should begin documenting their processes now. With a 12-month "look back" requiring companies to catalog, preserve and be prepared to disclose PI dating back 12 months before the CCPA's effective date, organizations will need to have current information about how they use and share data.
Karen A. Schuler is a Principal, Governance, Risk & Compliance National Leader at BDO USA. As founder of one of the first digital forensics consulting firms in the 1990s, she quickly became a thought leader in the areas of e-discovery and digital forensics and focused on intellectual property, securities and insider trading investigations. Over the years she has authored wide-ranging information governance, data protection and e-discovery books and articles, has provided expert testimony for several high-stakes litigations, and has been named an expert in more than 100 cases over the last 15 years.
- Gather documentation to update and maintain data registers, logging information about processes and systems that store personal and sensitive information;
- Train employees regarding their responsibility to protect personal information (and continue to do this on a regular basis);
- Restructure data retention and classification capabilities by updating records retention schedules, developing more stringent data disposition practices and developing and updating data classification programs; and,
- Ensure that their online privacy policies and notices match their actual practices.
Companies seem to be taking a less aggressive approach in their CCPA preparations than they did with the GDPR. Nevertheless, those affected by the former — including organizations that operate in California and collect personal information of California residents, their households or electronic devices — need to be aware that being GDPR-compliant does not necessarily prepare them for also being CCPA-compliant.
But there is a way forward. Those that are affected by the CCPA but have not yet instituted a GDPR individual rights response program should now establish a CCPA consumer rights management program and integrate the two. To do this, they will first need to consider the teams currently in place who manage customer requests or provide help desk support; the necessary infrastructure may reside within those teams. Then, they should consider the staff and whether they have the capacity or ability to respond to and track consumer requests. If not, they should consider adding resources, both technology and customer service.
Finally, companies should begin documenting their processes now. With a 12 month "look back" requiring companies to catalog, preserve and be prepared to disclose PI dating back 12 months before the CCPA's effective date, organizations will need to have current information about how they use and share data.
Karen A. Schuler is a Principal, Governance, Risk & Compliance National Leader at BDO USA. As founder of one of the first digital forensics consulting firms in the 90's, she quickly became a thought leader in the areas of e-discovery and digital forensics and focused on intellectual property, securities and insider trading investigations. Over the years she has authored wide-ranging information governance, data protection and e-discovery books and articles and has provided expert testimony for several high stakes litigations, among being named an expert in more than 100 cases over the last 15 years.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.