It has become very costly to avoid data privacy compliance. While fines and penalties have existed for years in various amounts from multiple regulators, the European Union’s new General Data Protection Regulation (GDPR), effective May 25, 2018, raises the stakes. It specifies fines up to 20 million Euros or 4% of a company’s prior-year global revenue, whichever is higher, dependent on the “nature, gravity, and duration” of the violation and the “categories of personal data affected.”
Privacy is inherently important to all of us. Privacy is power – the power over self. Ever since the advent of the internet, most of our lives are purposefully conducted online, and that makes the concept of privacy even more important. The “special categories” created by GDPR’s Article 9 recognize the sensitivity of certain areas of our lives, which may have a greater impact if made public. These categories include race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, and data related to a person’s sex life or sexual orientation.
Global Privacy Trends
This concept is taking shape quite differently around the globe. The E.U. is moving towards recognizing digital privacy as a fundamental human right, and other countries are following suit with local laws to provide similar protections. At this point, the U.S. is the lone holdout for general privacy rights, but even here, we’ve provided enhanced protections for personal health information (PHI) privacy through HIPAA since 1999.
For the first time, all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands now have breach notification laws. Though often ignored, these laws typically require private entities to notify affected users and the attorney general of any security breach or unauthorized disclosure involving personally identifiable information (PII).
These laws are focused on data attributes like Social Security and driver’s license numbers, birth date and place, age, marital status, race, salary, phone number, and other demographic or financial information. Based on recent headlines and most individuals’ experiences handling the aftermath of persistent credit card and large-scale PII data breaches (e.g. Equifax), it is easy to understand the importance of keeping this private information out of the public eye.
The Cost of a Breach
Recent privacy breaches have led to executives being dragged before Congress, fines in the millions, and remediation and litigation costs in the hundreds of millions.
- Equifax (2017) – PII of 146m people: Estimated to be $439m to $600m
- Anthem PHI Breach (2015) – PHI of 80m people: $260m in remediation; fines are still being litigated
- Target Credit Card Breach (2013) – PII of 70m people: $372m in fines, penalties, and remediation
According to a 2017 study sponsored by IBM, the average cost of a data breach across businesses of all sizes globally is $3.62m, or $141 per record. Recently the New Jersey Attorney General fined a medical practice $418,000, or about $260 per patient record, when its third-party service provider caused a data breach. The Ponemon Institute, the firm that performed the IBM study, estimates that even one employee’s lost or stolen laptop may cost as much as $50,000 after all the required legal notifications are made.
Every federal and state body with privacy enforcement authority imposes higher fines for willful and uncorrected violations. Some basic steps to prevent, identify, and mitigate a privacy compliance failure include:
- Develop and maintain a comprehensive information security policy and program
- Classify sensitive or critical data and separate it from the rest of the computer network
- Ensure all systems are securely configured and regularly patched
- Implement encryption technologies to safeguard sensitive and critical data
- Restrict access to the absolute minimum necessary
- Implement comprehensive logging, monitoring, and alerting for critical events that could indicate a breach
- Develop a robust incident response and breach notification process
- Conduct regular independent third-party security assessments
What to do Next
While remediation and notification are costly, ignoring privacy compliance can be much more expensive. Prevention is more affordable than remediation, and preparation is better than litigation. The growing privacy compliance obligations can be burdensome to understand and difficult to implement. It is prudent to seek outside counsel when in doubt. Furthermore, establishing or administering information security and data privacy assessments through legal counsel may provide the defense of legal privilege if litigation is ever required.
GDPR and NIST 800-171 are two critical compliance standards affecting many businesses. Their requirements are best met through a management program that ensures proper implementation and continued compliance. I have been helping clients implement and monitor control frameworks, data privacy, and information security programs for 15 years.
My practice focuses on improving business processes to meet legal requirements – not forcing new laws on the business without proper preparation. I offer privacy and data security consulting, program development, process improvement, executive/board reporting, and traditional in-house counsel services.