Organizations (big and small) that rely on and process the personal data of individuals can no longer afford to overlook the ever-expanding collection of data privacy and security laws. Historically, U.S. companies have collected, used, and disclosed vast amounts of personal data with few restrictions and little oversight, with the exception of companies subject to sector-specific rules such as HIPAA. However, the days of unhindered collection and processing of personal information are rapidly fading. The EU’s General Data Protection Regulation (GDPR), a stringent law that protects individuals in the EEA whose data is collected and processed by organizations, introduced a shift in data privacy and a new world order when it came into effect in May 2018. Shortly thereafter, California passed the California Consumer Privacy Act (CCPA), now hailed as the strictest privacy law in the U.S. Though not the focus here, some states have even broader rules making their way through their legislatures, and other countries have comprehensive privacy laws on the books (or in the pipeline). Greater regulation means greater exposure on several fronts for organizations that do not comply with their privacy and security obligations.
Individual Rights and Actions
With new legislation come new rights. Under both GDPR and CCPA, individuals whose personal information is processed have the right to know what data companies collect, process and disclose (or sell). Companies have renewed obligations to be transparent, a requirement already included in §5 of the Federal Trade Commission Act (which applies to most companies). Along with transparency, GDPR and CCPA require companies to respond within a definitive time frame to access and deletion requests, among other rights. CCPA also requires opt-out (or opt-in, for minors) from the “sale” of information. Failure to honor these obligations can result in investigations, fines and, in some cases, lawsuits.
Protecting and securing personal data is also a key requirement of both GDPR and CCPA. Under GDPR, fines of up to 2% of global revenue or €10 million (whichever is higher) may be imposed in the most egregious of circumstances where an organization fails to implement appropriate security measures, plus the possibility of individual lawsuits. Although CCPA makes little mention of data security and contains no new requirements to secure personal data, it includes a private right of action in connection with security incidents: statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. In practical terms, one incident affecting just 20,000 individuals could cost a company at least $2 million. This private right of action is triggered by an unauthorized access or disclosure of a consumer’s non-encrypted personal information stemming from a covered business’ failure to implement and maintain reasonable security procedures and practices.
Whether in Europe or the U.S., enforcement actions are on the rise. EU “supervisory authorities,” as well as the FTC and state attorneys general in the U.S., have been ramping up their enforcement efforts. Below is a brief sampling of some recent fines in the U.S. and the EEA:
- United States: Bank of America was fined $1.9 million for failing to report that it was recording phone calls when customers called in to the bank’s locations.
- United States: Oath agreed to pay $5 million to settle charges of the New York State Attorney General that it conducted billions of auctions for ad space on hundreds of websites known to be directed to children, and collected, used and disclosed personal information from the websites in violation of the Children’s Online Privacy Protection Act.
- Denmark: A company was found to have more than nine million unnecessary personal records stored, and fined €1.6 million for failure to delete unused contact information.
- France: Google was fined €50 million for lack of transparency, inadequate information and lack of valid consent to process users’ personal data, particularly for ad personalization purposes.
- United Kingdom: The UK’s Information Commissioner’s Office announced plans to fine British Airways a record £183 million over the airline’s “poor security arrangements” that led to the breach of personal data concerning around 500,000 customers.
Shareholder Derivative Suits
Perhaps less critical but worth noting is the fact that organizations also have accountability to their shareholders. The dismissal of a Home Depot derivative action in 2016 ended a string of high-profile derivative suits stemming from large-scale corporate data breaches. This followed earlier dismissals of derivative actions stemming from data breaches at Wyndham Worldwide Corporation and Target Corporation. The burden on a derivative suit plaintiff to plead a valid claim against a board remains onerous. Despite these dismissals, however, boards should continue to make a good faith effort to implement and monitor an oversight system with respect to privacy and security, or face increased scrutiny from shareholders as compliance requirements in data privacy and security increase and the financial risks (and costs) of failing to do so add up. Case in point: although deemed by many privacy advocates a mere slap on the wrist, Facebook’s recent settlement with the FTC imposes specific oversight and reporting responsibilities on its CEO, and requires the company’s board to establish an “independent privacy committee” that will designate expert compliance officers to implement and maintain Facebook’s privacy program. Even a brief review of existing and proposed legislation around the world reveals a slow (but steadily growing) movement in favor of holding corporate officials accountable in some way.
Finally, of course, the cost for vendors of overlooking privacy and security when personal data is at stake can be extremely high. As privacy regulations tighten and cyber attacks increase, organizations will not hesitate to discontinue their vendor relationship or even take the vendor to court if the vendor fails to comply with applicable privacy laws or does not implement and maintain appropriate security measures, especially where a data breach occurs. Companies increasingly rely on interconnected systems and third-party products, but security incidents stemming from third-party vendors’ systems have multiplied. In fact, a staggering number of breaches, including recent high-profile incidents, involve a third-party vendor. It goes without saying that customers should always carry out appropriate due diligence before engaging vendors or using third-party products that involve data, and vendors should ensure that they are complying with privacy rules and maintaining reasonable security.
For more information on our data privacy and security practice, or if you need assistance with privacy assessments, data mapping or stakeholder training, please contact Céline Guillou or Chiara Portner.