In its Global Risks Report 2018 at the beginning of the year, the World Economic Forum ranked data fraud or theft as the fourth-highest risk in terms of likelihood, citing exponential increases in recorded data breaches and their financial toll. As predicted in the “2018 Cyberrisk Landscape” from Risk Management’s January/February issue, between the implementation of several major regulations and developments in new or evolving measures, 2018 has been a key year for cyberrisk regulation, particularly with regard to data security and privacy.
Worldwide, several significant anticipated regulations went into force this year, including the EU’s General Data Protection Regulation (GDPR) and Australia’s Privacy Amendment (Notifiable Data Breaches) Act.
A number of countries have also either passed or are in various stages of considering data localization laws requiring any enterprise that processes or stores their citizens’ data to have a physical location in the country and host that data locally. Vietnam passed such a law, which will go into effect in January, and localization is one of the top issues in India’s ambitious Draft Personal Data Protection Bill, which has likely been sidelined until sometime in 2019 but is already drawing considerable concern. China’s Cybersecurity Law, which took effect in 2017 but included a grace period for most companies until December 2018, focuses on a wide range of cybersecurity issues, but one of its most notable provisions for foreign entities pertains to data localization. Under the regulation, certain organizations have to keep personal information collected in mainland China within mainland China and must conduct a security impact assessment to evaluate and justify cross-border data transfer. In the rest of the Asia-Pacific region, several nations have been implementing relatively recent regulations, many of which have focused on regulating cryptocurrency and on broader cybersecurity issues rather than data protection specifically.
Given both the volume and the range of regulations governing cyberrisk and, specifically, data privacy and security, compliance is becoming even more complex and costly. In the largest economies alone, the wide variation in requirements creates profound uncertainty and inconsistency in both the rights of consumers and the obligations of enterprises. Now that such sweeping regulation as GDPR has gone into effect for any entities that do business in, with or regarding the EU and its citizens, regulators in other jurisdictions are stepping up to implement compatible standards to continue doing business, assert similar individual rights and regulatory authority and, in some cases, start levying their own fines.
As more breaches lead consumers to demand protection, regulators are beginning to quicken the pace of response, and as more authorities draft different, complex requirements, some businesses may be increasingly open to regulatory developments for the sake of efficiency in ensuring compliance across different markets. Some authorities also appear to be recognizing the possible advantage of ensuring companies can compete in markets where having compatible practices is increasingly a requirement to do business.
Companies are already seeing signs of this now that GDPR has gone into force. Complying is clearly costly. In the recent annual privacy governance report from the International Association of Privacy Professionals, companies reported spending an average of $1.3 million on GDPR compliance efforts and expect to spend an additional $1.8 million. But that investment may pay real dividends going forward: Acquiring and maintaining business relationships was cited as a key driver in working to comply, and 25% of respondents said they had changed vendors in response to GDPR, while 30% are considering such vendor changes in the future.
Here are some of the year’s most significant developments in data privacy and security regulation worldwide:
Passed this summer, some are colloquially referring to the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) as “Brazilian GDPR” and, for the most part, it earns that moniker. This regulation significantly increases the country’s data protection regime, strengthening its posture to demonstrate adequacy under the EU’s data transfer standards and making the BRIC nation one of the few countries to provide comparable data privacy protections for its residents. As with GDPR, the law asserts an extremely broad scope, claiming extraterritorial jurisdiction on data processing activities conducted not only in the country, but also any associated with goods or services offered in the country, involving individuals in the country, or using personal data collected in the country. Additionally, LGPD may be applied to activities that are conducted completely outside of Brazil but that target or affect its citizens. As with its European predecessor, the regulation requires notifying and getting consent from consumers and then taking a risk-based approach to collecting, processing and storing data, highlighting the need for businesses to prioritize data minimization, storage limitations and data security. Fines under the regulation are similar to but not quite as severe as those under GDPR, with maximum penalties reaching up to 2% of the company’s global revenue from the previous year (compared to 4% in the EU) or up to 50 million reals per infringement (almost $13 million).
Some of the other key distinctions between the measures establish more rigorous requirements in Brazil than in the EU. Like in the EU, the LGPD introduces principles like the right to data portability, the right to erasure, and the right to access personal data, but while GDPR requires that controllers comply with data subject requests within 30 days, Brazil has cut that to 15, and requires mandatory breach notification on a tighter timeline. In risky situations and when requested by authorities, entities will also need to perform risk-mapping and regulatory compliance reports in the form of preparing a data protection impact assessment that identifies risks to subjects and mitigation measures in place. As currently drafted, the law also broadens the requirement for companies to appoint a data protection official (DPO) to oversee data processing activities, and does not exempt small businesses or small-scale processing, though this may evolve as the country irons out actual implementation.
The law’s restrictions on cross-border transfer of personal data should also be of note to businesses, whether they are directly impacted by the regulations or not. In addition to those facilitated through sufficiently rigorous contractual requirements or guarantees, data transfers are only allowed to countries that the data protection authority considers to have an adequate level of data protection—criteria that relatively few nation-wide laws currently meet and that may come up more often as other countries adopt similar regulation. This policy aims to protect citizens, but it also directly impacts where Brazilian companies can do business as well as what companies can do business in Brazil. Authorities and the companies they regulate may all increasingly look to gain a business advantage from adopting compatible data governance policies.
A provision of the bill that would have established an independent data protection authority to police those requirements was ultimately vetoed by then-President Michel Temer. Temer said this was due to procedural issues, not—as some were concerned—efforts to reduce the measure’s data privacy protections and he said his office would initiate the process for creation of such a regulatory authority. This and other practical considerations of implementation will now fall to his successor, Jair Bolsonaro, the far-right candidate elected in October.
Currently, LGPD is slated to go into force in February 2020, giving companies 18 months from its official passage to ensure compliance.
Three years after the Digital Privacy Act was passed, these amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect on November 1. This update to the nation’s privacy law for the private sector most notably institutes mandatory breach notification requirements. Organizations are now required to notify the Office of the Privacy Commissioner of Canada (OPC) and any affected individuals when there is a “breach of security safeguards” regarding personal information under the enterprise’s control if it is reasonable to believe this poses “real risk of significant harm to individuals.” The guidance defines “significant harm” relatively broadly as bodily harm, humiliation, reputation or relationship damage, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property. It is worth noting that the law does not stipulate any minimum number of records that must be impacted to trigger the notification requirement—indeed, official guidance released by the OPC specifically states that a covered breach related to a single individual would still require reporting and notification.
According to the Breach of Security Standards Regulations, the regulation’s objective is four-fold:
- Ensure that all Canadians receive consistent information about data breaches that pose a risk of significant harm to them.
- Ensure that data breach notifications contain sufficient information to enable individuals to understand the breach’s significance and potential impact.
- Ensure that the commissioner receives consistent and comparable information about data breaches that pose a risk of significant harm.
- Ensure that the commissioner is able to provide effective oversight and verify that organizations are complying with the requirements to notify affected individuals of a data breach and to report the breach to the commissioner.
PIPEDA offers a valuable—or rather, costly—reminder of the direct risks companies face from the data security practices of any third parties with which they do business. Third-party service providers are responsible for a tremendous number of breaches today, and they may need to report an incident as well, but the OPC considers the company that controls the data to be ultimately responsible for reporting and notification, even if the breach occurred with the data processor.
While they are certainly fundamental parts of any organization’s approach to data security and crisis response, risk assessment and incident response planning will be particularly critical in PIPEDA compliance. As the requirement to report hinges not on the volume of records but on the potential risk posed to individuals, organizations will need to understand in detail the data they collect, store, process or transfer, and evaluate the threat posed by different breach scenarios affecting various data sets. Regulators specified that these risk assessments must consider the sensitivity of the information involved and the probability that the information will be misused. Enterprises will be expected to make these assessments and notify consumers accordingly—or be prepared to explain exactly why they determined the incident did not pose sufficient risk to trigger reporting.
Released in April, the Breach of Security Standards Regulations specifically outline the contents required for appropriately reporting an incident to regulators and issuing appropriate notification to the public. Reports must include standard information like the circumstances and time period of the event, the nature of the data potentially impacted, the number of people impacted, and the specific individual within the organization who can and will speak on the company’s behalf with OPC during an investigation. In both the report to OPC and notification to the public, the enterprise must also report the specific steps it has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm. For consumers, it also requires companies to advise victims on specific action they can take to reduce or mitigate potential risk of harm from the incident.
Companies must also maintain records of any breach of security safeguards for at least two years after the date the organization determined the breach occurred. OPC initially recommended a five-year retention policy, but this was considered too much of a burden for regulated entities as it applies to all breaches, regardless of potential risk. This could include evidence from any forensic investigation, documentation related to the notification process, and anything else that would help the OPC verify full compliance with the law.
Failure to report a breach or maintain records as required can result in fines of up to $100,000 CAN (over $75,000) for each time an individual is affected by a breach, if the federal government decides to prosecute. The current setup, however, hamstrings enforcement a bit, and it is unclear if or how much this will impact pursuing cases against companies that violate PIPEDA. Already given limited powers under the act, Privacy Commissioner Daniel Therrien told the Canadian Press that his office is notably underfunded and would likely need more staffers just to review the flood of reports expected to start coming in. He has asked for additional investigation and enforcement powers, but for the moment, his office can currently only review and advise companies, while fines would result from the Justice Department, if it decides to prosecute.
Between implementation of strict regulations like GDPR in key markets and the never-ending onslaught of data breaches, pressure is increasing on U.S. lawmakers to pass federal legislation and, in the process, not only regulate businesses, but codify the privacy rights of citizens. As U.S.-based companies work to comply with the EU’s regulations, they may prove more willing to negotiate about data collection and protection regulations in the United States and may benefit from more uniform laws across jurisdictions.
Particularly in the wake of this year’s Facebook/Cambridge Analytica scandal, momentum to pass legislation may be building on both sides of the aisle, though consensus on the substance of any such rules remains another issue. “The question is no longer whether we need a national law to protect consumers’ privacy,” Senate Commerce Committee Chairman John Thune (R-S.D.) said in a September op-ed. “The question is what shape that law should take.”
While national legislation remains uncertain, 2018 has seen some notable progress on the state level. After South Dakota and Alabama passed laws this spring, every state in the union now has its own data breach notification law. Alabama’s law may have been the last to pass, but it is hardly the least—indeed, it immediately became one of the most stringent in the United States. Alabama became one of 15 states to establish statutory obligations to maintain reasonable security measures, and went farther by outlining factors that must go into such assessment. In an effort to address the rising cyberrisk posed by third parties, the law also applies not only to covered entities, but to service providers as well. But even in just these two states, regulatory requirements with regard to key issues like breach notification vary significantly, highlighting that, while this is positive progress in promoting cybersecurity efforts and protecting consumers, the complex patchwork of provisions also presents more regulatory risk and demands more serious compliance efforts.
Regulators have been busy implementing or adding requirements for the broader cybersecurity practices of publicly traded companies. The SEC’s extensive new guidance, for example, details responsibilities for boards with regard to planning for and responding to cybersecurity threats and data breach incidents, including the need for greater cyberrisk oversight and disclosure of material breach incidents.
As federal and state regulators continue piecemeal efforts at regulating businesses and protecting consumers, many states are rolling out interesting and, in some cases, notably demanding new measures. Some of particular note from this year include:
As on many other issues, California is taking one of the country’s most aggressive approaches to regulating data privacy, with the California Consumer Privacy Act (CCPA) designed to institute GDPR-type governance. While many of the terms are still actively undergoing revision and negotiation, it clearly promises to be the most far-reaching data privacy law for American consumers. State legislators passed SB 1121 in August, and the governor signed this first round of revisions into law in September, including a delay for implementation and enforcement by the attorney general’s office to July 1, 2020.
The CCPA defines personal information quite broadly as any data element that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” Upon request, companies will have to report to consumers what personal information of theirs has been collected, why it was collected, whether it is being sold and to whom. It also gives individuals the right to access their personal information, to request such information be deleted, and to opt-out of the sale of their data. Additionally, children under 16 must actively opt-in for their information to be sold.
Under the current terms being pushed forward, companies will get 30 days to rectify any violations after notice of noncompliance from the state attorney general. Noncompliance can then result in costly penalties, though these are much lower than under GDPR. The CCPA permits consumers to recover up to $750 per violation or their actual damages, whichever is greater, and the attorney general can recover a penalty of up to $7,500 per violation in cases where the business intentionally violated the statue.
While many states are examining wide-ranging standards and requirements to boost cybersecurity postures, others are evaluating ways to incentivize more rigorous cyberrisk management and data security practices. Ohio’s SB 220 is an example of one such effort. Signed in August, the law establishes a liability safe harbor for covered entities that design, implement and maintain certain specified cybersecurity practices but still experience a data breach.
A company can avoid tort liability for claims of negligence or invasion of privacy, for example, if it can prove that its security program meets standards outlined in the law. At the time of the breach, the company must have both established and adequately maintained a cybersecurity program that includes administrative, technical and physical safeguards for the protection of personal information, including a written security plan, and reasonably conforms to one of several specified cybersecurity frameworks. Many companies may already be some or all of the way to satisfying the requirements for a written security plan if they follow certain existing regulations like the Gramm-Leach-Bliley Act or guidelines like the NIST Cybersecurity Framework.
Although the law is intended to incentivize entities, experts are not yet sure how significant the protections or incentives will actually prove when it comes to implementing security best practices. The safe harbor would not come into play in the early stages of potential litigation and companies could still face suits either under other legal bases or in other states. So soon after the law was passed, it is also hard to say how difficult it will be to meet the standards to assert an affirmative defense on this basis or how much money a company stands to spend or lose on both compliance and litigation.
Last year, the National Association of Insurance Commissioners passed the NAIC Insurance Data Security Model Law, outlining rules for insurers, agents and other licensed entities regarding data security, incident investigation and breach notification. This legal framework is only a guideline, however, until individual states adopt their own iteration.
In May, South Carolina became the first state to adopt the model law to regulate entities throughout the insurance industry operating or domiciled in the state, and the South Carolina Department of Insurance Data Security Act will be effective Jan. 1, 2019. The law holds South Carolina licensees responsible for protecting policyholders’ personal information, establishing data security standards to mitigate the potential damage of a breach, overseeing the security practices of third-party service providers, and promptly investigating data breaches or other cybersecurity events within their ecosystem. If such an event affects at least 250 people and presents a “reasonable impact” on South Carolinians, the law also requires that a licensee report it to the department within 72 hours of occurrence.
With the exception of independent contractors and firms with 10 or fewer employees, any insurance entity operating in the state must develop, implement and maintain a comprehensive written information security program based on ongoing risk assessment and report it to the South Carolina Department of Insurance by July 1, 2019. Going forward, all covered entities will be required to submit annual statements regarding these data breach response plans. Further, recognizing the critical cyberrisks related to third parties, regulated entities must require their service providers to implement and maintain security measures regarding information systems and personal data by July 1, 2020.