The importance of privacy issues has never been greater. 2020 has been a turbulent year for everyone, especially as many businesses moved to a largely remote workforce. New privacy issues have arisen, and the number of governments around the world implementing regulations to counter these issues increased. As we push forward in the new year, here are the top four privacy lessons learned from 2020 and how to apply these lessons moving forward.
The privacy regulatory landscape continued to evolve rapidly.
In 2018, any business with customers in the European Union spent much of the year preparing for the General Data Protection Regulation (GDPR). Then in 2019, any company with customers in the State of California spent significant resources ramping up for the new requirements of the California Consumer Protection Act (CCPA). 2020 has shown us that the continual tidal wave of new privacy regulations will not subside for the foreseeable future. Here are a few of the regulations we continue to track closely:
California Privacy Rights Act (CPRA)
In November, this ballot initiative passed. As we discussed in a previous blog post, the new regulation creates a new enforcement agency with the sole purpose of enforcing California’s privacy requirements. This organization will ultimately be funded by the fines it imposes and is expected to quickly ramp up to the size of the Federal Trade Commission’s privacy enforcement team. We expect the agency to start off with more aggressive enforcement against industry, both to make its mark and to gather more quickly the funding needed to enable this growth.
Brazil’s Lei Geral de Proteção de Dados (LGPD)
In many respects, Brazil’s LGPD follows the blueprint of GDPR with a few key and noteworthy differences. The EU’s general data protection law has a maximum penalty of 4% of annual revenue while LGPD has a maximum penalty of 2%. GDPR requires breach notification within 72 hours while LGPD requires notification within a “reasonable timeframe.” Within the first 18 months after GDPR went into effect, there were over 160,000 breach notifications. Although the GDP of South America is not as large as Europe’s, we may see a similar increase in the volume of breach notifications in Brazil.
Singapore’s amendments to its Personal Data Protection Act (PDPA)
Amendments to Singapore’s PDPA were passed by its parliament in November. Among several changes to the existing privacy law, PDPA requires notification within 3 calendar days and penalties for noncompliance can reach an eye-popping 10% of revenue. It will be interesting to see if Singapore brings a full 10% of revenue penalty in the early days of enforcement to set an example. The EU has chosen to take a more gradual path in bringing larger fines.
India’s Personal Data Protection Bill
India’s new privacy regulation was expected to pass in 2020, but due to the COVID-19 pandemic, it was pushed to 2021. In 2017, India’s Supreme Court declared privacy to be a fundamental human right, and most expect its new regulation to closely mirror GDPR. Many see this regulation as an essential prerequisite for India’s digital economy growth which is expected to reach $1 trillion by 2025.
China’s Personal Information Protection Law (PIPL)
In October, China released PIPL for public consultation. The draft regulation requires that breach notification is provided “immediately.” The fines at stake are up to 5% of the previous year’s revenue. The comment period for this draft regulation ended in November, which could lead to this new regulation going into effect as early as 2022. In 2018, Mark Zuckerberg referenced China’s more lax approach to privacy issues as a competitive advantage in the development of facial recognition technology. However, with the passage of PIPL and India’s law, there are fewer and fewer examples of countries without significant privacy regulation.
The COVID-19 Pandemic created new privacy considerations for all types of businesses.
Over the last ten years there has been an increasing number of privacy regulations implemented across the globe. Generally, the companies that have needed to pay close attention to these regulations mostly consisted of those that are either highly regulated or those businesses that collect, store, or process consumer data.
The pandemic has forced practically all companies to address the new privacy issues associated with their employees. First, due to employee safety concerns, employers had to start tracking employee health information. If an employee catches COVID-19, the employer needs to know exactly which other employees might have been exposed to that employee. Then the employer needs to determine whether to notify specific individuals or the office as a whole.
Now that so many employees are working remotely, there are endless potential exposures of employees’ personal and private information. In addition, the more prevalent use of video conferencing and collaboration software, as well as cloud computing, has increased the risk of potential exposure of information to third parties. Finally, by allowing employees to work from home, the attack surface for hackers has now expanded to every employee’s personal home network—which is almost universally less secure than a corporate network and thus more vulnerable to a potential cyber attack.
Schrems II forced companies to reevaluate how to compliantly transfer data between the EU and US.
As our world has become more interconnected, it has become an increasingly difficult challenge for organizations to adopt data practices that meet the standards of different countries. The EU-US Privacy Shield is a framework for data practices that was created to facilitate the transfer of data by companies between the European Union and the United States. In July, the Court of Justice of the European Union ruled in Schrems II that this framework was no longer adequate—largely due to its view of the US Government’s purported surveillance practices.
There are other mechanisms that companies can use to support the transfer of data between the EU and the US, namely Standard Contractual Clauses (SCCs), but the invalidation of Privacy Shield means that over 5,000 organizations that rely upon it must reassess how they can compliantly share data from the EU to the US. The Court did not set a deadline for companies that have been relying on the EU-US Privacy Shield framework, but companies could face significant fines from the EU if they were to ignore the ruling.
The long tail of data breaches and their cost continued to increase.
The Ponemon Institute’s annual study on the cost of a data breach revealed that for breaches of less than 100,000 records, US companies spend $8.64M per incident, which is more than a 23% increase in the average cost over just five years ago. It is important to recognize that this is the average cost for relatively smaller breaches, and excludes the mega breaches you read about in the news. For example, Equifax has spent nearly $2B (yes, two billion dollars) on its security breach in the past 3 years. The continued fallout from the Equifax breach is emblematic of the larger trend: the long tail of data breaches has lengthened and grown in cost.
How to apply the privacy lessons of 2020?
Cybersecurity threats and privacy requirements are evolving at such a dizzying pace that organizations can no longer rely on a reactive or a check-the-box mentality when it comes to privacy incident response. The minimum standard required today will very likely be outdated by next year, if not sooner. Prudent organizations need to accept this reality and build a dynamic privacy program that stays ahead of this ever-changing environment.
The BreachRx platform is designed to operate in this dynamic environment. We operationalize privacy incident response for your organization so that you can sleep better at night knowing that you will be ready for whatever incident you face next.