Since today is Data Privacy Day, what better time than today to step back and look ahead to how privacy is evolving in 2021 and beyond. Here are our top four predictions for the privacy landscape in 2021:
Regulations will expand to cover nearly half the world’s population.
One thing that you can count on as being constant when it comes to privacy and data protection regulations is that they will always be changing. According to the Westin Research Center, which tracks state-level privacy regulations across the United States, from 2018 to 2020, twelve different states proposed bills that would change their approach to privacy. Three of those states—California, Maine, and Nevada—have already signed those bills into law, and California has done it twice.
As we discussed in our last post, India and China are both expected to put new data privacy regulations into place in 2021, which would mean that an additional 35% of the world’s population may be covered by new privacy requirements once those laws go into effect. Gartner predicts that by 2024, more than 80% of organizations worldwide will be subject to privacy and data protection regulations.
Staying on top of the shifting regulatory landscape is a tall order for all companies, and those that take a check-the-box mentality when it comes to privacy and data compliance will end up feeling like the goal posts keep moving. A more proactive and strategic approach is vital to avoid falling behind. Here are some important questions to consider:
- Do your customers fully understand and consent to the processing, storing, and sharing of the data you collect from them?
- Do you understand the full life cycle of your data and the who, what, when, where, why, and how of that data throughout that life cycle?
- Is privacy a consideration from the beginning in the design of your product or service offering?
- What physical and cybersecurity protections do you have in place to prevent your customer data from being accessed or exposed by parties that are not authorized to see it or use it?
- What plans and processes have you put in place to quickly handle the inevitable privacy and cybersecurity threats that all organizations will face?
Consumers and regulators all over the world view privacy and control of personal data as a human right, and when a company does not take that right seriously, they can expect to see real consequences.
No surprise, given remote work and cloud transformation data breaches will be more frequent.
According to a 2020 study by BCG, 80% of senior executives across a range of industries indicated they the plan to accelerate their digital transformation efforts. This is no surprise as many organizations have been forced to move to a largely remote workforce, especially given the COVID-19 pandemic has accelerated the digital transformation in companies across the world. Employees being remote inherently requires businesses to be more connected digitally than ever before. It remains to be seen how much of every company’s workforce will stay remote or move to a hybrid model in a post-pandemic world, but there is no question that the remote connectivity will continue to increase for all organizations. There are many benefits associated with being able to carry out work as needed from home, but one drawback is that now every employee’s home environment is a potential attack vector for a cyberattack. It is challenging enough to protect the security of a commercial office but expanding the perimeter to your employee’s homes is exponentially more challenging.
In addition, the continued pace of cloud transformation is moving more business operations and technologies outside of the traditional security boundary. The speed and affordability of cloud technologies has made it both convenient and economic for many companies to engage quickly. While cloud was heralded as being more secure, many experts in the cybersecurity world have found believe that cloud technologies are not necessarily more secure than on-premises solutions and turn out are vulnerable simply through a bad configuration.
Companies must make sure that their remote and cloud environments are set up correctly and properly updated, which is a challenge given the pace and ease of shifting to the cloud typically outstripping the capacity and knowledge of those moving operations to it—the result of which having been seen in several recent large breaches.
We expect this new dynamic—both a more remote workforce and greater reliance on the cloud—will continue to make it easy for attackers who will likely create breaches at organizations that have never experienced them before. To be ready for this situation, companies need to establish incident response plans and procedures with the remote and cloud environments in mind to be prepared when the inevitable incident does occur. By implementing a cloud-based solution like BreachRx, you can expedite your company’s response to remote attacks and ensure that your incident response team will be able to effectively manage incidents no matter where the team members are located.
The collective potential fines for privacy breaches will reach 25% of an organization’s annual revenue.
GDPR went into effect in May of 2018. According to the international law firm CMS, as of January 2021 there have been 489 GDPR fines. The largest fine under GDPR thus far was a $57M fine assessed to Google which was recently upheld on appeal. This is nowhere near the maximum penalty of 4% of annual revenue for Google, but prior to the pandemic many expected the fines to increase because the regulators would have more time to fully build out their investigative teams and resources.
This trend seems to have played out in 2020 as the EU saw 39% increase in the value of GDPR fines. In addition, to put this in a more macro perspective, PwC’s Jay Cline has been tracking privacy enforcement actions over the last 20 years and found that of the 1400+ actions, 50% of them have occurred in the last two years, and of the $9B in penalties assessed, 95% of fines and settlements occur in the US.
Article 83 lays out the subjective factors that determine the size of a fine that an organization will face for violating GDPR. There are 11 factors listed, but most of it comes down to the character of the infringement (good faith, negligent, intentional, etc.), the impact on the data subjects, the actions the company took in response to the infringement, and the level of cooperation with the supervisory authority. Each of these point toward organizations facing smaller fines by demonstrating the use of best practices.
It won’t be long before multiple countries all fine a blatantly unprepared organization for a data breach. It’s easy to imagine a scenario where an organization runs afoul of incident response requirements for the EU, Canada, Brazil, and Singapore. If all those regulators were to bring maximum fines, a company could be on the hook for as much as 21% of annual revenue!
It is critical to reduce this potential impact and get an incident response solution in place that simplifies the complex web of incident response requirements. The BreachRx platform delivers the ultimate in incident response best practices, enabling your organization to be proactively prepared for incidents and able to respond quickly and effectively. It allows your team to be organized in a way that facilitates maximum cooperation and transparency with regulators which ultimately drives down data breach costs.
A new Federal Data Privacy Regulation will come to fruition in the United States.
Those of us that have been in the privacy world for a long time are optimistic every year that this will finally be the year that a federal privacy law comes to fruition, something that has not yet come to pass. We are going to lean in aggressively and say 2021 will be the year.
In September of 2019, 51 company CEOs sent an open letter to the US Congress to pass a federal privacy regulation that would preempt the patchwork of state regulations. Shortly thereafter, Senate Democrats released a federal privacy bill. Then fast-forward to September 2020 and Senate Republicans introduced their own privacy bill. There appears to be political will on both sides of the aisle and business community support to pass a federal privacy regulation. However, there still seems to be strong differences of opinion around two key aspects—preemption and a private right of action.
Preemption will ease the burden on businesses to keep up with so many competing state regulations, but it takes away states’ rights protect the privacy rights of its citizens, particularly when some states may seek more strict requirements than what could likely pass in Congress.
Private right of action allows citizens to sue companies that do not meet regulatory obligations. Proponents of a private right of action argue that this will allow citizens to hold companies accountable for the harm they experience from privacy-related infractions. Opponents of a private right of action point to the enormous liability this creates for businesses and the ongoing costs to constantly defend new lawsuits.
There is a big spotlight on Big Tech right now for several issues: antitrust, disinformation, nation state hacking and cybersecurity, and privacy. Overall, we think a new federal privacy regulation is more likely than ever before. That said, based on the seemingly strong political divide within the Congress, it is unlikely that a federal privacy regulation will end up being the panacea that each side seeks. Instead, it seems more doable to see something pass that either avoids the biggest points of contention and solely covers many of the data privacy issues that have bi-partisan support, or a compromise is reached where preemption is included in exchange for providing citizens a private right of action. We’re leaning toward the latter but not quite ready to make that our call.
The BreachRx platform is dynamic, so your incident and data breach response plans will be kept continuously up to date regardless of these or other changes in the regulatory environment.
2021 promises to be an exciting year when it comes to privacy and data security. The breakneck pace of change does not appear to be letting up anytime soon. Check-the-box and reactive approaches will not be sustainable or scalable. To keep pace, companies must take a proactive approach that reduces their risk and prepares them for the future.