English poet Thomas Gray may have coined the phrase “ignorance is bliss” in 1747, but he most assuredly wasn’t looking down the barrel of a hefty monetary fine for data privacy noncompliance in 2022.
Depending on your revenue, the fines can be a mere nuisance or sound a death knell for the business. Your brand, too, can take a hit as customers and even employees scurry to competitors they believe will keep their data safer.
The largest fine on record for violations of the European Union’s General Data Protection Regulation (GDPR) was issued in July 2021 against Amazon. The decision came three years after a collective legal action led by a French privacy group filed the original complaint. The planet’s largest online retailer appealed three months later, in October, on the grounds that it had not violated the GDPR. Improper processing of customer data is at the core of the legal battle.
At $865 million (746 million euros), Amazon’s fine is far beyond the flat ceiling of the GDPR’s penalty scale, which tops out at 20 million euros or 4% of annual global revenue, whichever is higher.
If you’re doing global business, you need to sharpen your pencils and stay abreast of the latest rules and regulations around the world that may affect your operations. While 4% may be a nuisance for a tech giant, it can be a major blow to a mid-sized enterprise.
Even as whispers of new legislation grow, a law can take years to pass and more years still to take effect. The GDPR, first proposed in 2010, was passed in 2016 and became effective in 2018. This window is typically granted to give businesses time to “catch up” and be operating within the new rules by the effective date. Because technology moves at lightning speed compared with the legislative process, the 2016 GDPR will likely be due for a reboot.
Other key privacy laws to consider:
China: A great deal of attention has been paid to China’s first Personal Information Protection Law (PIPL), which was passed in August 2021 and became effective just 10 weeks later, on November 1 (see related story in this issue).
United States: The Federal Trade Commission (FTC) generally oversees enforcement of the national laws on the books pertaining to data privacy and security. The FTC Act of 1914 created the commission and remains the foundational statute empowering it to prevent unfair or deceptive acts in commerce, levy fines and other penalties, direct regulatory measures, gather information, and present its findings publicly and before Congress.
Other agencies and various legislative acts cover specific sectors and govern what information can be used or disclosed, including:
Health Insurance Portability and Accountability Act (HIPAA, enacted 1996; Privacy Rule in force since 2003) — Governs disclosure of patient information and a patient’s right to see records and request changes.
The Office for Civil Rights within the Department of Health and Human Services is tasked with investigating and enforcing HIPAA violation complaints. Fines range from $100 to $50,000 per violation, depending on the level of negligence found; in the most severe cases, an annual maximum of $1.5 million per provision applies, and criminal charges are possible.
The Gramm-Leach-Bliley Act (GLBA, 1999) — Covers financial institutions, requiring them to protect sensitive customer data and to give customers a clear explanation of their information-sharing practices. Institutions must inform customers that they have the right to opt out of having their personal data shared with non-affiliated third parties.
Continued compliance means the organization must notify each customer of this information annually, a business process that can be addressed with appropriate automation. In addition, a written program describing the measures in place to safeguard customer data is required.
Cybercriminals posing as a customer often target the institution’s representatives, offering just enough personal detail to convince the representative to hand over account information. Known as pretexting, this gives the thief an entry point to either get into the system or steal from the customer, and it is the conduct GLBA’s anti-pretexting provisions were written to prohibit.
Financial institution fines can go as high as $100,000 per violation along with up to 1% of company assets. Employees are not exempt and can be fined up to $10,000 per violation. In extreme cases, they could face a $1 million fine and a prison sentence of between 5 and 12 years.
Along with HIPAA and GLBA, the U.S. has other sector-specific regulations, including the Fair Credit Reporting Act (FCRA, 1970) and the Privacy Act of 1974.
As these separate and complex data standards and security requirements are developed at the national level, enterprises must also meet state-level and state-specific compliance standards. In some cases the national and state levels have acted in concert: a 2020 HIPAA matter resulted in a $39.5 million settlement against a health insurer for compromised health records of more than 79 million individuals.
Notably, California, Virginia, and Colorado have enacted consumer data privacy laws. Sixteen states and the District of Columbia have no such law and none under consideration in the legislature; Hawaii and Louisiana established task forces in place of a law. The remaining states have data privacy legislation at some stage of exploration.
How can businesses help themselves to be in a position of compliance?
In the U.S., at the national level, businesses can look to the FTC and HHS for guidance by examining their published summaries of enforcement actions and top compliance issues. At the state level, the attorneys general’s offices provide similar resources.
For businesses with a global reach, understanding the specific local rules and building an infrastructure that can manage the intrinsic details is complex. Michael Loggins is global vice president, Information Technology, for SMC Corporation of America, a pneumatic technology manufacturer with production facilities in 30 countries and a sales network spanning 83 countries. Its largest revenue markets are Japan and China.
How data is classified changes across the globe, and mobile phone numbers offer a very specific example to which enterprises should pay close attention.
“Data classification is unique. In the U.S., cell phone data is not identifiable information. In China, it is identifiable,” Loggins said. “WeChat and WePay mechanisms are your identifier for payments; phones have credit cards, identity numbers, and addresses. Phone numbers have a much higher value to keep protected than in U.S. and Europe.
“There are similarities to some laws, but they are not the same,” Loggins said. “What China, EU, and California think are important are not the same. You can’t design to the overlap; you must design to the specifics of the law. And you can’t put a big net over it all because the same data doesn’t exist.”
He offers as an example SMC’s approach to the PIPL, which differs from the cybersecurity laws already in place in China.
“With China security laws, we put some in place for cybersecurity. Now there are more stringent privacy requirements. Our architecture from an infrastructure and application standpoint was too rigid to be modified to support the privacy laws.”
In-country disaster recovery and business continuity
Loggins recommends that enterprises maintain data compliance by re-examining their disaster recovery and business continuity plans. He advises businesses to make in-country disaster recovery plans specifically, rather than stretching one plan across multiple jurisdictions.
He also calls for breaking up application design so that each component is data- and context-aware, and for building synchronization capabilities that keep in-country data where it belongs. Left unchecked, a customer relationship management (CRM) package might let a global organization pull data out of China in violation of its cross-border data transfer rules.
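The design Loggins describes, data-aware application logic plus synchronization that keeps in-country data in-country, can be illustrated with a small residency guard. The block below is an added example written for this article, not SMC’s code: the policy table, the per-jurisdiction keys and the two customer records are constructed placeholders, and the field lists mirror the phone-number distinction drawn above rather than stating what any law requires. The guard classifies each record under the rules of the jurisdiction it was collected in, replicates it in full only where that jurisdiction’s policy permits, and otherwise strips the identifiers and replaces them with an opaque reference so a global CRM can still count and link records without ever receiving the identifying fields.

```python
"""Jurisdiction-aware classification and residency guard for record sync.

Added example, not SMC's code. The policy table, keys and records below are
constructed for illustration; the field lists are not legal determinations.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed policy table. The same field is classified differently by
# jurisdiction: "phone" is an identifier under the CN entry but not under
# the US entry, mirroring the distinction drawn in the article. Which
# destinations a record may be replicated to is a placeholder for the
# GRC team's ruling, not a statement of what any law permits.
POLICY = {
    "CN": {"identifiers": frozenset({"customer_id", "name", "phone", "id_number",
                                     "address", "wechat_id"}),
           "replicate_to": frozenset()},              # stays in-country
    "EU": {"identifiers": frozenset({"customer_id", "name", "phone", "address", "email"}),
           "replicate_to": frozenset({"EU"})},
    "US": {"identifiers": frozenset({"customer_id", "name", "address", "email"}),
           "replicate_to": frozenset({"US", "EU"})},
}

# Per-jurisdiction HMAC keys (constructed). Each key is held only by the
# in-country system, so the opaque reference it mints lets a global CRM
# count and link records without receiving, or reversing, any identifier.
RESIDENCY_KEYS = {"CN": b"cn-resident-key", "EU": b"eu-resident-key", "US": b"us-resident-key"}


@dataclass(frozen=True)
class SyncDecision:
    mode: str            # "full", "minimized" or "blocked"
    payload: dict        # what may leave the origin jurisdiction
    withheld: frozenset  # fields kept in-country
    reason: str


def classify(record: dict, origin: str) -> frozenset:
    """Return the record's fields that are identifiers in the origin jurisdiction.

    Fails closed: an origin with no policy raises rather than defaulting to
    "nothing here is sensitive".
    """
    if origin not in POLICY:
        raise ValueError(f"no classification policy for {origin!r}; refusing to guess")
    return frozenset(f for f in record if f in POLICY[origin]["identifiers"])


def opaque_ref(record: dict, origin: str) -> str:
    """Deterministic, non-reversible reference to the in-country record (needs customer_id)."""
    msg = f"{origin}:{record['customer_id']}".encode()
    return hmac.new(RESIDENCY_KEYS[origin], msg, hashlib.sha256).hexdigest()[:16]


def plan_sync(record: dict, origin: str, destination: str) -> SyncDecision:
    """Decide what a sync from origin to destination may carry."""
    identifiers = classify(record, origin)          # raises for unknown origin
    if destination == origin or destination in POLICY[origin]["replicate_to"]:
        return SyncDecision("full", dict(record), frozenset(),
                            f"{origin}->{destination}: replication permitted")
    payload = {k: v for k, v in record.items() if k not in identifiers}
    if not payload:                                  # nothing but identifiers: send nothing
        return SyncDecision("blocked", {}, identifiers,
                            f"{origin}->{destination}: record is identifiers only")
    payload["resident_ref"] = opaque_ref(record, origin)
    return SyncDecision("minimized", payload, identifiers,
                        f"{origin}->{destination}: identifiers withheld in-country")


def sync_batch(records: list, destination: str) -> dict:
    """Apply plan_sync to (origin, record) pairs; returns counts per mode."""
    counts = {"full": 0, "minimized": 0, "blocked": 0}
    for origin, record in records:
        counts[plan_sync(record, origin, destination).mode] += 1
    return counts


# Constructed sample records (fictitious values).
CN_CUSTOMER = {"customer_id": "c-1001", "name": "Li Wei", "phone": "+86 10 0000 0000",
               "wechat_id": "liwei_demo", "address": "Shanghai", "product": "SY5000",
               "order_total": 1234.50}
US_CUSTOMER = {"customer_id": "c-2002", "name": "Pat Jones", "phone": "+1 317 555 0100",
               "email": "pat@example.com", "product": "SY5000", "order_total": 980.00}

if __name__ == "__main__":
    for origin, rec in (("CN", CN_CUSTOMER), ("US", US_CUSTOMER)):
        d = plan_sync(rec, origin, "US")
        print(origin, "-> US:", d.mode, sorted(d.payload), "withheld:", sorted(d.withheld))
    print(sync_batch([("CN", CN_CUSTOMER), ("US", US_CUSTOMER)], "US"))
```

Two design choices matter here. The guard fails closed on a jurisdiction it has no policy for, since silently treating unknown data as non-sensitive is exactly the “big net over it all” approach the interview warns against. And the classification is keyed on where the record was collected rather than on the field name alone, so the same phone number is withheld from a CN-to-US sync but travels freely within the US policy’s permitted destinations.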
Governance risk and compliance strategy
Loggins said he agrees with the need to protect citizens’ data, and he expects more stringent privacy laws to proliferate, both in individual U.S. states and in other countries, including Russia. Businesses would be wise to stay alert, but not to make changes while a law is still in draft form.
Making good use of a governance, risk and compliance (GRC) group can help enterprises navigate these murky waters and maintain a compliant IT framework. Loggins said his GRC team currently supports 12 jurisdictions and 97 privacy laws, with 15 more laws pending globally.
Enterprises’ responsibility for data security and compliance
With so many data privacy laws around the globe resting on enterprises’ shoulders, employees and employers alike should hold themselves to a high standard, says Steve Cobb, CISO for OneSource.
“Organizations need a culture of wanting to protect their clients and data. They should ask, ‘What do the inputs into our planning, revenue, and bottom line look like? We need to respect and plan for policies and tools and staff to protect the data.’
“Enterprises aren’t considering this. When you look at regulations and a compromise or breach, that’s the first hurdle all businesses need to get over. You have data and are using it to generate revenue. You’re responsible to keep it private.
“Understand what data you have. The data you collect or create through intellectual property, not to mention what you gather — understanding and classifying should have effort and focus. It’s an awareness discussion to grasp the impact both to your reputation and financially if a data breach was to be realized against your company. Don’t have good policies in place for data discussion? It starts here by asking the right questions, like ‘Can we get rid of data? Does it harm my business or increase risk by removing or keeping?’”
Cobb said he has heard of cases where some individuals are now considering personal liability insurance outside of the organization.
“That is a talking point beginning to come about. It’s startling, and it gives people inside an enterprise one more thing to consider: what their liability is and what their risks are outside the organization.”