2018 Trends Overview: Compliance, Privacy and Security Family Tree
In 2019, regulations and laws will continue to define how businesses collect and use consumer data, and their obligations to protect this data from misuse, theft or exposure to unauthorized parties.
February 08, 2019 at 12:25 PM
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, and In-House Counsel.
In 2018, privacy and data breach law advanced on three fronts: in Europe, with the General Data Protection Regulation (GDPR); in Canada, with the Breach of Security Safeguards Regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA); and in the United States, with the California Consumer Privacy Act of 2018 (CCPA). In 2019, each of these regulations and laws will continue to define how businesses collect and use consumer data, and their obligations to protect this data from misuse, theft or exposure to unauthorized parties.
There are subtle but important differences between compliance, privacy and security. All three are related and overlap to some extent, but each has a specific purpose. Compliance regulations are guard rails that protect the public interest from unethical, negligent or illegal activity within a corporate function or a given industry. Think of the Sarbanes-Oxley rules that oversee and standardize corporate financial reporting, or the Securities and Exchange Commission (SEC) rules around trading on public markets. Privacy regulations, on the other hand, are about keeping non-public information from exposure: they protect an individual's assumed right to purchase products and services without their information — be it financial, political or demographic — being misused or exposed to criminal elements who can leverage it for financial gain at the expense of the affected consumer. Compliance and privacy are perhaps fraternal twins, whereas security is their cousin. Security regulations are designed to detect misuse at the hands of insider practitioners, and to keep outsiders, such as criminals, from infiltrating business environments and stealing or manipulating privileged information.
There are, of course, the settlements issued by the Office for Civil Rights (OCR) for infractions of the Health Insurance Portability and Accountability Act (HIPAA), and other data breach settlements, including Uber's, which paid $148 million to the state of New York. But let's focus on a few of the marquee compliance, privacy and security regulations.
The SEC
In early 2018, the SEC updated its regulations to include rules defining how funds disclose cybersecurity risks to investors. The new guidelines also include provisions for notifying senior management so they can determine whether a data breach is material and whether investors should be notified. Perhaps more importantly, the new rules created a blackout window following the discovery of a cybersecurity event to prevent insider trading. These updates came on the heels of the Equifax data breach and the discovery that three executives had traded large volumes of stock shortly before the public notification, but after the company was aware of the breach.
Also in the realm of financial services, the New York Department of Financial Services (DFS) continues to roll out its Cybersecurity Regulations (NYCRR500), perhaps the gold standard in prescriptive security regulation. January 2018 introduced the first round of annual written compliance notifications to the DFS superintendent and the 72-hour cybersecurity event notification requirement. Both rules are designed to create transparency in the event of a material data breach and, through legal attestation, to hold officers of the company legally accountable for the security posture of the firm and for reporting security events that could harm their clients. The rules go further and tighten board reporting mechanisms, annual security testing and other security protocols designed to harden financial cyber defenses. The last tranche of DFS cybersecurity rules takes effect this year.
The GDPR
The greatest tectonic shift in compliance and privacy rules came in May, when the European Union General Data Protection Regulation (GDPR) came into effect. GDPR imposes strict obligations on data controllers (those that collect data and determine its use) and data processors (those that store or manipulate data on behalf of data controllers), while simultaneously offering more guidance on appropriate security standards. GDPR also mandates a 72-hour breach notification guideline, which is more stringent than most state-level notification clauses that use terms like “reasonable and timely.” Moreover, these rules give consumers the right to know what information is collected and for what purpose, as well as the right to be forgotten. Failure to comply with GDPR brings the heftiest fines, of up to 4% of a non-compliant firm's worldwide revenue.
Whether firms in Europe, and in other countries that control European citizens' data, are truly committed to compliance remains an open question: there is no consensus, and the rules have yet to be tested in the courts. The recent Marriott breach, discovered in September but not reported until the end of November, will surely test these rules and EU privacy commissioners' resolve to enforce the 72-hour notification articles.
Canada
In November, the Canadian Breach of Security Safeguards Regulations of the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force, mandating notification requirements triggered by the discovery of a significant data breach. Under the new regulations, organizations that experience a data breach must conduct a risk assessment to determine if the breach poses a real risk of significant harm to any individuals whose information was exposed, and then notify “as soon as feasible” the Privacy Commissioner, affected individuals and any other agency (think law enforcement) that might mitigate harm to those affected. Violations of the Act can yield fines of up to $100,000.
California
Voted into law in 2018 but not in effect until January of 2020, the California Consumer Privacy Act (CCPA) is the Plymouth Rock of privacy in the United States. The law cites the tens of millions of people whose personal data was misused by the data mining firm Cambridge Analytica, a growing desire to heighten data privacy controls and the transparency of data practices, and the people's desire for privacy and more control over their information. The Act provides specific provisions around full disclosure of the collection of personal information (including its sources, the purpose, and whether the data is disclosed or sold to another party). It also provides the right to be deleted (like the GDPR right to be forgotten) and wraps these rights in a guarantee of equal service and pricing even if the individual exercises his or her rights under the Act (the net neutrality of privacy). The Act is enforced with penalties of up to $100-$750 USD per consumer (per violation). That puts settlements in the sphere of GDPR penalties.
Study Warns of Major Cyber Attack
In a recent independent study of 1,250 global security and business leaders, CEOs, board members and technical executives unanimously predict a major cyber attack in the next two to five years. Over 60% of respondents assume a major event will occur. Business leaders now fear the consequences of a major cyber attack more than regulatory retaliation. Operational disruption and reputational damage are of greater concern than potential financial losses and regulatory penalties. This trend reflects a shift from a compliance-centric security approach (avoiding punishment) to a more self-actualized mindset determined to reduce the risk of business-altering outcomes in order to protect the organization, its investors and its clients.
As a result, the idea that “the CISO is the least interesting person to the board, until they are the most important person” is a thing of the past. Most boards are now strongly familiar with security budgets, strategies and policies, technologies, and current security and privacy risks. Line of sight to the board is also direct. Almost half of the surveyed security officers report to the board or CEO, a third report to the CIO (which is problematic), and a small handful now report to a privacy or data officer.
Privacy in 2019
Perhaps the greatest innovation of the 21st century is turning the consumer into the product. In a connected world of Apple, Google, Amazon, Facebook and others, consumer preferences and behaviors are the raw materials for big data analytics that become a commodity for sale. As we've seen before, compliance and regulations often play catch up to technical innovation. And in 2018, compliance turned to focus more on privacy, perhaps the counterbalance to a new economy of “the consumer is the product.” 2018 is the year when privacy commissions and industry regulators moved their chess pieces into place. 2019 and beyond will see industry pawns sacrificed to send a message to the cardinals and royalty of the corporate world. The message: privacy and data responsibility must be as important to the officers of a business as profitability is to the investors. As such, privacy and compliance blur together, and security becomes the guardian, keeping the others in check.
*****
Mark Sangster is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In addition to Mark's role as VP and industry security strategist with managed cybersecurity services provider eSentire, he also serves on the Board of Editors of Cybersecurity Law & Strategy and as a member of the LegalSec Council with the International Legal Technology Association (ILTA). He can be reached at [email protected].