How Tech Companies Should Rethink Data Privacy
The year 2018 will be remembered as the end of the free-for-all era of internet privacy, brought down by a series of high-profile security breaches and scandals. 2019 will be defined by the reaction to this abrupt shift and by the growing public alarm over the types of data being collected about users, how it’s used, and how securely it is stored. Going forward, companies will be expected to demonstrate a commitment to accountability, lawfulness, transparency, and an intensive focus on data protection.
This paradigm shift is occurring at precisely the same moment that artificial intelligence (AI) and internet of things (IoT) innovations are delivering even more valuable insights via data. However, companies seeking to take advantage of these technologies should exercise prudence, lest they run afoul of a changing regulatory environment and increasingly wary consumers.
The implementation of two pieces of legislation will radically transform how companies approach data privacy: Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). California’s law is of particular interest since, by some metrics, it goes even further than the GDPR in protecting consumer data and because it applies to every company doing business in the state, regardless of where it is headquartered. This makes the CCPA a de facto national law, especially in the absence of superseding federal regulations.
Here are the most important things to know about the California law:
1. Violations will be extremely costly.
Companies found to be in violation of the CCPA are liable for civil damages of $100 to $750 per user, which has the potential to add up to astronomical sums. What’s more, this mechanism empowers consumers and lawyers to seek damages, rather than any regulatory agency. This represents an enormous shift in risk from the past when data breaches were met with fines and temporary PR crises. As Jim Halpert, a data protection specialist at DLA Piper, points out, “Class action lawyers are motivated quite differently than regulators. They have the opportunity to file lawsuits, throw a lot of spaghetti against the wall, and extract a settlement.” CCPA’s potential for massive financial penalties fundamentally alters the risk versus reward calculus of data assets.
2. It radically expands the definition of “private data.”
The California law stipulates that if a company’s data is not encrypted or redacted and there is a breach, the company is obligated to report it, thus inviting legal action. The protected data here includes not just credit card data but social security numbers, all government ID numbers, medical identifiers, and, perhaps most crucially to marketers, smartphone IDs.
3. It takes effect in January 2020.
Any entity with users in California has about a year to become compliant, which makes it extremely urgent for executives to fully grasp the significance of this legislation and restructure their policies accordingly.
4. It’s a sign of things to come.
California’s legislators have signaled that they are open to amending the CCPA in places where it is unworkable for businesses, but while there may be a reprieve from some of the law’s excesses, there is no escaping the privacy backlash it represents. There are similar laws in Brazil, China and, of course, the EU, and many observers believe it’s only a matter of time before Congress passes federal data privacy regulations.
Mapping your data assets can be both difficult and expensive, and it only gives you a snapshot view unless you have a framework in place to keep track of how your data is moving and who is accountable for it. This complex and shifting landscape demands that businesses restructure their relationship with data on multiple fronts: not merely legally, but culturally and strategically. Taking on this task requires a top-down approach. In addition to ensuring regulatory compliance, the following strategies may also be the best way to ensure organizational readiness against traditional cyberattacks:
1. Restructure data governance.
In the past, data management responsibilities were often divided between a legal office, an IT security team, and marketers, each of whom had different skill sets and frequently divergent priorities. Companies hired chief data officers in order to develop a unified data privacy strategy, which had mixed results. Now we are witnessing the evolution of the Chief Privacy Officer, who is focused on driving strategy and policies related to data privacy. Representatives from different departments can still bring their unique perspectives, but new data opportunities must be weighed from a risk/reward mindset that recognizes data as a valuable asset, but also an asset with serious risks if managed incorrectly.
2. Conduct an impact gap assessment.
3. Update overall strategy.
Tech companies whose business models involve data monetization practices that are not transparent to users will have to start addressing difficult questions about how to adapt their business model to this period of greater risk. Shaghaghi says, “If your products and services are based on a set of principles that is opposed to this upcoming evolution of data management practices, then you’ve got a major problem on your hands in terms of how you need to change your strategy.”
Malicious intrusions will continue to be a major concern in 2019, and no one will be immune. Halpert describes the situation in stark terms: “Eventually there will be a successful penetration of a company’s systems, inevitably. The question is really whether the company is resilient, whether it’s flexible and able to respond quickly to attacks.”
The good news is that both regulators and the public at large will extend patience to companies that can show they are making a good faith effort to address privacy concerns. Companies that take immediate steps to secure, encrypt, and track sensitive data will have a better chance of emerging unscathed from crisis. In today’s privacy-conscious environment, the time to take action on data protection is now—before the inevitable breach takes place.
Shahryar Shaghaghi, Principal - National Cybersecurity and Privacy Leader
This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.