Few people will be unable to recount some detail when asked about Edward Snowden and his leak of classified CIA information, or about Facebook’s Cambridge Analytica debacle, where the data breach affected America’s presidential election. Every headline across the national dailies and televised news harped on one and ONE point only: the infringement of personal data protection rights.
These events are just two of many that have been taking place regularly across multiple industries. Have a LinkedIn account? You could have been part of a data breach that gave hackers access to emails, passwords, phone numbers, and personal and professional details [1]. Did you sign up and try to evaluate a policy on Policybazaar.com? Hackers might have just made away with your personal details*, company names, payment information, and address, among other data [2]. Have an Aadhaar card? Do you know that hackers made away with various personal information, including biometric data, of around 1.1 million people [3]?
With such serious data breaches becoming a scarily common occurrence worldwide, it was only a matter of time before a re-evaluation of existing data protection laws was commissioned and new legislation was brought into place. Although this is good news for individuals and their right to control their sensitive personal data, it leaves organisations with the huge task of ensuring proper adherence to the processing and protection requirements for customer data under strict regulations from data protection authorities.
If, by the nature of your business, it collects customer data, data privacy laws and regulations will affect you. Let us explore them and learn the steps you can take to comply.
Data Protection compliance – the what?
Data protection and privacy compliance, in other words, is the process of properly handling sensitive customer data in accordance with data protection laws, regulations and best practices for maintaining data privacy. Once a company fully ensures it meets all the legal and regulatory requirements for storing and processing users’ personal data, it is said to be data privacy compliant.
The guiding star in this regard is the General Data Protection Regulation (GDPR) of the European Union. Other regulations worth mentioning are the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA) of the U.S., and Australia’s Privacy Act. A majority of global businesses follow these Acts when processing and storing customer data.
Data Protection compliance – the why?
In 2016, due to an inadvertent human error at Rainbow Babies & Children’s Hospital of Cleveland, Ohio [4], the private health information of more than 800 patients was disclosed. It was the result of not maintaining proper procedures for handling sensitive personal data. The IT department is usually the first to be blamed in such scenarios. Still, a data breach is the result of collective malpractice. As per a study by SHRM.org, human error is the root cause of 52% of security breaches [5]. The most common scenarios are –
- Using weak passwords.
- Sharing sensitive information with the wrong recipient.
- Falling for phishing scams.
- Failure to perform periodic security audits.
- Hoarding non-anonymised sensitive information.
A meagre 20% of companies use a data classification system and discard unnecessary files they have collected from users. By comparison, less than 25% of companies perform regular vulnerability checks, and a whopping 43% of organisations are unaware or unsure of what employees do with the sensitive data they receive [6]. Mind you, gross negligence in the care of sensitive personal data is an offence that attracts huge penalties under various digital privacy laws.
A simple fix to this fiasco starts with the small step of training your employees in basic data protection measures. Lack of knowledge prevents employees from spotting and dodging security threats at an early stage, or from limiting their effects in the unfortunate event of a data breach.
The fallout –
As a result of negligence and non-compliance, organisations and their employees both face the threat of possible civil and criminal prosecution and huge penalties. The GDPR in the EU is designed to discourage irresponsible data safety practices by levying severe penalties. They can range up to –
- 10 million euros or 2% of a company’s preceding year’s annual global turnover, whichever is higher, for less severe infringements,
- 20 million euros or 4% of a company’s preceding year’s annual global turnover, whichever is higher, for more serious offences [7].
In a 2021 report by IBM on the cost a company faces due to a data breach, the average sum stood at USD 4.24 million [8]. Factor in the possibility of class action lawsuits, and the full price of negligence is as good as anyone’s guess.
Since 2020, class action lawsuits under the California Consumer Privacy Act (CCPA) have had plaintiffs seeking damages of anywhere between USD 100 and 750 per affected member. In 2021, Zoom, a popular video conferencing application, agreed to pay USD 85 million to settle a class-action suit [9] that brought to light Zoom’s reckless practice of sharing data with third-party applications without the consent or adequate notice of the user concerned.
Apart from the monetary penalties mentioned above, public backlash and shaming on social media are enough to tarnish the reputation of a business for a long time. A Deloitte University Press study points out that 80% of consumers choose to conduct business with companies that have not experienced privacy issues over a company that has [10].
Incentive for Data Protection training?
Apart from the obvious endeavour to keep a clean brand image and customer loyalty, certain states in the U.S. have started offering legal incentives to companies that implement data security compliance training, in the form of an affirmative defence (a form of defence in which the defendant introduces evidence which, if found to be credible, will negate criminal or civil liability) in instances of a data breach. The state of Utah, U.S.A. [11] passed a law in 2021 that gave companies an affirmative defence to –
- Any claim alleging the organisation’s failure to implement reasonable security controls that resulted in the security system being compromised.
- Any claim alleging that the organisation failed to respond appropriately to a security breach.
- Any claim alleging the organisation failed to notify an individual whose personal data may have been compromised due to the data breach.
The states of Ohio and Connecticut have also passed similar laws to usher in change and accelerate data safety practices. With several other states contemplating similar legislation, the method is clearly a success. It would not be wrong to speculate that similar or better incentives will soon be offered by other nation-states too. The quicker a company can tap into this, the better it is shielded from risk exposure.
Conclusion –
It is no secret that small and mid-sized businesses (SMBs) had to scale down their operations to survive the pandemic. Yet cyber threats over this period have only increased. A study cited by the SEC points out that 60% of SMBs that faced data security issues have gone out of business within 6 months of the event [12]. Failure to implement data security practices and observe regulatory recommendations has disastrous consequences irrespective of company size. Challenges regarding consumer data protection will only increase as data transfer volumes go up and a new normal of work-from-home is standardised. A sound understanding of the legal landscape affecting personal and sensitive personal data, and the adoption of extensive compliance systems, are indispensable for a business to remain viable and thrive.
With a little help –
At Rainmaker, we are all about limiting the exposure of our clients. Although the Personal Data Protection Bill in India is yet to be passed and take effect for Indian companies, we believe in starting early. We are helping our clients develop proper digital hygiene that takes inspiration from the guidelines of various tier-one data protection authorities worldwide. We are prepared for the future. Are you? Talk to us today to know more.
*At the time of writing this article (25/07/22), an audit is in progress to assess the type of data that may have been exposed in the Policybazaar data breach.
Author: Sagnik Mukherjee
Editor: Sumali Nagarajan
DISCLAIMER – No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd
References –
1. https://www.linkedin.com/help/linkedin/answer/69603/notice-of-data-breach-may-2016?lang=en
2. https://www.moneycontrol.com/news/business/startup/policybazaar-notifies-breach-in-it-systems-says-no-significant-customer-data-exposed-8878001.html
3. https://www.moneylife.in/article/aadhaar-data-breach-largest-in-the-world-says-wefs-global-risk-report-and-avast/56384.html
4. https://blog.netwrix.com/2019/06/06/who-is-to-blame-for-a-data-breach-answers-to-the-most-pressing-questions/
5. https://www.shrm.org/resourcesandtools/hr-topics/risk-management/pages/human-error-top-cause-data-breaches.aspx
6. https://blog.netwrix.com/2019/06/06/who-is-to-blame-for-a-data-breach-answers-to-the-most-pressing-questions/
7. https://gdpr-info.eu/issues/fines-penalties/
8. https://www.ibm.com/in-en/security/data-breach
9. https://www.reuters.com/technology/zoom-reaches-85-mln-settlement-lawsuit-over-user-privacy-zoombombing-2021-08-01/
10. https://www2.deloitte.com/content/dam/insights/us/articles/consumer-data-privacy-strategies/DUP_970-Building-consumer-trust_MASTER.pdf
11. https://www.jdsupra.com/legalnews/utah-becomes-the-second-u-s-state-to-7031711/
12. https://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html