2017 looks to be the year when privacy and data security compliance expectations here and across the Atlantic become clear and compelling for U.S. companies. Companies know that huge privacy and security fines lurk in the European Union, but they may not truly understand the seismic changes coming to Europe’s privacy regime.
At home, U.S. boards loathe consumer, market and regulatory scrutiny that follows data breaches — just ask Yahoo. They undertake (or delegate) data security risk analysis and mitigation, and begrudgingly budget (not enough) for cybersecurity. But the significance of nitty-gritty data security regulatory enforcement standards and data breach class litigation likely aren’t on the boardroom radar.
A last best chance awaits companies in 2017 to effectively educate themselves about these issues and invest in necessary legal and technical resource-building.
The EU Data Protection Regulation Tidal Wave
It is hard to overstate to companies the importance of using 2017 to get ready for EU privacy and security changes. In May 2018, the new General Data Protection Regulation (GDPR) takes effect as a replacement for the present, two-decades-old privacy framework.
Under the new GDPR, companies must notify privacy regulators within 72 hours of discovering a data breach. Also, many companies must name data protection officers, and all businesses will face tighter consent obligations for using personal data.
Additionally, there are the dizzying maximum fines of 20 million euros ($22.5 million) or up to 4% of a company’s global revenue. For example, Alphabet’s Google had $60.6 billion FY2015 global revenues, and 4% of that total is $2.4 billion. That would be a pretty steep fine for a single GDPR violation. It is highly unlikely that the EU will seek such astronomical sanctions, but the possibility of that kind of bottom line impact should motivate companies to better prepare for the GDPR.
Companies should benchmark their existing EU compliance program against the new GDPR. Breaking the task into piece-by-piece chunks can make the project more digestible.
FTC Data Security Enforcement Authority Clarification
For nearly 15 years, the Federal Trade Commission (FTC) has taken action against companies that it felt weren’t doing enough to protect consumers’ personal data. But critics argue the commission is operating without direct authority to carry out such enforcement and is asking companies to meet unclear standards about what is reasonable data security.
Almost no companies have been willing to directly challenge the FTC, but defunct medical testing company LabMD and its iconoclastic leader Michael Daugherty continue to press. LabMD’s challenge is before the federal Eleventh Circuit after the commission overruled its own chief administrative law judge. The chief judge questioned the commission staff’s conclusion that a breach of sensitive personal data — without evidence of actual misuse by bad actors — was enough alone to show consumer harm and lax data security. A ruling is expected in 2017.
Companies should expect that the FTC will pursue data security enforcement in 2017 — particularly in the exploding world of Internet of Things. Enforcement will likely continue regardless of whom President-elect Donald Trump appoints to the commission.
How Much Harm is Enough in Data Breach Class Litigation?
Consumers embroiled in data breach class action complaints against companies haven’t had much success getting past the early stages of litigation. Bottom line, just worrying that your breached personal information might be exploited by identity thieves and lurking cybercriminals isn’t really the kind of harm that courts recognize.
But the lawsuits keep coming as plaintiffs and their lawyers hope to chip away at the high threshold of concrete harm required by the U.S. Supreme Court, or to force a settlement. Inconsistencies in how federal courts have treated the data breach harm standard leave the door open at least a crack.
Companies want clarity on a strong harm standard to discourage such suits and to better gauge risk. There is a chance the Supreme Court may directly address the concrete harm standard in a data breach case in 2017. But companies should be prepared to argue over the lack of harm in data breach claims.
Now more than ever is the time for U.S. companies to prepare, through education and legal technology resources, for the seismic privacy and data security changes that are expected in 2017 and beyond.
— Read Your Employees: The First Line of Defense Against Cybersecurity Threats on ThinkAdvisor’s TechCenter.