Comment: Happy Privacy Day – Fines Quadrupled in 2019 v. 2018
US and EU data privacy authorities levied over a $1 billion in fines last year compared to slightly less than $250m in 2018. Keith Lipman, founder and president of Prosperoware, looks at the widening net of data privacy and cyber laws; the requirements that most privacy laws have in common; the steps that law firms and companies must take to comply; and the policies that must be in place to avoid you having “a really bad day.”
As we observe privacy day today (27 January) there will be many facts and stats flying around but one salient one that we would all do well to pay attention to is this: US and EU data privacy authorities levied over a $1 billion in fines last year compared to slightly less than $250m in 2018.*
In the United States, cybersecurity and privacy laws are becoming more stringent and more prevalent: in January 2020 the California Consumer Privacy Act (CCPA) came into effect. CCPA is based on GDPR. In July 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act) which expands data breach notification obligations under New York law as well as the state’s jurisdiction.
Like GDPR, this new regulation not only protects the citizens of these states, but its reach extends to businesses globally. It’s no wonder that privacy and cybersecurity are top of mind for every company board of directors.
What does every organization need to anticipate? Well first, that it will have a really bad day and will have a breach of some nature.
Regulators and potentially the court will typically apply a negligence standard to the organization’s actions and there are multiple standards for how they can protect personal data ranging from ISO, AICPA (SOC2), to NIST. ISO and NIST have just issued new privacy frameworks.
Most privacy laws have a common approach. They require companies to:
- Secure personal data to those who need to know,
- Allow people to ask the company what data they have on them (data subject access request)
- Many grant the right to be forgotten
- Ask consumers consent to how their data is being used
- Require firms to have a data map
- Delete personal data when it is no longer required (data minimization)
In reality, companies are given a lot of freedom as to how they implement these basic concepts. The key thing is that they need to establish policies or controls. Creating these controls requires the participation of key stakeholders throughout the firm. The establishment of the controls is not enough. The firm needs to put these controls into action and then audit the organization. This ability to provide assurances that the controls are being followed is going to be a critical element to avoid being fined.
Privacy and cybersecurity laws actually offer an opportunity to help organizations improve their processes. For law firms, they need to focus on improving the process for both the business and practice of law. Every of part of the firm engages in a type of matter. It just may be called something else: project, engagement, a close, deal, opportunity, campaign, etc. Firms must think through the lifecycle of personal data throughout the life of the matter type or process — Privacy by Design in GDPR lingo.
For many firms, the biggest challenge is going to be around their documents and emails. In each type of matter or type of process, the firm must determine how much personal data is contained therein: (1) a little – just secure the documents (2) some personal – secure just the folder (3) pervasive personal data – secure the matter.
The personal data will need to be secure and accessible by those who need to know. Defining this will take serious policy development and gets difficult due to the dynamic nature of collaboration that happens in law firms – “we just need the opinion from the tax team on this one document,” or “we need document processing to work on this one document,” and so on.
Without the appropriate technology, a rigid policy is simply going to result in frustration, delay or worse.
For each matter type, the next set of work is to determine when to start deleting personal data contained in the matter type. The underlying logic for data minimization is to reduce the risk of data exposure. Establishing a legitimate policy is critical. The challenge with data minimization is that organizations need to balance the risk that the documents will be needed to defend themselves in case of a dispute versus their duty under privacy laws. This means that organizations will need to have very granular policies that permits the destruction of data that is not relevant in defending itself in a dispute while keep the critical supporting documents.
The hard work of creating these policies, implementing and then auditing their application will result in both internal and external stakeholders sleeping better at night. Without it, an unsuspecting firm may have a really bad day which could have devastating consequences from fines and reputational damage.