Regulatory action underscores the importance of data privacy
Organizations are concerned about their ability to protect customer data, and for good reason.
Recently, the UK Information Commissioner’s Office (ICO) announced an intention to fine British Airways GBP183.39 million (US$228.14 million) and Marriott International GBP99.2 million (US$123.38 million) for data breaches in the recent past.
The penalties to be levied by the ICO are within the boundaries set by the EU's General Data Protection Regulation (GDPR), and are some of the biggest numbers companies have seen so far.
On the other side of the pond, the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and various state-level regulatory bodies in the US levied US$700 million in fines on Equifax for its massive data breach back in 2017.
The final settlement includes a US$175 million civil penalty to states, a US$100 million civil penalty to the CFPB, and a restitution fund for consumers, starting at US$380.5 million and rising to up to US$505.5 million in total, with a cap of US$20,000 per consumer, according to figures provided by the National Consumer Law Center (NCLC).
“Much of the monetary relief focuses on credit monitoring, which is of limited effectiveness in preventing identity theft. Ironically, much of the funds for credit monitoring will go into the pockets of another credit bureau, Experian,” NCLC Staff Attorney Chi Chi Wu explained.
“Congress has already made free the single most effective measure to prevent identity theft – a security freeze. Consumers affected by the Equifax breach should just freeze their credit reports if they are concerned about identity theft,” Wu added.
Overall, relative to the size of the companies involved, the fines are not large enough to dent cash flows severely, but board members will definitely feel the pinch and see an impact on share prices in the short term as reputation and customer trust suffer.
Aside from impacting the companies involved, the regulatory actions (or stated intent, in the case of the ICO) seem to have forced compliance professionals, data managers, and business leaders to sit up and pay attention to the changing landscape of data privacy and protection.
“Entities subject to the GDPR should take note of the large fines and use this as an opportunity to check, and if necessary, improve their current cybersecurity policies and procedures,” Willkie Farr & Gallagher (UK) LLP Partner Henrietta de Salis told Tech Wire Asia.
Commenting on the data breach at Starwood Hotels and Resorts, and its subsequent acquisition by Marriott International, which landed the latter at the center of the scandal, de Salis said that companies involved in M&A activities should also learn the lesson from the ICO's announcements and prioritize cybersecurity due diligence for targets subject to the GDPR.
“If necessary, ensure a target improves its processes relating to cybersecurity as soon as possible, to mitigate the risk of breaches occurring.”
According to the London-based legal adviser, the GDPR gives national competent authorities, such as the ICO in the UK, greater powers to impose significant fines on companies where there has been a breach of data privacy, and the ICO has shown that it is willing to use those powers in these cases.
“Whilst the proposed fines are certainly headline-making, the ICO has not in fact imposed the maximum level of fine allowed by the legislation,” de Salis pointed out.
“Other European data protection regulators (e.g. in France) have also issued significant fines under the GDPR and further regulators may well follow suit,” Ropes & Gray Counsel Clare Sellars shared with Tech Wire Asia.
“The ICO is likely to continue to work closely with other EU supervisory authorities regarding personal data protection and enforcement and has confirmed that it is committed to maintaining its strong European and global links.”
Overall, the message is loud and clear: companies need to get their act together and make sure they have audited and mapped their data streams, secured access to customer data, and are monitoring, ideally in real time, any access to customer data, whether authorized or unauthorized.
“Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public,” Information Commissioner Elizabeth Denham emphasized.
Companies, therefore, will need to think long and hard about how they use customer data and create a good plan to store and protect it responsibly.
“The scrutiny surrounding data and privacy will continue to intensify for the foreseeable future, and the consequences will become more significant,” New York-based Paul, Weiss, Rifkind, Wharton & Garrison LLP Litigation Partner Jeannie Rhee told Tech Wire Asia.
“Companies, directors, and officers must be aware of the increased scrutiny, and they should focus their efforts appropriately to manage the risk relating to data privacy obligations.
“Outside counsel can be of assistance in determining the need for and the scope of a data privacy inquiry; they may also review the possible reporting or disclosure obligations that may exist. Outside counsel also can provide insight on the range of practices across companies and industries facing similar cyber issues,” Rhee advised.
An important question that was raised as a result of these regulatory actions, however, is this: Should companies be able to insure against penalties imposed as a result of failure to comply with the GDPR or other data privacy/protection laws? Experts in the law believe that there’s no right answer. For now.