Privacy & Security – A Review of 2018 and Some Predictions for 2019 - Clarip Privacy Blog

Privacy & Security – A Review of 2018 and Some Predictions for 2019

It goes without saying that 2018 was an important year in the world of privacy. Information Age called 2018 the year of data protection. CSO Online called 2018 the year data privacy got real. Above the Law called 2018 a momentous year for privacy law. Government Technology called 2018 the year privacy took center stage.

As we enter the first full week of 2019, it is worth taking a moment to look back at some of the critical events over the past year:

– The European Union General Data Protection Regulation (GDPR) went into force in May and brought heightened attention to data privacy and security issues.

– The California Consumer Privacy Act (CCPA) became the future of privacy law in the United States by granting CA consumers the right to access and delete their personal information held by businesses, as well as the right to opt out (for adults) of the sale of their personal information to third parties. Enforcement of the law begins in 2020.

– Data privacy protections have become an area of broad public support. Polls consistently placed data privacy as a top issue among the public and customers are often identifying privacy as a key area of consideration when making product purchases.

– Privacy issues became a potential driver of stock market value at publicly traded companies as Facebook twice saw substantial price falls due to its handling of user privacy.

– The privacy of personal information has become a key focus of politicians, regulators and the media. The Cambridge Analytica scandal focused attention on this area and there are already predictions of a new federal privacy law in 2019.

What will 2019 hold?

– More Privacy Breaches

Billions of records were exposed in 2018 and there is no reason to expect that 2019 will see a slowdown in privacy breaches. It took less than 24 hours into the new year for the first data breach of 2019.

– A Record Privacy Fine or Settlement

Government fines will pick up momentum in 2019 and there will be at least one record privacy fine out of Europe. To date, most enforcement actions by Data Protection Authorities have started by offering the company an opportunity to come into compliance before the DPA considers the appropriateness of a penalty. However, according to comments made by regulators at the IAPP Data Protection Congress in Europe last year, the transition period is going to come to an end and it's safe to expect some major fines in 2019.

Given that large government investigations in the United States typically take years to come to a settlement with the business or make a decision on whether to pursue an enforcement action, GDPR fines are clearly still in their infancy. Nevertheless, there is a strong possibility of at least one monster GDPR fine in 2019. GDPR authorizes fines of up to 4 percent of global annual revenue and there are enough complaints against large companies around forced consent that a significant penalty could be levied to show multinational corporations that the DPAs mean business.

The Federal Trade Commission will also be under pressure to open and pursue privacy investigations in 2019. It has already been investigating the potential violation of the consent decree by Facebook since March, when it confirmed in a statement that it was looking into Facebook’s data practices following the press reports about Cambridge Analytica. With lawmakers raising questions of the FTC Commissioners about the progress of the inquiry, and the New York Times questioning its effectiveness as Congress is considering additional privacy regulations, the FTC is going to be looking to exercise its authority.

– New Privacy Laws

The CCPA probably won't be the only new privacy law that businesses need to prepare for in 2019. If Congress does not demonstrate leadership on privacy early in the year, the states are likely to start moving on their own legislation. In response to Congressional inaction on data breaches over the past two decades, every single state passed a data breach notification law after California did so. If the Senators and Representatives cannot agree on what approach to take, the states will stop anticipating federal preemption and pass their own versions of GDPR.

– Privacy and Security Teams will Increasingly Join Forces to Protect Data

There is increasing recognition that it is not privacy OR security that needs to be tackled in order to give the public control over their data again, but privacy AND security. The public is not distinguishing between an external data breach and an internal privacy leak. The result is the same – insecurity about the confidentiality of personal information.

Privacy and security have historically been separate teams within many businesses. Security professionals have focused on the protection of systems and data from external threats such as hacking. Privacy teams, on the other hand, have been tasked with ensuring transparent and non-misleading disclosures about data privacy practices to consumers and other individuals about whom the company possesses PII. The composition of the teams has been largely different in the past as well. The security team is historically composed of IT and cybersecurity professionals in order to conduct offensive and defensive programs against hacking. The privacy team, on the other hand, has been more frequently composed of legal and compliance professionals.

The historic separation of privacy and security within many companies could start changing, however, as new laws target both. GDPR and CCPA, for example, each tackle both privacy and security concerns. The privacy implications of GDPR are well known and analyzed. Yet GDPR also asks businesses, in Article 32, to implement security measures appropriate to the risks, and strengthens the requirement to notify authorities and individuals through the 72-hour data breach reporting and data subject communications specified in Articles 33 and 34.

The CCPA similarly creates both privacy and cybersecurity obligations. In addition to its privacy protections (DSAR / Individual Rights and the Right to Opt Out of the Sale of Personal Information), CCPA imposes liability on covered businesses through class actions for the failure to implement and maintain reasonable security procedures and practices. The result of this section of the new California privacy law is the possibility of statutory damages of between $100 and $750 per consumer per incident. For large organizations that suffer data breaches exposing the nonencrypted or nonredacted personal information of millions of users, it could result in lawsuit damages exceeding $100 million as a result of insufficient security practices.

In addition to the combination of privacy and security measures in key government laws to protect personal data, there is also an increasing amount of overlap between measures recommended for privacy and security protections. For example, data minimization is a core principle of GDPR that works to minimize both potential privacy and security issues. Privacy by design is another example that cuts across the historic separation of the teams in their efforts to execute their missions.

What are your predictions?

We would love to hear where you think privacy is going in 2019. Feel free to drop us a line!


Improve Data Privacy for GDPR or CCPA with Clarip

The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.

Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.