Table of Contents
INTRODUCTION
For businesses large and small, compliance with federal, state
and foreign privacy laws and regulations has become an essential
business obligation. These laws govern a company’s collection,
storage, use, sharing and disposal of personally identifiable
information (PII), protected health information (PHI) and payment
card information (PCI).
A company’s innocent or inadvertent failure to abide by
these laws, or its failure to timely and fully disclose how it
performs such tasks, can make it a target for regulatory
proceedings and civil class actions. These lapses also can be a
source of reputational damage to the business. In addition, a
significant number of public and private entities simply are
unaware of the laws that govern consumers’ and employees’
privacy rights and the associated risks and exposures.
The Risks Are Real
Government regulators and class action plaintiffs’ attorneys
are targeting organizations believed to be noncompliant in these
areas, as well as those that have suffered data breaches.
Additionally, many lenders, customers and potential customers are
conducting “audits” of their clients’ and business
partners’ electronic environments to identify any
vulnerabilities that could lead to a privacy breach. Then there are
ransomware and advanced persistent threats (APTs). All of this
scrutiny makes it critical for business owners and managers to
invest the time and resources needed to comply with these new
standards by adopting required plans and policies, performing
mandatory employee training, and conducting timely audits and
assessments to ensure that their organizations meet today’s
mandates governing the security and privacy of data they hold.
So, too, the frequency and severity of ransomware and the U.S.
government’s limitations on where payments can be made have put
tremendous stress on insurance companies and businesses that rely
on internet connectivity to function. If those entities deal with
third-party vendors, the magnitude of the risk can multiply
exponentially. The same applies to APTs, which are cyber-attacks
executed by sophisticated bad actors targeting specific
information, usually in a long-term campaign involving multiple
steps.
In short, the risks are real, particularly for small and
medium-sized firms, which typically do not have the robust
cybersecurity protections of larger companies with significant
information technology budgets. In 2019, the average cost of a
breach was $8.9 million, the cost per breached record was $242 for
PII and the cost per record for PHI was $428. Perhaps more
importantly, a Deloitte University Press study reveals that 80
percent of consumers indicate they are more likely to do business
with companies that have not experienced a privacy event than with
a company that has suffered one.
For years, a panoply of regulators has been investigating
privacy breaches and prosecuting enforcement actions against
companies conducting business in their states. Fines in these
proceedings often have exceeded $1 million. At the same time,
consumer class actions can allege damages that defy quantification.
In California alone, since the adoption of the California Consumer
Privacy Act (CCPA) on January 1, 2020, more than 25 regulatory
investigations and a rapidly growing number of CCPA class actions
have been opened, with consumers seeking damages between $100 and
$750 per affected class member, per incident.
The Greater Threat
As dangerous as a regulatory investigation may be, consumer
class action litigation presents an even greater risk.
In July 2020 in the U.S. District Court for the Northern
District of California, a putative class of consumers sued Walmart
over privacy concerns. Plaintiffs alleged the company had violated
the CCPA’s security provision, acted negligently under the
California Customer Records Act, committed unfair business
practices and breached the contract arising from Walmart’s
stated privacy policy.
According to the Complaint, “the dark web is replete with
stolen Walmart accounts for sale,” including credit and
payment card information. The Complaint further avers that
Walmart’s online security systems were vulnerable to
unauthorized access. The named plaintiff also asserted he had
communicated with the alleged hackers and verified that the
available personal information belonged to Walmart’s customers,
a highly uncommon allegation in privacy litigation. Citing the
CCPA, the named plaintiff seeks class-wide damages of at least $100
and up to $750 per affected consumer. For Walmart, a potential
class of two million Californians could yield between $200 million
and $1.5 billion in damages.
While smaller businesses might not have a corresponding customer
base, even a company with 50,000 California residents as consumers
could face damages ranging from $5 million to $37.5 million or
more.
- Rahman v. Marriott International, Inc.
As one would expect, courts in California evaluate each lawsuit
carefully, based on its individual facts. For example, in Rahman,
the court found that the plaintiff lacked Article III standing in a
case involving the theft of non-sensitive personal information
arising from a data breach.
There, Marriott moved to dismiss for lack of subject-matter
jurisdiction after confirming that no sensitive information had
been compromised. Marriott argued that although the hackers had
accessed the plaintiff’s personal information, the data lacked
the sensitivity required to sustain a finding of injury in fact.
The court agreed.
- Barnes v. Hanna Andersson, LLC and Salesforce.Com,
Inc.
Conversely, in a consolidated case involving online and mail
order retailer Hanna Andersson and Salesforce.com, a class of
consumers alleging violations of the CCPA agreed to settle with the
defendants for $400,000, pending court approval. The plaintiffs had
argued that the defendants’ alleged failure to implement and
maintain reasonable security procedures and practices had caused a
data breach. As part of the settlement, the defendants agreed to a
plan to improve their data security, including regular risk
assessments, implementation of multifactor authentication for all
cloud service accounts, hiring additional technical personnel,
conducting regular phishing and penetration testing, and
establishing a director of cyber security. In other words, the very
types of best practices discussed below. Finally, the defendants
agreed not to oppose an application for attorneys’ fees and
costs of up to $120,000, which is not included in the above
settlement amount.
Vigilance and Expert Legal Defense
Simply put, consumer class actions under the CCPA can get ugly.
We all have seen the results in other consumer privacy lawsuits
around the country; it’s not a pretty picture. And even where a
company prevails on a motion to dismiss or obtains a summary
judgment in its favor, the legal fees alone can reach well into six
figures. This is not inexpensive litigation; no matter the outcome,
the cost of defending these actions dwarfs the expense of providing
compliance training and implementing best practices.
Employment- and consumer-related risks and exposures also have
become increasingly prevalent, particularly under the Americans
with Disabilities Act (ADA). A company must be vigilant to ensure
that its websites and other e-commerce solutions are compliant,
lest it face ADA class actions. Beyond the consumer and employment
class actions, public companies that have been hacked face the
threat of shareholder litigation. Yahoo! settled a derivative
action for $29 million, and other companies have made seven-figure
payments to settle with their shareholders.
In sum, class action lawsuits, whether filed on behalf of
consumers, employees and/or shareholders, can subsidize a plaintiff
counsel’s retirement fund at the expense of the noncompliant
company (and possibly its insurers as well).
For more than 15 years, lawyers have counseled business entities
on best practices in the field of data privacy, as well as their
regulatory obligations. We have trained their employees on
compliance strategies designed to lower a company’s risks and
exposures arising from its collection, storage, use, disclosure and
deletion of PII, PHI and/or PCI, extending such training to its
customers, clients, employees, potential employees and business
partners. We also frequently engage with regulators to protect our
clients’ capital.
FEDERAL, STATE AND INTERNATIONAL REGULATORY SCHEMES
United States
Privacy legislation at the federal level remains largely
industry-specific, such as the mandates imposed on health care
providers and insurers under the Health Insurance Portability and
Accountability Act (HIPAA), financial institutions under the
Gramm-Leach-Bliley Act (GLBA), and all regulated entities and
individuals under the Federal Trade Commission Act.
To fill in the gaps created by federal law, a myriad of state
data security and privacy laws have been enacted, and continue to
evolve on an almost monthly basis. These laws typically regulate
entities of all sizes, regardless of whether they have one or many
employees, so long as they own or are in possession of the PII, PHI
and/or PCI of consumers, employees and potential employees.
For example, in 2004, California became the first state to enact
privacy legislation designed to protect its residents’ PII.
Next came the CCPA, which was followed by the passage of the
even-more stringent California Privacy Rights Act (CPRA) by
referendum in November 2020.
On March 2, 2021, Virginia became the second state to enact a
comprehensive data privacy law, the Virginia Consumer Data
Protection Act (VCDPA). The VCDPA draws from the CCPA and the CPRA,
although it differs in important respects that should incentivize
companies doing business in or marketing to Virginia residents to
reassess their collection and use of consumer personal information
and modify their compliance policies and procedures
accordingly.
Nevada, Vermont, Connecticut and Colorado also have enacted data
privacy laws that take guidance from the CCPA and other state and
international laws. Other states, such as Florida and Washington,
are not far behind.
Following suit, New York has enacted the Stop Hacks and Improve
Electronic Data Security Act (SHIELD Act), which imposes data
security obligations on companies that do business in or collect
information concerning New York residents. At the same time, the
Cybersecurity Regulation of the New York Division of Financial
Services (NYDSF) requires New York?regulated financial services
institutions ? including agencies and branches of non-U.S. banks
licensed in the state of New York ? to assess their cybersecurity
risk profile and implement a program designed to protect consumers
and “ensure the safety and soundness of the institution,”
as well as New York’s financial services industry.
In turn, Illinois became one of the first states to focus on
biometric and genetic data, enacting the Biometric Information
Privacy Act (BIPA) and the Genetic Information Privacy Act (GIPA).
The availability of a private right of action under BIPA has led to
countless class action lawsuits. New York City also has enacted a
new biometrics privacy ordinance that went into effect in July
2021.
International
At the same time, many businesses are subject to the European
Union’s (EU’s) General Data Protection Regulation (GDPR),
which applies to every organization that has a web presence and
markets products or services in a direct manner to consumers in the
EU. Canada, Australia and other foreign jurisdictions have adopted
their own privacy regimes, with respect to which you should be
knowledgeable and compliant if your company does business in one or
more of those countries.
WHAT SHOULD COMPANIES BE CONCERNED ABOUT?
Employee Training
Do your company’s employees know the difference between PII
and nonprotected data? Do they know what constitutes PII, PHI and
PCI in the jurisdiction(s) where your business operates? While some
examples of PII may be obvious, such as social security numbers,
far more is involved.
While some organizations differ, there are typically seven
stages at which internal policies and regulations apply: creation,
processing, storage, use, sharing, archival and destruction. To
avoid regulatory fines, consumer and shareholder class actions, and
the associated legal fees, employees should know how to collect
information appropriately, classify and update it accurately, share
it responsibly, and delete it when requested by a consumer pursuant
to law or when it is no longer of use.
Data Handling Outside the Office
The security of information kept on mobile devices is often
overlooked. Some of the most common threats include loss or theft
of mobile devices, use of unsecured public Wi-Fi spots and shoulder
surfing (spying on the user of an ATM, computer or other electronic
device) in public spaces – all issues that need to be addressed in
corporate policies and employee training to ensure that your
workforce knows how to avoid these kinds of risks. With more people
working remotely, the question of how to protect data outside the
office is more important than ever.
Payment Card Industry Data Security Standards
The Payment Card Industry Data Security Standards (PCI-DSS)
mandate that all companies that accept, process, store or transmit
credit card information maintain a secure environment. The PCI-DSS
applies to any organization ? regardless of size or number of
transactions ? that accepts, transmits or stores cardholder data.
Different requirements apply to organizations depending on their
transaction volume over a 12-month period. At the discretion of
their acquirer or service provider, businesses that do not comply
with PCI-DSS may be subject to fines, card replacement costs,
costly forensic audits and other expenses in the event of a privacy
incident.
SO, WHAT DO YOU DO? AND WHAT DO WE DO?
Businesses must recognize that they cannot ignore or take a
relaxed approach to their data security and privacy compliance; it
is a necessary and critical component of a company’s
operations. While the requirements for each business will be
different ? depending on the relevant industry, location and other
factors ? there are some general practices attorneys train a
business’s employees to follow so that they meet their and your
compliance obligations:
- Create and memorialize regulatory compliance policies and
procedures that account for your specific business model. - Provide compliance training to your key personnel to ensure
that your company’s business culture comports with applicable
regulatory schemes and regulators’ expectations. - Inventory and assess the PII, PHI and PCI you collect so that
you have a record of what is in your possession and the security
standards that apply to this data. - Update your website home page to comply with applicable
laws. - Collaborate with experienced technical service providers to
ensure that reasonable security procedures are in place and that
data is properly protected. - Address nondiscrimination issues to provide consumers with the
right to equitable service and pricing (i.e., consumers should not
have to pay for the privilege of not having their personal
information shared with advertisers). - Implement and regularly update appropriate incident response
and business continuity plans. - Conduct an audit of (or obtain an assessment certification
from) your vendors and others with access to your electronic
infrastructure to ensure that these third parties are compliant
with governing law and have cybersecurity protections, including
insurance, at least as robust as yours (after all, you’re only
as strong as your weakest link). - Work closely with your insurance broker to evaluate the
coverage you have and that you contemplate buying or not
buying.
When performed properly, such services and tools should mitigate
and reduce a company’s risks and potential exposures arising
from an adverse privacy incident, including ransomware and
phishing. Also, a company’s demonstrated risk and loss
reduction could ultimately lead to an insurance premium abatement
that over time may result in the services and tools paying for
themselves several times over.
CONCLUSION
A company’s failure to comply with data privacy laws can
have disastrous consequences. This is an enterprise-level risk that
needs to be managed properly. According to a 2018 study by the
National Cyber Security Alliance, 60 percent of small businesses
that experienced a cyber-attack went out of business within six
months of the event.
It is axiomatic that cyber and other types of insurance policies
can be dense and complicated. As a result, it is incumbent on
brokers and underwriters to guide their clients and prospective
policyholders regarding selection of the products, coverages and
deductibles appropriate for their unique, individual needs, risks
and exposures. It goes without saying that financial professionals
should know the types and scope of the insurance products a company
needs and ensure that those needs are fulfilled.
In short, an effective data privacy program will go a long way
toward avoiding the substantial perils that could befall a
noncompliant entity. A company’s continuing viability could be
short-lived without it.
Originally published by Advisen Cyber FPN, 13 August
2021.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.