Gloomy statistics and stories of well-known corporations losing customer and vendor personal information to large-scale data breaches fill the news on a near daily basis. The frequency of data breaches has increased to an unprecedented rate, and the cost continues to rise each year. A study by the Ponemon Institute reports the average cost of a data breach is up 6.4 percent since 2017, to a whopping $3.86 million.
While there is significant press surrounding the fines organizations must pay for breaches and violations, the other less apparent and often difficult to quantify costs can be much greater, farther reaching and longer lasting. These may include reputational damage, loss of stock value, loss of current and future customers, class action lawsuits and remediation expenses from breaches such as notification costs or credit report monitoring for affected customers.
Many of these costs can, however, be avoided. Investing time and resources to build a comprehensive privacy program can pay dividends. The more organizations prepare, the better positioned they can be to steer clear of fines, negative press and other organizational challenges.
The costs of data privacy risks are daunting. With a proactive approach, a concerted upfront investment and the development of a strategic privacy program, organizations will be prepared to prevent data privacy incidents and ensure compliance with privacy regulations.
Regardless of industry, all organizations that process personal data should address the following:
New data privacy laws such as the European Union’s (EU) General Data Protection Regulation (GDPR) are now in force, and the associated regulatory bodies are cracking down on the first offenders. AggregateIQ, a Canadian digital advertising firm, was the first organization outside the EU to receive an enforcement notice on July 6, 2018, after a tip that the organization was using data analytics for political campaigning without user consent. The U.K. Commissioner required the organization to cease all processing of the personal data of U.K. or EU citizens relating to political campaigning, or face fines of up to €20M or 4 percent of revenue. The significance of this case cannot be overstated: it confirms that regulators are not going to limit the scope of enforcement based on an organization’s physical location.
In September, Facebook reported its largest breach to date. The attack exposed the personal data of 50 million users. Approximately one tenth of the exposed accounts belonged to European citizens, all of whom are covered under the GDPR. While the organization succeeded in reporting the breach within the GDPR’s required 72-hour window, the case is now under investigation by Ireland’s Data Protection Commission. The investigation confirms that simply meeting the reporting requirements is not enough to avoid the scrutiny of the auditors in the event of a breach.
The ability to demonstrate compliance efforts (in conjunction with cooperating with the supervisory authorities) will be essential in order to minimize fines and penalties in the event of a breach. While Facebook is unlikely to be fined the maximum penalty of 4 percent of revenue, it is likely that the amount will be substantial.
While the fines under today’s data privacy regulations are harsher than ever before, they are not always an organization’s biggest concern. After its involvement in the Cambridge Analytica scandal earlier this year, the U.K.’s Information Commissioner’s Office hit Facebook with a $660,000 fine, which seems minuscule given the scale of the organization. The real blows, however, came later in the form of a loss of 3 million users, over three dozen class action lawsuits and a stock market valuation that fell by a staggering $156 billion.
The aftershock of a data breach can be a public relations (PR) nightmare: The larger the breach, the more expensive the recovery. Once technology upgrades are added along with notification expenses and corrective services (such as credit monitoring), the dollars add up quickly. In 2018, Facebook invested heavily into PR campaigns designed to reassure and educate users about data privacy, but not all organizations can afford that level of investment. For many organizations, once a customer’s trust is lost, it may be too difficult or too costly to win it back.
Regulators are not the only ones keeping an eye on data privacy policy. In many cases the data subjects involved, better known as customers and employees, are ready to take control of their data and exercise their new rights. Under the GDPR and the California Data Protection Act (CaCPA), data subjects have the right to know what personal information an organization holds on them, to take the data with them in a usable format and to request that it be deleted – all within a short window of time. Data subject requests are time consuming to respond to and can consume significant resources. For some organizations, this process is a nuisance. However, if an organization is targeted by activist groups with a campaign designed to disrupt operations, the bombardment could derail the organization’s objectives.
By developing an efficient process to handle these requests, coupled with a sound data strategy – one that deletes data not needed to provide the requested services – organizations can decrease risk and create efficiencies that will result in significant savings over time. The first line of defense against baseless data subject requests should be a clear and transparent public message about how the organization collects, stores, shares and otherwise processes personal information. To meet the GDPR’s transparency requirement, publicly available privacy policies should be designed to help data subjects feel comfortable doing business with the organization by explaining exactly how and why it processes their personal data. Establishing this level of comfort or trust can play a large role in customer relationships in the years to come, and can help decrease the number of requests in the short term.
Organizations unprepared to comply with data privacy regulations may fall behind their competition. For example, organizations that prioritize the development of a comprehensive data privacy program also actively evaluate vendor security practices for safety and compliance with regulations. Selecting a vendor that is non-compliant with GDPR is not only a risky move – it may be a violation of GDPR. Vendors should take steps now to become compliant and avoid losing business to competitors who can already demonstrate compliance.
When most people think of data breaches, they often assume that they are caused by hackers stealing information from outside the organization; however, according to McAfee, 43 percent of data loss originates from within the organization. Most of these leaks are due to poor data management practices, inadequate controls, lost equipment and negligence. Incorporating data privacy best practices into employee education and training requires an investment of time and resources, but the investment is well worth the effort. By investing in training and awareness programs and protecting devices with multi-factor authentication or remote wipe features, organizations could reduce the number of in-house leaks by half.
For more information on this topic, or to learn how Baker Tilly specialists can help you with privacy regulation compliance or assessing readiness, contact our team.