With the EU’s new privacy rules (GDPR) that took effect earlier this year, the California Consumer Privacy Act that takes effect January 1st, 2020, and the clamor for a federal data privacy law in the United States, it is increasingly clear that privacy will not, in the future, be an optional part of business operations.
The advent of these new rules makes clear that personal data is now treated as both a human right and a property right belonging to consumers – a term that can include employees, customers, patients and other persons.
Now, Apple is taking sides publicly. Speaking in Brussels this week, CEO Tim Cook said that GDPR has confirmed that privacy is good law and good policy, and that users should know what is collected about them and why; that data belong to users; that security is at the heart of data privacy; and that companies should “challenge themselves” not to collect unnecessary data in the first place. Echoing the view of the modern regulator, he also said that privacy is a “fundamental” human right.
This statement draws a clear line between Apple, a hardware company, and its data-collecting business rivals such as Facebook and Google. It also points to a growing reality: lawmakers are starting to pay attention to privacy, both inside and outside the U.S., and consumers are starting to expect better from companies.
For small and medium companies, coming out strong on privacy is a good way to differentiate yourself from competitors. It is an excellent employee-relations tool (and may be helpful in forestalling data-privacy claims with disgruntled or terminated employees). It is smart business. It is a part of every acquisition’s due diligence, so it should be part of your exit strategy. And it will soon be required for operations anyway.
Why not plan, and profit from it, now?
For any U.S. business that spent 2018 gearing up to comply with the EU’s new privacy rules, the General Data Protection Regulation (GDPR), which took effect in May, the time and effort were well spent. One month after the GDPR took effect, California rushed through a new law, the California Consumer Privacy Act (CCPA), that clearly took inspiration from broad aspects of the GDPR.
If you’ve ever wondered why all the hullabaloo about cyber planning, here is a great example:
Equifax has said that it “owed no duty to safeguard the personal information of millions of consumers and financial institutions” affected by its massive 2017 data breach, and has asked to have the resulting lawsuits dismissed. (Daily Report, 24 July 2018.)
The claims of the affected financial institutions are, in essence, vendor management claims. Their success in court, and the likelihood that those banks can look to Equifax to make whole their losses, may depend in part on how good their contracts were with Equifax. The losses the banks suffered likely include costs of customer relations (phone, email, and other support), continued anti-fraud efforts in the aftermath of the breach, issuance of new cards or accounts or credentials to replace compromised accounts, and other direct costs.
To gain an idea of the scope of the potential loss to the banks, keep in mind that Target settled most of the claims relating to its 2013 data breach for about $100 million total. Of that money, $10 million went to consumers, and $60 to $70 million went to the banks that issued the affected cards, through settlements with Visa and MasterCard.
The commercial losses after a massive data breach usually dwarf the losses to consumers personally. Target was breached through network credentials stolen from an HVAC vendor. Equifax was breached when it failed to apply a single publicly available patch for a known vulnerability in the Apache Struts web framework it was running.
How good are your contracts with your vendors? Could they make you whole if you were fighting about whose responsibility it was to restore your business operations, buy new computer equipment, replace or rebuild your business data, handle your customer and client relations, pay the PR firm and lawyers, and more? Planning is easy, relatively inexpensive, and can flag many “little” details like standard contractual language. Taken together, these efforts can prevent greater losses later. #CyberForGrowth
A recent court dispute makes clear that there are many elements to cyber planning and protection for any company to consider. Although some do involve technical bells and whistles, many or most are merely business operation decisions involving non-technical matters. Just like other operational decisions, the success of these planning measures can have a direct impact on your bottom line.
The Spec’s Family Partners Ltd. v. The Hanover Insurance Co. case involves insurance coverage for a data breach. The insured retailer sought insurance coverage of losses incurred under its merchant account with a payment card processor. Because that account and those losses are governed by a merchant account agreement, the insurer denied coverage under the retailer’s cyber policy, citing the policy’s “contractual exclusions” clause. In other words: the insurer refused to pay for losses the retailer suffered because of the terms of its merchant account agreement. In the case, the appeals court ruled in favor of the retailer, saying that there are several non-contractual theories relating to the losses (costs), and that the trial court must consider those before ruling that the insurer may decline payment. The appeals court did NOT require that the contractual claims be considered, and so in effect it has implicitly endorsed the validity of the exclusion in the policy.
What does this mean for insureds, i.e., ordinary business operators?
First: vendor management is a critical part of cyber planning.
Where you can, try to negotiate for your vendors to take on part of the losses following a data breach; and if the breach is of their system, have your agreement specify that you are entitled to full coverage and remedies from the vendor. Where, as here, the vendor is likely a large market power and you have little basis to negotiate, at least understand what losses the contract apportions to you, so that you can tailor your insurance and other planning appropriately.
Second: cyber insurance.
The main rule of thumb is to have a policy. The corollary is to understand what it covers. They are not comprehensive, and not all policies cover all losses; in this way, they resemble the homeowner’s policy that may cover flooding but NOT sewage backup, depending on what you bought.
This “contractual claims” exclusion is common, and it generally means that the insurer will not cover any costs or losses you bear in a cyber-breach that are the result of a contractual provision with a third party. Thus, if you have a weak vendor contract and end up carrying the costs of a data breach because of that weak contract, you cannot count on your insurance to make you whole. In other words, you will have lost two chances to spread the risk and losses to third parties.
Although a contractual claims exclusion is common, such exclusions are by no means non-negotiable. There are carriers that do not use them, or that use them sparingly. Because so many breaches end up involving some form of third-party contractual dispute, it is worth shopping around on the front end to avoid finding that you are self-insuring all your contractual losses on the back end.
If you have received a deluge of emails regarding updated privacy policies from services you use, you are not alone. They relate to a new set of data privacy rules that went into effect across the European Union on May 25, known as the General Data Protection Regulation (GDPR). The new rules have sweeping implications for businesses around the world. In fact, Facebook and others have already been sued for non-compliance with the GDPR.
If you do business in the EU (including the UK, which has said it will honor the rules) in any way, it would be a good idea to check with counsel regarding whether your business must comply. Although the rules are designed to cover consumer privacy, the way they are written is very broad; B2B as well as B2C customers are affected.
Common facts that can subject you to the GDPR include having European sales or facilities, using cloud-based storage for your website or portal, performing services in the EU, serving customers located there, having employees there, having vendors there, and having European employees who work in the United States temporarily.
The fact that your company is US-based does not matter: the rules explicitly apply to any company handling the personal information of persons in the EU, regardless of the company’s location. In addition, if you serve customers who pass you EU data, they may ask you to certify your security practices or to sign a “Data Processing Agreement” that makes certain assurances about your practices.
In addition to their operational implications, the rules require notice of a breach of EU personal data to the relevant supervisory authority within 72 hours of becoming aware of it – a huge hurdle unless you have done some advance planning. Many companies are reviewing their privacy policies, work flows, employee policies, cyber preparedness planning, vendor agreements, and other matters in connection with the GDPR. Not all companies have to take a “scorched earth” approach to privacy, but nearly all companies would do well to consider their business and privacy practices and make adjustments where they can.
The rules as drafted leave a great deal of room for regulators to maneuver; they are often ambiguous. One part of the GDPR is very clear, however: fines for non-compliance can be assessed up to the greater of €20 million or 4% of global annual turnover.
Taylor English’s Data Security & Privacy Team is assisting the firm’s clients with assessment of the client’s exposure to the rules, policy drafting and review, contractual terms relating to the new rules, and liaison with security and technical resources. Our team has extensive in-house compliance experience, internationally and domestically, as well as broad expertise in the legal aspects of information security planning and incident response.
The continuing fall-out from the Equifax breach reported last month makes great headline fodder, and is really good for Congressional representatives eager to show themselves hard at work protecting voters.
It’s National Cybersecurity Month. You’d hardly know this momentous occasion was coming: in September of 2017, we kept waking up to headlines about hacks at major outfits such as Equifax, Deloitte, and the SEC.
If you have any business dealings outside the U.S., you may have heard about shifting data privacy laws in the European Union.
The General Data Protection Regulation (GDPR), the new EU-wide privacy rule, comes into effect in May 2018. Anyone who does business with residents of the EU will have to be cognizant of the GDPR’s provisions and pitfalls.
The Equifax hack announced on September 7, 2017, is very scary, and a reminder to lock up the company jewels. Most companies, however, will never face a catastrophic event involving an outside, malicious attack on the very core of their business.