It is becoming very expensive to fall short of data privacy compliance. Regulators have imposed fines and penalties of varying size for years, but the European Union's new General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, raises the stakes considerably. It allows for administrative fines of up to 20 million euros or 4% of a company's total worldwide turnover for the preceding financial year, whichever is higher. Note that these fines apply to infringements of the regulation generally, not only to security breaches, and the amount depends on factors such as the "nature, gravity and duration" of the infringement and the "categories of personal data affected."
Our right to privacy is fundamental to all of us. Privacy is power: control over oneself. Since the birth of the internet, more and more of our lives has been conducted online, which makes privacy even more crucial. The "special categories" of personal data defined in GDPR Article 9 acknowledge that certain aspects of our lives are so sensitive that their exposure can cause disproportionate harm. These categories cover racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation.
Trends in Global Privacy
Around the world, this notion is taking on quite varied forms. The European Union is moving toward recognising digital privacy as a basic human right, and other nations are following suit with local legislation that offers comparable safeguards. For now, the United States remains a notable holdout, with no general privacy law at the federal level; even here, though, personal health information (PHI) has had sector-specific protection under the Health Insurance Portability and Accountability Act (HIPAA) since its enactment in 1996.
All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands now have breach notification laws for the first time. While these laws differ in their details, they generally require private organisations to notify affected individuals, and usually the state attorney general, of any security breach or unauthorised exposure of personally identifiable information (PII).
These laws centre on data elements such as social security and driver's licence numbers, date and place of birth, age, marital status, race, salary, phone number, and other demographic or financial data. Given recent headlines and most people's experience dealing with the fallout from repeated credit card and large-scale PII breaches (Equifax, for example), it is easy to see why keeping this sensitive information confidential matters so much.
The Price of a Breach
Recent data breaches have resulted in CEOs being hauled before Congress, millions of dollars in penalties, and hundreds of millions of dollars in remediation and litigation expenses.
Equifax (2017) – PII of 146 million people: estimated cost of $439 million to $600 million
Anthem PHI breach (2015) – PHI of 80 million people: $260 million in remediation; penalties still being challenged
Target credit card breach (2013) – PII of 70 million people: $372 million in fines, penalties, and remediation
According to a 2017 IBM-sponsored study, the average cost of a data breach for firms of all sizes worldwide is $3.62 million, or $141 per record. When a third-party service provider caused a data breach, the New Jersey Attorney General fined a medical practice $418,000, roughly $260 per patient record. The Ponemon Institute, which conducted the IBM study, reports that even a single employee's lost or stolen laptop can cost up to $50,000 once all the required legal notifications are made.
Every federal and state authority with privacy enforcement jurisdiction imposes harsher penalties for wilful or uncorrected violations. Some fundamental practices for preventing, detecting, and mitigating a privacy compliance failure are as follows:
Create and maintain a thorough information security policy and programme.
Segment systems that hold sensitive or critical data from the rest of the network.
Ensure that all systems are securely configured and patched on a regular basis.
Use encryption to protect sensitive and critical data, both at rest and in transit.
Limit access to the minimum necessary to do the job (least privilege).
Implement thorough logging, monitoring, and alerting for critical events that may indicate a breach.
Establish, and regularly test, a solid incident response and breach notification procedure.
Conduct independent third-party security assessments on a regular basis.
What Should You Do Next?
While remediation and notification are costly, failing to comply with privacy laws can be even more costly. Prevention is cheaper than cleanup, and preparation is preferable to litigation. The growing privacy compliance obligations can be difficult to understand and apply, so when in doubt it is wise to seek outside guidance. Furthermore, conducting or managing information security and data privacy assessments under the direction of legal counsel may bring them within legal privilege should litigation ever arise.