Cyber and Privacy: The shifting landscape of keeping information private

Authored by AXA XL Global Underwriting Manager, General Liability Nicoletta George

With more states and countries adopting disparate privacy regulations, organizations could fall afoul of privacy regulations far too easily. How will your organization stay compliant?

In Nevada, privacy laws require websites to provide opt-out options for consumers with regard to their personal data being sold to third parties. In Arizona, an e-book law prohibits any publicly funded library from disclosing any record or information on users of the library requesting or obtaining materials or services, or even using the library. Connecticut employers must give written notice to all employees prior to engaging in electronic monitoring.

Right now, in the US, there are 32 states with either fully signed privacy laws (four) or bills in various stages of consideration (28) . In each case, the state privacy laws, or proposed laws vary widely. California, Colorado, Utah and Virginia, for example, have enacted comprehensive consumer data privacy laws.

When looking beyond the US, privacy laws become even more complex. As of April 2022, 137 out of 194 countries have legislation in place that protect data and privacy, and 9% more have draft legislation. Just 15% of countries have no legislation in place or in the works.

As more countries and jurisdictions adopt data privacy laws, organizations will be required to maintain the online privacy of their customer, employee, and vendor data. One of the more comprehensive data privacy laws took effect in May 2018. The General Data Protection Regulation (GDPR) regulates data protection in the European Union (EU) and the European Economic Area (EEA), and businesses must comply even if they are not located in the EU/EEA.

One of the most stringent privacy regulations, GDPR gives control of personal data back to the individual and addresses data transfer outside of the EU/EEA jurisdiction. Post-Brexit, the UK is no longer subject to the EU/EEA GDPR but has the UK GDPR. The Data Protection Act 2018 is the UK’s version of the GDPR.

The Cost of Noncompliance

As stricter privacy laws continue to be adopted, it falls on the organization to be aware of each jurisdiction’s privacy regulations and understand how to implement safeguards to protect personal data. For example, in February 2022, the Illinois Supreme Court ruled that BIPA (Biometric Information Privacy Act) claims are not barred by the exclusivity provisions of the Illinois Workers’ Compensation Act. This decision may have set the precedent for future Employers Liability claims for alleged violations of employees’ statutory rights under BIPA.

In April 2022, the U.S. District Court in the Northern District of California approved an $85 million settlement between Zoom Video Communications and 150 million class members for the violation of privacy rights by sharing personal data to companies such as Facebook and Google and for permitting hackers to disrupt meetings. Federal Court OKs $85M Privacy Settlement for Zoom App Users Nationwide | San Jose Inside.

Then there are the outsider attacks. While many hackers do target the systems of larger organizations, smaller entities increasingly find themselves the victims of a data breach, as well. No matter the size of the organization, hackers are looking for easy access. Too often, organizations mistakenly believe they have little data of value that would attract a hacker.

Yet, in nearly every industry, there has been a significant increase in the number of breaches over the last two years. And such breaches can be devastating from a cost perspective. Just one data breach can add per-record fines (the average is approximately $1000 per individual record) and penalties for noncompliance.

Then there’s the impact on business. Depending on the size of the breach, one incident can halt business operations. Starting back up requires an investigation, a forensics examination of systems to ensure they are secure, and then the restarting of operations. With the cost of a single data breach averaging $149,000, a small business could experience devastating loss in just one incident.

Putting Protections in Place

Knowing what regulatory requirements you have to comply with is often a moving target. You will need to understand the requirements for not only where your organization is located and conducts business, but also everywhere your customers are. This becomes more difficult for organizations with an online sales presence. However, awareness of the rules is the first step toward implementing the appropriate checks and balances for an organization in terms of both security posture and appropriate privacy programs. Where are your networks and systems located? How quickly can your team respond to a breach or any incident of compromised data? Will your system be segregated from the rest of your network, or will you have to halt operations to investigate?

Best practices for a comprehensive data breach response will include:

• Consideration of various breach scenarios
• Identification of your incident response team, including outside support teams
• Consideration of applicable privacy laws
• A step-by-step response plan in place
• Paper copies of all emergency contact information, including team contacts
• A post-breach review process in place to prevent future breaches that is updated and reviewed regularly