With more states and countries adopting disparate privacy regulations, organizations could all too easily run afoul of them. How will your organization stay compliant?

By Nicoletta George, Global Underwriting Manager, General Liability, AXA XL

In Nevada, privacy laws require websites to provide opt-out options for consumers with regard to their personal data being sold to third parties. In Arizona, an e-book law prohibits any publicly funded library from disclosing any record or information on users of the library requesting or obtaining materials or services, or . Connecticut employers must give.

Right now, in the US, there are 32 states with either fully signed privacy laws (four) or bills in . In each case, the state privacy laws, or proposed laws, vary widely. California, Colorado, Utah and Virginia, for example, have enacted .

When looking beyond the US, privacy laws become even more complex. As of April 2022, 137 out of 194 countries have legislation in place that protects data and privacy, and . Just 15% of countries have no legislation in place or in the works.

As more countries and jurisdictions adopt data privacy laws, organizations will be required to maintain the online privacy of their customer, employee, and vendor data. One of the more comprehensive data privacy laws took effect in May 2018. The General Data Protection Regulation (GDPR) regulates data protection in the European Union (EU) and the European Economic Area (EEA), and businesses must comply even if they are not located in the EU/EEA.

One of the most stringent privacy regulations, GDPR gives control of personal data back to the individual and addresses data transfer outside of the EU/EEA jurisdiction. Post-Brexit, the UK is no longer subject to the EU/EEA GDPR but has the UK GDPR. is the UK’s version of the GDPR.

The Cost of Noncompliance
As stricter privacy laws continue to be adopted, it falls on the organization to be aware of each jurisdiction’s privacy regulations and understand how to implement safeguards to protect personal data. For example, in February 2022, the Illinois Supreme Court ruled that BIPA (Biometric Information Privacy Act) claims are not barred by the exclusivity provisions of the Illinois Workers’ Compensation Act. This decision may have set the precedent for future Employers Liability claims for alleged violations of employees’ statutory rights under BIPA.

In April 2022, the U.S. District Court in the Northern District of California approved an $85 million settlement between Zoom Video Communications and 150 million class members for the violation of privacy rights by sharing personal data with companies such as Facebook and Google and for permitting hackers to disrupt meetings (San Jose Inside).

Then there are the outsider attacks. While many hackers do target the systems of larger organizations, smaller entities increasingly find themselves the victims of a data breach, as well. No matter the size of the organization, hackers are looking for easy access. Too often, organizations mistakenly believe they have little data of value that would attract a hacker.

Yet, in nearly every industry, there has been a significant increase in the number of breaches over the last two years. And such breaches can be devastating from a cost perspective. Just one data breach can add per-record fines () and penalties for noncompliance.

Then there’s the impact on business. Depending on the size of the breach, one incident can halt business operations. Starting back up requires an investigation, a forensics examination of systems to ensure they are secure, and then the restarting of operations. With the , a small business could experience devastating loss in just one incident.

Putting Protections in Place
Knowing what regulatory requirements you have to comply with is often a moving target. You will need to understand the requirements for not only where your organization is located and conducts business, but also everywhere your customers are. This becomes more difficult for organizations with an online sales presence. However, awareness of the rules is the first step toward implementing the appropriate checks and balances for an organization in terms of both security posture and appropriate privacy programs. Where are your networks and systems located? How quickly can your team respond to a breach or any incident of compromised data? Will your system be segregated from the rest of your network, or will you have to halt operations to investigate?

Best practices for a comprehensive data breach response will include:

  • Consideration of various breach scenarios
  • Identification of your incident response team, including outside support teams
  • Consideration of applicable privacy laws
  • A step-by-step response plan in place
  • Paper copies of all emergency contact information, including team contacts
  • A post-breach review process in place to prevent future breaches that is updated and reviewed regularly
