Data Privacy & Negligence:
3 Steps to Prevent Class Action Lawsuits
Data privacy is a fundamental right; individuals should own their own data. Although regulators have imposed fines on businesses that fail to comply with data privacy regulations such as the GDPR, the CCPA and the NYPA, and those fines have drawn public outrage, the financial penalties initially proved too small to drive broad compliance. Class action lawsuits are now beginning, however, and they bring significant financial and reputational damage to the businesses on the receiving end.
The days of collecting and selling individuals’ data without permission are over. Companies need to learn how to operate in this new reality in a way that both respects customer data privacy and still allows them to operate effectively. Fire is an apt analogy: it can be harnessed for warmth and to cook food, but it can also burn down your house if the correct controls are not in place.
Companies that do not comply with data privacy regulations will inevitably be exposed by the See-Through Economy. Once the story reaches social media, they no longer control the narrative. Instead of looking the other way, companies need to proactively address any gaps in their compliance around individual data. Taking a risk-based approach to data privacy protection gives companies documented evidence that they were not negligent should they receive a complaint, face a lawsuit or suffer a data breach.
Three things Risk Managers can immediately do to ensure they avoid these costly consequences are:
- Assess and rank all data privacy vulnerabilities, starting with the most egregious, and implement risk mitigation programs in that order.
- Develop a security incident response plan: a breach occurring is not in itself grounds for a successful claim against you, but negligence in preventing or responding to it is.
- Establish cross-functional alignment with all internal stakeholders. It truly takes a village to ensure that your vulnerabilities are mitigated.
How Did We Get Here?
Data overload.
As technology continues to advance, the embedding of it into all facets of our lives is accelerating. From POS systems and banking applications, to thermostats and our beloved cell phones, everything shiny and new is “smart.” Our information is scanned, processed and analyzed in the blink of an eye. The past decade has been one of unparalleled innovation, and if 2020 taught us anything it’s that this trend isn’t decelerating any time soon. The world is migrating towards a remote operating model, and this is a trend that is only expected to continue post-pandemic.
Every interaction we have with technology contributes to our digital profile – and can be bought. Our information is in high demand by businesses. When leveraged appropriately (and with permission), personal data can be used to curate a better, more relevant customer experience. When misused, as it often is, it creates a barrage of unwanted marketing messages.
Customer data protection regulations across the globe are sporadic and inconsistent in their requirements, often leaving gray areas and room for interpretation. These regulations are also often enforced on a local or state level. The European Union (EU), however, began increasing blanket privacy protections for its residents on a large scale several years ago in an effort to protect their citizens and ensure businesses were enabling sound practices.
The EU: Leading the World in Data Privacy Protections
The Data Governance Act is a regulation on EU and EEA data governance proposed by the European Commission (EC) on 25 November 2020. Where the GDPR governs personal data, this act aims to create a data market that makes data transfers to businesses more efficient by providing protections for corporate and public sector data. Its agenda focuses on the agricultural, environmental, energy, finance, healthcare, mobility and public administration sectors.
The wide-sweeping Data Governance Act is the EC’s way of leveraging more data for good, while increasing public trust in sharing that data. This new regulated market generates new opportunities for innovation: medical tests could be used by businesses to work on treatments; climate change research may lead to the development of more precise farming tools; healthcare data can be enabled to produce better and faster diagnoses. With the amount of data being produced in the coming years, the possibilities will increase exponentially.
The 2020 European Strategy for Data mandate is meant to create new ways of sharing data that is collected by companies and the public sector, or is freely shared by individuals, while increasing public trust in data sharing. This is a carrot and stick approach: those organizations that are in compliance with these EU mandates will benefit, while those that are not will be disadvantaged.
So what’s at stake here? Companies that fail to comply with these new mandates face fines, lawsuits and exclusion from a data market of 27 member countries with a total population of 446 million. Keep in mind that transatlantic digital trade is worth $7.1 trillion (£5.6tn) and involves more than 5,300 companies, 65% of which are small and medium-sized enterprises (SMEs).
New regulations and laws are sprouting up everywhere today, so how can your organization ensure data privacy compliance in this ever-changing landscape? The key is a comprehensive approach to risk management that covers data and provides transparency across all processes, people and policies, since legal and regulatory obligations that are only indirectly related to the GDPR are critical for interpreting new laws and regulations.
Negligence in Risk Management
Today, consumer opinions have more power than ever. We’re rarely found without a smartphone, tablet or laptop nearby. Our devices are all-consuming, and the more we use them, the more we share – but whether we’re liking a photo, writing a review or retweeting an article, sharing our thoughts and behaviors involves a lot more than we’re made consciously aware of.
In the past, a company’s response to a scandal made an impact on their reputation. While it still holds weight, nowadays, that press release is instantly drowned out by the opinions circulating online by customers, competitors, influencers and other curious onlookers. At LogicManager, we call this phenomenon the See-Through Economy. Because the See-Through Economy heightens the implications of a scandal, it also heightens the urgency for preventing negligence: the leading cause of scandals.
Corporations have been recognized by the highest courts as having rights and responsibilities comparable to those of natural persons. In other words, they are granted a form of citizenship and are expected to uphold corporate social responsibility and conduct business responsibly. The GDPR and other privacy laws are not simply IT governance check-the-box exercises; without managing these obligations through a comprehensive enterprise risk management (ERM) approach, information slips through the cracks and before you know it, you’re being served (and then turned into a viral meme).
Class Action Lawsuits
Let’s talk about the consequences for neglecting to protect your customers’ data privacy.
In October 2020, the UK Information Commissioner’s Office (ICO) announced that it had fined Marriott International £18.4 million and British Airways (BA) £20 million. Although both final penalties were reduced significantly from the amounts the ICO had initially proposed, in light of each company’s mitigation and response, they were the largest the ICO had issued under the GDPR to date. So where did they go wrong?
Marriott suffered a security breach that affected an estimated 339 million guest records globally, with seven million records relating to individuals in the UK. The compromised data included names, email addresses, phone numbers, passport numbers, arrival and departure information and loyalty program information. The ICO found that Marriott had failed to put appropriate technical and organisational measures in place to secure personal data, identifying specific failures to monitor privileged accounts and databases, to identify and remediate vulnerabilities on servers and to protect personally identifiable information (PII).
The BA network experienced a cyber attack that enabled unauthorized access to the personal information of more than 400,000 customers. According to the ICO, the attacker gained access to the BA network through a remote access gateway using the credentials of an employee of a third-party supplier, and was then able to harvest customer names, addresses, payment card numbers, CVV security codes and more. The ICO also found that BA had breached Payment Card Industry Data Security Standard (PCI DSS) requirements in relation to how it stored payment card data.
Despite the penalties imposed on Marriott and BA, the victims of these data breaches, their customers, did not feel that justice had been served, and numerous class action lawsuits followed against both companies. These lawsuits are among many emerging across Europe, where suing for privacy rights through an independent law firm was once rare. The trend shows that major regulations like the GDPR have made Europeans more aware of their privacy rights.
In response, the EU adopted the Representative Actions Directive in November 2020. Member states must transpose it into national law by the end of 2022, and it requires all 27 of them to provide a collective redress mechanism for consumers that functions much like a class action lawsuit. The damages claimed in such actions could well exceed the regulators’ fines.
Solution: Taking a Risk-Based Approach to Data Privacy Compliance
As a risk management company, privacy and data protection are core to our belief system. LogicManager has been and will continue to be an advocate for strong data governance and the protection of personal information. We believe that taking a risk-based approach to data privacy management is the best way to protect your business and customers alike.
But how do you know where to start? Consider the following strategies for beginning to take a risk-based approach to data privacy today:
- Identify and assess your most critical and egregious vulnerabilities. A good place to start is with a comprehensive risk assessment or Privacy Impact Assessment (PIA), a process which assists in identifying and managing the privacy risks arising from new projects, initiatives, systems, processes, strategies, policies, business relationships and more.
- Take negligence off the table as soon as possible. Putting risk management best practices in place safeguards your organization from negligence, because you’re bringing important information to the forefront of your governance activities. If there is an emerging threat, you’ll know about it and will then be enabled by your controls and policies to do something about it.
- Take the stigma out of mitigating data privacy risk. As risk managers, we know that it takes a village to launch your strategic risk activities into core business processes. Drive engagement across your enterprise by communicating the why behind your work with leadership, cross-functional teams, the board and other stakeholders. Understanding fosters transparency and enables everyone to prevent risks before they manifest into a scandal.
LogicManager is built on a foundation of risk-based best practices and streamlines your due diligence efforts so that you can focus on helping your business excel (while we keep your organization in compliance with privacy laws). Here’s how you’ll be set up for success with our software solutions:
- Leverage robust GDPR and Privacy Incident Management solutions.
Meet the heightened obligations of handling personal data with our comprehensive point solution packages. From GDPR compliance, to Privacy Incident Management, Data Subject Access Requests, IT Risk Assessments, and more, these packages are designed to be used out of the box, yet can be customized to fit your unique needs.
- Gain a holistic view of your enterprise.
Yes, data sounds like it belongs to IT, and yes, it’s a regulation so Compliance should be involved as well. But realistically, data of all types runs through every single department across the organization. Therefore, the best way to comply with regulations like the GDPR is to integrate every department into the compliance process. LogicManager’s GRC foundation addresses these interdependencies by providing an enterprise-wide view of your risk and compliance efforts.
- AI that helps you work smarter, not harder.
We want to help you address compliance requirements as efficiently and effectively as possible. Chances are, there are regulatory concerns you’re already addressing within other activities at your organization – but that might not be clear upon first glance. LogicManager’s AI functionality, “Taxonomy Insights,” automatically suggests mitigations based on insights pulled from all other departments so that nobody repeats their work.
Investing in an intelligent risk and compliance technology like LogicManager not only protects your business from the bad, but it promotes good governance. Good governance helps you maintain consumer trust, foster positive community relationships and uphold corporate social responsibility so that you can succeed in today’s See-Through Economy and beyond.