Shahryar Shaghaghi, MSc, Principal and Cybersecurity and Privacy National Leader, CohnReznick
The year 2018 will be remembered as the end of the free-for-all era of internet privacy, brought down by a series of high-profile security breaches and scandals. 2019 will be defined by the reaction to this abrupt shift and by the growing public alarm over the types of data being collected about users, how it’s used, and how securely it is stored. Going forward, companies will be expected to demonstrate a commitment to accountability, lawfulness, transparency, and an intensive focus on data protection.
This paradigm shift is occurring at precisely the same moment that artificial intelligence (AI) and internet of things (IoT) innovations are delivering even more valuable insights via data. However, companies seeking to take advantage of these technologies should exercise prudence, lest they run afoul of a changing regulatory environment and increasingly wary consumers.
New legislation and a new data mindset
The implementation of two pieces of legislation will radically transform how companies approach data privacy: Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). California’s law is of particular interest since, by some metrics, it goes even further than the GDPR in protecting consumer data and because it applies to every company doing business in the state, regardless of where it is headquartered. This makes the CCPA a de facto national law, especially in the absence of superseding federal regulations.
Here are the most important things to know about the California law:
1. VIOLATIONS WILL BE EXTREMELY COSTLY.
Companies found to be in violation of the CCPA are liable for civil damages of $100 to $750 per user, which has the potential to add up to astronomical sums. What’s more, this mechanism empowers consumers and lawyers to seek damages, rather than any regulatory agency. This represents an enormous shift in risk from the past when data breaches were met with fines and temporary PR crises. As Jim Halpert, a data protection specialist at DLA Piper, points out, “Class action lawyers are motivated quite differently than regulators. They have the opportunity to file lawsuits, throw a lot of spaghetti against the wall, and extract a settlement.” CCPA’s potential for massive financial penalties fundamentally alters the risk versus reward calculus of data assets.
2. IT RADICALLY EXPANDS THE DEFINITION OF “PRIVATE DATA.”
The California law stipulates that if a company’s data is not encrypted or redacted and there is a breach, they are obligated to report it, thus inviting legal action. The protected data here includes not just credit card data but social security numbers, all government ID numbers, medical identifiers, and perhaps most crucially to marketers, smartphone IDs.
3. IT TAKES EFFECT IN JANUARY 2020.
Any entity with users in California has about a year to become compliant, which makes it extremely urgent for executives to fully grasp the significance of this legislation and restructure their policies accordingly.
4. IT’S A SIGN OF THINGS TO COME.
California’s legislators have signaled that they are open to amending the CCPA in places where it is unworkable for businesses, but while there may be a reprieve from some of the law’s excesses, there is no escaping the privacy backlash it represents. There are similar laws in Brazil, China and, of course, the EU, and many observers believe it’s only a matter of time before Congress passes federal data privacy regulations.
Getting a handle on your data
The rapidly changing legal environment means that companies are anxious to evaluate their data sharing models, but even getting a clear picture of the situation can be daunting. Shahryar Shaghaghi, a Principal with CohnReznick Advisory and national leader of its Cybersecurity and Privacy Practice, speaks to that challenge, saying, “Most companies today struggle with identifying and classifying data because the data has been extended outside of the enterprise, and there’s a lot of unstructured data as part of the business processes and transactions. Most companies don’t have a good handle on how to even identify personally identifiable information (PII) [data that could identify a particular individual] among millions of spreadsheets or thousands of PDF files that are being exchanged on payload, tied to emails and things like that.”Most companies don’t have a good handle on how to identify PII among millions of spreadsheets. Shahryar Shaghaghi Principal, CohnReznick National Cybersecurity and Privacy Leader
Mapping your data assets can be both difficult and expensive, and it only gives you a snapshot view unless you have a framework in place to keep track of how your data is moving and who is accountable for it. This complex and shifting landscape demands that businesses restructure their relationship with data on multiple fronts: not merely legally, but culturally and strategically. Taking on this task requires a top-down approach. In addition to ensuring regulatory compliance, the following strategies may also be the best way to ensure organizational readiness against traditional cyberattacks:
1. RESTRUCTURE DATA GOVERNANCE.
In the past, data management responsibilities were often divided between a legal office, an IT security team, and marketers, each of whom had different skill sets and frequently divergent priorities. Companies hired chief data officers in order to develop a unified data privacy strategy, which had mixed results. Now we are witnessing the evolution of the Chief Privacy Officer, who is focused on driving strategy and policies related to data privacy. Representatives from different departments can still bring their unique perspectives, but new data opportunities must be weighed from a risk/reward mindset that recognizes data as a valuable asset, but also an asset with serious risks if managed incorrectly.
2. CONDUCT AN IMPACT GAP ASSESSMENT.
3. UPDATE OVERALL STRATEGY.
Tech companies whose business models involves data monetization practices that are not transparent to users will have to start addressing difficult questions about how to adapt their business model to this period of greater risk. Shaghaghi says, “If your products and services are based on a set of principles that is opposed to this upcoming evolution of data management practices, then you’ve got a major problem on your hands in terms of how you need to change your strategy.”
Familiar threats with new defenses
Malicious intrusions will continue to be a major concern in 2019 and no one will be immune. Halpert describes the situation in stark terms, “Eventually there will be a successful penetration of a company’s systems, inevitably. The question is really whether the company is resilient, whether it’s flexible and able to respond quickly to attacks.”
The good news is that both regulators and the public at large will extend patience to companies that can show they are making a good faith effort to address privacy concerns. Companies that take immediate steps to secure, encrypt, and track sensitive data will have a better chance of emerging unscathed from crisis. In today’s privacy-conscious environment, the time to take action on data protection is now—before the inevitable breach takes place.
Shahryar Shaghaghi, Principal – National Cybersecurity and Privacy Leader