By Rebecca L. Rakoski, Esq., co-founder and managing partner of XPAN Law Group, LLC, a boutique international cybersecurity and data privacy law firm.
In 2019, the global average cost of a data breach was $3.92 million, a 1.5 percent increase from 2018.[1] Organizations face an unprecedented number of attacks. And while the healthcare industry always seems to be at the top of any hacker’s hit list, the truth is that cyber attacks impact every industry.[2] Healthcare was the most expensive industry for data breach costs, with the total cost of a data breach in 2019 averaging $6.45 million. However, regardless of the size of the business, cybersecurity is a threat that needs to be addressed by all. Experts universally agree that it is not a matter of if an organization will be hit by a cyber attack, but rather when an attack will occur.[3] Add to that sweeping changes to data privacy laws (e.g. the California Consumer Privacy Act of 2018) and to breach notification laws (e.g. the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act), and it is no surprise that the costs of a data breach have doubled.
This series of articles will address how companies can realistically approach cybersecurity and data privacy in their daily operations. First, the series will explain the current legal landscape of data privacy and cybersecurity laws. Second, we will examine how organizations can address these issues and deal with the rapid changes in the legal landscape. Third and finally, the series will explore the tools and expertise organizations should be looking at to stay on top of (and hopefully ahead of) cybersecurity and data privacy issues.
But, before delving into solutions, the first question to answer when dealing with cybersecurity and data privacy is: what are the organization’s legal obligations?
Europe has significantly driven the conversation on data privacy, and by extension data security, since the enactment of the European Union’s General Data Protection Regulation (“GDPR”). The GDPR was adopted in April 2016 and went into effect on May 25, 2018.[4] The GDPR derives from the fundamental right to the “protection of personal data” under Article 8 of the Charter of Fundamental Rights of the European Union.[5] It applies to the “processing” and free movement of “personal data,” both terms being broadly defined.[6] The activities surrounding the processing of personal data do not necessarily need to take place in the Union, nor do they need to be economic in nature. In other words, the GDPR applies both within the EU and outside of it.[7]
This extraterritorial reach is one of the GDPR’s most significant features in terms of its global impact on data processing. We see the same extraterritorial obligation adopted in other laws and regulations that affect personal data, such as the California Consumer Privacy Act of 2018 (“CCPA”). And the idea of a law that follows the data makes complete sense: while laws have borders, data does not.
The CCPA applies to the collection of private information relating to a “consumer” (i.e. a “natural person who is a California resident”).[8] Here we again see the extraterritorial effect. The CCPA applies to organizations that “do business” in California, which does not necessarily mean the business must be physically located in California or registered as a business there. It applies generally to the “collection of private information.” However, that does not mean the CCPA applies to every business that collects data on California residents. There is a jurisdictional threshold: it applies to a business that (i) has gross revenues exceeding twenty-five (25) million dollars; (ii) buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices; or (iii) “derives 50 percent or more of its annual revenues from selling consumers’ personal information.”[9]
Finally, the New York Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act was signed into law on July 25, 2019. It broadens the scope of information covered under the previous New York breach notification law,[10] updates the notification requirements when there is a breach of data, and adds data security requirements for covered entities. Beginning on October 23, 2019, covered entities must comply with the updated notification requirements.[11] However, covered entities have until March 21, 2020 to comply with the proactive data security requirements. The SHIELD Act applies to any organization that collects data on New York residents. Again, we see the extraterritorial obligation: companies do not have to be registered to do business in New York; they need only collect data on New York residents.[12]
These are just three classic examples of recent laws in the area of data privacy and cybersecurity. However, it is important to keep in mind that this is not an exhaustive list. Other regulations, such as the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Massachusetts Standards for the Protection of Personal Information, the Illinois Biometric Information Privacy Act (“BIPA”), and the Nevada Internet Privacy Law, to name just a few, are rapidly changing the collection and processing of data within those regions.
And this does not even scratch the surface of data breach notification laws, which exist in all fifty (50) states, or of the case law, such as the Pennsylvania Supreme Court’s decision in Dittman v. UPMC.[13] The truth is that we are only beginning to deal with the legalities of data privacy and cybersecurity. This area is complex and rapidly changing, two aspects that also make it an exciting and fascinating area to study. As we continue to explore this developing field of law, this series will highlight new laws and how they intersect with and affect existing laws and regulations.
Nothing contained in this article should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.