The prevalence and cost of data and privacy breaches are old news, yet both continue to rise year after year. According to the 2015 Ponemon Institute Cost of Data Breach Study: Global Analysis, in 2015 the average total cost of a data breach increased from $3.52 million in 2014 to $3.79 million, and the average cost of each lost or stolen record increased from $145 to $154. While that amount of money is certainly a big blow to large companies, it is ruinous to mid-sized and small companies. In its 2014 Midsize Business Monitor, the Hartford found that 4 in 10, or approximately 43%, of midsized businesses had experienced a data breach in the past 3 years. Recent studies show that over 90% of all breaches occur at small businesses. It is imperative that every company with an online presence or mobile app consider the risks and consequences of a data or privacy breach when creating its business model, marketing plan, and product or service development. The examples that follow shed some light on how non-compliance with data and privacy regulations has led many companies to enormous financial losses and government penalties.
Privacy Breach Examples
I. Singapore’s Personal Data Protection Commission investigated 3,700 valid complaints under the Do Not Call Registry provisions within five months of their taking effect.
The Do Not Call Registry provisions under Singapore’s Personal Data Protection Act of 2012 went into effect on January 2, 2014. By May 2014, the Personal Data Protection Commission had already investigated valid complaints against 680 organizations. The Commission issued a press release on May 23, 2014 detailing its investigation efforts to date, including its identification of at least one agency against which the Commission intended to file charges in the State Courts on June 4, 2014. Under the PDPA, any person found guilty of sending telemarketing messages to Singapore telephone numbers without checking the DNC Registry is liable for a fine of up to S$10,000 per message sent.
The Chairman of the Commission said “[t]he Personal Data Protection Commission is serious about compliance with the DNC requirements in the Personal Data Protection Act.” He also confirmed the Commission’s commitment to “monitor compliance with the requirements in the PDPA, including those relating to data protection, once the Act is fully in force on 2 July 2014.”
II. The UK Court of Appeal allows breach of privacy case against Google to go forward despite Google’s attempt to block the suit.
In March 2015, the Court of Appeal denied Google’s attempt to block a suit filed against it for violation of privacy rights. In Vidal-Hall v. Google, the claimants alleged that Google violated their privacy rights by collecting private information about their Internet usage through their Safari browser without their consent or knowledge. Court documents filed by the claimants’ attorneys argued that Google’s “clandestine tracking and collation” of their Internet usage through cookies was illegal under European law. While the Court of Appeal did not issue a ruling on the merits of the case, it made an impactful ruling on the elements of the claim and the jurisdictional issues raised.
The three key rulings are:
- Under the Data Protection Act, it is now sufficient to allege emotional distress alone. It is no longer necessary to establish pecuniary loss or damage to bring a claim under the DPA.
- Under the DPA, it is arguable that browser-generated information constitutes “personal data.”
- For purposes of out-of-jurisdiction service, misuse of private information should be classified as a tort.
III. Through US Federal Trade Commission Settlements, many US companies have been required to establish comprehensive privacy programs.
In 2012, the FTC accepted a final settlement with Facebook resolving charges that Facebook deceived customers by telling them they could keep their information private but then repeatedly allowing it to be shared and made public. As part of the required privacy program, Facebook must obtain biennial privacy audits by an independent third party.
2012 also saw the largest FTC civil penalty ever imposed for violation of a commission order. Google Inc. agreed to a $22.5 million penalty to settle FTC charges that it misrepresented to users of Apple Inc.’s Safari Internet browser that it would not place tracking cookies or serve targeted ads to those users, which violated an earlier privacy settlement between Google Inc. and the FTC. In regard to the enormous penalty, the FTC Chairman said “[n]o matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”
In 2014, the FTC approved a final settlement with Snapchat resolving charges that it deceived customers with promises about the disappearing nature of messages sent through the app, the amount of personal data collected, and the security measures taken to protect that data. The comprehensive privacy program Snapchat was required to implement must be monitored by an independent privacy professional for 20 years.
Data Breach Examples
I. A federal judge gives preliminary approval to Target’s $10 million data breach settlement.
During the 2013 holiday season, Target acknowledged that hackers had stolen the credit and debit card information of 40 million Target customers and, later, the email and mailing addresses of between 70 million and 110 million customers. This past March a federal judge gave preliminary approval to a $10 million settlement in a class action suit filed on behalf of Target customers. Target could still face lawsuits from several credit card companies, as well as fines and penalties imposed by state and federal agencies, including the state attorneys general, the FTC, and the Securities and Exchange Commission. Target estimated that by the end of January 2014 it had already accrued $225 million of expenses related to the data breach.
II. AT&T enters into largest data breach settlement with the FCC to date.
In April 2015, the FCC announced a $25 million settlement with AT&T Services Inc. resolving allegations that AT&T failed to protect the confidentiality of consumers’ personal information, resulting in data breaches at AT&T call centers in Mexico, Colombia, and the Philippines. The breaches affected almost 280,000 US customers and included unauthorized access to customers’ names and full and partial social security numbers.
Data and Privacy Breach Prevention Tips
I. Know and understand the data protection and privacy laws and regulations of each market you enter. It is not enough to just know the law; a good degree of understanding is necessary in order to comply with it. An example in the context of data protection would be understanding how different terms are applied in different jurisdictions, e.g., “personal data,” “privacy,” “document,” etc. Any US company that does business with EU citizens and then transfers personal customer data outside of the EU will need to consider alternative data transfer frameworks instead of Safe Harbor, since that program was ruled invalid by the Court of Justice of the EU.
II. Have a breach prevention and response plan in place. For the first time, in 2015 the Ponemon Institute Cost of Data Breach Study: Global Analysis looked at the benefits of the active involvement of company executives and the board of directors. The Study found that board involvement decreased the per-record cost by $5.50. Consider consulting a privacy professional for guidance on how to implement a program that is appropriate for the company’s needs. Make sure the plan is known and understood by all employees; both initial and regular training and monitoring may be necessary. Consider regular audits by an independent third party, annually or biannually. Look into the benefits of data breach insurance: the Study found that insurance protection reduced the per-record cost by $4.40.
III. The protection-by-design approach can reduce breach risk and make a prevention and response plan more manageable. Rather than involving attorneys during the late stages of the development of a product or service, get them involved during the planning and design stages. It is a waste of time and money to learn after, or in the final stages of, development that data and privacy protections weren’t considered and built in. Amendment 37 of the current draft of the EU General Data Protection Regulation provides that “[t]he principle of data protection by design require data protection to be embedded within the entire life cycle of the technology, from the very early stage, right through its ultimate deployment, use and final disposal.” The European Union Agency for Network and Information Security recently published an in-depth guide, Privacy and Data Protection by Design—from policy to engineering. This guide provides an overview and analysis of the policies behind the protection-by-design approach, as well as privacy design strategies and techniques.
With the high cost and likelihood of a data or privacy breach in business today, it is important to understand the risks and consequences associated with a breach. Three things that may help to prevent a breach, or to contain and control its consequences, are: knowledge and a solid understanding of data and privacy protection laws, the creation and implementation of a thorough breach prevention and response plan, and the use of the protection-by-design approach in the development of your products or services.