Data protection and privacy concerns rank among the most pressing issues of our age, with accompanying laws attaining an ever-increasing level of importance. Certainly, new cyber security and data protection regulations issued by the New York State Department of Financial Services and the forthcoming EU General Data Protection Regulation aim to meet the need for robust legislation and strict enforcement. In a rapidly evolving global business environment, one thing seems certain: data protection and privacy laws will not stand still – and neither can the organisations subject to them.
Pfeifle: Could you outline how data protection and privacy laws are impacting companies in your region? Are any recent developments having a strong resonance?
J. Cohen: In New York, new cyber security and data protection regulations issued by the New York State Department of Financial Services (DFS) for banks, insurance companies and other financial institutions regulated by the DFS became effective on 1 March 2017. There is a phase-in period for compliance, so financial institutions in New York are working to conform their practices to the new regulations. Many of the requirements were already addressed in existing regulatory and technical guidance so may not require action, but other requirements are new. For example, New York financial institutions must have written policies in place governing access to and use of non-public information by the institutions’ third-party service providers.
Lehmann: There are three major issues that should attract the attention of most German companies. Namely, the threat of cyber attack, the future of transatlantic data transfers and preparations for the General Data Protection Regulation (GDPR), which comes into force in May 2018. Recently, there have been a number of cyber attacks, ranging from the theft of valuable data, to the destruction of infrastructure. Most companies fear such an attack and have tried to step up their protective measures accordingly. Those German companies that rely on the transfer of data to the US are worried about what the new US administration is going to do about the protection of data, particularly the data of European citizens. The early signs have been unsettling; the Trump government has already announced that there will be less protection for European data. Further, the standard of protection offered to the data of US citizens has also recently been reduced. Finally, and naturally, everybody should prepare for the GDPR.
Bullwinkel: Asia is in the middle of a digital transformation powered by data. Across the region, millions of connected devices and rapidly improving infrastructure are generating enormous opportunities. With those opportunities comes a responsibility to keep collected and processed data safe and secure. Data protection legislation is key in providing appropriate rules around how personally identifiable information is collected, used and safeguarded, and we consider them of fundamental importance. We have been heartened by the enactment of privacy laws over the last few years in countries like Singapore and Malaysia, which require data to be treated respectfully, while also providing the flexibility that is required by organisations that do business regionally and globally to be able to move such data across borders, where needed and so long as the security and integrity of that data can be maintained. Against this backdrop, organisations are investing more time and resources than ever before in understanding data protection and privacy laws and implementing compliance programmes.
Howie: A number of laws recently passed globally are affecting all multinational companies. The largest is the EU’s GDPR. Any global company, whether it has a presence in Europe or has European customers, will need to comply with GDPR. Companies will need to make a decision whether to apply GDPR to just EU operations, or adopt it globally. Most companies are likely going to adopt it globally, so as to have a single data protection and privacy programme. Next, data localisation laws are forcing companies to revisit their strategies. For example, any company that does business in Russia will need to decide whether or not to place services in Russia if it is currently offering services to Russian citizens from outside Russia. The EU ePrivacy Regulation draft is also on the radar of many companies, if they offer communications services. Companies will need to consider whether or not to differentiate service in Europe to meet the requirements of the Regulation if it becomes law.
B. Cohen: The US takes a sectoral approach to privacy regulation, meaning that rather than having one comprehensive law regulating the privacy of personal data like in the EU, the US has multiple privacy laws impacting different types of data, like healthcare data and financial data. Companies therefore must take stock of the types of information they collect, assess the different laws that apply, and adjust their compliance procedures accordingly. Interestingly, one recent development impacting US companies is a non-US law, the EU GDPR, which applies, in part, to non-EU companies that offer products and services to EU residents. That law takes effect in May 2018, and carries a maximum penalty of 4 percent of a company’s global annual turnover. Because of this, some US companies are now starting to seriously assess their compliance with EU data protection law.
Pfeifle: In your experience, are company boards sufficiently aware of the amount of sensitive data they hold, handle and store? Do they fully appreciate the consequences that loss of such data could bring under privacy laws?
Lehmann: Most of the bigger companies are aware that data, and sensitive data in particular, is of great value and should, therefore, be carefully protected. The loss of such data would not only have legal, but often far worse practical consequences, such as reputational damage. Whether all companies are fully aware of the legal consequences of data loss is hard to tell however, though the consequences are severe. Not only could a serious fine be imposed, but notification duties could go as far as mandatory announcements in two major newspapers, informing the public that data has been lost.
Bullwinkel: Awareness of the amount of sensitive data that companies hold and the great responsibilities that come with being custodians of that data is growing at the board level. There are two key reasons for this. First, in the wake of recent high-profile data protection incidents, organisations in Asia are increasingly being held to account by their regulators. While financial sanctions are of course a concern, the bigger concern for many boards is the reputational impact that comes with being ‘named and shamed’, since most enforcement notices are public. Second, many regulations in Asia now specifically require boards to be involved in risk management decisions. For example, regulations in the financial services sector increasingly require board oversight and approval.
Howie: Many, but not all, company boards are aware of the need to protect the data that they hold about individuals, in part due to the size of fines in GDPR for non-compliance – 2 percent and 4 percent of global turnover and revenue respectively – but very few understand what data they have, how it is collected and protected and whether or not real revenue or value is derived from it. The risk picture is seriously underestimated.
B. Cohen: While most boards of major companies are generally aware of data privacy and cyber security risk and of the highest-risk data they process, they generally are not aware of the vast amount of data processed and how that data has propagated throughout the organisation. But in all fairness, the business often cannot answer this question for a number of reasons, including cheap storage, the free flow of data throughout an organisation and the immense task of data deletion. Some recent high-profile breaches, particularly those which have resulted in the firings or resignations of top officers, have gotten the attention of boards and senior executives with regard to the legal and reputational consequences a loss of data could bring. And no director wants to be the next to have his or her emails hacked and published on the internet.
J. Cohen: This varies by industry and company, but in general, most boards now understand that this is an area of risk that they need to consider like any other as part of good corporate governance. That said, some boards lack sufficient knowledge about their companies’ data processing practices to make informed decisions about that risk. In addition, in fairness to board members, these areas of technology and law are developing rapidly, so it can be challenging for boards to keep current. In particular, the regulatory landscape is evolving for companies that produce products for the Internet of Things. The Federal Trade Commission (FTC) recently broadened the definition of sensitive information to include data collected from users’ smart TVs and initiated an enforcement action against a company for failing to secure adequately its home security cameras that stream data to users’ remote devices.
Pfeifle: To what extent have regulatory authorities stepped up their data protection monitoring and enforcement efforts? Is this changing the way companies operate?
Bullwinkel: Monitoring and enforcement efforts are on the increase. Most of the ‘grace periods’ associated with new laws have expired and regulators are taking action against companies that fail to comply. In Singapore, for example, we saw a series of enforcement decisions last year – the first since the Personal Data Protection Act came into effect. It is telling that the most serious and high-profile breaches in the region are associated with security incidents, where organisations failed to ensure that data was protected to the necessary standards. To address the growing range of threats, from ransomware to theft of sensitive information, organisations are looking at how technology tools, such as encryption and identity protection based on international standards, can be used to enhance data security.
Howie: Under the Obama administration, the FTC appeared very willing to flex its regulatory muscles. Many companies took note and took steps to secure data they collected and stored. The former California State Attorney General (AG), Kamala Harris, in an annual report published in her last year in office, even went as far as to suggest what a reasonable standard of care was, that companies should follow to protect customer data. Again, many companies did take note. However, it is unclear what position the FTC will take under the new administration, and there is a new California State AG who has yet to set their priorities. The big unknown is what positions the supervisory authorities under GDPR will take. The supervisory authorities have expansive powers under GDPR, such as creating lists of high risk processing activities. Further, the European Data Protection Board, which will replace the Article 29 Working Party, shall have the power to issue binding rulings, rather than opinions, on a wide range of data protection topics.
B. Cohen: The FTC is the clear leader in consumer data protection and privacy enforcement in the US, and is into its third decade of enforcement of these issues, bringing multiple enforcement actions per year and investigating many more. It has increased its enforcement operations over the years, including the hiring of technologists who help investigative staff dissect complex technical issues more easily. States have also increased their activity, both in enforcing their own existing consumer protection laws, similarly to the FTC, and in enacting new data protection laws. Companies that have major, highly-publicised data breaches can count on receiving enquiries from both federal and state officials. This has had a significant effect on the way companies operate, as they now must often consider the various different sources of risk – from federal authorities, private authorities, private plaintiffs and others – when considering their data governance.
J. Cohen: The FTC has used its authority under Section 5 of the FTC Act to bring numerous enforcement actions based on companies’ data protection practices, and in some cases, such as Wyndham and LabMD, has engaged in protracted legal battles to establish its authority. The Federal Communications Commission (FCC) had more recently become active in this area. For example, in 2016, it and the FTC launched parallel inquiries into the practices of various mobile carriers and device manufacturers relating to mobile device security updates, which many thought signalled future collaboration with respect to privacy regulation. However, going forward, the extent of the FTC’s and FCC’s enforcement activities under the new administration is unclear.
Lehmann: Monitoring had already been stepped up the wake of the decision rendered by the European Court of Justice in the famous Schrems case, which indicated that the Safe Harbour regime did not offer enough protection. Several German regulators had sent thousands of letters to companies to question them about their international transfer of data. Since then, German regulators have conducted several further such campaigns. For example, they have asked law firms about their data protection provisions, or they have checked whether websites are compliant. It is to be expected that further monitoring activity will occur after the GDPR comes into force.
Pfeifle: In your opinion, are companies improving their understanding of data protection duties and confidentiality issues? How should they go about identifying and filling any knowledge gaps?
Howie: Any company of size that does business with European citizens, whether or not they have a presence in Europe, is trying to figure out how to implement GDPR. This is a boom time for consultants, and as the deadline for compliance approaches – 25 May 2018 – the demand will grow. Most companies are trying to hire staff with data protection and privacy experience, but these roles are hard to find. Many companies will look for lawyers to fill positions, but the reality is that qualified programme managers and technologists are the real skills they need, but probably do not realise it. Conferences, such as those run by the International Association of Privacy Professionals, and the training and certification schemes delivered by them, are also popular means of gaining an understanding of the challenges and requirements of GDPR. However, data protection and privacy law is constantly evolving globally, and it is possible that companies will focus too heavily on GDPR, and not pay attention to the likes of the recent Russian data localisation law.
Lehmann: Companies are definitely becoming more alert to data protection and data security issues. This is obvious by looking at the efforts that many put into improving both data protection and security, such as the measures that are being taken to ensure that staff are aware of the significance of data protection, as well as the money companies are spending on boosting their security measures. In order to achieve more data protection and security, it is advisable not just to consult the internal IT department but also enlist the expertise of an external adviser. The IT department, who were solely responsible for cyber security in the past, will, more often than not, have a problem admitting that there are serious gaps in their provisions or that they could have done a lot more. Moreover, one person with sufficient standing in the company should take the responsibility and get enough power to see such an evaluation though. Again, those persons should not be part of the IT department. Finally, the results should be shared with a wider circle of employees to check whether their daily practice matches the results of the evaluation because new organisational measures will not have the desired effect if they do not tie in with the everyday procedures of the company.
J. Cohen: While the understanding of data duties may not extend all the way to the board level in all cases, the people responsible for these matters on a daily basis are well aware of the requirements, particularly in regulated industries. Where we still see some gaps are in smaller companies and in less mature industries, both because they have fewer resources to devote to data protection issues and because there is less guidance for them to follow. Because this is a rapidly developing area of the law, there are many publications available online that can be helpful to companies seeking more information in this area. We recommend that companies identify several publications geared to their industry, follow those publications for updates and then follow up with counsel to understand how those updates apply to them.
B. Cohen: Companies are improving their understanding of these duties and issues because of the regulatory and reputational risks they face as a result of a breach, and because their customers and consumers care about the protection of their data. The heightened issue regarding data protection and confidentiality often trickles down to the negotiation of transactions in the insurance market, and with respect to compliance in general. Companies identify and fill knowledge gaps by first conducting a data inventory to ascertain the information they have on hand, and then by conducting a compliance assessment of internal data governance procedures against applicable laws, contractual obligations and cyber security standards. The legal and threat landscape is continually changing, so companies should dedicate ongoing resources to risk assessment and mitigation.
Bullwinkel: Many of the laws are new and guidance is being issued all the time, so compliance is a continuous process. One issue, which is perhaps surprising, is the level of ‘over-compliance’, where the laws are being interpreted too conservatively by some organisations. A good example is data transfers. Even though there are few, if any, blanket prohibitions on the transfer of personal data outside of countries in Asia, we still see some misconceptions which suggest that data must remain in-country. Given that 21st century business depends on the sharing of data and information across borders, this misreading of the regulations is a major issue for organisations and is slowing the pace of innovation. Fortunately, identifying and filling knowledge gaps is not as difficult as it used to be because regulators are going out of their way to issue helpful guidance. Take the recent Outsourcing Guidelines for Singapore’s financial institutions, issued by the Monetary Authority of Singapore – these made it very clear that data transfers are permitted. That green light unlocked the benefits of technologies such as cloud computing for Singapore’s financial institutions and their customers.
Pfeifle: Could you highlight any recent, high-profile data protection cases which exemplify the risks and challenges surrounding data protection and privacy laws?
J. Cohen: Following the massive Home Depot data breach in 2014, in which hackers breached Home Depot’s payment card data systems and stole the financial data of 56 million customers, shareholders filed a suit against the company’s directors and officers. The plaintiffs alleged that Home Depot’s directors and officers failed to put sufficient internal controls in place to oversee the risk of a data breach. These types of lawsuits are common following a data breach affecting a publicly traded company. In this case, decided in late 2016 by the US District Court of Georgia, Home Depot was able to show numerous instances of its audit committee receiving regular reports from management on data security matters, and the board in turn receiving regular briefings from both management and the audit committee. Thus, the record showed a board and audit committee engaged in cyber security oversight, which was key in helping the company’s directors and officers avoid liability.
B. Cohen: Last year, the FBI took Apple to court to force the company to decrypt an Apple-manufactured phone owned by a terrorism suspect. Apple had engineered its phones such that the company could not decrypt the phones as a matter of course; rather, the phones could only be decrypted by the owner, who in this case was deceased. The FBI tried to force Apple to break the encryption of its phones, which Apple fought in court, with support from other companies in the US technology industry. Ultimately, the FBI figured out another way to decrypt the phones, leaving the legal issue for another day, but companies – and in particular computing device manufacturers and cloud service providers – must consider how the structure of their services might facilitate or obstruct law enforcement investigations, and how they will react.
Bullwinkel: The recent enforcement cases in Singapore are a good example. Many of the recent breaches of the Personal Data Protection Act were triggered by organisations failing to protect data through appropriate security measures. This, in turn, led to personal data being accessed or leaked. Not only do security breaches tend to lead to the highest fines, they also tend to do the most damage from a reputational perspective because of the loss of trust that is associated with a data breach incident. The recent cases in Singapore are typical of the risks and challenges that organisations now face. On the one hand, they need data to do business in this increasingly connected Asia – whether it is data about employees, customers, suppliers or otherwise. On the other hand, as organisations capture and use more data, they need to be more careful than ever before to ensure that the data is kept secure.
Lehmann: In Germany, there has been no case that has garnered anywhere near the same attention as the theft of user data at Yahoo. However, much public attention was paid to the attack on the German parliament, the Bundestag, which made a major overhaul of the complete IT landscape necessary. Moreover, servers of the German Federal Labour Agency were very likely successfully breached. A great number of people received emails as part of a phishing scheme that used data that only the Agency had access to. Finally, banks are reporting a growing number of attempts to steal access data from customers in order to sweep money from accounts.
Howie: The biggest, most recent data protection case was Russia v. LinkedIn. LinkedIn was a test case for the new Russian data protection law that focused on localisation requirements. LinkedIn was found not to conform to the law by not running their services targeted to Russian citizens in Russia, and illegally transferring data outside of Russia. There have been a number of settlements between companies in the US, and the FTC, around data protection.
Pfeifle: In your experience, are companies implementing data protection controls proactively or reactively? How easy, or otherwise, is it to establish a data protection culture across an organisation?
B. Cohen: Companies are implementing a mix of proactive and reactive data protection controls, which vary based on the organisation’s approach to risk, as well as its resources. One trend we are seeing is that companies are more likely to develop proactive controls once they have had incidents that have forced them to react. Establishing a data protection culture can be difficult, particularly for larger organisations that have a habit of holding on to data sets for potential future use, and for start-ups looking for ways to monetise data. However, savvy organisations can improve data protection by setting a strong tone at the top, and monitoring for, and taking action when, there are violations of those controls.
Bullwinkel: While some compliance programmes are reactive, in response to complaints or enforcement notices, the vast majority of these initiatives are proactive. Establishing a data protection culture is not easy and it requires work – but with the right support, it is readily achievable. It cannot be delivered by the legal team alone – it depends on full stakeholder involvement from the across the organisation, including the board, the HR and finance functions and of course the technology and operations teams. The latter have a particularly important role to play because of the role that technology plays in ensuring data security. And compliance does not end with the organisation itself – organisations are increasingly looking to their partners and service providers for help. Our customers, for example, increasingly expect us to understand the regulatory requirements to which they have to adhere and to have tools in place to help them with their compliance programme.
Lehmann: Due to all of the news coverage of data leaks and fines for data protection deficiencies, as well as the impending implementation of the GDPR, it is necessary for companies to proactively tackle data protection issues because of the risk that not only will the company suffer a severe attack but the directors of the company will be held responsible for a failure to comply with applicable rules, and the resulting weaknesses which may be exploited by attackers. If the company suffered damages on account of such a failure by a director or the board of directors, the supervisory board of, for example, a stock company, would be held by law to assert claims for compensation against the director or the board of directors responsible. This is often incentive enough for companies to take care of data protection and security issues.
Howie: Most companies are approaching compliance with data protection and privacy laws retroactively, in part due to GDPR and the emergence of data localisation laws. This causes significant challenges for companies that have spent years routinely collecting customer data with a goal of using it to sell advertising, or to try and analyse it to find a means of deriving value from it eventually. Entire business models and systems involving hundreds of thousands of lines of code have to change or be updated. GDPR itself introduced new requirements around data protection impact assessments, record keeping, data subject rights and accountability, and even a company with a great privacy programme will find that it has to implement new controls reactively. Creating a data protection culture is extremely difficult, for so many different reasons. Where entire business models are built around the collection and use of data, business leaders will be very resistant to change. Generationally, younger people do not grasp the concepts of privacy, and they tend to be your developers, and will not code for privacy protections. These are just two examples of the challenges companies will face.
J. Cohen: Despite guidance from privacy experts and regulators recommending a privacy-by-design approach, we find that many companies are still implementing controls reactively, either in response to an incident or to new enforcement mechanisms. Companies are understandably balancing the benefits of these measures with both their cost and their effect on the user experience with the companies’ products and services. Particularly in an industry that makes significant use of personal data, data protection considerations should ideally be built into a company’s workflow so that initiatives do not progress too far without taking data protection requirements into account.
Pfeifle: How should a company prepare for a potential data security breach incident? What are the essential components of a robust response plan?
Bullwinkel: There are two aspects. First, ensure that a response plan is in place and that a response team is constituted. Second, ensure that the response plan can be carried out effectively when a data breach occurs. The response team should involve more than just the legal and IT departments; it should ideally include members from corporate communications, operations and one or more members of senior management. Increasingly, response teams also include external advisers such as lawyers and IT forensics to ensure legal privilege is maintained and that evidence is preserved for the purposes of prosecution or carrying out of root cause analyses for reporting purposes.
J. Cohen: Companies should have a detailed security incident response plan in place that is tailored to the companies’ organisational structure and practices. The essential components of any plan include a description of how and when to use the plan, including different levels of incident response and escalation points, identification of key team members and their roles, categorisation and prioritisation of different types of incidents, plans for each incident type and a plan for communications with third parties. The plan should also include post-incident procedures to make sure the incident is appropriately documented and that the plan is updated to take into account any lessons learned.
Howie: Companies first need to develop a plan to handle a breach, and test it through exercises. People need to be trained to understand what the plan is, and their role in it. The plan must be tested and updated frequently, at least annually, or more often as the business changes, to make sure it remains relevant. Key elements of the plan must include the criteria by which breach notifications to consumers and regulators take place, who is responsible for making the notifications, how enquiries from consumers and regulators will take place, what outside counsel or breach advisory firms will be retained – and having contracts in place so they can be called in immediately to assist, and how to protect evidence for use by law enforcement or for use in civil proceedings.
Lehmann: First, the company should check its internal and external protective measures. Where they are found to be insufficient they should be brought up to the appropriate level. Then staff awareness should be raised as much as possible, particularly for unusual events and the avoidance of typical failures, such as the use of weak passwords, neglecting security measures and others. The company should look for the right advisers in such a case, such as technical experts, forensics experts and public relations professionals. If the company wants to do its utmost to prepare, it will also initiate a practice alarm.
B. Cohen: A company should prepare for a data security breach by designating a team responsible for responding to a breach, developing an easy-to-follow incident response plan, and training those who will be responsible for implementing the plan. A robust response plan should contain procedures for first containing and controlling a potential incident, determining the cause and scope of the incident, analysing the legal implications and contacting law enforcement, affected individuals and business partners. More comprehensive plans may also set out the contact information of various vendors who may be able to help, with whom the company may have a pre-negotiated arrangement to provide breach response services. Effective plans also contain clear lines for reporting significant issues to senior management as necessary. Companies should also include clear guidelines for when to involve legal counsel and to help protect investigations under the attorney-client privilege where possible.
Pfeifle: What strategies should companies use to deal with data security risks, such as those posed by Bring Your Own Device (BYOD) policies? Is the employer-employee trust gap widening or closing in this regard?
Lehmann: It seems that despite all the risks, BYOD is still an ongoing trend. Therefore, companies will have to come to terms with it. The best strategy seems be the introduction of reasonable and acceptable rules for staff. Such rules would include separating sensitive data and blocking access to this data from certain devices. There should also be rules governing which devices are eligible for a BYOD scheme. They should meet certain standards of protection; they should not be too old, and so on. Compliance should be monitored. Secure mechanisms of authentication are even more important than usual. The same applies to notifications in case of theft or loss of the device. Finally, rules on what happens to devices if a member of staff leaves the company are also essential.
Howie: BYOD can be a legal and security nightmare. My general advice is not to utilise BYOD policies. Where a BYOD policy is in place, perhaps as a cost-cutting measure, prudent companies will utilise mobile device management (MDM) software to manage the devices, and those applications that run in secure containers to access corporate email, documents, messaging and other important data. Make employees aware of the relevant policies, and have frank discussions with them about how their device can be completely wiped, including of family pictures and all personal data, if needs be. Figure out in advance what will happen when an employee is terminated, voluntarily or otherwise, to protect company intellectual property and possibly personal data about customers.
B. Cohen: No company is able to completely eliminate data security risks. Therefore, companies should adopt administrative, technical and physical safeguards to secure data that they maintain. For example, with respect to BYOD, an administrative safeguard would be to adopt a BYOD policy and train employees on the risks involved when storing company data on their personal device. A technical safeguard would be to deploy mobile device management software to be able to impose employer policies on personal devices, including the ability to remotely wipe company data. A physical safeguard would be to strictly limit access to the rooms housing or providing access to the servers that control access to employee devices. On the whole, this is not yet a big issue for employees, who in many cases willingly permit greater access by employers in exchange for convenience, such as the use of one device in the context of a BYOD programme.
J. Cohen: In some industries there is a trend toward BYOD policies as more employees are permitted or encouraged to work remotely. It is not so much a matter of employer-employee trust, but simply a fact that as the number of devices connected remotely to an employer’s network increases, so does the risk. A key component of any data security programme is educating employees about steps they must take to mitigate the risks, including refraining from storing unencrypted sensitive employer data on personal devices, being alert to phishing schemes, using strong passwords and secure wireless connections, and promptly reporting any suspected security breach to the employer. For their part, companies can limit the types of company resources that can be accessed remotely and limit the types of devices that they permit employees to use.
Bullwinkel: Companies should not be afraid to use technology. There is a growing acceptance among companies and regulators that technologies such as cloud computing have the potential to actually increase the level of compliance versus existing, on-premises solutions or paper-based storage of information. If you look at the investments that companies are making in security, with billions of dollars being spent on protecting against the very latest cyber security threats in state-of-the-art data centres, and compare that to the levels of protection available to even the most sophisticated organisations on their own premises, it is evident that cloud technologies have a key role to play in data security.
Pfeifle: What role can insurance play in managing some of the risks, liabilities, losses and potential costs linked to a data breach?
Howie: Insurance has a role, but should not be relied on to cover all costs of a breach. Make sure you have a policy that covers data breaches – general liability insurance products likely will not –and understand what your company needs to do to make sure the policy will pay out in the event of a breach. For example, if you cannot prove you made a best faith effort to keep systems up-to-date with software updates, or that you restricted access to sensitive data, you may find your insurance company will not pay out.
B. Cohen: Insurance can play a very important role in managing these risks. The problem is that there is no consistency in the data breach insurance market, for a number of reasons. First, the risks are new and emerging and so are the policies. Second, breaches vary and courts are still in the process of sorting out what breaches are covered by what types of policy terms. Third, data can be valuable and potential damages can be high, which has led to cautious underwriting and higher premiums for greater protection. That said, it is precisely because of this increased risk that companies should consider data breach insurance.
J. Cohen: Insurance can play a key role in mitigating a company’s exposure in the event of a data breach, but it is important that companies understand the scope of their coverage in this area. Many insurance companies take the position that data breach incidents are not covered by traditional commercial general liability policies and that only a specific cyber liability policy provides coverage for data breaches. In litigation, courts have come out both sides of this issue, but there is a trend towards finding that traditional policies do not cover such incidents. Given the prevalence of high-profile data breaches in recent years, across all industries, companies are increasingly purchasing cyber liability insurance. Companies should examine their existing coverage carefully and determine based on the nature of their business and data collection practices whether it would be prudent to purchase a cyber liability policy.
Bullwinkel: The role of insurance depends on each company’s approach to risk mitigation but it will undoubtedly have a role to play for some organisations as part of a broader cyber security strategy. However, insurance alone will not be enough since it only covers the financial exposure. It is often impossible to quantify or recover the reputational exposure that comes with a data protection incident. Cyber insurance goes hand-in-hand with other aspects of compliance, such as IT strategy. In our experience, insurers increasingly want to understand the strength of the policyholder’s underlying IT infrastructure before making an underwriting decision.
Lehmann: Insurance is crucial. It forces companies to bring their protective measures to the necessary level. Most insurers require information and sometimes even testing. Moreover, if the company was successfully attacked, a severe production breakdown could have occurred that is often covered by the insurance. Finally, a director who does not arrange a good insurance policy is considered to have neglected his duties and may be held responsible for the damages that would otherwise have been covered by the insurance.
Pfeifle: What overall advice would you give to companies in terms of establishing an appropriate data protection programme that ensures compliance with existing data privacy laws?
Lehmann: Currently, it is difficult to be concrete. The reason is that the German government authorities have not yet come up with reliable recommendations regarding how to comply with the GDPR. However, that is the most pressing challenge for every company at the moment. And therefore, any company would be well advised to do a thorough review of the standard of their data protection provisions now because this will be necessary under the GDPR anyway. Then, the company should start to close gaps in its data protection provisions and reduce weaknesses. The government authorities will hopefully start to publish guidelines soon and these should be adhered to.
Bullwinkel: Companies should not stop innovating. Of course, protecting personal data is critical and should be a high priority for every organisation – but nothing in data protection laws requires organisations to stand still. Organisations can and should be innovating to take full advantage of the opportunities presented by the digital transformation – indeed, their survival depends on it because the organisations that stand still will be overtaken. The good news is that it is possible to innovate and still comply with the growing body of data protection laws. In fact, new technologies are not just capable of complying with data protection requirements, they can actually enhance the level of compliance because of the security features that are built into these services, such as encryption and highly secure data centres.
J. Cohen: Companies should begin by preparing a comprehensive and detailed description of the categories of data collected by the company, including the jurisdiction of origin, and the ways in which it is processed, whether by the company or its vendors. In a large organisation, this can be a significant undertaking as there is often no central repository for this type of information, so this may require a detailed survey of each business segment. The company and its counsel can then compare that collection and processing with the requirements of applicable law, determine any gaps and implement appropriate remediation measures. It is vital for compliance purposes that this information be updated and the process repeated whenever there is a change or addition to the company’s data collection or processing practices.
B. Cohen: The two main themes are accountability and repetition. Accountability has gradually become the global standard of care for data protection compliance programmes. Regulators in the US, EU and elsewhere want companies to undertake risk assessments, develop controls based on those risks, test compliance with those controls and make corrections as necessary. They expect companies to consider privacy and data protection through ‘privacy impact assessments’ throughout the process of developing products and services involving the handling of data, and to delete data when no longer needed. In general, this requires an overarching compliance strategy and programme, with dedicated resources to oversee and manage the programme. Repetition is important because companies cannot mitigate risks by developing policies and not enforcing them. A data protection compliance programme is only as good as it is tested and improved, so companies should incorporate regular audit procedures and re-evaluation of the programme as time goes by.
Howie: Start by creating a board-level committee whose only role is to oversee data protection, privacy and cyber security efforts of the company. A chief privacy officer (CPO) should be appointed, and they should report to the board as well as to an executive, who, if not the chief executive (CEO), reports to the CEO. The CPO should be given the tools, staff and budget necessary to establish a privacy programme. The privacy programme needs to cover everything from research and development, through to sales and marketing and service and support. The CPO need not be a lawyer; in fact, there is an argument to suggest that they should not be a lawyer, but they must have privacy experience. If your company is subject to GDPR, appoint a data protection officer (DPO), too. The DPO should be a lawyer. The DPO and CPO should be parallel to each other in the organisation. The DPO, or CPO if you do not have a DPO, should have staff or external counsel that track statutes and regulations and provide digests of requirements in business terms to the CPO, who should incorporate them into their programme.
Pfeifle: How do you envisage data privacy issues developing over the coming months and years? Do you expect to see ever-tightening data regulation and enforcement?
B. Cohen: I expect to see greater regulation and enforcement over the coming months and years. Privacy class action lawsuits have increased in the US, regulatory enforcement activity has been greater, and individuals raise more complaints about the handling of their information, which will lead to new laws. In the near term, the GDPR is going to shape the compliance programmes of EU-based companies as well as non-EU-based companies that offer products and services within the EU. The result will be heightened attention to these issues by companies, as a market practice and for compliance purposes.
Bullwinkel: The issue of how laws, including those related to data privacy, develop and keep pace with technology is indeed an interesting question, and we have been quite vocal in promoting a dialogue on exactly that. This includes calling for a Digital Geneva Convention that would commit governments to implement norms, to protect civilians on the internet. The protection of privacy balanced with the needs of law enforcement requires the community, corporations and governments around the world to collaboratively work towards putting in place laws and regulation that better reflect the world that exists today. It is fair to assume that we will see more laws and more enforcement, particularly in the cyber security space. A number of countries in Asia, including China and Singapore, are putting in place comprehensive cyber security laws as we speak. One thing is certain: like technology, the laws will not stand still – and neither can the organisations, and their boards, who are subject to them.
J. Cohen: In the US, we are seeing a renewed focus by courts and some regulators in their decisionmaking on whether there was actual harm to the data subject as a result of the data privacy violation. The decision by the US Supreme Court in Spokeo v. Robins, which urged courts to consider the “concreteness” of an injury when deciding whether plaintiffs have standing, has been accompanied by a number of lower court decisions in which the court determined that the data privacy violation did not result in actionable harm to the data subjects. In Europe, the trend is moving in the other direction, with courts and regulators placing greater emphasis on the rights of the data subject. We can see this in the requirements of the GDPR, the requirements under the Privacy Shield for transferring personal data from the EU to the US, and the recent decision by the Court of Justice of the European Union broadening the definition of “personal data” to include dynamic IP addresses. It will be interesting to see if these two trends continue to diverge over time.
Howie: In a nutshell, data protection laws will continually be strengthened – either in legislation or through binding rules, and data localisation laws will continue to be passed which will threaten the free movement of data globally. These will force companies to manage data in-country, subject to differing laws, and creating headaches for everyone. Paradoxically, this situation could actually hamper data protection and cyber security at-scale, and lead to more breaches and threats to individual privacy.
Lehmann: The data protection world will, at any rate, become more difficult. Transatlantic data transfer has been endangered by the new US administration. A member of the European Commission, Vĕra Jourová, has already voiced concerns that the validity of the Privacy Shield might be questioned under president Trump. Moreover, the pressure on companies will be greater going forward because the fines for non-compliance may be €20m or 4 percent of a company’s annual turnover. Finally, regulators will want to be in the middle of what is happening right from the start, so they will play a very active role in the enforcement of the new rules.
As publications director, Sam Pfeifle oversees everything from the Daily Dashboard to the monthly Privacy Advisor to the International Association of Privacy Professionals’ (IAPP’s) various blogs, books and resource centre items. Mr Pfeifle came to the IAPP after stints overseeing a number of B2B publications, including titles in the physical security, workboat and 3D data capture industries. He began his journalism career with the alternative newsweekly, The Portland Phoenix. He can be contacted on +1 (603) 427 9209 or by email: email@example.com.
Dr Jochen Lehmann has been a partner at GÖRG since 2007 and specialises in IT matters, with a particular focus on data protection and data security. He has built his expertise in this particular field of law since he began working for GÖRG 15 years ago. Dr Lehmann is a regular speaker on the subject of data secrecy and data protection in various contexts, such as data secrecy and directors’ liability or data secrecy and insurance. He can be contacted on +49 221 33660 244 or by email: firstname.lastname@example.org.
Bret Cohen practices in the areas of privacy, cyber security and consumer protection. With a particular focus on the internet and e-commerce, he advises extensively on legal issues related to cloud computing, social media, mobile applications, online tracking and analytics, and software development. Mr Cohen counsels and is a frequent speaker on strategic compliance with global privacy laws, including cross-border transfer restrictions, data localisation requirements and the impact of government surveillance on the digital economy. He/She can be contacted on +1 (202) 637 8867 or by email: email@example.com.
John Howie is the chief privacy officer and head of cyber security for Huawei Consumer Business Group. He has over 25 years’ of experience working in information and communications technology in a variety of industry sectors including financial, telecommunications, entertainment, education and software manufacturing. He can be contacted by email: firstname.lastname@example.org.
Jeff Bullwinkel is based in Singapore and oversees Microsoft’s legal and corporate affairs teams across the region. This includes supporting commercial transactions and providing regulatory counsel to business groups on public policy issues such as intellectual property rights, privacy, internet security and safety, competition and international trade. He can be contacted on +65 6888 8899 or by email: email@example.com.
Jessica Cohen focuses on intellectual property and technology issues in a wide variety of transactions, including licensing and development agreements, outsourcing agreements, service agreements, strategic alliances and mergers and acquisitions. As part of Skadden’s intellectual property and technology group, Ms Cohen counsels clients on intellectual property protection and ownership issues, and technology implementation and maintenance issues. She also advises clients on general commercial contract issues, including those arising in manufacturing and supply arrangements. She can be contacted on +1 (212) 735 2793 or by email: firstname.lastname@example.org.
© Financier Worldwide