Recent Regulatory Developments Pertaining to Cybersecurity and Data Privacy

 

As the rate of cyber-attacks, data breaches and illegitimate use of personal data grows exponentially, the cybersecurity landscape is evolving more rapidly than ever before. Data privacy and cybersecurity continue to create a buzz across industries today.

The escalating and overlapping thicket of data security and privacy regulations, within the United States and across the world, has continued to drive up compliance costs and regulatory risks. At the same time, several new laws are taking effect globally to regulate the collection, use, retention, disclosure, and disposal of personal information.

In today’s digital age, it is more important than ever for companies, especially those that handle financial data, medical information, and other personally identifiable information, to understand the rights and responsibilities of individuals and organizations pertaining to personal information.

 

Understanding the Trend in Major Cyber Attacks

Malicious actors or hackers target a wide range of industries to gain access to large amounts of personally identifying information, such as payment account information. Last year, for instance, Marriott International, an American multinational diversified hospitality company, faced the most significant breach of 2018. The company revealed that nearly 383 million guests’ personal information was compromised when the database of Starwood Hotels was breached.

In the retail industry, companies including Under Armour, Saks and Lord & Taylor also experienced significant breaches of their user data in the same year. The airline industry is not immune to these kinds of breaches and is often targeted by attackers.

Businesses and governments also continue to be targeted by ransomware attacks, with debilitating effects on operations. Recently, Norsk Hydro, one of the leading aluminium producers, reported breaches in its operations.

 

Data Privacy Regulations & Provisions

In May last year, the European Union (EU) began enforcing the Global Data Protection Regulation (GDPR), which brought comprehensive changes to the privacy and data security policies of a huge number of companies operating not only in the EU but across the world.

The GDPR applies to companies processing the personal data of subjects residing in the EU, regardless of the company’s location, and generally directs how companies manage and share such data.

Provisions of the GDPR that will be significant for all companies include:

Consent

Explicit and informed consent is required for collecting personal data, along with mechanisms to withdraw such consent. This means that where a business intends to rely on consent for the legal processing of personal data, it must be able to prove that valid consent has been received from each individual whose personal data is being processed.

Breach notifications

When a personal data breach occurs, the business must notify the DPA (Data Protection Authority) of the breach if it is likely to result in a risk to the rights of individuals.

Rights for Individuals

This covers the right to access all data that a company has accumulated. Under the GDPR, individuals will have a right to access their personal data, rectify inaccuracies, have personal data erased in certain cases, and restrict the processing of their personal data.

Data Protection Impact Assessment (DPIA)

Where the processing is likely to result in a high risk to the rights of individuals, businesses must assess the impact of the processing operations on the protection of personal data and must seek the advice of their DPO (Data Protection Officer) when carrying out a DPIA.

Penalties

Companies that lack sufficient consent from individuals for processing their personal data, or that violate the basic principles for processing, can face fines. Businesses can be fined up to €20 million or 4% of annual global turnover.

 

Recent Regulatory Actions

In the United States, a number of significant enforcement actions relating to cybersecurity and data privacy were brought last year, at both the state and federal level. For instance, Uber, Equifax, and Altaba (previously Yahoo) were among the companies that entered into costly settlements with state enforcement officers or the US SEC (Securities and Exchange Commission).

In light of several enforcement actions, the US SEC issued a range of cybersecurity guidelines. These include state-of-the-art cybersecurity disclosure guidance and a Report of Investigation highlighting that public companies should apply adequate internal controls to prevent and detect cyber-related fraud.

 

Regulatory Takeaways Globally

Several bills pertaining to data privacy and cybersecurity have recently been introduced, including the Consumer Data Protection Act (CDPA), which is modeled on the EU’s GDPR and provides prison sentences for misrepresentations by executives.

The California Consumer Privacy Act (CCPA), the most comprehensive data privacy law to date in the US, offers consumers in California extensive rights to their personal information. The law was introduced in 2018.

Several other countries have also deployed or are considering implementing national data protection laws. Similar to the GDPR, Brazil has implemented a new data protection law that comprises significant new data protection rules and restrictions. It also includes data breach notification and penalties of up to 2% of the country’s turnover, and up to around US$12 million for each violation.

Also, Canada’s new Personal Information Protection and Electronic Documents Act requires entities to report data breaches to the Canadian Office of the Privacy Commissioner. It also requires them to inform the affected individuals as soon as feasible and imposes recordkeeping obligations on companies.

When it comes to Asia, China, the world’s leading tech nation, has adopted multiple new cybersecurity and data privacy-related standards and draft or final regulations. The country has issued a national standard on the protection of personal information, which became effective in May last year.

In addition, India is considering a new Personal Data Protection Bill, which is modeled on the GDPR, with data localisation requirements, and will reportedly be high on the legislative agenda following the country’s recent elections.

In summary, as promising technologies like AI, IoT, blockchain, and others are integrated into systems in ways that deliver faster and better outcomes, they also introduce new vulnerabilities and concerns for privacy and security. Deploying a compliance program with a set of best practices for privacy and data security will help ease these risks. But it is an ongoing process, particularly as companies face new obstacles when rolling out new systems and technologies.