As we recently discussed, data breach legislation continues to be a moving target, with legislative changes pending in 32 States, not to mention Federal legislation and Global laws such as the EU GDPR, which have the potential to impact US organizations. Outside of this wave of legal requirements, there are industry-specific laws (HIPAA) and regulators who set standards and impose fines following a data breach, and these regulators are in flux as well. Within just the last year, we’ve seen the SEC and FTC both stepping up their game, and the same can be said for the Federal Communications Commission (FCC).
Liisa Thomas, chair of Winston’s Privacy and Data Security Practice, spoke at the U.S. Chamber of Commerce’s Institute for Legal Reform’s 16th Annual Legal Reform Summit in Washington, D.C. recently on the topic of data privacy liability. Liisa presented a report, created by her and Associates Robert Newman and Alessandra Swanson: “A Perilous Patchwork: Data Privacy and Civil Liability in the Era of the Data Breach.” This is a topic we’ve been speaking on at length here at InTelligence, examining the growing complexities of compliance and liabilities in an era of multiple regulators as well as State / National and Global laws.
Compliance is a moving target for organizations today. Not only are State and National laws constantly in flux, but organizations must also pay attention to industry regulators and regulations (HIPAA, SEC, the Gramm-Leach-Bliley Act). Given the global nature of many organizations, laws such as the EU GDPR even have an impact on US organizations. Post-breach, the potential litigation net is even wider, with investigations and potential fines coming from the FTC, industry regulators, state attorneys general and the class action bar.
Being compliant does not mean your organization is safe, nor does it mean that your organization is immune to the repercussions of a data breach. In an article on CSO Online, Compliant does not equal protection: our false sense of security, I discuss the nuances of regulatory compliance and how, while important in driving protection standards, it can lead to complacency in setting security standards.
The FTC held its first “Start with Security” conference earlier this month, designed to help organizations implement effective data security strategies. This supply of educational resources comes soon after the Third Circuit reaffirmed the FTC’s authority to regulate the data security standards of commercial entities. With the FTC’s authority now on firmer ground, we may well see the FTC step up its data security enforcement.
The Third Circuit this week affirmed that the Federal Trade Commission (FTC) has the authority to regulate the data security standards of commercial entities. In FTC v. Wyndham, the agency sued Wyndham hotels after customer financial data was exposed. The FTC alleged that the hotel chain failed to maintain reasonable data security practices, outlined in detail, which led to the exposure of consumer data between 2008 and 2010. The company argued that the FTC lacks authority to regulate the data security standards of commercial entities, an argument that was rejected in the lower court and again at the US Court of Appeals for the Third Circuit.
Earlier this year, we penned an article asking, HIPAA is Outdated: Does it Need an Update? In the article, we address the growing rate of healthcare data breaches, as well as the growing cost associated with these breaches, and posit that HIPAA may not be keeping up with the current issues of healthcare data protection.
Europe seems poised to finalize the terms of the EU General Data Protection Regulation by the end of the year. The EU GDPR is set to drastically change data protection law, including an increase in penalties for a breach of up to 2% of a corporation’s annual global turnover. While these new laws will have a large impact on European businesses and IT professionals, the GDPR will also have an impact on US IT departments.