Privacy and Data Security 2018 Year in Review

Financial Services Law

In many ways, it was the year of data privacy. In this article, we identify five of the biggest trends in privacy and data security, including the mammoth European Union General Data Protection Regulation (GDPR) taking effect, the hurried passage of the California Consumer Privacy Act (CCPA), the rapidly escalating political scrutiny emanating from revelations surrounding the 2016 election and social media accountability, and the new challenges raised by high-profile data breaches and emerging technology.

1. Omnibus privacy legislation becomes “a thing”

Far-reaching and industry-spanning privacy legislation finally matured in 2018. It is now a thing. After years of ramp-up and speculation as to its immediate impact, the GDPR finally became effective on May 25, 2018. Thus far, enforcement actions utilizing the GDPR’s severe civil penalty provisions—which include up to €20 million or 4 percent of a business’s global annual turnover—have been limited to data security incidents, including a €400,000 fine to a Portuguese hospital for granting broader-than-needed access to patient profiles and a €20,000 fine to a hacked German chat platform that failed to pseudonymize and encrypt sensitive information. European data protection authorities have signaled that enforcement actions for violations of the GDPR’s non-breach-related provisions will ramp up shortly. Whether an American Big Tech firm will be hit with the massive, front-page penalty that many have prognosticated since May 25 remains to be seen.

Also in May, Californians for Consumer Privacy (CCP), a relatively little-known consumer privacy rights group, submitted enough signatures to qualify the “California Consumer Personal Information Disclosure and Sale Initiative” for the November 2018 ballot in California. In a last-ditch effort to force the initiative into legislative control—and thus subjecting the law to a much easier threshold for later amendment—the California legislature hurriedly drafted a bill that convinced the CCP to agree to drop the ballot measure. The result was the CCPA, passed on June 28, 2018.

As many stakeholders in companies with consumers or employees in California are undoubtedly now aware, the CCPA adopts several GDPR concepts for the protection of data subjects, including the rights to ask a company what personal information it possesses on the consumer, to delete certain personal information and to opt out of any sales of personal information to third parties. The CCPA also implements a first-of-its-kind private right of action for data breaches that attaches civil penalties between $100 and $750 per consumer, per incident. Already the subject of an amendment, the law is expected to undergo additional amendments in the coming legislative sessions in Sacramento. It is currently set to go into effect between January 1 and July 1, 2020, varying by the provision and the date that the California Attorney General introduces implementing regulations.

Other jurisdictions will continue the march toward comprehensive privacy protections. In August, for instance, Brazil passed its General Data Privacy Law, which reflects many GDPR concepts and is set to become effective in 2020. That same month, Indian legislators unveiled the draft Personal Data Protection Bill, 2018, which attempts to combine elements of European, American and Chinese data protection regimes.

2. Privacy and security take their turn in the political spotlight

The ongoing scrutiny of the role of social media in the 2016 presidential election promises to continue into 2019. These issues bring enough gravity that it is reasonable to conclude that privacy issues will never again be able to hide from the national spotlight.

Scrutiny of Big Tech continued throughout 2018, with a number of major data breaches making headlines. In addition, the U.S. Congress convened several high-profile hearings in April and September in which Big Tech executives were grilled about privacy- and security-related issues.

Several big data breaches also became front-page news. In April, the Federal Trade Commission revealed that a 2016 breach of Uber resulted in the exposure of personal information of more than 20 million people. The company agreed to a $148 million settlement with the attorneys general of all 50 states and the District of Columbia in September. In December, hotel chain Marriott disclosed a data breach exposing the information of up to 500 million people. The incident is notable not only for its size, but because it apparently emanated from Marriott’s acquisition of the Starwood brand and its separate guest reservation system and, according to recent reports, investigators believe the incident is traceable to hackers working on behalf of the Chinese government.

If there is anyone who doubts the sobering implications of the CCPA’s new statutory penalties for data breaches, simply multiply the minimum penalty of $100 (or if you really want to scare yourself, the maximum of $750) by any of the above numbers and compare the resulting amount to the going rate for civil and regulatory settlements of alleged data breaches. The stakes for data breaches are about to be raised even higher.

3. States continue to expand existing protections

Other states expanded the reach of their privacy and security protections as well, even if they have thus far declined to follow California’s example of omnibus legislation. On September 4, 2018, the latest phase of the New York Department of Financial Services’ (DFS) Cybersecurity Requirements took effect following the regulation’s initial March 2017 implementation. The regulation represents perhaps the most sweeping cybersecurity regime in the nation, requiring covered entities to assess their specific risk profile and design programs ensuring information security, establish written cybersecurity policies, adopt encryption and monitoring mechanisms, and design audit trails allowing operational continuity in the event of a breach. By March 2019, these entities will also be expected to evaluate the risks presented by third-party data service providers. Cybersecurity legislation was passed also in Colorado and Ohio in 2018, with the latter jurisdiction providing a notable affirmative defense to breach allegations for companies that implement a recognized cybersecurity framework.

State data breach laws also undertook a steady expansion of coverage last year. On June 1, 2018, Alabama—the last state lacking such a law—implemented its notice statute, which notably defines covered PII to include data types on the outer reaches of most notice statutes, such as information relating to medical history and health insurance. Meanwhile, Colorado joined Florida in adopting the most stringent notification deadline, requiring notification no later than 30 days after determining that a security breach has occurred.

4. Emerging tech scrambles pre-existing notions of privacy protection

Artificial intelligence, machine learning, deep learning. The Internet of Things (IoT). Blockchain. If these concepts were not already in the popular lexicon, they are now. Together, these and other emerging technologies have already reshaped the debate over how best to secure personal information before the prior debate was anywhere near its conclusion. Real-world applications such as digital assistants, self-driving cars, cryptocurrency, facial recognition and data science have already demonstrated the bare minimum of what these technologies are capable of—as well as the many challenging privacy implications presented.

Understandably, lawmakers are well behind on legislating for such rapid innovation, but there was some progress in 2018. In May, Vermont passed a first-in-the-nation law to regulate data brokers, or businesses that knowingly sell or license the personal information of consumers with whom that business does not have a direct relationship. As of January 1, 2019, data brokers are required to register annually with the Vermont Secretary of State, disclose details regarding their identity and practices, and provide minimum information security requirements. In September, California passed the first state legislation addressing the security of IoT devices. Effective on January 1, 2020, the law mandates that manufacturers of connected devices follow reasonable security standards and require authentic access codes. It is enforceable by the California Attorney General.

5. A more regulated future awaits

The conventional wisdom is that the developments described above may soon converge into a federal privacy law with pre-emptive power over the CCPA and similar state laws. In August, it was reported that several Silicon Valley companies were lobbying the Trump administration to begin outlining a federal privacy law that would pre-empt the CCPA. And there appears to be bipartisan agreement on the now-divided Capitol Hill that privacy legislation is necessary. The remaining question is: What will a successful bill look like?

In little more than a month’s time, we have already seen three examples of where we may be headed. On November 1, Senator Ron Wyden (D-OR) introduced the Consumer Data Protection Act, which resembles the GDPR and turned heads by proposing up to 20 years in prison for executives responsible for misrepresentations in annual reports to the FTC. On November 6, Intel released a 6,000-word draft bill and online portal for further discussion that differs from the Wyden bill by protecting companies from civil actions and moving away from data minimization, among other things. Finally, on December 12, a group of 15 senators led by Senator Brian Schatz (D-HI) introduced the Data Care Act, which is notable for, among other things, introducing a fiduciary duty for online service providers and allowing both the FTC and states to enforce privacy violations.

What does it mean for financial services companies?

Financial services companies are already more familiar with privacy and data security laws than the average American business due to the sectoral focus of American privacy regulation, which has seen legislative schemes such as the Gramm-Leach-Bliley Act and the New York Department of Financial Services’ Cybersecurity Regulation. However, these existing regimes may be quickly eclipsed by the trend toward omnibus privacy laws and stricter oversight. For now, the CCPA’s exemption for GLBA-regulated PII somewhat eases the pain of implementation, but it remains to be seen whether new potential laws at the federal and state levels will afford similar leniency.