Socrates once said: “The secret of change is to focus all of your energy not on fighting the old, but on building the new.” Those wise words seem particularly appropriate in today’s digital age. Indeed, the digitizing of all our information has been a massive change to the way we do business and the way we order our personal lives. And we are, as a society, still working out the kinks.
The shift from paper to digital, from in-person meetings to virtual meetings, and from paying with cash to ordering online has created a massive opportunity for companies to use – and misuse – people’s personal information in ways never imagined before.
That is why GCs throughout the country need to “focus all of their energy” on building new ways of protecting both their company’s data and their customers’ data. As Socrates would agree, fighting for the old way of doing things is no longer a viable option.
In that vein, there are two particular cyber-related risks that GCs should pay particular attention to in 2021. The first is the risk of failing to abide by new data privacy laws that have real consequences for your company. The second is the risk of failing to address the host of employment and health care issues that have been created by the pandemic – the “cyberdemic” risk, if you will.
Accordingly, in this article, we are going to talk about the new data privacy law that took effect in California in 2020, the cyber-threats to company and customer information related to the pandemic, and what you as a GC can do to deal with those risks.
- The Dawn of Data Privacy Laws in the U.S. – The California Consumer Privacy Act
In 2018, California took a big step forward with regard to protecting data privacy in the cyber era. In passing the sweeping legislation called the California Consumer Privacy Act (CCPA), the State of California has articulated a fundamental principle – that consumers own their private information, and that businesses will be in hot water for violating that principle.
The law went into effect on January 1, 2020, and it gives California consumers a number of new data privacy rights, including:
- The right to know the personal information that a business collects, and how it is used and shared;
- The right to delete personal consumer information (with some exceptions);
- The right to opt-out of the sale of a consumer’s personal information; and
- The right to non-discrimination for exercising their CCPA rights.
The CCPA applies to most for-profit businesses that use personal information of California residents. Only small companies (with gross revenues under $25 million), public agencies, and non-profit organizations are exempt from the law.
The consequences to companies for violating the CCPA can be substantial. Specifically, a company may be fined $2,500 for each unintentional violation of the act, and $7,500 for each intentional violation. If a CCPA action is brought by an individual consumer, then the possible fine is $100 to $750 per incident, per consumer; or the fine will be the consumer’s actual damages, whichever is higher.
The CCPA might be a sign of things to come. The CCPA itself was inspired by the European General Data Protection Regulation (GDPR) enacted several years ago, which also gives EU consumers rights over their data. Thus, it is likely that a U.S. federal data privacy initiative could be next.
- The Privacy Threats Posed by the Pandemic
GCs must be mindful of the cybersecurity risks that have materialized based on the digitization of health records, and from employees working remotely.
With regard to health records, one report indicates that telehealth data breaches in 2020 were up 90 percent compared to the numbers in 2019. Also, contact tracing apps, used to assist in combating the Covid-19 virus, are being compromised. Sadly, health care records have become the most valuable type of information to those seeking to do harm and steal identities.
With regard to remote work, the uptick of those working from home has resulted in a simultaneous increase in the number of incidents in which an employee’s personal information has been hacked. Whether it is by phishing scams or cloning the email address of an executive or manager at the target’s company, cybercriminals are trying to get at the data in the possession of individual employees. In sum, GCs are confronting more and more cyberthreats as a result of the pandemic, and legal departments need to keep up to date on the latest cybersecurity threats.
- What Are Other GCs Doing to Confront These Risks?
Unfortunately, it seems that GCs at this point are not doing enough. A recent study discussed in the Global Legal Post found that 56 percent of GCs report that their companies are not ready for CCPA and other data privacy laws. Though the pandemic has upended operations in many companies during the last year, GCs remain concerned about privacy law compliance.
The fact that most GCs do not feel ready to handle the CCPA and other privacy laws is not for lack of trying. About half of GCs in the survey cited lack of resources and exorbitant expense as the biggest challenge to compliance, while about one-third of respondents blamed the increased complexity of privacy laws. Also, approximately 10 percent of respondents pointed to difficulty in getting internal buy-in as the biggest hurdle to compliance.
Even those companies doing well on the privacy front are still daunted by the sheer number of requirements that privacy laws demand. In fact, almost one-fifth of respondents said that it was impossible to comply with every single requirement imposed on their organization. Finally, over half of those surveyed said the CCPA is the most challenging law for their company, while a little less than half claimed that the GDPR was the biggest challenge.
- So, What Can You Do at Your Organization to Tackle the Emerging Risks in 2021?
The best way to confront the cybersecurity and data privacy risks in the coming year is to invest in the legal resources to ensure protection and compliance. While there are many online security tools available and there are ways to outsource some cybersecurity tasks, having top in-house legal talent on your team is the best way to protect your organization.
You would be wise to seek top legal talent that understands the new privacy laws and has experience managing ways in which a company can come into compliance. In short, in order to “focus all of your energy” on “building a new way” of doing things in our cyber era, get help from smart lawyers, who are eager to join in-house and know the latest in cybersecurity and privacy compliance. Then, instead of approaching change with trepidation, you can be confident that you have the legal talent to run a top-notch legal team that is equipped to protect your organization.
We have been and continue to be engaged with companies and not-for-profits who are following this path with exceptional results. It is a challenging area in which to create, implement and ensure compliance while also navigating the myriad legal challenges facing General Counsel or Chief Legal Officers.