Data Privacy & Cyber Concerns Remain Front and Center

The threat of a data breach has corporate counsel running scared—and for good reason. According to IBM Security Intelligence, the risk of experiencing a data breach of at least 10,000 records is greater than that of catching a winter flu. Now that cyber risk mitigation falls within corporate counsels’ purview, it comes as no surprise that in-house attorneys rank improving cybersecurity and data protection among their top three business priorities for the year ahead. Lower middle market companies, especially, are looking to shore up their cybersecurity and data privacy efforts, with a third listing it as their No. 1 business priority.


Both data breaches and data privacy rank in corporate counsel’s top three biggest legal risks with respect to data, cited by 54 percent and 42 percent, respectively. While a higher percentage of respondents cited concerns about data breaches, the issue of legal risks associated with data privacy has increased substantially with the introduction of the EU’s General Data Protection Regulation (GDPR), effective as of May 2018, and the California Consumer Privacy Act, which goes into effect in 2020.


“Every organization, regardless of size or industry, will experience a data breach or cyberattack multiple times in their lifetime—if not weekly or monthly. Corporate counsel can help organizations prepare for every scenario possible by actively participating in discussions around cybersecurity and data privacy and shoring up their own data management and protection practices.”

GREGORY A. GARRETT


A New Era of Data Privacy: Complying with National and International Standards

Data comes from all over the world. As such, compliance with international data laws is just as critical as compliance with those at the federal, state and local levels.
When it comes to global data privacy regulations, few are as top of mind for corporate counsel as the EU’s General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. To comply, more than half (59 percent) implemented or updated their data privacy notices and/or increased their data privacy budget (51 percent).
Nevertheless, while the GDPR’s compliance deadline has passed, organizations’ initial compliance journeys are just beginning. How the GDPR is monitored and enforced will change over time, requiring corporate counsel to stay alert.
But it doesn’t end there. In the wake of the GDPR, many similar data privacy laws have started to crop up—starting, in the U.S., with the California Consumer Privacy Act of 2018.


The Act, which goes into effect on Jan. 1, 2020, is intended to give consumers greater ownership, control and security of their own data in the following manner:


Under the Act, businesses must provide consumers with the categories of information collected about them, their devices and their children, upon request; they must also stop collecting this information, if asked. Businesses that intend to sell consumers’ personal information must also inform them of the categories of personal information they are selling and to whom.


Under the Act, businesses cannot discriminate against consumers if asked to stop sharing or selling their personal data. This includes charging the consumer more, denying him or her access to services, or changing the quality of the service rendered.


Under current California law, businesses are required to implement “reasonable security measures” to safeguard Californians’ personal information. The Act increases the fines and penalties for violations of the existing law, so businesses are held more responsible for safeguarding consumers’ personal information.


“The constant, never-ending addition and revision of data-related regulations worldwide will only continue to add complexity to companies already trying to navigate a challenging network of cross-border litigation, investigation and data privacy concerns. Seeking data privacy expertise to help them navigate these international intricacies will become increasingly vital to organizations that are growing, or are looking to expand, their international reach.”

JENNA AIRA-VENTRELLA
Managing Director and BDO Global E-Discovery Practice Leader


Several other states have begun discussing whether it makes sense to implement their own similar regulations, and a strong push for a comprehensive federal privacy law has already begun.
Abroad, the GDPR has triggered similar stirrings among other countries. Brazil, for example, recently implemented its own General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) in August of last year, whose provisions closely mirror the GDPR’s. Meanwhile, many other countries are debating whether to implement similar rules, or to update current ones to be more comprehensive.
Corporate counsel will need to figure out how to navigate these national and international regulations. Navigating disparate, and sometimes conflicting, data privacy laws is currently survey respondents’ greatest challenge in managing cross-border e-discovery (37 percent). In the end, a company may find itself between a rock and a hard place when forced to decide which legal risk to take—violating data protection laws or failing to respond to a U.S. subpoena or discovery requirement.


“Data governance for privacy, confidentiality and compliance is an ongoing process and commitment to safeguarding personal and other sensitive data that an organization collects, processes, sells, transfers or stores. Organizations and their legal departments will need to take a holistic approach to both—by not only evaluating and reacting to current risks, but by constantly readjusting their e-discovery strategies, technologies and processes to incorporate personal data privacy and protection into their design from the beginning.”

KAREN SCHULER
BDO National Data & Information Governance Practice Leader