A government rule that threatens forfeiture of 4 percent of a company’s annual worldwide revenues would seem a sure bet to grab every business leader’s attention.
But a new survey finds that many companies in the U.S. and abroad have greeted last year’s implementation of the European Union’s landmark cybersecurity regulation with a resounding lack of urgency.
The EU’s much-heralded General Data Protection Regulation went into effect May 25, 2018. Yet a year later, an average of one out of four companies in every country reported having a low degree of confidence in their readiness to respond to a data breach covered by GDPR. That’s according to a survey of more than 1,200 organizations in the U.S., Europe, China and Japan.
Moreover, only 18 percent of respondents expressed a high degree of confidence in their ability to communicate a data breach to the relevant EU regulators within 72 hours of awareness, as required by GDPR. That lack of preparedness exists despite nearly 50 percent of respondents admitting they’ve experienced at least one data breach subject to the EU regulation’s reporting requirement.
The survey, “A Global View of GDPR Progress,” was conducted by the Ponemon Institute and sponsored by McDermott, Will & Emery.
“The study found there is a lot more work to do,” says Mark E. Schreiber, co-leader of McDermott’s privacy and cybersecurity practice. “For companies in the U.S., and especially for those in China and Japan, there’s a ways to go.”
But Ponemon Institute founder Larry Ponemon sees a light at the end of the tunnel.
“While many organizations are having a hard time getting into compliance, it’s all part of a process,” he says. “Things are going to get better.”
In addition to companies located inside the EU, GDPR applies to organizations outside the EU that offer goods or services to individuals in the EU. Importantly, the regulation also applies to organizations outside the EU that collect data on individuals inside the EU.
“Certainly companies that do business in Europe, that sell or want to sell to consumers there, including on their websites, have to take these obligations seriously,” Schreiber says.
Linn F. Freedman, who chairs the data privacy and cybersecurity section at Robinson & Cole in Providence, Rhode Island, says “myths” about the reach of GDPR have confused company decision-makers in making a commitment to compliance with the EU regulation.
“I’ve been finding that some companies assume that GDPR doesn’t apply to them, so they don’t even check if they have to comply,” Freedman reports. “On the other hand, I see companies that really might not have to comply putting in all these processes either because their lawyers don’t [understand] GDPR and are doing it as a ‘belts and suspenders’ strategy, or they’re just doing it to cover themselves.”
Schreiber admits that it’s harder to sell GDPR compliance to the mid-sized Worcester, Massachusetts, company that may have only token online sales to EU consumers. Some companies have simply decided to avoid the problem by implementing measures to prohibit web traffic or purchases from Europe and avoid targeting or tracking individuals while they are in the EU, the Boston lawyer says.
“Other companies have decided it’s a low risk so they won’t do much of anything,” Schreiber says. “And [still] other companies have started down the compliance route because they want to preserve that 1 or 5 percent of sales.”
While GDPR imposes more robust data processing safeguards, requires more detailed privacy notices, and overall affords EU residents greater privacy rights, the regulation notably requires organizations to report data breaches to an affected country’s regulator within 72 hours of becoming aware of a breach.
The 72-hour breach notification may come as a shock to U.S. companies used to dealing with 30- and 60-day notification requirements under various state laws, Schreiber says.
“That’s a very short time. In the U.S., it often takes that amount of time just to engage the forensic vendor [to address] a hack or outside threat actor,” he says.
For the most serious GDPR violations, companies can be fined up to 20 million euros (about $22 million) or up to 4 percent of a company’s annual worldwide revenue of the preceding financial year, whichever is greater. Fines and penalties are determined by regulators in the individual EU countries.
Schreiber says he’s not aware of any Massachusetts companies that have been hit with GDPR penalties thus far. However, he cautions that the EU’s data protection authorities are currently working through a backlog of tens of thousands of cases, so companies can’t assume they’ve dodged a bullet.
“Eventually, they will adjudicate those complaints,” he says. “A lot of them will be minor, requiring only a warning or some cleanup, but in others there will be fines.”
But Freedman says she got a different signal when she sat down with data protection authorities in the EU.
“They’re not going after small companies in Providence,” Freedman says. “A small business that does 95 percent of its business in Rhode Island and the U.S. is not going to be a No. 1 one target of these data protection authorities.”
And while levying a penalty of 4 percent of a company’s revenue could be devastating for many businesses, Freedman expects such draconian fines to be relatively rare.
“I know these regulators, and they’re not looking to put a company in Providence out of business,” Freedman says, adding that regulators will give weight to a company’s good-faith efforts at compliance. “Running around and saying you’re going to go out of business because of GDPR is extreme.”
Many U.S. companies early on were not “especially dutiful” in complying with their new EU data protection obligations because regulators hadn’t levied any fines, Schreiber says. The more recent announcement of eye-popping fines for GDPR violations has gotten the attention of the business community.
For example, the French regulatory authority fined Google $57 million in January for failing to disclose to users how it was collecting data over its various platforms for use in creating personalized advertising. And in April, Ireland’s Data Protection Commission announced the opening of an investigation against Facebook that reportedly could lead to a $2.2 billion fine based on an allegation that the company mistakenly stored millions of user passwords in plain text.
As a result, Schreiber says, more companies have gotten the message and are taking GDPR compliance more seriously.
“You’ve already seen some of the larger fines come out, mostly against major tech companies,” Schreiber says. “We probably won’t know for another two or three years what if any Massachusetts companies may get caught up in this.”
Attorneys should be advising clients that are not up to speed on GDPR compliance to conduct risk assessments defining their exposure under the EU regulation, he says. Clients also should be advised to engage forensic professionals who can identify vulnerabilities and recommend improved cybersecurity procedures and infrastructure for companies, he adds.
Private right of action
The most “ominous” aspect of GDPR that should get the attention of all companies is that the regulation provides a private right of action for persons whose data rights have been violated, says Boston cyber law attorney Joel K. Goloskie of Rhode Island-based Pannone, Lopes, Devereaux & O’Gara. He anticipates “lawsuit mills” springing up to handle GDPR claims, particularly since the regulation also authorizes not-for-profit organizations to stand in the shoes of individuals and sue on their behalf, collecting compensation afforded under the laws of a member EU state.
“What you’ve got under GDPR is an individual’s right to sue you in their home nation for any violation, even if it’s not a [data] breach,” Goloskie says.
Mid-sized companies that don’t have the compliance departments of large companies may find themselves to be most vulnerable to private suits under GDPR, he says.
But small businesses do have options to protect themselves, Goloskie says.
“You don’t need to be IBM. There are [law and IT] firms out there that do enough of this to do it at a cost-effective rate,” he says.
Ashley Winton has an on-the-ground EU perspective as a partner in McDermott’s London office. Rather than being alarmed, Winton says he was heartened by some of the Ponemon survey’s findings.
“It is clear that a very large number of companies have expended a great deal of effort in their GDPR compliance,” Winton says. “That is not just limited to European headquartered companies, but to U.S.-headquartered ones, too.”
The study found that approximately one-third of companies carried cyber risk insurance and that 43 percent of respondents reported that their insurance covered GDPR fines or penalties. In addition, 85 percent of respondents reported having a GDPR data protection officer.
While Freedman believes the need for GDPR compliance can be overblown in some cases, she says it would be short-sighted for companies to completely ignore the problem of cybersecurity. Instead, with the strict California Consumer Privacy Act going into effect in January 2020, she says it’s actually a good time for companies to tighten their cybersecurity policies in order to be in a good compliance posture for both CCPA and GDPR.
“Compliance with CCPA should be top-of-mind for any U.S. company, and it’s just like GDPR,” Freedman says, noting the Massachusetts Legislature is considering a data privacy bill modeled after the California law.
“It’s never too late,” she adds. “The timing right now is perfect for companies to be looking at compliance with GDPR, CCPA and a slew of new privacy laws that are coming down the pike.”