Around this time last year, I published an article stating, “we have all been flooded with emails from vendors or website pop-ups with privacy notice updates about their awareness and intent to meet the May 25, 2018 EU General Data Protection Regulation (GDPR) deadline.” And the race was on to comply with GDPR given the threat of hefty fines for breaching this law.
Fast forward to today, and we’re reading that Equifax will be paying nearly $700 million to settle a data breach investigation with U.S. regulators, which will also require the company to adjust how it protects and handles consumer data. This includes requirements regarding encryption and security patching.
According to my calculations, Equifax is paying in excess of 20% of its 2018 revenue ($3.4 billion, according to Gurufocus). I’d call that much more substantial than what GDPR is imposing. If a company fails to meet GDPR regulations, the Information Commissioner’s Office (ICO) or EU privacy regulators can enforce penalties of up to 4% of worldwide turnover or 20 million euros (USD $23.58 million), whichever is greater. In fact, recently, the ICO fined two companies for data breach-related violations — British Airways $230 million, which is 1.4% of its reported $16.6 billion in 2018 revenues, and Marriott $124 million, which is less than 1% of its reported 2018 revenues of $20.7 billion.
For comparison's sake, it's interesting to note that the California Consumer Protection Act (CCPA) is still a bit under the radar but will have even bigger teeth starting in January 2020, with fines potentially running into the billions of dollars. Had California sued Equifax, the firm would have had to pay between $100 and $750 per record, which would have amounted to 20x the $700 million. And the CCPA will define an incident as the leak of a single record.
We can debate the justification of the relative amounts of these levies, but the point is that authorities are following through on their promises, and letting public and private entities know that they must act responsibly about their use of data. The key is to get beyond compliance checkboxes to establish a more fundamental and strategic approach to data privacy.
As I have previously stated, there needs to be a fundamental change in what personal information is gathered and for what purpose it is going to be used. It is also critical for customers to see the value of that data exchange. Modern business models are built on data collection, so unless consumers are willing to pay for services that have always been free, data will be collected. This is where new capabilities that allow data processors to apply analytics without decrypting data are becoming critical to restoring the balance between data privacy and data utility. CISOs and security professionals talk a lot about sharing information, but in reality, fear of retribution motivates them to keep things pretty close to the vest. And legislators, despite all their best intentions, don't engage enough with CISOs and businesses to gain critical insight into what the business needs. Both parties need to work in lockstep to enact protections that move faster than attackers and leverage the best innovations available to protect data from their adversaries.
And finally, the motivations of companies need to shift from compliance and defending against litigation and fines to concern and care for customer information and privacy, which will foster a relationship of trust. Companies must treat customer information not as a currency or commodity but as the most valuable bond between themselves and their users. Only when behaviors change — and security becomes a competitive differentiator rather than a necessary evil that is a checkbox for compliance — will we see a true transformation in the approach to preserving data privacy.