In our data privacy series so far, we’ve discussed the current state of data privacy legislation in Europe and the U.S., how data privacy is driving changes to eDiscovery workflows (and even creating new workflows) and how an increased emphasis on data privacy is helping put information governance on the (data) map.
Today’s Data Breach Landscape
If it seems like a data breach or security vulnerability is in the news daily, that's not an exaggeration. According to Identity Theft Resource Center (ITRC) research (reported by Security Magazine), the number of publicly reported data breaches through September 30, 2021 had already exceeded the full-year 2020 total by 17%: 1,291 breaches in the first nine months of 2021 compared to 1,108 breaches in all of 2020.
According to that Security Magazine article, each of the top ten security breaches of 2021 exposed more than 100 million user records. The largest left "a massive database of more than 5 billion records…exposed on the web without a password or any other authentication required to access it", a reminder that a single misconfigured, unauthenticated data store can outweigh years of perimeter investment. The second largest involved LinkedIn, where the personal data of 700 million users, nearly 93% of the company's members, was offered for sale online, including full names, phone numbers, physical addresses, email addresses, geolocation records and more. Despite organizations' efforts to protect users' personal data, breaches and security vulnerabilities not only continue to happen, they are increasing in frequency.
Fines for Data Privacy Violations
Protecting personal data keeps getting harder, and the stakes have never been higher. GDPR, CCPA and other recent data privacy laws carry significant penalties, and fines for data privacy violations are being assessed more and more frequently. Since GDPR enforcement began in May 2018, more than 900 fines have been assessed, totaling over €1.3 billion ($1.488 billion), as referenced in this GDPR enforcement tracking site. According to Tessian, the top 22 GDPR fines to date are $3 million and up, with Amazon ($877 million) and WhatsApp ($255 million) earning the two largest fines so far. And that's just GDPR-specific fines; it doesn't count penalties under CCPA, sector-specific regulations or other national laws.
Data Breach Notification Laws
When a U.S. organization experiences a data breach, it is required by law to notify affected individuals if the breach involves personally identifiable information (PII). All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted data breach notification laws applicable to private businesses, and in some states to governmental entities as well. These laws are not uniform: what counts as PII, whether encrypted data is exempt, the notification deadline and whether regulators or consumer reporting agencies must also be notified all vary by jurisdiction, so an incident response plan should map the affected individuals' states of residence to the applicable statutes rather than assume one rule. The National Conference of State Legislatures (NCSL) has a list of the data breach notification laws here, with links to each citation.
Lawyer Data Breach Notification Obligations
Lawyers have their own specific guidelines regarding data breach notification. Formal Opinion 483 of the American Bar Association (ABA), issued in October 2018, addresses Lawyers' Obligations After an Electronic Data Breach or Cyberattack.
The opinion references various Model Rules, such as Model Rule 1.1's Duty of Competence and Model Rule 1.4's Duty of Communication, which requires lawyers to keep clients "reasonably informed" about the status of a matter and to explain matters "to the extent reasonably necessary to permit a client to make an informed decision regarding the representation." It also discusses the obligation to monitor for a data breach, stopping the breach and restoring systems, determining what happened, and expectations for notifying not just current but also former clients.
Formal Opinion 483 states in its introduction that "the data security threat is so high that law enforcement officials regularly divide business entities into two categories: those that have been hacked and those that will be." In fact, the ABA's 2021 Legal Technology Survey Report (discussed here) found that 25% of law firm respondents said their firms had experienced a data breach at some time.
How an organization protects itself against data breaches, and how it responds when one occurs, has never been more important. Effective management of today's risks requires best practices across every discipline of the organization, including information governance, privacy and security. Data privacy requirements have raised the stakes for security lapses higher than ever, and the world is watching. Don't be the next data breach story everyone reads about in the news!
For more on Compliance support and specialized expertise, click here.