Fiscal year 2018-2019 saw monumental privacy- and security-related developments. In May 2018, the General Data Protection Regulation (GDPR) came into effect. Established within the European Union (EU), GDPR impacts companies that offer goods or services to EU data subjects. Privacy and data regulations within the United States followed: California enacted the Consumer Privacy Act in June 2018, and Ohio enacted Senate Bill 220, known as the Ohio Data Protection Act, shortly thereafter.
Along with the enactment of these far-reaching data security regulations, we have seen an uptick in subsequent data and security breach incidents. Many companies are now facing wide-ranging investigations by GDPR regulatory bodies into their compliance. Twitter, Inc. is facing complaints made to the Irish Data Protection Commission that it refused to provide data subjects with personal information they requested (including device information and timestamps recorded when data subjects clicked on shortened links, for example t.co links), and that it was technically feasible for the company to gauge someone's approximate location. Another major incident was reported when Marriott International Inc. disclosed a colossal data breach in November 2018, revealing that as many as 500 million data subjects had personal information exposed.
These issues will continue to develop in fiscal year 2019-2020 and beyond. Brouse McDowell is keeping a close watch on the impact these incidents, as well as others that show up every day, could have on our clients. Below are key privacy areas Brouse McDowell is monitoring in the upcoming fiscal year:
1. Ohio’s Data Protection Act
Ohio’s Senate Bill 220, referred to as the Ohio Data Protection Act, is in effect. It was passed to incentivize companies to voluntarily adopt what has been determined to be an appropriate cybersecurity program. Under the Act, Ohio now offers companies a legal defense against lawsuits in exchange for implementing an approved cybersecurity framework.
Brouse will be watching for cases in which companies are permitted to use the affirmative defense allowed under this act and the impact to our clients. We will also be looking for creative ways to assist companies that have an active online presence or that hold any type of personally identifiable information with developing policies that will provide protection under this new Ohio law.
2. Other States' and, Perhaps, Federal Privacy Laws
With Ohio and California both passing privacy laws in 2018, we expect more states to follow. As states pass their own individual privacy regulations, we will be watching for the possibility of conflicts of law and any tensions arising between the states. We will also be cognizant of how the language and application of privacy regulations develop as states begin to pass laws with focus points similar to those of GDPR.
Privacy issues have been pushed to the top of corporate agendas on a national level and across boardrooms around the country. Developments surrounding the discussion of new federal laws concerning privacy and data security and the possible preemption of state laws will be on our radar as well as whether private causes of action might become available under any new regulation.
With new state laws in place designed to protect consumers, Brouse will also be closely following how the Federal Trade Commission, the U.S. authority on consumer protection, will be responding to and classifying these new state regulations.
3. GDPR Enforcement
Many companies were forced to scramble to comply, or to seek an understanding of their obligations, with the enactment of GDPR in 2018. As we roll into a new fiscal year, we are still seeing many companies seeking guidance in order to determine best practices for compliance with this new regulation. One key reason is that the penalties for non-compliance are astronomical and could reach 4% of a company’s global revenue for the previous fiscal year, or 20 million euros, whichever amount is higher. We will continue to watch how GDPR is being enforced globally, keeping a close eye on the EU’s various compliance investigations. Our attorneys will be watching not only for the types of enforcement, but also for the associated penalties and remediation requirements issued as a result of enforcement. Non-compliance penalties have the ability to cripple companies; we will keep a close watch on any impact felt by companies.
4. New Data Breaches
Major U.S. companies are not immune from data breach incidents. In fact, one could say they are the prime target. Every day it seems a new major company discloses that they have been subject to a data breach. Twitter, Marriott, and The Neiman Marcus Group, LLC have all been subject to recent data breach disclosures. In addition, targeted cyberattacks have been causing major damage and disruption to businesses, municipalities, and individuals globally. These ransomware attacks, phishing attempts, and other cyberattacks have been increasing on a daily basis, and hackers have been finding new ways to breach security measures.
For example, earlier this week security researchers warned that hackers have now started to target the 1.5 billion people using the Google Calendar app. Researchers revealed that hackers have been exploiting the automatic integration between Google’s various services, sending calendar invites containing malicious links intended to steal users’ credentials and later use them to compromise other personal information. These types of attacks open doors for various social engineering attacks by creating fake appointments using user accounts, which could later allow a bad actor to physically gain access to offices and other places where they were not invited. Kaspersky, an internet security firm, advised Google Calendar users to disable automatic adding of calendar invites by changing settings within the app; or, if disabling automatic calendar invites is impractical, to send a separate email or call the person to verify that they actually sent the invite, in order to mitigate the risk of phishing attempts and other cyberattacks.