Summer 2019 saw a flurry of major fines levied against large corporations for data breaches and other privacy violations. Ranging from a €460,000 fine under the European General Data Protection Regulation (GDPR) for a Dutch hospital to Facebook's US$5-billion proposed settlement with the Federal Trade Commission (FTC), regulators are showing their teeth.
While regulatory enforcement proceedings in Canada do not carry the same risk of massive fines, this recent activity in other jurisdictions reflects the elevation of privacy issues as a fundamental right and the corresponding regulatory scrutiny to protect such rights around the world (including Canada). Organizations collecting personal information must integrate privacy into the design of their operations; privacy as an after-thought will not make the cut.
Some major fines and settlements from this summer include:
British Airways: £183 million
Beginning in about June 2018, attackers diverted traffic meant for British Airways' website to a fraudulent site. Using this site, attackers stole personal information, including credit card information, from about 500,000 customers. On July 8, 2019, the BBC reported the United Kingdom's Information Commissioner determined the company's poor security arrangements led to the information's compromise, and the Commissioner imposed a £183-million penalty on British Airways in connection with the breach.
This represents the largest such fine imposed in the United Kingdom, eclipsing the now-second-largest fine, £500,000 against Facebook in connection with the Cambridge Analytica data scandal. Importantly, though, this fine against Facebook was the maximum fine at the time. Now, under the GDRP, the maximum penalty is €20 million or 4 percent of the company's annual global turnover in—British Airways' case, this could have meant a fine approaching £500 million.
Equifax: US$700 million
In September 2017, a data breach at Equifax exposed the personal information of roughly 147 million people. On July 22, the CBC and New York Times reported Equifax agreed to pay up to US$700 million in fines and penalties as part of a settlement with various federal and state regulators. The settlement requires Equifax to pay a US$175-million fine to various states and a further US$100 million to the federal Consumer Financial Protection Bureau. Equifax also agreed to establish a US$300 to 450-million fund to compensate the breach's victims, as well as to provide free services to affected customers for a decade and to regularly submit its security policies to third-party assessment.
This settlement will have no effect on the 19,000 Canadians impacted by the breach.
Facebook: C$6.6 billion
Following the Cambridge Analytica scandal of 2018 (in which Facebook shared data on up to 87 million of its users with Cambridge Analytica), the FTC has imposed a US$5-billion fine on Facebook. This is the largest fine the FTC has ever levied on a technology company.
CEO Mark Zuckerberg will have to personally certify Facebook's compliance with its privacy programs, with a risk that false certification could expose him to civil or criminal penalties.
This fine is in addition to a €1-million fine imposed on Facebook in June 2019 under the GDPR in connection with the same breach by the Italian data protection regulator.
While the risk of major fines here is not the same as in the European Union, the regulatory scrutiny of privacy breaches and findings against an organization are not only potentially costly, they can also be powerful evidence in related proceedings such as data breach litigation and foreign regulatory investigations.
The increased regulatory scrutiny of privacy matters in Canada is expected. Canadian organizations should assess their operations to understand what steps are required to comply with their obligations to protect personal information and the privacy of their employees and their customers. Implementing privacy into the design of an organization’s operations can help avoid exposure to class actions, shareholder litigation, regulatory scrutiny, and negative public relations.
Recent statements from the federal Office of the Privacy Commissioner and the provincial privacy offices suggest regulators in Canada are focusing on how corporations protect information and respond to any breach that may occur. Recent decisions, for example Ari v. Insurance Corporation of British Columbia, suggest a failure to learn from past breaches may justify an award of punitive damages.
Canadian organization need to be aware of their data protection obligations and prepared for data breaches and cyberattacks. Addressing these issues before a breach can save organizations the expense of being caught off-guard and reduce the potential exposure from an attack or an accidental breach.