The following is an excerpt from Updating your data protection strategy, a free industry guide that looks at new data protection regulations in places like Europe, America, and Australia, and how to protect against the number one cause of data breaches. Catch up on part 1 here.
Here’s another reason to worry: right now, data regulations around the world are being tightened and even harsher penalties enforced to protect consumers. The GDPR was the first to completely change the way businesses collect, store and manage personal data.
The rest of the world soon followed suit, introducing new laws or strengthening those already in place. The Notifiable Data Breaches (NDB) scheme in Australia requires all businesses that experience a breach to report it to the individuals involved and to the government agency which enforces it. Multiple US states have their own data regulations, though California is leading the way with its Consumer Privacy Act. Additionally, the first-ever federal standard for penalizing companies for data breaches (dubbed the Data Security and Breach Notification Act) has been put to the US Senate for consideration.
Governments the world over understand cyber security is a huge threat to the safety and privacy of their citizens. They continue to tighten the law for businesses who hold valuable information and impose harsh penalties when it is not properly protected. How will legal regulations affect you?
EUROPE - The GDPR
The GDPR requires data holders to do everything in their power to protect the personal data of European citizens from being leaked or exposed. Even accidental leaks are viewed as the data holder not doing enough to keep personal information safe. Because of this, unintentional data breaches – like sending an email to the wrong person, or not redacting a person’s bank account number – carry the same penalties as if the business had not used passwords and security systems to protect against hackers. Therefore, it is essential you have the necessary safeguards in place to protect against all types of potential data breaches.
Penalties: minor offences are to be punished by a fine of up to €10,000,000 (US$12,000,000) or 2% of annual global turnover (whichever is greater). More serious offences could be fined up to €20,000,000 (US$25,000,000) or 4% of annual global turnover (whichever is greater).
It should not be forgotten that the available penalties are more than just financial. The data protection authorities have far-reaching powers that include the ability to put a stop to a business’s data processing or to name and shame it publicly – either of which could be far more damaging than a financial fine.
Who does it apply to? Any organization globally that holds or processes the personal data of European citizens.
AUSTRALIA - The NDB Scheme
The Notifiable Data Breaches scheme (NDB) requires organizations in Australia to report all eligible data breaches to the affected parties and the Office of the Australian Information Commissioner (OAIC). Under the law, data breaches are those that result in serious harm to any individual affected and include emails sent to the wrong recipient.
Penalties: regulatory action and court-ordered civil penalties
Who does it apply to? Australian Government agencies, businesses, and not-for-profit organizations with an annual turnover of $3 million (US $2,400,000) or more, credit reporting bodies, health service providers, and TFN recipients.
NORTH AMERICA - CCPA, PIPEDA, HIPAA, GLBA
Nearly all US states have their own data breach notification laws. California was the first, with legislation introduced in 2003. Different industries have their own regulations – the Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers medical data, and the Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, covers financial data.
The California Consumer Privacy Act of 2018 (CCPA) was legislated to provide the state’s citizens greater ownership of their personal information. From January 1, 2020, Californians have the right to know, among other things, what personal data is being collected on them and, if it is sold or disclosed, to whom. The CCPA applies to organizations that a) do business in California and b) either have annual gross revenues over US$25 million; hold the personal information of at least 50,000 consumers; or earn more than half of their annual revenue from the sale of consumers’ personal data.
Mandatory breach notification – PIPEDA
Canada’s notifiable data breach law came into effect on 1 November 2018. Organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) are now obligated to give notice of certain types of privacy breaches.
Download the guide to Updating your data protection strategy to learn about the new regulations and a simple solution to make sure your workplace is protected.