U.S. Companies Don’t Comply with Privacy Laws, but That is About to Change

This is a guest article by IT Governance USA GDPR Consultant William Gamble.

I am one of the few lawyers with an advanced certification in cybersecurity. I help organizations identify and comply with relevant cybersecurity and privacy laws.

Four years ago, in the run-up to the GDPR (General Data Protection Regulation) taking effect, I began getting panicked calls from U.S. organizations.

They didn’t have any data privacy policies and procedures in place and could potentially violate the GDPR. I told all of them that unless their company was big tech, they probably wouldn’t run afoul of the GDPR and be forced to pay a fine.

I was right. The number of medium-sized or smaller organizations that have been subject to fines is minuscule. That was to be expected in the Regulation’s infancy. But times change.

The GDPR has been joined by five U.S. state laws that mandate privacy protections, in California, Virginia, Colorado, Utah, and Connecticut.

There are another 22 proposed privacy statutes, some of which may be passed when the state legislatures adjourn at the end of June.

Besides these, almost half of U.S. states have cybersecurity laws. Most of these require organizations that process data to adopt “reasonable” cybersecurity protections.

How will this legislation affect organizations?

This plethora of cybersecurity and privacy laws does not necessarily mean that organizations are better prepared.

The problem isn’t just that organizations are liable to suffer a data breach or face enforcement action. They need to be equally concerned about the ammunition that increased legislation gives to plaintiffs’ lawyers, some of whom have already been highly successful.

The increase in legislation comes despite major obstacles put in place by the courts and the tech companies.

The largest roadblock has been a supreme court case called Spokeo, Inc. v. Robins.

As this case demonstrates, plaintiffs must show injuries, such as financial or reputational losses, before a data protection or data privacy case can proceed. This can be a challenge because the damages are often already covered.

By contrast, there is less coverage related to biometric and health care data. Likewise, under U.S. federal law, damages for the theft of credit card information are limited. Usually this amount is paid by the bank, retailer, or credit card company, so the plaintiff does not have actual injury.

In 2015, the federal Office of Personnel Management was hacked – most likely by Chinese state-sponsored attackers in an act of cyberespionage. This instigated a seven-year lawsuit that has recently been settled.

Although most of the 21 million victims could not prove damage, a sizable group could. This group will share $63 million in damages.  

The damages were paid to a group that includes victims who paid for identity theft protection and the ability to freeze or unfreeze their credit. These issues exist in just about any cybersecurity breach.

The private right of action

Two other recent laws have also created issues. The CPRA (California Privacy Rights Act) does enshrine a private right of action, but only for a cybersecurity breach and not for loss of privacy.

The private right of action is helpful to plaintiffs and has been carefully excluded from other privacy laws. The important part of the law, however, is the $100 automatic damages if the consumer loses any personal information in a breach.

The damages portion of the law is crucial because many class action lawsuits could not survive a motion to dismiss when the plaintiffs had no actual injuries. Now, if they fall under California jurisdiction, the case can get to the jury. Cases usually never get that far because the defendants will settle.

If the victim of a cybersecurity breach has actual damages, then the case can satisfy the injury requirement set out in Spokeo. The plaintiff can show actual monetary injury. Damages are no longer speculative.

The other law that will cause problems for organizations is Illinois’ BIPA (Biometric Information Privacy Act). It allows for damages for private plaintiffs for any breach of the law.

A case last year cost Facebook $650 million. The BIPA has sparked several other states to pass similar laws, although private rights of action under these laws are forbidden.

This has not stopped the Texas attorney general from suing Facebook’s parent company, Meta, for allegedly using facial recognition technology on its users without their consent.

For most U.S. organizations, inaction has sufficed so far, but this cannot last. The simple reason is that about 86% of organizations believe they will suffer a cyber attack in the next year.

Until recently, organizations might not have felt much of an impact from a data breach, but that’s no longer true.

Regardless of your industry or your state, any cybersecurity problem will affect your reputation and your relationships with customers and partners. The best defense is to prepare for the inevitable, because the consequences are growing by the day.

What should you do?

For today’s organizations, which rely heavily on technology and, more to the point, the Internet to do business, cyber attacks are a very real threat.

Furthermore, the cyber threat landscape is complex and constantly changing, making it tricky to navigate: for every vulnerability fixed, another pops up, ripe for exploitation.

You can find out how to mitigate the risk by downloading our free guide: Cybersecurity and Business Resilience – Thinking strategically.

This green paper will help you plan appropriate cybersecurity defenses and understand the importance of business resilience.

We break down the process into its core parts, beginning with the risk assessment, which helps you identify weaknesses and determine appropriate information security controls.

Our expert guidance also describes the defense-in-depth approach and the key points to consider for preventing security incidents, detecting data breaches, and responding to threats.