A tightening regulatory climate
As data multiplies, so do the rules around collecting, using, and protecting other people’s personal, sensitive information.
As early as 2020, Gartner analysts forecast that by 2023, 65% of the world’s population will “have its personal data covered under modern privacy regulations” – a prediction that’s likely to come true. Over the last several years, the passage of data privacy legislation has accelerated around the world, and that pace only continues to quicken.
These efforts began as notable one-offs, such as Europe’s GDPR, but every few months a new law is rolled out, each with different requirements, levels of enforcement, and specific fines and sanctions.
The United States has almost 30 states with some form of privacy protection law in place or in draft for debate and passage. California implemented one of the first data privacy rules, and it remains the toughest state law on the books. Its 2018 CA Consumer Protection Act put strict obligations in place around the collection and sale of personal information and recent amendments push those rules even further. Beginning in 2023, California will be the first state to extend data privacy rules to HR data, among other new regulations.
In early 2022, U.S. federal legislators began work on the American Data Privacy and Protection Act (ADPPA), commonly considered an American version of Europe’s GDPR. The law already faces stiff opposition from many privacy advocates who argue for stronger enforcement. Whether or not the bill passes, it will most likely serve as a template for future efforts.
To the north, Canadian legislators continue to work at both the federal and provincial level. The 2022 Digital Charter Implementation Act clarifies the country’s long-standing PIPEDA compliance law, strengthening rules over consent and transparency. Canadian legislators’ stated goal has been to ensure federal standards match European GDPR rules, with a similar right to access but lacking European “right to erasure” and other provisions.
At the same time, Quebec lawmakers also passed a tough Law 25 bill that added to the scope of federal protections, including a right to be forgotten and:
- Mandatory annual Privacy Impact Assessments
- Updated guidance on holding and using de-identified and anonymized information
- New regulations about data use inside automated decision-making systems. This requires figuring out how customer data protection requirements change over time.
The complexity and complementary nature of new legislation can make compliance even harder. Which frameworks and laws apply depends on many factors, including how and where a business operates, the customers it serves, the number of assets under management, and more. Each law has nuanced and unique compliance requirements, and any organization to which they apply must meet them all.
Costly cautionary tales are everywhere
As the regulatory climate becomes more stringent, it becomes imperative to take compliance seriously. For those companies weighing whether or not to take action, according to the Ponemon Institute, the average cost of compliance ($5.47 million) is significantly less than the cost of non-compliance ($14.82 million). According to IBM, the cost of non-compliance also continues to climb year-over-year, jumping up 45% from 10 years ago and 12.6% from two years ago.
This total cost of non-compliance, as calculated by Ponemon, includes a combination of fines, penalties, and fees, as well as the indirect costs of business disruption, revenue loss, productivity loss, and reputational damage.
Expensive stories about failures to comply are everywhere. Nearly every month brings headlines about another major compliance event and its consequences:
- In 2021, JP Morgan was fined $125M for compliance control failures, mostly centered around poor recordkeeping and a lack of controls around the use of personal devices.
- In 2022, Morgan Stanley was fined a total of $60M for data privacy violations that took place in 2016 and 2019, settling both civil fines and a class action lawsuit over decommissioned data center equipment that hadn’t been properly wiped.
Finally, it’s not just current security posture that drives penalties, but also previous compliance behavior.
One Canadian case, Ari v. Insurance Corporation of British Columbia, held that punitive damages were appropriate where companies had failed to learn from past breaches. This means a single compliance event can incur penalties now as well as potentially leading to larger fines following a subsequent event, depending on how a company responds.
Calculating the hidden costs of non-compliance
In the event of non-compliance, regulators won’t be the only ones driving up dollar costs. There are many indirect costs that factor into lost revenue and opportunity costs, including:
- Business disruption: Time spent recovering from a breach is time spent not moving your business forward. Non-compliance also drives disruption through time lost to frantic preparation for an audit or other assessments, often by key staff members.
- Reputation damage: Consumers and businesses are increasingly concerned about how companies manage sensitive data, and non-compliance can have a corrosive effect on this trust. The 2021 Ponemon and IBM Cost of Data Breach report shows that about 32% of losses from non-compliance rise from reputation problems, including lost business, reduced goodwill, and cost of acquiring new customers.
- Revenue loss: In addition to direct losses from business disruption, non-compliance can impact future revenue as well. An intense focus on supply chain and “third party” risk means customers take compliance very seriously, and your inaction may cause you to be locked out of deals or taken off trusted supplier lists.
- Lawsuits: In addition to regulatory fines, businesses can face costly, high-profile lawsuits from impacted users and customers. Capital One settled a class action lawsuit for $190M over a 2019 breach for failing to protect user data, on top of $50M paid to regulators for the same incident.
Getting proactive: the sooner the better
As threats evolve and regulators react, the compliance environment will continue to tighten, and the cost of doing nothing will continue to rise. Qohash was designed to provide the foundational elements needed to meet data privacy regulatory requirements across North America.
Read about how one fund manager leveraged Recon to meet GDPR-style regulatory requirements here.
meet the foundational elements of meeting data privacy regulatory compliance requests. When the auditors show up—you’ll be ready.
Assess your landscape
Understand the regulations to which you’ll be subject.
- What regulations impact operations?
- Where do compliance frameworks overlap? Where do they differ?
This helps you fully understand the rules that dictate the data protection rules and controls that must be put in place.
Scan and prioritize sensitive information
Before running a data classification tool that can automatically sort the types of data across your business systems – cloud and on-premises – by regulation, configure your tool accordingly. Deciding what information will be regulated depends on your data classification strategy.
With classification rules in place, Recon enables an automated end to end scan of your data environment, discovering sensitive information and gathering critical context about classification. This enables you to build a big picture view of where sensitive data elements are at all times, and tagged data elements give you multiple ways to parse data elements, including:
- Data element view (passport number, credit card number)
- Governing framework (e.g., PCI or GDPR)
Build for automated, proactive data privacy
A robust data discovery serves as a baseline for automated scans and continuous ongoing risk detection and mitigation. Additionally, a comprehensive data inventory is fundamental to building and demonstrating stronger compliance controls, no matter how the rules change.
While the cost of non-compliance continues to rise, getting it right has never been more critical.
Your business, your brand, your bottom line—failure to act can put everything at risk.
