This article by Chris Olson, The Media Trust CEO, was originally published in Corporate Compliance Insights on December 18, 2017.
In a precedent-setting move, the High Court in the United Kingdom (U.K.) ruled that a company is liable for data breaches caused by employees, shedding insight into the future of data privacy regulatory enforcement. The speed and flexibility of today’s digital world require the adoption of risk strategies that address not only employee behavior but also the vendors executing on enterprise websites and mobile apps. The changing regulatory environment mandates better control of these digital assets and the role they play in collecting, storing and sharing consumer data.
In this situation, a disgruntled internal auditor for Morrisons, a U.K. supermarket chain, posted payroll data of almost 100,000 employees online and sent it to newspapers in an effort to purposefully damage the grocery store chain image. The case went to court when 5,000 employees filed a class action suit against the company and sued for compensation under the Data Protection Act of 1998.
While the High Court found that Morrisons was not legally at fault, the chain was found to be vicariously liable for the employee’s illegal acts. Though the Court agreed to allow an appeal, this initial ruling signals the intent to tighten the data privacy responsibility noose on corporates.
The Implications for US Businesses
The U.K.’s High Court findings against Morrison’s data breach is very telling for the future enforcement of data privacy regulations and standards. It’s clear that companies are ultimately accountable for the protection of consumer data, regardless of how it is collected, stored or accessed. And, the U.K. isn’t alone in this changing approach. Think of the global impact on digital data when the EU’s General Data Privacy Regulation (GDPR) goes into effect in May of 2018.
Imagine the difficulty of securing consumer data in today’s digital-first economy where organizations have no control over their websites and mobile apps, in which dozens, and possibly hundreds, of unknown vendors, not only execute, but also can covertly collect personally-identifiable information. To avoid regulatory scrutiny, enterprises need to update their vendor risk management strategies to include the digital environment, with specific attention paid to identifying all parties executing in websites and mobile apps. For most enterprises, this knowledge is limited to the software and hardware they purchase or license for use. Identification and control of these external resources are critical to developing a comprehensive security strategy for digital assets.
GDPR is a Digital Nightmare
With its complex, far-reaching nature, the upcoming GDPR regulation will prove to be a greater challenge for those organizations without a formal privacy or risk officer as it extends the definition or application of existing privacy norms. Not only does GDPR codify a penalty structure, but it also broadens personal data to include online identifiers (internet use and behavior) and applies it to the processing of any personal data while the individual is physically in the EU.
Many enterprises are still coming to grips with understanding the new regulations and haven’t made much progress in applying it to the dynamic nature of their digital environment. Regulations are difficult to enforce in the digital economy due to the ever-changing nature of web-delivered information and commerce. For the most part, large-scale enterprises that view their digital presence as a strategic channel (media publishers, e-commerce, travel, consumer banking, etc.) understand these complexities, but not necessarily the corresponding implications of GDPR. Their biggest challenge is connecting the (data) dots internally: advertising/revenue operations, website operations, security and privacy.
When Ignorance Isn’t Bliss
The evolving regulatory landscape will hit the U.S. shores in 2018, and prove to be a tiresome issue that will rise all the way to the CEO and Board of Directors. Senior leaders will need to be cognizant of their company’s risk and exposure, especially as it concerns their digital footprint, as the price for non-compliance could far outweigh the expenditure to put policies and procedures in place. While some companies think that enforcement of GDPR will be tough to carry out, it is still in the best interest of companies to use GDPR as a framework for establishing data privacy and security standards.
The best approach is to hammer out and implement a digital vendor risk policy that can be enforced through vendor contracts. This requires identifying all vendors—including third-party—executing on the corporate website, communicating your policy and blocking those that don’t comply. In the event of a digital breach in which customer data is exposed, corporations will be in a better place to defend themselves, especially if the cause is a wayward third party. While it may not be a complete panacea, a digital vendor risk strategy is a start towards protecting corporate interests as well as customers.