What's Next for Data Privacy?
By Kate Browne, Senior Counsel, BHSI and Sean Clifford, AVP, Underwriting for Cyber, Tech & MPL, BHSI
In 2018 when the General Data Protection Regulation (GDPR) was implemented, it shone a spotlight on the issue of data privacy. The legal and regulatory landscape for data privacy grows more challenging and complex every day. Today, as companies face the challenges of complying with new laws such as the California Consumer Privacy Act (CCPA) and the challenges of advancing technology, brokers, risk managers and insurers are devoting more time and resources than ever before to data privacy management. The purpose of this article is to scan the horizon with an eye toward predicting what the future of privacy may hold.
1. Compliance will become more complicated.
Since the introduction of the GDPR, more than 60 countries including Australia, Brazil, India, Japan, Kenya, Mexico, Panama, Singapore, Thailand and the United States have enacted or considered privacy and data protection laws.
The research company Gartner predicts that by 2023, “65 percent of the world’s population will have its personal information covered under modern privacy regulations, up from just 10 percent today.”
California’s 2018 passage of CCPA set off a chain reaction: the next year, some 25 states and Puerto Rico introduced data privacy legislation, including bills related to collecting biometric data, online privacy, data broker regulations and other consumer privacy issues. While the details of these laws vary, at their most basic, they all require organizations to understand how they are using personal data. Risk managers, in-house counsel, IT professionals and others must be able to explain how and why their organization’s data is collected, where it goes, who in and outside of the organization has access to it, how it is protected, and what happens when data is no longer needed.
In the future, compliance will become more complex. Data privacy will likely no longer be about complying with just a single law or adjusting data collection practices for a single group of clients or customers. Even the most sophisticated organizations have had difficulty complying with the patchwork of state breach notification laws, and have had to rely on outside counsel to act as a breach coach to navigate the various statutory requirements surrounding breach response and notification. The privacy rights and consumer protections granted by CCPA and GDPR are significantly more complex and burdensome to comply with. With more privacy-focused laws on the way and the possibility of federal legislation in the United States, it is probably only a matter of time before nearly every company is affected by one or likely more data privacy regulations and the need for specialized expertise in navigating the terrain will grow.
2. Compliance will increasingly be a competitive advantage.
Data privacy will become an increasingly significant factor in consumers’ buying decisions. On the heels of numerous high-profile data breaches, with state and federal lawmakers bringing greater focus to data privacy legislation, consumers are educating themselves on how companies are using their data – and may be willing to walk away from those they believe may be using it irresponsibly.
On the other hand, organizations that support and invest in data privacy have an opportunity to build consumer trust and loyalty over competitors that do not. For example, to show its support for privacy protections, Microsoft voluntarily extended the CCPA’s consumer rights for its U.S.-based customers and the GDPR’s data subject rights for customers across the globe. During the 2019 World Series, Apple’s television ads promoting its new iPhone focused not on cameras or screen size but on data privacy features.
Similar to how "organic" and "fair trade" labels have driven sales in the food and beverage space, we expect privacy to become a sought-after differentiator, with organizations that are willing to prioritize data protection capturing a competitive advantage.
3. Privacy will get more attention in the C-suite and boardroom.
In the B2B world, companies are increasingly incorporating data privacy compliance reviews of potential business partners into standard due diligence practices. In M&A deals, acquirers are seeking evidence of strong data privacy programs from potential targets, with good reason: In a recent survey of M&A professionals by Merrill Corporation, 55% of respondents cited the target company’s data privacy practices as the primary reason the transaction failed. For organizations looking to grow or partner with European Union-based entities, GDPR compliance is on the agenda and we expect to see similar focus on CCPA.
In an effort to protect both their reputation and bottom line, board members and others will demand more transparency and discussions around their entities’ cybersecurity and privacy postures, especially in countries where regulators are increasingly focused on employee accountability.
4. Privacy and cyber security will be even more closely integrated and automated.
As data privacy laws and regulations require companies to ensure data security and impose financial penalties for a breach or non-compliance, privacy and data security teams will continue to work together to identify privacy risks and design enterprise-wide controls to manage these risks effectively. In the not so distant past, the goal was to protect servers and desktop computers. Today, however, with the proliferation of "smart devices" in homes and offices and of mobile phones, the "attack surface" is larger than ever, and companies will need to integrate data privacy best practices into both traditional and new technology applications. We anticipate growth in artificial intelligence-powered automated data management solutions to help companies rise to the challenge of creating and maintaining a strong data privacy compliance program without sacrificing agility or productivity.
5. Data privacy will fundamentally change product engineering.
Data privacy will become increasingly nuanced as society moves away from an "all or nothing," opt-in/opt-out model of data collection and incorporates data privacy into products in more sophisticated ways. Software programmers and developers may begin to consider privacy on a sliding scale and create products that deliver personalized protection. In the future, software systems may let organizations adjust and manage the type and amount of user data they collect by stripping out different levels of personally identifiable information.
Website and app developers may build products that allow users to "point and click" to customize how much privacy they want, and to understand how different levels of data sharing will shape the experience they receive in return.

In addition, more companies will begin to use differential privacy. Differential privacy is a technique that lets an organization collect and share aggregate statistics about user behavior while protecting each individual by adding random statistical "noise" to the data. Apple used differential privacy in iOS 10, adding noise to each user's inputs on the device before they are sent. As a result, Apple can track which emojis are most frequently used across its user base, but the emoji usage of any one individual user is masked.

Implementing "privacy by design" is critical as organizations move forward. This allows companies to embed privacy into the development of products and infrastructure. It will require close collaboration between developers and privacy counsel to anticipate and prevent potential privacy issues before they arise. Having this foresight will not only minimize risk, it will improve products and enhance the overall experience of the consumer.
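The emoji example above describes local differential privacy: noise is added on each device, and only the noisy reports reach the server, which can still recover accurate aggregate counts. The following is an added illustration written for this page, not Apple's implementation and not code from the authors. It uses k-ary randomized response (one standard local differential privacy mechanism) over a constructed emoji domain and a constructed, simulated user population; the epsilon value, population size and popularity weights are assumptions chosen for the demonstration.

```python
import math
import random
from collections import Counter

# Constructed domain of reportable values (not Apple's emoji set).
EMOJIS = ["😀", "😂", "❤️", "👍", "🔥"]


def _keep_and_flip_probs(k, epsilon):
    """For k-ary randomized response, the probability of reporting the true
    value (p) and of reporting any one specific other value (q)."""
    p = math.exp(epsilon) / (math.exp(epsilon) + k - 1)
    q = (1.0 - p) / (k - 1)
    return p, q


def randomize(true_value, domain, epsilon, rng=random):
    """Runs on the user's device: keep the true value with probability p,
    otherwise report a uniformly chosen different value. The server never
    sees true_value, only the return value of this function."""
    p, _ = _keep_and_flip_probs(len(domain), epsilon)
    if rng.random() < p:
        return true_value
    return rng.choice([v for v in domain if v != true_value])


def likelihood_ratio_bound(domain, epsilon):
    """Worst-case ratio P(report | true = a) / P(report | true = b) over all
    reports and all pairs a, b. For k-ary randomized response this is p / q,
    which equals e^epsilon: no single report can shift the server's belief
    about one user's true emoji by more than that factor."""
    p, q = _keep_and_flip_probs(len(domain), epsilon)
    return p / q


def estimate_counts(reports, domain, epsilon):
    """Runs on the server: an unbiased estimate of the true histogram.
    E[observed_v] = n_v * p + (n - n_v) * q, so n_v = (observed_v - n*q) / (p - q).
    The estimates always sum to n, and their error shrinks relative to n
    as more users report, which is why aggregates stay useful."""
    n = len(reports)
    p, q = _keep_and_flip_probs(len(domain), epsilon)
    observed = Counter(reports)
    return {v: (observed.get(v, 0) - n * q) / (p - q) for v in domain}


def simulate(n_users=20000, epsilon=2.0, seed=7):
    """Constructed population with a skewed emoji preference (assumption),
    each user's value randomized on-device, then aggregated server-side.
    Returns (true_counts, estimated_counts) so the two can be compared."""
    rng = random.Random(seed)
    weights = [0.40, 0.25, 0.20, 0.10, 0.05]  # assumed popularity skew
    truth = rng.choices(EMOJIS, weights=weights, k=n_users)
    reports = [randomize(v, EMOJIS, epsilon, rng) for v in truth]
    return Counter(truth), estimate_counts(reports, EMOJIS, epsilon)


if __name__ == "__main__":
    truth, est = simulate()
    print(f"per-user privacy bound e^eps = {likelihood_ratio_bound(EMOJIS, 2.0):.3f}")
    for e in EMOJIS:
        print(f"{e}  true={truth[e]:6d}  estimated={est[e]:9.1f}")
```

Two points a practitioner should take from the output: the most popular emoji is recovered to within a few percent from 20,000 noisy reports, yet any one report is, by construction, at most e^epsilon (about 7.4 here) times more likely under one true value than another. Lowering epsilon strengthens the individual guarantee and widens the error bars on the aggregate; that trade-off is the engineering decision a privacy-by-design review has to make explicitly.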
6. Managing the risks posed by third parties will be a major focus.
A key driver of increasing privacy laws is the number of high-profile third-party breaches and incidents. Laws such as the GDPR and CCPA demand significantly more transparency around data shared with third parties and how it is used. Ultimately, however, in the event of a breach, organizations are held responsible for the handling of their data by vendors and contractors. As a result, we will see organizations enhance their assessments of the security practices and procedures of vendors to create risk profiles before deciding what (if any) data should be shared.
7. The cyber insurance market will continue to adapt and respond.
As cyber-related exposures and regulations evolve, the cyber insurance market will adapt and respond to keep pace. Most recently, policies have adapted to expressly address regulatory fines and penalties arising from violations of privacy law such as CCPA or GDPR. Historically, regulatory coverage was limited to violations arising from a breach. Now, regulatory coverage extends not only to unintentional disclosure of data, but also to issues arising from how organizations themselves handle data. BHSI’s cyber team takes a thoughtful and forward-looking approach to underwriting cyber exposure, considering the measures customers have taken to ensure compliance and working closely with our customers to understand the data they have and how it flows through their organization.
With the 2020s, we are embarking on a new era in our digital and increasingly data-rich world, one that promises transformational advances in the legal and regulatory environment and the emergence of new technology to power computing and connected devices and to manage data flow. Privacy risk management will continue to elevate as a discipline all its own as organizations increasingly focus on data stewardship in a holistic manner. There is new, exciting terrain ahead. And BHSI stands ready to navigate it with our customers.
For more information, contact email@example.com.
Berkshire Hathaway Specialty Insurance (www.bhspecialty.com) provides commercial property, casualty, healthcare professional liability, executive and professional lines, surety, travel, programs, accident and health, medical stop loss, and homeowners insurance. The actual and final terms of coverage for all product lines may vary. It underwrites on the paper of Berkshire Hathaway's National Indemnity group of insurance companies, which hold financial strength ratings of A++ from AM Best and AA+ from Standard & Poor's. Based in Boston, Berkshire Hathaway Specialty Insurance has offices in Atlanta, Boston, Chicago, Houston, Indianapolis, Irvine, Los Angeles, New York, San Francisco, San Ramon, Seattle, Stevens Point, Adelaide, Auckland, Brisbane, Cologne, Dubai, Dublin, Hong Kong, Kuala Lumpur, London, Macau, Madrid, Melbourne, Munich, Paris, Perth, Singapore, Sydney and Toronto.
The information contained herein is for general informational purposes only and does not constitute an offer to sell or a solicitation of an offer to buy any product or service. Any description set forth herein does not include all policy terms, conditions and exclusions. Please refer to the actual policy for complete details of coverage and exclusions.