2021-02-09 Patrick Walsh
Originally published at www.infosecurity-magazine.com.
The New Economics of Holding Personal Data in 2021
In the last few years, we’ve seen the rise of nearly 100 new and significant privacy laws around the world. The most significant of these are the GDPR, Europe’s General Data Protection Regulation, which went into effect in 2018, and CCPA, California’s Consumer Privacy Act, which went into effect this year.
Note: As of November 2020, CCPA has been strengthened into CPRA, the California Privacy Rights and Enforcement Act, which removed loopholes and expanded protections that previously covered the sale of data to also cover the sharing of data. But we’ll be focusing on what happens when data is lost or stolen and for that, we’ll just reference CCPA.
Have you been offered free identity theft protection insurance? If a company leaked your data, then you probably have. I’ve had the misfortune of getting free identity theft protection almost a dozen times now as my former health insurer, my current bank, Equifax, and others have coughed up my data to hackers.
But have you ever wondered why companies offer this insurance to their impacted customers? The goal is to hobble any potential class action lawsuits.
In a class action suit, the plaintiff has to show damages. Identity theft protection is insurance against damages from identity theft. If a plaintiff can’t show damages, there’s no basis for a class action lawsuit.
The offered insurance typically only lasts one or two years, but your data stays out there forever. These companies gamble that if your identity is stolen two years from now, it will be very difficult to prove that it’s their fault.
CCPA includes a little remarked clause that allows people to sue companies that lose their data even if they can’t show damages. This is the private right of action clause, and its implications are huge.
One of the authors of the original CCPA language, Alastair MacTaggart, told me that the Equifax breach happened while they were drafting the initial version of the privacy law. He was upset that Equifax could pay as little as $2 per user, barely a dent in their revenue, and potentially even make money off of that breach (they sell identity theft insurance and were using the breach to build a userbase that would auto renew after a free period). So MacTaggart added the private right of action to CCPA to make the consequences of being careless with sensitive data much stronger.
If a company is breached and a court determines that it was preventable, then CCPA’s private right of action damages come into play. The law requires judges to award at least 100 and up to750 per user unless actual damages are higher.
Note: This is separate from the fines that the California Attorney General or the forthcoming California Privacy Protection Agency can level for privacy violations. Those start at $1000 per user.
Let’s look at that Equifax breach that inspired this and pretend it happened after CCPA went into effect. That breach impacted 148 million people nationwide. They initially set aside about 300m for the breach, but ultimately it cost them1.4bn or around $9.50 per person. Note: that’s by their accounting, which doesn’t subtract the new credit monitoring business they picked up as a result of the breach.
California has 31 million adults and if we assume that 56% of them were impacted and joined in the class action then we'd have a lawsuit with 17.36 million plaintiffs.
Given that the congressional report on the breach said it was “entirely preventable,” it’s likely a judge would have ruled in favor of the plaintiffs and awarded damages. In fact, if you read that report, you might come to the conclusion that Equifax was criminally negligent and should be hit with the maximum. Regardless, the awarded damages under CCPA would be between 1.7bn and13bn.
At the end of 2017, Equifax had 4.3bn in cash. With CCPA, the breach would have cost them between3.1bn and $14.4bn dollars. That could have ended Equifax.
Since the initial mad scramble to become GDPR compliant in 2018, we’ve heard remarkably little about this law. There have been a few cases and a few fines, but nothing significant and attention grabbing. But GDPR allows for fines of up to 4% of global revenue or €20m, whichever is greater. This is pretty substantial.
For example, a maximum fine leveled against Google (not Alphabet) would be $6.4bn. And Equifax, which did have operations in Europe, could have faced fines there under GDPR in addition to the California privacy fines, the CCPA class action suits, fines from the US FTC, and other breach-related costs such as the post-breach investigations.
You might wonder if this increase in costs will actually hit companies or if it will instead be covered by insurance. If insurance covers the difference then has anything really changed in terms of incentives?
Lawyers are telling their clients to discuss CCPA coverage with their insurance companies and to push for coverage. It isn’t clear yet if insurance companies are doing this or will do it or what they might extract in return.
But when it comes to California, there’s an interesting wrinkle. California law prohibits insurers from covering expenses that were leveled to punish an organization. So in California, you can’t get insurance that will cover the cost of Government-levied fines.
But what about class action damages under the private right of action? Are those considered remedies aimed to punish?
This hasn’t been tried yet, but the spirit of the CCPA provision is clearly to punish companies who don’t protect consumer data. It’s entirely possible that an insurance company, even if they were willing to pay for the class action damages, would not be allowed to under California law. And they could use that law to shield themselves.
The complexity of multitudes of cloud apps, services, networks of vendors, partners, remote employees and so forth makes the chances of sustaining a breach higher than ever. At the same time, the cost of a breach is set to skyrocket.
Sometime in the next two years, we’ll have a mega-breach with price tags that jolt the industry and cause radical recalculations of risk equations. The writing is on the wall.