WHAT THE PRIVACY SHIELD TREATY MEANS FOR TEXAS BUSINESSES
By Matt Goulet
In late June, UK voters took to the polls to weigh in on their future as members of the European Union. Britain’s exit from the EU (“Brexit”) left markets wavering as the world wondered what it would all mean for the global economy. While Brexit was in the spotlight, however, another economic agreement involving the EU was being enacted. That agreement is the EU-U.S. Privacy Shield, a treaty that reconciles the differences between European and American data security and management laws and regulations by providing a framework under which grievances may be resolved in the event violations occur. For Texas enterprises with active or future plans across the Atlantic, the agreement may have serious implications.
Even for local or national businesses that aren’t directly affected by Privacy Shield, the agreement cannot be overlooked, as it is indicative of the importance of data in today’s worldwide marketplace. Secretary of Commerce Penny Pritzker recently told the New York Times that $260 billion worth of privacy-centric, trans-Atlantic business between the U.S. and European partners is dependent upon the secure transfer of data to and from our borders.
Data is valuable and vital to the success of any business — local, national or global — and there are expensive consequences when it’s not properly secured and managed. According to the most recent research by the Ponemon Institute, the average cost of a data breach is now $4 million. That includes fines and penalties, administrative and legal fees, and lost business opportunities due to reputational damage.
What Kind of Data Requires Protection?
Generally speaking, there are three types of data that require protection:
- Personally identifiable information (PII) is defined by the federal government as “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as a date and place of birth, mother’s maiden name, etc.”
- Protected health information (PHI) includes data related to medical records and to current or previous physical conditions, whether created or compiled by an insurer, employer, hospital or clinic, government agency, school or other organization.
- Intellectual property (IP) is defined by the World Intellectual Property Organization as “creations of the mind, such as inventions, literary and artistic works, designs, and symbols, names and images used in commerce.” IP can include things like business plans, product designs, internal memos or any other non-public information that is important to the success of the business.
Data Security Laws Vary Overseas
Texas companies must already abide by a number of state and federal laws mandating the protection of PII and PHI, as well as laws pertaining to the citizens of other states whose information resides with organizations based in Texas. Federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) establish standards for managing and protecting sensitive health data; industry standards like the Payment Card Industry Data Security Standard (PCI DSS) are used for securing credit, debit and other forms of payment; and intellectual property pertaining to corporate governance for publicly traded companies may fall under the Sarbanes-Oxley Act (SOX).
Although the challenge of understanding and following the data protection and privacy rules for the various states and federal agencies may seem daunting, the guiding principles are similar. For companies doing business overseas, however, the approach to data protection is typically different, so compliance with even the strictest of U.S. laws may not satisfy EU law. What’s more, updated data security rules go into effect in Europe in 2018, and the penalties for violating those laws can be severe — as much as four percent of total global annual revenue or €20m, whichever is higher.
The Data Breach Threat Is Real
Cases of security failures are all too frequently featured in headlines. According to the Privacy Rights Clearinghouse, there have already been more than 260 reported data breaches in 2016, resulting in the loss of sensitive, regulated data. Organizations and brands like Texas Health and Human Services, Medical Colleagues of Texas, the Eye Institute of Corpus Christi, Hard Rock Café, the Democratic National Committee, Walmart, the FDIC and many more have been affected, and with them the PII and PHI of nearly four million people have been compromised. Victims are at risk of crimes like financial fraud and identity theft.
Each Business Is Responsible For Its Own Security Standards
Brand trust must be transferable across international borders in order to tap into overseas markets, just like the data businesses rely on. Companies must recognize they are responsible for their own actions and for building trust when it comes to data protection. Doing the minimum in an attempt to simplify the process or save a few dollars is a short-sighted strategy. Rather, business leaders must recognize that, no matter what laws or agreements are in place, investments in security will pay dividends in brand trust — whether dealing with a cross-town customer or an overseas partner. Last year total spending on information security eclipsed $75 billion, according to a recent Gartner report.
It’s important to understand that technology alone cannot accomplish the task. Data security is a three-legged stool that requires people and processes working in concert with technology in order to maintain vigilance over the data that has been entrusted to an organization. That means recognizing that, as business leaders, we are responsible for making sure our organizations respect and protect the data that is entrusted to us, no matter what laws are in place. It’s not an easy task: compliance and the ongoing maintenance of trust take effort and involve training people, developing comprehensive security and governance programs and investing in the tools required to protect data.
These investments of time and money must also be documented in order to demonstrate to the appropriate regulating authorities that operations are compliant with the law and with binding contracts. Considering the stakes, this documentation is crucial should privacy violations be alleged. And, of course, all of this should be done with the guidance of legal counsel who understand the laws involved both at home and abroad, and who are familiar with a company’s appetite for risk.
In both the U.S. and the EU, compliance should be regarded as a floor, not a ceiling. That means companies should set high standards for protecting and managing data and for demonstrating respect for the individuals and organizations whose data they’ve been entrusted with. That foundation is the only way we’ll be able to build and maintain trust among our customers and for our brands for now and the long term.
Matt Goulet is President and CEO of San Antonio-based Globalscape