In one of the biggest data breaches of the Information Age, a hacker accessed the personal details of 106 million Capital One customers. Through this breach, the hacker gained access to 1 million Canadian Social Insurance numbers, 140,000 Social Security numbers and 80,000 bank account numbers. The US Department of Justice also noted that the hacker, a former Amazon employee, accessed an undisclosed number of people’s names, addresses, balances, credit limits and credit scores. The data included personal details of people who had applied for Capital One products.
Although the alleged hacker was arrested in July 2019 after boasting online about the breach, this event highlights how vulnerable personal data is and how valuable data protection has become. Capital One said that the hacker had gained access by exploiting a configuration vulnerability in a web application firewall.
While Capital One’s Chairman offered his apologies for the “understandable worry this incident must be causing those affected,” the company’s stock was down 5% in premarket trading on 30 July after the news broke. Less than 24 hours after the event, Capital One was hit with a lawsuit accusing it of serious “security failures.” The proposed class action was filed at the US District Court for the District of Columbia and accuses the company of negligence for failing to safeguard personal data. The lawsuit claims the company had “ample warnings of weaknesses and risks to its system.” It is difficult to predict how this lawsuit, and the others that have followed since the incident, will fare in court, given that Capital One acted fairly quickly after the discovery. Nevertheless, the US Government Accountability Office has stated that data breaches used by thieves to open financial accounts, receive government benefits and open credit lines in another person’s name are “the most harmful because it often takes some time for the victim to become aware of the theft.”
In a similar case, credit bureau Equifax was hacked in 2017 and did not notify its customers until a month after the data breach; the legal bill to resolve most of the aftermath was upwards of $650 million.
The Evolution of Data Protection Laws
In the Information Age, where borders are blurred and companies operate across many states, it is useful to understand the laws of every jurisdiction in which one operates. For example, in the Capital One case, where both American and Canadian individuals were affected, it will be interesting to see how the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the multitude of American laws (both State and Federal) will protect the consumers involved.
While data protection law in the US is still evolving, the EU has taken a more proactive role in defending consumers. Specifically, while the right to privacy is a fundamental human right under the Universal Declaration of Human Rights (Article 12), the European Convention on Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7), the EU has taken the view that data protection is an extension of that right and has enacted the GDPR to enforce data privacy.
The Information Commissioner’s Office (ICO) said that “the GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” As such, companies that do business in the EU are advised to:
- implement data protection audits and data breach support;
- develop data protection training;
- appoint a Data Protection Officer (DPO) or consider DPO outsourcing;
- ensure the DPO registration is in compliance with the national supervisory authority;
- carry out a Data Protection Impact Assessment (DPIA) where planned or existing processing operation “is likely to result in a high risk to the rights and freedoms of individuals”;
- seek regulatory advice when dealing with data collection/processing of EU subjects;
- maintain data mapping and Records of Processing Activities (ROPAs);
- ensure adequate Data Subject Access Request (DSAR) support for timely and legally compliant responses;
- and in cases where the appointment of a DPO is not required, consider Data Protection Support Services to ensure compliance with the GDPR.
The UK Information Commissioner, Elizabeth Denham, has noted that “personal data has a real value so organisations have a legal duty to ensure [data] security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Like the EU, where data protection is envisioned as an extension of both fundamental human rights and property rights, California has passed the California Consumer Privacy Act of 2018 (CCPA), which comes into effect on 1 January 2020.
Both laws further expand consumer rights with respect to the collection and use of personal information and impose damages when those rights are infringed. As such, the services of data protection professionals are essential in order to comply with legal requirements both in the EU and beyond.