by Daniel J. Solove
Are privacy and security laws being enforced effectively? This post is post #2 in a series called Enforcing Privacy and Security Laws. See the end of this post for links to other posts in this series.
What kind of sanctions do privacy and security laws use for enforcement? In this post, I will discuss the various tools that are frequently used in the enforcement of privacy/security laws.
The Enforcement Toolkit
There are a variety of enforcement tools that are provided for in various privacy and security laws or that are used by agencies in their enforcement.
Entities can be fined for violating privacy laws. HIPAA, for example, has fines of up to $1.5 million per violation.
Agencies can require organizations to take certain actions to comply with the law. This can involve being ordered to delete data, or to notify consumers, and make changes in privacy policies, among other things.
Organizations can be required to submit to routine auditing by an independent auditor. FTC consent decrees, which often last 20 years, require such auditing. This auditing can be quite expensive.
Organizations required to notify individuals in the event of a data breach must pay to send out the letters, as well as set up the supporting infrastructure, such as a center to field calls. This can be quite costly for breaches involving a lot of people.
Private Rights of Action
Some statutes authorize private rights of action where aggrieved individuals can sue. Sometimes there are statutorily-defined damages for each person affected. One of the biggest costs of the lawsuits is the cost of litigating the case.
Walls of Shame
Many agencies publicize enforcement actions on their websites. The HHS website with information about cases against HIPAA violators is famously dubbed the “The Wall of Shame.” Being listed on these sites can injure reputation. Reputation doesn’t just matter in the eyes of the general public, but also in the eyes of other organizations that might be more reluctant to do business and share data with an organization that has a reputation for having violations.
In some instances, there can be criminal penalties for violations.
All Sticks and No Carrots?
One complaint I sometimes hear from organizations is that there are no breaks or get-out-of-jail-free cards for organizations that have good privacy and security compliance programs. An entity can do 99 out of 100 things to protect data and do them very well, but when one thing goes wrong, then the agencies are out with their sticks.
The view from the agency side is somewhat different. What regulators from a number of agencies have often said is that an entity’s overall privacy/security compliance matters, and good practices will make a difference on whether an enforcement action is brought as well as on the severity of the sanctions.
Why is the story so different from each side? The answer is probably due to the fact that there aren’t many formal safe harbors in the law for good practices. Perhaps there should be.
Sometimes having a good program means that problems get exposed, and entities fear the irony of being punished for having a good program. For example, if an entity does risk assessments, violations might be found. Compare that to the really bad entity that doesn’t bother to do any risk assessments. Files could be thrown into a dumpster or data could be at risk and nobody would even know about it. The good entity turns over the stones and sees what’s crawling underneath and does something about it. Sometimes that means that a breach is discovered.
Perhaps agencies could develop guidelines for how to identify situations more formally where there would be a presumption against bringing an enforcement action, even for a violation. Such guidelines could be that it is a first time offense, that the overall data protection compliance program is exemplary, that the entity has taken corrective steps of its own, that any harm has been addressed and compensated, and so on.
Of course, there are legions of cases where entities have flaunted the law, where they have routinely engaged in bad practices, where they have not taken compliance seriously, and where they haven’t invested adequate resources in their compliance programs. These entities should be punished. But there are cases of entities really doing great things, and they should get some kind of credit for it. Sometimes carrots can work as well as sticks.
* * * *
Enforcing Privacy and Security Laws: Other Posts in this Series
2. The Privacy Pillory and the Security Rack: The Enforcement Toolkit [this post]
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 800,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter