Director, FTI Consulting
Read any survey of the challenges small and mid-sized business leaders face, and you’ll see an array of worries over managing cash, retaining customers, competing and keeping up with technological change. Chances are that regulatory compliance and data privacy aren’t making those lists of issues keeping SMB owners up at night. In fact, the majority of SMBs (80% according to one survey) know very little about whether and how data protection laws affect their business. Nevertheless, many data protection regulations are indiscriminate when it comes to organization size, and with consumers paying increasing attention to data privacy, the issue has become very real in the SMB arena.
Today, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are two of the most pressing privacy regulations that introduce implications for SMBs. The CCPA and CPRA both include annual revenue thresholds of $25 million, but companies under that figure may still be impacted if they have more than 50,000 consumers, earn 50% of their revenues from selling or sharing consumers’ personal data or buy, sell or share data of more than 100,000 consumers/households. Also of note is that a business may be subject to the law even if it does not have a physical presence (but is conducting business) in California. The California Department of Justice estimates that 75% of businesses in the state will be subject to its privacy laws, including between 50-75% of those generating less than $25 million.
The General Data Protection Regulation (GDPR) in Europe, HIPAA, the NYDFS Cybersecurity Regulation, and dozens of pending state bills are also in play. Contrary to popular belief, these laws do not apply only to large corporations. HIPAA, for example, does not offer any carve-outs based on organization size or revenue, and some pending state regulations are drafted to govern all businesses that transact with consumer data, regardless of volume.
The cost of compliance with these laws may overwhelm some businesses to the point of turning a blind eye. Indeed, the initial expense of complying with CCPA is estimated at $50,000 for businesses with 50 or fewer employees and $450,000 for those with between 100 and 500 employees (per the standard regulatory impact assessment (SRIA) issued by the California DOJ). A HIPAA impact assessment may cost upwards of $75,000. Still, when compared to the costs of penalties for non-compliance, or the brand damage incurred for failing to adequately protect consumer data, the cost of compliance may be the lesser of two ‘evils’.
An up-front investment of $100,000 for privacy compliance may be a difficult commitment, but in the long run, it could save the organization significant financial hardship. CCPA penalties can reach $7,500 per violation—so a single breach impacting 50,000 consumers could cost up to $375 million. While it’s not likely that an SMB would face such a severe penalty, even a lesser fine could easily exceed the cost of compliance. In 2019, the average HIPAA fine was more than $1.2 million. Under HIPAA, in addition to fines, companies that are found in violation are required to take remedial actions, which incur costs for hiring legal counsel, making policy and technological adjustments and submitting to mandatory third-party auditing.
Several recent HIPAA enforcements serve as stark examples of the impact these laws can have on small and mid-sized businesses. A private neurology practice in New York paid $100,000 for a single right of access violation, and a gastroenterologist in Utah paid $100,000 for a data breach and failure to “conduct a risk analysis.”
At FTI Consulting, our teams have encountered numerous clients in the mid-sized range that have unknowingly overlooked data privacy risks—processing or collecting personal information, but unaware of their regulatory requirements around those activities. Moreover, data breaches are quite common among SMBs. The Verizon Business 2020 Data Breach Investigations Report found that 28% of data breaches in 2020 involved small businesses. SMBs are so intensely focused on growing (and through 2020, merely surviving the current crisis), that they often feel they can’t make the time or find the resources to deal with their data. This has to change. To protect brand integrity and avoid regulatory fallout, data privacy must be added to the list of top SMB considerations.
Identify the regulations that your business is subject to and the types of data you collect. Your privacy program will depend on the laws in the regions and industries in which you do business, and whether you are collecting financial, health or other types of personal information. For most businesses, the scope of privacy-sensitive data is likely to include various forms belonging to customers, partners and employees.
From an industry perspective, businesses in health care and financial services have specific rules to follow. To date, California, Nevada and Maine have comprehensive data privacy laws, and roughly 20 additional states have similar legislation in progress. Businesses with a footprint in Europe must also consider GDPR. Beyond comprehensive privacy regulations, many states have laws that apply to the use of biometric and other sensitive data, and all U.S. states now have data breach notification laws. These are in constant flux, with new data types and guidelines being added all the time.
Understand the nuances between (and risks of) buying, selling and sharing data. The ways personal data passes between parties are governed differently from law to law. CCPA focuses on selling (which may include sharing for valuable consideration in lieu of money), while CPRA adds buying and sharing into the mix. HIPAA allows for data sharing, but only with certain controls in place. It’s important to understand if your organization is engaging in these activities, and if so, to what extent, and with which parties. Even if your business is not subject to a regulation on data sharing, if you are exchanging consumers’ personal information with third parties, the risk of a breach or other privacy incident increases.
Design a tailored program. There is no one-size-fits-all program for data privacy. Your program will be nuanced depending on the regulatory environment and other elements determined in your initial assessment. For example, some businesses will be able to manage their privacy practices using existing tools in email, spreadsheets and SharePoint, whereas others may require a specialized privacy platform. Businesses subject to CCPA will require additional processes and technologies to respond to data subject access requests.
In any case, a successful privacy program must include support from a knowledgeable person who can manage it and adequate budget and resources to fulfill the business’s privacy responsibilities. Third-party experts in data privacy can be a useful resource for supporting risk assessments, developing programs and providing a data protection officer in cases where budgets do not allow for additional, permanent employees.
It’s important to note that perfection does not need to be the standard. Regulators often assess the severity of a penalty on the seriousness of the breach and the organization’s overall position toward compliance. Those that have demonstrated efforts to implement controls will be more likely to earn a degree of leniency in the event of a violation.
Define privacy values. Once a framework is built out, business leaders can begin asking: what does privacy mean to my organization? This is an opportunity to build a culture around privacy, align your brand with consumer trust and leverage that as a competitive advantage.
The regulatory environment around data privacy will continue to ramp up on a state and federal level in the coming years. A strong position on data protection and consumer trust will continue to be viewed as a brand strength. SMBs will be increasingly impacted by the resulting challenges and opportunities. Privacy is an issue that can no longer be ignored—businesses can either build programs now, or face penalties down the road (and still have to invest in a program).