In recent years, high-profile cases have brought the problem of data privacy and security to the forefront of public debate. Unfortunately, efforts to enact universal regulations controlling consumer privacy and data security are falling well short of expectations. Instead, the United States and other countries should follow Europe's lead and establish a legal framework that provides clear rules of conduct for companies.
In May 2018, the European Union's General Data Protection Regulation (GDPR), adopted in April 2016 as Regulation (EU) 2016/679, became directly applicable in every member state. It replaced the patchwork of national laws that had implemented the 1995 Data Protection Directive with a single set of rules for everyone within the EU, and it arrived after several major data breaches in 2017 had sharpened public demand for stronger protection. The regulation pairs its obligations with explicit accountability duties, so organizations know what responsible behaviour looks like rather than guessing at it. It also reaches beyond the EU's borders: under Article 3(2) it applies to organizations established elsewhere that offer goods or services to, or monitor the behaviour of, people in the EU. For U.S. companies operating on both sides of the Atlantic, a single rulebook is easier to build controls against than a set of divergent national regimes, which is why a comparable federal framework in the United States would simplify rather than complicate cross-border cooperation.
Under the GDPR, individuals who suffer damage from an infringement may claim compensation from the controller or processor (Article 82), and supervisory authorities may impose administrative fines of up to EUR 20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher (Article 83; a lower tier of EUR 10 million or 2% applies to less serious infringements). In the United States, the Federal Trade Commission (FTC) pursues civil actions under Section 5 of the FTC Act against companies whose data security practices are unfair or deceptive, and sector-specific laws such as HIPAA carry their own civil penalties, with criminal penalties reserved for knowingly obtaining or disclosing protected health information. There is, however, no general-purpose federal data protection statute that gives every individual a right to sue over the mishandling of their personal data.
Nor is there a single federal baseline for private-sector computer security. The HIPAA Security Rule, the Gramm-Leach-Bliley Safeguards Rule and FISMA (with the NIST standards it relies on) each cover only their own sector, leaving many companies with no mandated minimum at all.
This white paper explores the evolution of data privacy laws in the United States as a continual balancing act, with security considerations on one side and individual rights on the other. It also looks at how these laws are changing to meet modern needs and technology advances.
Data protection rules are changing the way firms manage client data all across the world. The healthcare sector in particular is under close scrutiny after a series of high-profile attacks on some of the largest healthcare providers. Laws such as the GDPR treat health data as a special category of personal data (Article 9) and require any organization that processes personal data to implement appropriate technical and organisational security measures (Article 32), to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33), and to inform the affected individuals where the breach is likely to result in a high risk to them (Article 34). Firms that fail to meet these obligations face severe fines, and a practitioner should note that the notification clock starts at awareness, not at the end of the investigation, so detection and incident-response processes need to be in place before a breach occurs.
In addition to facing more intense scrutiny from regulators, firms now find that data privacy is a key differentiator for customers. Healthcare companies that do not adopt robust data protection practices risk losing patients and business partners to competitors who can demonstrate compliance and offer services, such as cross-border data sharing and research collaboration, that a non-compliant organization cannot lawfully provide.
The cost of compliance is also one of several pressures accelerating consolidation, because larger systems can spread the fixed cost of a privacy and security program across more facilities. Community Health Systems (CHS), headquartered in Franklin, Tennessee, completed its acquisition of Health Management Associates in January 2014 and became one of the largest for-profit hospital operators in the United States.
The timing of that deal does not, however, support the claim that it was driven by new data protection regulation: the GDPR took effect in May 2018, four years later, and it applies to a U.S. hospital only where the hospital offers services to, or monitors the behaviour of, people in the EU (Article 3(2)). The day-to-day security obligations of U.S. healthcare providers come instead from the HIPAA Security Rule, and a system cannot escape them by merging.