
CCPA...The Most Significant Impact on Litigation Since FRCP

Are you ready for the California Consumer Privacy Act (CCPA)?

I have a simple question for all the GCs, CPOs, and CISOs out there: Are you ready for the California Consumer Privacy Act (CCPA)? Because it’s coming, whether you’re ready or not, on January 1, 2020. (And ten other states will soon follow suit with similar, but different, regulations.)

Depending on the timing, polling group, and survey methodology, reports suggest somewhere between 45% and 86% of companies will not be ready or do not even plan to be ready by then.

If you ask me, those figures are probably optimistic. I suspect that most organizations who expect to be ready aren’t as close as they think. Why? Here’s my thought process.

Do you know how long it will take to fulfill a single data subject access request (DSAR)? They require more resources than you might think. You’ll need to verify the data subject’s identity, access and search a comprehensive and accurate data inventory, collect the resulting data, review and redact confidential information about other subjects and deliver it to the subject within 45 days. According to a Gartner survey cited in its white paper How to Prepare for the CCPA, 83% of respondents “needed a full working week or more time to respond to each single request.”

What will you do if you get 10 requests? 100? 1,000? With 240 working days in a year, you would need to close roughly 4.2 complete requests every working day to keep up with 1,000 requests. How many FTEs can you dedicate to fulfilling DSARs?

Consider what happened to Microsoft when it opened its self-service DSAR portal in compliance with the EU’s General Data Protection Regulation (GDPR). In its first year, it received 18 million data requests.

Guess how many came from the United States. 6.7 million. How many DSARs can organizations expect in response to the CCPA, the most stringent privacy law in the US so far? What will happen when more states and the federal government enact privacy laws based on the CCPA?

Of course, there are only a few organizations with the client base of a Microsoft, Google, or Facebook. What would be a reasonable figure for number of DSARs you’d receive? We had a client who received 15,000 requests in the first month after GDPR took effect.

I don’t want to do the math to figure out how many FTEs you’d need to fulfill those DSARs manually. Frankly speaking, I don’t think you want to do that math either.

I will do a little math for you, though. That same Gartner study found that organizations were spending “on average $1406 per SAR.” At that price tag, the cost of a mere 15,000 requests would run to approximately $21 million in one month!

But it’s not just about cost. It’s also about time. Organizations have a duty to respond to a data subject access request in just 45 days. 45 days! Legal departments will be hard pressed to meet that deadline for 15,000 requests, but can you imagine 50,000?!

It’s fair to say such an expense and risk is not sustainable. Organizations must be ready with a scalable, defensible, automated solution to this looming crisis.

There is an uncanny amount of similarity between the e-discovery and privacy worlds. If you’ve never seen a data subject access request, just ask your e-discovery team. They are essentially fulfilling DSARs already, just in a different form, via the e-discovery production request, which makes it even simpler to solve the privacy and DSAR problem via technology. Re-purpose e-discovery technology for the privacy world.

Here are the requirements as I see them for a technology solution to the DSAR problem.

First, you’ll need a portal for requestors to file DSARs. But it should be more than just a user-friendly online interface. It needs to route as many requests as possible directly into the fulfillment workflow.

Next, you’ll need to automate (as much as possible) and manage this workflow, from authenticating the requestor’s identity to finding, reviewing, and producing their data to them. Verification deserves care: a check that is too weak hands one person’s data to another, while one that demands copies of identity documents collects still more personal data that you then have to protect. This automation isn’t really optional; it’s a necessity given the volume of requests you can expect. Your database may not be as large as our client’s, but is it really reasonable to expect fewer than 1,000 requests a year? What happens if you suffer a data breach? How many requests do you anticipate getting then, when compliance is going to be all the more critical to your reputation and your bottom line?

Importantly, you’ll need an accurate, comprehensive data inventory. This, after all, is the foundation of the entire process. It gives you the ability to find all responsive information in your control. You should be able to easily update this inventory as your company evolves. It should find not just where data belongs, but also where it actually is. After all, if a birthdate is tied to a name, it is considered personal information under the CCPA. So if an assistant somewhere has a spreadsheet of employees’ birthdates for party planning, you’ll need to know that, or at least be able to find it.

You obviously also have to be able to act on the data. That starts with examining it before collecting it, but it also includes knowing retention schedules, data volumes across disparate locations, third parties accessing the data, and where duplicate data is stored. You’ll need to be able to remediate data, whether that means moving it to where it belongs, deleting it, or locking it down for preservation due to an internal investigation or legal hold. The system will need to understand the complex, at times conflicting, requirements to retain, deliver, and dispose of data based on regulations like CCPA and HIPAA and the legal obligations of e-discovery under the Federal Rules of Civil Procedure (FRCP), and then act on those requirements accordingly.

Ideally, you’ll have time to use this inventory to get your house in order before the regulations take effect. So much of the data most organizations retain is ROT: redundant, obsolete, or trivial. The wealth of storage the cloud affords has created a massive digital landfill. While this data’s business usefulness may be debatable, it does increase cost and risk. A sensible program of data minimization, supported by ongoing data retention policies combined with the ability to cross-reference all the litigation holds, can further reduce the risk posed by GDPR, CCPA, and the all-but-certain future data privacy regulations in more and more jurisdictions.

The Future of E-Discovery and Data Privacy

Laid out this way, these challenges may seem daunting, perhaps even existential for an organization that has not adequately prepared to address them. And while they are very serious, by no means are they impossible to overcome.

In 2007, when I founded Exterro with three friends and colleagues, I saw a similar challenge facing legal departments at large, multinational enterprises. As a consultant helping clients like US Bank, Standard Insurance, and GM align their technology systems with their business needs and processes, I became more and more convinced that General Counsel’s offices had a near-universal need for better process management, supported by technology. I believed that process optimization and data science could fundamentally transform how in-house legal teams operate.

Thirteen years later, I feel vindicated. E-discovery operations have increasingly moved in-house at these enterprises, and teams that embrace a proactive, data-driven, process-oriented approach are saving money and time and achieving better legal outcomes. And Exterro has ridden this wave to achieve dramatic growth, as Global 2000 organizations have turned to us for their e-discovery technology.

But even with our incredible and sustained success, I haven’t achieved my complete vision. Exterro has focused on e-discovery alone, which is one segment of the larger legal governance, risk, and compliance (GRC) sector we’re now addressing. In Legal GRC, I see three sets of challenges that are converging, and one solution that can address all of them.

Under governance, organizations must manage their retention and disposition of data. How much is to be kept? Where is it stored? What are the legal and regulatory requirements? How much data can be disposed of once its business value is diminished and it creates more risk than it is worth? How do organizations balance their regulatory and legal hold requirements?

As for risk, what are organizations’ capabilities to reduce the likelihood of data breaches? What is your ability to ensure that third parties you share data with are compliant? Are your legal processes defensible according to the FRCP and case law?

In terms of compliance, do your business processes and systems comply with the FRCP, GDPR, and CCPA? What are the potential costs of non-compliance?

And what is the solution I’m proposing? All of these challenges can be met with technology that puts the appropriate capabilities into the hands of legal GRC professionals. Built on a foundation of an accurate, actionable data inventory, and incorporating process orchestration and a workflow engine, the technology currently in use for e-discovery operations and privacy can meet these needs. The Exterro e-discovery platform, with the addition of Jordan Lawrence’s technology, manages complex requirements for data retention and disposition; orchestrates workflows across disparate teams; provides deep, actionable insight into data; integrates with all common (and many uncommon) enterprise data sources; and allows for searching, collecting, reviewing, and producing data on demand.

CCPA and GDPR are just the starting point of a new age in terms of our relationship with data. State legislatures in Texas, New York, and many more states are actively debating consumer privacy laws. Being able to fulfill DSARs efficiently will be table stakes for companies in just a few years.

The challenges of this new age of data privacy are many. But for organizations with the right technology and processes in place now, they represent more of an opportunity than a threat.

I look forward to sharing more of my thoughts and vision for how Legal can more effectively manage your governance, risk, and compliance challenges, and I welcome your thoughts or feedback. Please reach out if you’d like to discuss this with me.
