That a data breach is a matter of "when," not "if," is a familiar refrain by now. If that is true, preparedness, while essential, is perhaps not always enough. And there is another reality privacy professionals may now need to prepare for: that a chief privacy officer, rather than the company itself, could be held personally liable for that inevitable breach.
That possibility follows from a recent court decision in South Korea in which a privacy officer was, in fact, found personally liable. The case invites the question: Is this a harbinger of a trend still to come, or is it a unique case unlikely to repeat itself?
"It was really quite shocking to see a fine personally against a privacy officer," Refinitiv CPO Vivienne Artz said. "The reason is that, as a privacy officer, you have responsibilities, but I’ve never seen anything like this before. It sets a new precedent around personal liability. It certainly makes you sit up, but it creates a new challenge for privacy officers."
On Jan. 6, the Seoul Eastern District Court found a South Korean privacy officer negligent under the Personal Information Protection Act and fined the officer 10 million won. The case stemmed from the officer's role in, and alleged shortcomings related to, a 2017 data breach that affected 494,000 people.
"We always knew that the potential for personal liability was a possibility (in South Korea)," Artz said. "It’s had its data protection law for a while, and it is regarded as one of the strictest out there. It’s also a difficult jurisdiction to navigate from a privacy perspective with challenges to process and share data."
Reading the headlines, privacy officers could understandably wonder whether the same charge could someday be brought against them. That question has no clear-cut or universal answer, because regulatory regimes vary, by region in some instances and by nation in others.
The Asia-Pacific region is one of the nation-by-nation cases, according to a Chinese privacy practitioner from the region who wishes to remain anonymous.
"In general, there is no consistent picture on (CPO) liability across the region that can be pointed to," the practitioner said. "Each country’s legal and governmental infrastructure — and enforcement pattern — follows its own model, and there is no single overarching framework to unite them."
In China's case, the practitioner said, the China Cybersecurity Law has "a considerable amount of clauses" that open up the possibility of individual liability for "mishandling or misappropriation of personal information." However, the practitioner added that charges against individuals have not come "as a result of their service in the capacity of CPO."
The chances of a liability charge against a U.S. privacy officer are unclear. There is no federal privacy legislation in place to dictate whether such charges can be pursued or issued. Archer Daniels Midland Company CPO Katherine Licup, CIPP/E, CIPP/US, CIPM, FIP, doesn't think it is out of the realm of possibility in the future.
"There are some models for that already here in the U.S.," Licup said. "For example, there are U.S. sentencing guidelines that hold chief compliance officers, anti-money laundering officers and CEOs responsible for failures within their organization. With more obligations clearly placed on data protection officials in organizations, the trend will be to hold personal liability for failing to fulfill their duties."
WilmerHale Cybersecurity and Privacy Practice Group Co-Chair Reed Freeman pointed to the Dodd–Frank Wall Street Reform and Consumer Protection Act and Section 5 of the Federal Trade Commission Act as existing models for finding officers personally liable. Whether personal-liability provisions could end up in potential federal privacy legislation is unclear, but Freeman believes they would be a hard addition to the current discussions.
"Getting through reaching a deal on privacy legislation that includes an altogether new paradigm for holding officers, directors and senior-level employees liable would be a departure from where we've been so far," Freeman said. "I'm not so sure it's appealing to the business community, so I'm not sure a deal with those terms could be done. I suspect it will be an issue for discussion."
In the EU, Artz pointed out that Article 39 of the EU General Data Protection Regulation discusses a data protection officer's responsibilities but noted it has no language regarding personal liability.
“(DPOs and CPOs) are certainly independent and able to call things out, but at the end of the day, it is the management and the board that are responsible for company behaviors,” Artz said. “Responsibilities as articulated in South Korea’s legislation go a lot further than the GDPR, so I don’t think we’ll see the same things in the U.K. or EU. However, it does raise some concerns for countries with evolving legislation.”
Artz and Licup both noted that strong privacy programs and incident response, built on privacy responsibilities shared across an organization, are essential. If privacy is a collective effort, holding one individual personally liable makes less sense.
"Data protection is the responsibility of everyone in the organization, not just a handful or clutch of experts. With larger companies, you’re able to set up a program and structure. Decision making shouldn’t sit with a specific individual. It should be how the business operates," Artz said.
To address any risk of personal liability, Licup would first ensure the line of communication between management and the privacy officer is a strong one.
"What scares me is not having the opportunity to do the right thing," Licup said. "It doesn’t unnerve me if I get a report, in a timely way, that something has occurred. I’ll know what to do. But if an organization is not keeping the privacy officer or the DPO in the loop, or they’re not being sufficiently empowered, that scares me. That’s a really important factor when officers consider taking a job."
Artz added that organizational checks and balances to avoid personal liability would work best for smaller companies rather than large organizations, because smaller companies have "a concentration of decisions being made in one place." Licup, for her part, sees a better checks-and-balances model in greater proactivity from regulators.
"Where we’re at in the data protection regime is we’re only seeing the enforcement after something bad happens," Licup said. "In order for us to turn the corner on strong data protection, we’re going to need to see a strong culture of supervision and examination that offers more up-front guidance on what needs to be done before an error occurs."
The case against personal liability also has ethical and moral components, according to Artz.
"Even if you’ve got the best training and technology out there, the Achilles heel for all organizations is human error," Artz said. "It doesn’t matter how robust all the practices, policies, procedures, technologies or investments are. How do you ever guard against someone’s mistake or error compromising security? You can’t."