What are the penalties for noncompliance with any applicable data protection laws?
Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.
Sanctions are applied to the business entity and vary by law, including:
- Fair Credit Reporting Act (FCRA): allows for recovery of actual or statutory damages or penalties of $100-$1,000 per willful violation. Punitive damages may also be imposed for willful violations.
- The federal Wiretap Act: provides for civil liability including damages equal to the greater of actual damages, $100 per day of violation, or $10,000. Punitive damages and reasonable attorney’s fees and costs may be obtained.
- State Breach Notification Laws: include varied penalties. For example, in Massachusetts, the law is enforced by the Attorney General who can seek injunctive relief, $5,000 for each violation, and reasonable costs and attorneys’ fees.
- HIPAA: provides for administrative penalties for noncompliance based on the level of intent and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for repeated violations of an identical provision.
- ADA, FMLA and GINA: permit civil claims to recover actual damages.