Privacy, Data Protection and Cybersecurity Lessons from the Latest IPOs
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s consider how Wall Street assesses privacy, data protection and cybersecurity risks by reviewing the prospectuses associated with three recent initial public offerings (IPOs): DoorDash, Inc. (DASH), Airbnb, Inc. (ABNB) and C3.ai, Inc. (AI). For reference, links to each company’s respective prospectus follow:
Let’s start by noting that the terms “privacy,” “data protection” and “cybersecurity” are intermingled in these filings. More precisely (and in plain English):
- “Privacy” risk means the risk associated with the collection, processing, storage, use, and disclosure of personal information;
- “Data protection” risk means the risk associated with the collection, storage, use, and disclosure of confidential, sensitive, and/or proprietary business information; and
- “Cybersecurity” risk means the risk to a company’s technology systems, processes and controls.
These types of risk overlap, and generally fall into five broad categories:
1. System failures, data loss, service interruptions, security incidents, and data breaches. Failures to patch, failures in redundancy, cyberattacks, ransomware attacks, denial-of-service attacks, business email compromises, malware, viruses, social engineering (including phishing) and unauthorized access to data are all prevalent risks faced by companies that collect, process, store and transmit large amounts of data. This holds whether the data is personal in nature (i.e., personal information) or confidential, sensitive, and/or proprietary business information, and whether the company collects that data directly from consumers (DASH and ABNB) or from other businesses (AI). Generally, contractual and/or legal obligations require companies to notify relevant stakeholders of security incidents and data breaches. Such security incidents and data breaches may result in material harm to the companies, affecting their operations, reputation, brand, and financial condition, especially in connection with resulting claims, litigation, governmental inquiries, investigations, and other proceedings (see #5, below).
2. Reliance on third-party service providers. When companies rely on third-party service providers to process some or all of their data, or otherwise to provide software or applications on which the companies depend, any failure by such a service provider to secure that data or to ensure the full functionality of the software or applications can have consequences similar to those described in #1, above.
3. Acquisition of new companies. When companies acquire other companies, they become responsible for the privacy and data protection practices (as well as the security breaches) of the target company. Without complete access to and review of the full operating history of the target company, it is difficult to be certain that there have not been security breaches or other privacy issues prior to the acquisition. (We touched on this topic in last week’s post, which you can read by clicking on the following link: https://www.hoschmorris.com/privacy-plus-news/privacy-in-due-diligence.)
4. Evolving laws and regulations governing privacy, data protection, cybersecurity, the Internet, e-commerce, digital content, web services, and artificial intelligence technologies. Numerous local, municipal, state, federal, and international laws and regulations address privacy and data protection. Just some of the laws specifically referenced in the subject prospectuses follow:
- Section 5 of the Federal Trade Commission Act;
- Gramm-Leach-Bliley Act of 1999 (“GLBA”);
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”);
- Telephone Consumer Protection Act of 1991 (“TCPA”);
- California Consumer Privacy Act (“CCPA”);
- California Privacy Rights and Enforcement Act of 2020 (“CPRA”);
- California Online Privacy Protection Act;
- EU’s General Data Protection Regulation (“GDPR”);
- EU’s ePrivacy Directive (which may be replaced by the ePrivacy Regulation);
- Canada’s Personal Information Protection and Electronic Documents Act;
- Canada’s Anti-Spam Law;
- Australia’s Privacy Act; and
- China’s Cybersecurity Law.
Changes to those laws, along with any actual or perceived failures to comply, may adversely affect companies. Further, the compliance requirements themselves are often ambiguous, uncertain, and inconsistent among so many countries and cultures, making compliance efforts expensive, and the efficacy of such efforts uncertain. So despite best efforts to comply, companies may still face allegations that they have failed to meet all requirements. Accordingly, increased enforcement also poses a significant risk of additional liabilities.
5. Claims, litigation, governmental inquiries, investigations, and other proceedings may adversely affect operations. Because of the complexities presented across a distributed regulatory environment, multinational companies are regularly subject to scrutiny by regulators and others for alleged violations of laws, regulations, and even contracts. Such claims carry attendant legal costs and threaten disruption of operations, diversion of management resources, negative publicity, and, of course, uncertainties. DASH’s prospectus specifically references the potential for fines under the CCPA, for instance, which provides for fines of up to $2,500 per violation (or $7,500 if intentional). ABNB’s prospectus notes that failure to comply with the GDPR may result in fines of up to 20 million Euros or up to 4% of the annual global revenue of the infringer, whichever is greater.
None of these five categories is surprising, really, nor is any particular risk a head-turner. It only makes sense that as more robust data privacy, data protection and cybersecurity legislation becomes effective and as regulatory vigilance and enforcement increases, the degree and complexity of multinational companies’ risk exposure will expand accordingly; and we believe it is still too early to tell what those expanding risks will really mean for these companies’ bottom lines.
What does leap out to us as striking, however, is Risk Factor No. 2 above (the risks that attend dependence upon a vital third-party service provider). That is an important risk factor for any single company. What is striking is what emerges when you compare all three prospectuses side by side.
All of these companies depend on the same service provider in one way or another -- namely, Amazon Web Services (AWS):
DASH: “We primarily rely on Amazon Web Services to deliver our services to users on our platform, and any disruption of or interference with our use of Amazon Web Services could adversely affect our business, financial condition, and results of operations.”
ABNB: “We rely primarily on Amazon Web Services in the United States and abroad to host and deliver our platform.”
AI: “We have established strategic relationships with technology leaders including Amazon Web Services…”
(emphasis added)
We fully appreciate the value of AWS’s security and data-protection protocols and realize that its scale allows for broader and better protection than smaller organizations might ever provide on their own. But we wonder if there is a “second order” risk factor for each of these companies (and for the uncounted others who also rely on AWS), and a “third order” risk for everyone else who does not. That would be the risk to competition in the market: the antitrust risk of AWS simply becoming too big and too dominant, to an extent that precludes effective competition and development.
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.