Keeping up with data and privacy protection regulations is an ongoing challenge for companies, especially with the high bar set internationally by GDPR. The trend has moved stateside as the California Consumer Privacy Act (CCPA) has been introduced, bringing stringent regulations similar to the GDPR to the U.S.
The CCPA, which goes into effect in January 2020, has prompted a wave of data privacy bills across the country. At least 14 other states have introduced data privacy legislation, including Texas, Washington and New Jersey. By one count, state legislatures have considered more than 90 privacy-related bills. Even some cities and municipalities are getting in on the act. Last fall, San Franciscans approved a ballot measure requiring the city to place personal data protection requirements on third parties that do business with the city.
As concern mounts over this emerging patchwork of different, and sometimes conflicting, laws, businesses are urging Congress to pass federal regulation that could streamline and standardize requirements. While several bills have been introduced, the chance of passing a federal law is decreasing as attention turns toward the 2020 election.
Meanwhile, companies continue to worry about keeping up with the shifting regulatory landscape and the fines that can be levied if they are found to be in violation. The CCPA, for example, gives the state’s attorney general authority to impose fines up to $7,500 for each intentional violation and $2,500 for each unintentional violation, if they are not corrected within 30 days. In addition, the California law could spark a wave of class-action lawsuits, says Humberto Gauna, a consultant with BTB Security.
So how can businesses protect themselves?
“If companies practice good data security hygiene, then regardless of what legislation comes down the pike they won’t need to stress about it,” he says. “The risk of their business being subjected to fines or lawsuits decreases significantly.”
That means understanding what personally identifiable information (PII) they have, how it will be used, and then implementing a life-cycle plan including how and where data is stored, for how long, and when it will be deleted. Data privacy best practices are already defined in existing industry-specific regulations like PCI, HIPAA and GLBA. In fact, one bill in Congress – the American Data Dissemination Act of 2019 – is based on practices from those regulations, says Gauna.
In any event, new laws are unlikely to be more stringent than the CCPA, he advises. So rather than waging what’s likely a losing battle to keep up with the latest proposals, companies can use the California law as a guide.
And they should be acting now, if they haven’t already. The CCPA has a look-back provision that essentially means companies should have been protecting PII since January 2019, Gauna notes.
Remember, too, that “compliance is not security,” he says. Simply following rules, without an overall and complete security program, can leave networks and data vulnerable. That’s why companies need experts who understand the regulations and can institute best practices that not only comply with rules, but also ensure ongoing security.
“Compliance may dictate that you need to do a penetration test and vulnerability scan once a year,” he says. “But that does no good unless you remediate any problems you find. Identifying the same unlocked window every year does nothing to protect your business. You have to lock it down.”
To learn more about how the CCPA impacts IT security, see the BTB Solution Guide - CCPA.