Data Privacy Regulation is Increasing
The growing push for formal U.S. data privacy legislation will force a course correction for security teams that handle personally identifiable information (PII) and other sensitive data.
Last week Google became the first U.S. tech company fined under GDPR since the regulation took effect, drawing a penalty of roughly $57 million. Last year, security and data privacy collided in two high-profile cases: Facebook and Cambridge Analytica, which harvested users' personal data for political purposes, and Marriott, which suffered one of the largest data breaches in history.
Big Corporations Are Starting to Embrace Data Privacy Regulation
Data privacy regulation has met corporate resistance in the past. Now, however, some large Internet companies and tech giants are endorsing the idea of a federal U.S. privacy law. California has already passed the California Consumer Privacy Act (CCPA) of 2018, and the proposed Consumer Data Protection Act (CDPA) could put a federal data privacy law on the books in 2019.
Three developments are driving this. First, some U.S.-based global companies have already adopted European Union data privacy rules, in part to increase their users' confidence in how their data is used. Second, the CCPA gives California residents more control over the information businesses collect about them and imposes penalties on businesses that fail to comply. Third, the CDPA would apply to companies with annual revenue over $50 million, give consumers more control over their data, and grant the Federal Trade Commission (FTC) enforcement authority.
Review Your Organization’s Data Policies, Types, Protection, and Tools
Security teams that adjust now will be better prepared when data privacy legislation arrives, and the same work improves their overall cybersecurity posture.
The following actionable recommendations can help strengthen your organization’s data protection posture:
1. Ensure your data privacy management policies and procedures are up to date. Do you know what your company's policies are for handling PII? When will they next be reviewed? Who is responsible for updating them? Fold in new data privacy laws and regulations as they take effect, because each one will apply to your organization in its own way.
2. Evaluate, and make hard decisions about, what types of data your organization truly needs to conduct business. Identify how much each type of data is worth to your organization's mission and business objectives, then determine how best to protect it. Work with your legal team to draft end-user agreements that permit your organization to use that data for those purposes.
3. Conduct a cybersecurity assessment focused on data protection. Would your organization's controls adequately protect sensitive data in the event of a breach? A data protection assessment strengthens your ability to safeguard your most sensitive information from corruption, compromise, or loss, and it moves you toward compliance with local, federal, and international law. The unprecedented amount of data created and stored to support business operations leaves little tolerance for downtime, and every U.S. state now has a data breach notification law that your company must follow.
4. Conduct a privacy assessment on proposed tools before they are deployed. This surfaces a tool's privacy issues before it is implemented in your organization. Introducing new tools and solutions into your architecture while preserving privacy can be challenging; for instance, you may discover that a tool collects data in ways that violate privacy law, which requires an adjustment to your data protection strategy.
No Industry Will Remain Immune to Data Privacy Regulation
In conclusion, true data privacy and protection looks different from organization to organization. There is no one-size-fits-all or silver-bullet solution. In some cases, small and medium-sized businesses stand to lose the most from a data breach involving PII. Who will be the next U.S. company to suffer the consequences of a data privacy law fine?
Contact GPSG at cyberteam@gpsg.co for a free consultation on encryption and integrity controls to strengthen your data privacy protection posture.
