The European Union passed sweeping broad-based legislation over two years ago that is serving as a beacon for many of the 50 states attempting to deal with the complex issues of cybersecurity and data protection. The legislation is called The General Data Protection Regulation (GDPR). It was enacted this past May and is the most sweeping and comprehensive data protection law currently active in the world . . . for now at least. Two of the aspects that make GDPR so unique are the following:
• GDPR doesn’t just apply to companies that reside within the borders of the EU. It applies to any organization that processes or stores the personal data of its citizenry. In other words, it is not directed at companies, but at the data and information of the EU citizens it serves.
• The potential fines are mind-blowing. Companies can be fined as much as 4% of annual global revenue or €20 Million (whichever is greater) for the most serious infringements. A lower tier levies a fine of 2% or €10 Million for lesser infractions.
If your U.S. company deals with the personal data of EU citizens, then you must comply with GDPR regulations. But even if it doesn’t, don’t assume that the repercussions of GDPR will not affect your organization. GDPR is only the beginning for this landmark policy, which is serving as the new regulatory benchmark that other governments will copy and adapt.
California passes its own sweeping data privacy law
A few months ago, the California state legislature passed the California Consumer Privacy Act of 2018. Call it GDPR 2.0 or GDPR west coast. The legislation will go into effect January 1, 2020 and will be the strictest data privacy law of its type amongst the 50 states. CCPA will enforce data privacy protections that are similar to or even broader than those imposed by GDPR. Like GDPR, it paints with a broad brush when it comes to defining personal data. According to CCPA, personal information includes “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” This can include not only online identifiers, government ID numbers and contact information, but web browsing history, geolocation and biometric information as well.
Like GDPR, CCPA is not restricted to the companies that reside inside its borders. It follows the data of its state residents, which means that national companies that serve California-based customers must comply with the regulations as well. In fact, one issue will be what multi-regional corporations decide to do: silo the personal information of California residents and treat it separately from their other data, or apply CCPA requirements universally.
CCPA does not specify data breach notification requirements, as the state already has a security breach notification statute. Although there are no fines levied by its enforcers, it does create a private right of action to recover potential damages of $100 to $750 for each affected consumer in a class action suit.
Other states following suit
Although California’s new legislation is the most encompassing of its kind, other states are hurriedly creating their own directives when it comes to data protection.
- Oregon recently amended its breach notification rules which went into effect on June 2. The new regulatory act expands the scope of those who must provide notice of a breach to affected Oregon residents within 45 days of breach determination.
- South Carolina emboldened its current breach notification and security requirements for the insurance industry. All breaches must be reported to the Insurance Commissioner within 72 hours of a security breach.
- South Dakota enacted its first data breach notification law that went into effect on July 1 of this year. The law requires affected individuals to be notified within 60 days of the discovery of the breach involving unencrypted data.
- Alabama passed its first data breach notification law, while Arizona updated its existing statutes. Both directives involve $500,000 fines for a breach for an entity that knowingly violated or failed to comply with the law provisions.
The list of states is extensive. A list of all state cybersecurity directives created or modified in 2018 can be found here.
No worries for those who practice Duty of Care
It is evident now that GDPR was indeed only the beginning. With all of the newly created data protection provisions emerging from legislative capital buildings, it is understandable for any CIO or CISO to be anxious when it comes to meeting all of these directives. In fact, it can be a challenging task just keeping up with the stream of modifications that lawmakers are regularly unveiling.
There is no need for incessant apprehension if your cybersecurity team follows the guiding principle of Duty of Care. Just as companies have a duty of care involving the safety of their employees, they have a responsibility to perform their due diligence when it comes to protecting the personal data of employees, customers and third parties. This doesn’t mean that a company must implement the latest, greatest and most expensive security tools money can buy. It means that a company must implement effective procedures to comply with data protection obligations that are “reasonable” and “appropriate” for its business. Following the simple directive of notifying those whose information was compromised in a timely manner is an example. Not permitting employees to carry personal data on USB sticks and unencrypted mobile devices is another.
Duty of care begins by conducting a risk analysis.
You can only protect what you know you have. A risk analysis allows you to identify and evaluate:
• Critical information assets in your organization
• Potential risks to those data assets, and how to rate and compare them
• Security gaps, and how to shore them up
• Security best practices that can be enacted by employees and how to instill them
• Potential security controls, and their financial viability for the business
Yes, the law is the law, but even more important is what a reasonable person would have done when it comes to protecting against and reacting to a data breach. Duty of care is not bound by state or national borders; it is a sense of obligation that is universal to people of all nationalities. GDPR is changing the rules governing data protection. By following the principles of duty of care, organizations can manage, minimize, or avoid potential legal liabilities, regardless of what border they reside behind.