
In the absence of a federal data protection law, states have taken it upon themselves to pass legislation designed to provide consumer protections similar to those seen in Europe with GDPR.

5.16.19 – SIW – SCOTT GIORDANO

How states are taking privacy law into their own hands and what it means for your business.

In the age of Big Data and IoT, the production, capture and analysis of data is occurring at unprecedented rates. Correspondingly, the requirements and ethics around utilizing this data have become increasingly rigorous. Recent changes to law — both at an international (think GDPR) and state level (such as CCPA) — have dictated new processes and requirements for organizations of all types as they address their data privacy and security obligations. Ultimately these requirements can come from a variety of sources, whether from governing entities or simply from an organization's own aspirations.

Despite the urgency that has led other regions of the world, such as the European Union and Brazil, to enact legislation around the protection of sensitive data, the U.S. has yet to take this step on a national level. Therefore, where federal laws fall short, many states are taking matters into their own hands — starting a quiet revolution. So where do these changes leave your organization — and how can you prepare for the future of data security and compliance?

As more requirements fall into place, it is helpful to first paint a picture of the current data privacy and security compliance landscape. By now, you have probably heard of the General Data Protection Regulation (GDPR) in place in EU. This set of new rules requires organizations to implement significantly stricter processes for collecting and using user data, as well as provide users with easier controls to opt out of having their data stored. On the U.S. state level, California followed this up by passing the California Consumer Privacy Act (CCPA) of 2018. Similar to GDPR, California’s new law gives consumers specific rights to protect personal information, requires businesses to be upfront in the disclosure of what information they are collecting and how it will be used, and mandates stricter information security controls.

Many others are also coming down the pipeline. Ohio recently passed the Data Protection Act, which requires businesses to create, maintain, and comply with a written cybersecurity program that will help protect users' information. Colorado has also passed a similar law (H.B. 18-1128) stating that companies must have a written policy that addresses the disposal of personal information as well as specific security measures for third-party service providers that handle personal information. If a security breach occurs, companies are required by law to notify the attorney general within 30 days.

These are just a few specific examples of the kinds of legislation falling into place both globally and in the U.S. As consumers grow increasingly wary of the ways their data is collected and stored, you can expect similar rules to come to fruition in the near-term future — and you should not take these regulations lightly. In fact, all of these data and security measures are serious business, with some of the fines measured not in thousands, but millions of dollars. Some of the biggest names in business and tech, such as Google, Uber and Facebook, have already faced the wrath of improperly adhering to GDPR and racked up massive bills. So what can you do to help protect your customers' data while keeping your business in compliance with new laws?

The first step is to stay informed. While we specifically discussed GDPR and regulations in California, Colorado and Ohio, did you know that Nebraska, South Carolina, Vermont, Iowa, Alabama and a handful of other states have proposed similar or even stricter laws regarding cybersecurity and data privacy? New bills are up for vote and it is increasingly important that you stay in tune with the changes. Furthermore, it’s not just necessary to have a grip on what is happening in your local jurisdiction, but anywhere you do business. As many U.S.-based companies are finding out, it doesn’t matter if they aren’t headquartered in the European Union — the consequences apply to any organization conducting business within those countries. Make sure you are staying up to date on the latest laws where you conduct business and act accordingly.

As a business leader, you should also be intentional about acting as a champion in your organization for adhering to strict data privacy laws and helping to enact the cultural change that can come with these new rules. By helping communicate the importance of data privacy to everyone in your organization, you can prevent data breaches or mishandling of consumer information.

The most important step you can take as a business leader is rethinking how you use your consumers' data. There are a few general rules that will get you very far in terms of staying in compliance. These don't cover everything, but they can help when you're unsure. They are:

  1. Don’t collect a user’s data unless you really need to, and when you do collect it, tell them what you’re storing and why (transparency is key).
  2. Give your users an easy way to opt out and let them make the decision if they want to opt in.
  3. Don’t store any info any longer than you need to.

With these three rules in mind, a better understanding of existing and new laws coming to life, and a commitment to help champion data protection and cybersecurity in your organization, you can come a long way towards future-proofing your business and avoiding costly fees and litigation.

About the Author:

Scott M. Giordano is an attorney with more than 20 years of legal, technology, and risk management consulting experience. An IAPP Fellow of Information Privacy and a Certified Information Security Systems Professional (CISSP), Scott serves as Spirion’s subject matter expert on multinational data protection and its intersection with technology, export compliance, internal investigations, information governance, and risk management. Prior to joining Spirion, he served as Director, Data Protection for Robert Half Legal and established the global privacy program for Esterline Technologies Corporation in Bellevue, Wash.