An Overview of States Passing Privacy Laws

An Overview of States Passing Privacy Laws

Any Intro to Civics course teaches that lawmakers exist to enact the will of the people. Moreover, since “the people” have recently become very concerned with the security of their data and the privacy of their online activity, it’s perhaps reassuring to see the recent nationwide bloom of state-based digital privacy legislation.

California’s CCPA got the headlines because of the size of the market and the easy comparison to Europe’s GDPR. However, in other states across the country, legislators have quietly passed, or are in the late stages of passing bills that parallel California’s Privacy Law. In some cases, the measures are even more far-reaching. This article examines recent legislative updates in Nevada, New York, Vermont, South Carolina, and Colorado. It demonstrates how privacy regulation is not confining to the West Coast and is very much concern US-wide.

DISCLAIMER: It’s important to note that the landscape is rapidly evolving in the area of privacy regulation. It’s a dynamic, exciting area. So even though what follows is an accurate synopsis of the state of play in late September 2019, don’t be surprised if this list gets dated quickly. As always, this article shouldn’t get interpreted as actual legal advice!

Nevada: Senate Bill 220

Nevada has already passed a new piece of privacy legislation, Senate Bill 220. It will go into effect on October 1, 2019, three months before it’s better-known neighbors enact their CCPA. Many observers believe Nevada’s law is more onerous. It requires a broader range of businesses to offer consumers an opt-out regarding the sale of their personal information. Since it’s going into effect before the CCPA, this will make Senate Bill 220 the first in the U.S. to grant opt-out rights to consumers.

In some aspects, Nevada’s bill is a little more lenient than the CCPA; for instance, it doesn’t add new notice requirements for website owners. However, the per-violation fine amount is $5,000 – twice as high as California’s. So getting privacy wrong in Nevada state lines could prove even more costly to a business.

New York: Stop Hacks and Improve Electronic Security (SHIELD) Act

New York signed the SHIELD Act into law on July 25, 2019, and the bulk of its provisions go into effect on October 23, 2019. The SHIELD Act is more incremental in scope than the other pieces discussed previously. It doesn’t carry any language around opt-out rights, and it’s less concerned with day-to-day online activities. Instead, it focuses on defining and setting processes around actual data breach events.

To this end, the SHIELD Act expands the scope of information subject (to include biometric information) and the scope of possible breach scenarios. It also updates the procedures that companies must follow in the event of a data breach. Lastly, the SHIELD Act creates data security requirements that scale according to the size of the business. This part of the Act goes into effect on March 21, 2020.

Conscious NYPA is dead/on hold right now but probably worth mentioning? HERE is a good summary of the main points that were considered even more aggressive than CCPA and also why it got killed by lobbyists.

Vermont

Vermont became the first state in the union to regulate “data brokers” with a piece of legislation. It came into effect on January 1, 2019. Vermont’s law has a comparatively narrow application. In their case, “data broker” denotes “a business or unit/s of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” This direct relationship provision means that if a business is, for example, selling directly to consumers online, they’re not bounding by the constraints of this law.

That said, once an entity is considered a data broker, there are quite rigorous processes that must get followed. Data brokers must register annually with the Vermont Secretary of State for a fee of $100 and provide a substantial amount of information to the state regarding the robustness and security of its data operation. Failure to do so can result in a fine up to a maximum of $10,000 per year. 

South Carolina

South Carolina also joined the cohort of states taking data protection into its own hands, with a law that came into effect on January 1, 2019. The South Carolina Insurance Data Security Act is focused on the insurance sector and seeks to establish standards and processes that insurers – deemed licensees – must follow in the event of a cybersecurity breach. 

Licensees are now legally required to formally document a data security program. Upon conducting a thorough audit and risk assessment of their operation, the plan must cover risk management. Additionally, it must cover cybersecurity event investigation and reporting, notification, and ongoing compliance certification. 

Colorado

Lastly, we come to Colorado, which was the very first state to put a signature modern digital privacy law into effect. HB 18-1128 requires organizations to put controls in place for managing PII (including biometric data). The commands needed fall under these broad areas:

  • The storage of PII
  • The destruction of physical and electronic materials that contain PII
  • Investigation and notification in the event of data breaches
  • Liaising with the Colorado attorney general in the investigation and reporting in certain data breach circumstances

Conclusion

This brief overview shows that data privacy isn’t just a concern for businesses operating in California, despite what the news headlines would lead one to believe. Data privacy should be treated as a United States-wide concern for any business, as the trend is very visibly towards state-by-state regulation, each with broad thematic consistency but essential variations in focus and scope. The complexity will only increase as more states get up to speed on the topic. Worth mentioning that state by state is the trend in the short term, but the conversation for a federal law has already started to avoid more complex state by state regulations. 

Published from our Privacy Magazine – To read more, visit privacy .dev

A Framework for Privacy Risk Self-assessment

A Framework for Privacy Risk Self-assessment

With the recent raft of worldwide privacy legislation and much more to come, organizations of all shapes and sizes are becoming forced to evolve the way they do business. Those SMEs that can’t bring their operations into compliance with the GDPR, CCPA and other data privacy laws worldwide will be at a significant competitive disadvantage, and may even find that continued non-compliant operation merely is unsustainable. 

In this “adapt or die” scenario, the essential first step to getting compliant is for SMEs to perform a rigorous self-assessment of their present-state data operation.

There are three basic formats to self-assessment:

  1. Business units can analyze their practices.
  2. Different groups within the agency can review and analyze each other.
  3. A single appointed party can assess each unit in the business.

At Ethyca, we believe in empowering a Data Protection Officer to be a real focal point for all data-related business operations. So if scale permits, we recommend delegating full responsibility for the exercise to a DPO. Of course, each organization’s privacy self-assessment will be inherently different. However, the following aims to provide a framework that will serve as an excellent starting point for any business looking to evaluate its path to data privacy compliance: 

First: Plan the Objective of the Assessment

Is your organization trying to determine whether existing policies ensure regulatory compliance? Deciding the specifics of what to assess is a critical first step. 

Second: Conduct a Personal Information Inventory Check Across All Business Units 

It involves answering the following questions: 

  • What personal information does the business unit collect?
  • How do you collect personal information and in which situations?
  • Why do you collect personal information?
  • Who in the company uses personal information?
  • Who has access to it?
  • Where and how do you store personal information?
  • What methods are used to ensure it is secure?
  • Is it disclosed outside the company? If so, to whom and why is it disclosed?
  • How long is the personal information kept, and when and how is it disposed?

Only by answering these questions can businesses understand the work needed to bring themselves into a state of regulatory compliance. It’s vital to cross-check these answers against provisions in the GDPR, CCPA, and other relevant pieces of regulation by the DPO. Additionally, you should actively cooperate with internal or retained legal counsel proficient in privacy law. The exercise should result in a set of tasks or processes to accomplish to reach the desired level of privacy compliance. 

Last: Review Past Privacy Complaints 

Finally, we recommend reviewing privacy complaints as part of a privacy self-assessment. Especially those that have arisen in the recent past, three years is a sufficient window. It will give you insight into where potential privacy pain points exist between your business and the consumer. That way, you can pay extra attention to these areas as you’re revamping them to be regulation-compliant. So if your organization doesn’t keep logs of such complaints, we’d like to say congratulations! You’ve uncovered another process that needs revamping to survive in the new competitive landscape! 

Published from our Privacy Magazine – To read more, visit privacy .dev

How To Assess Vendors For Data Privacy Compliance

How To Assess Vendors For Data Privacy Compliance

When small-to-medium enterprise (SME) team members begin to consider how the business landscape is changing to increased data privacy regulation, the procurement process is not usually high up on their list of answers. However, SMEs focusing too purely on in-house practices miss a key point. Both the GDPR and CCPA place new responsibilities on data controllers. In other words, the company or another body determines the purpose and means of personal data processing. They need to ensure all third-party vendors who touch their data are behaving in a compliant manner. 

In short, the controller continues to hold responsibilities for compliance, even when outsourcing processing duties. The in-house compliance will not suffice. It’s now incumbent on SMEs to ensure that the vendors they work with also adhere to worldwide privacy standards. 

Furthermore, the auditing process should optimally take place upfront in the procurement stage. Contracts signed without the requisite due diligence can be difficult to back out of if it later. Especially if it becomes revealed a third-party vendor is operating in an incompliant fashion. Businesses with deep existing ties to third-party vendors may not be able to start this audit process from a procurement stage. Although, experts highly recommended that existing relationships be revisited and assessed from a compliance perspective. 

With all that said, here are some of the questions that all SMEs should be asking their partners, whether it be during procurement due diligence or in the revisiting of an existing relationship:

First: Does the vendor have a Data Protection Officer?  

Under GDPR, DPOs are now legally required for companies processing large amounts of data. It’s almost a certainty that vendors who specialize in data processing infrastructure are operating at a scale to necessitate a DPO. Failing to cover off on this necessary compliance measure should be a disqualifying red flag in any SME’s procurement process.

Second: How often are the vendor’s policies for storing and processing data on behalf of partners reviewed and updated? 

Data compliance is rapidly changing and continually evolving. A telltale sign that a vendor lacks data privacy rigor is a lack of process for regular policy updates. This field is the opposite of “set it and forget it.” SMEs should be on the lookout for this when auditing vendors for suitability.  

Third: Does the vendor use their sub-processors for the work they do on your behalf? 

If so, what measures have they taken to ensure those entities operate in a compliant fashion? The data privacy chain extends to every processor that runs underneath the data controller umbrella. It includes “partners of partners.” If a vendor has others to help them do their work, they should be able to demonstrate the partners’ compliance. 

Fourth: Does the vendor have tools in place to rapidly identify and communicate a data breach? 

Under the auspices of GDPR and CCPA, data controllers now have a strict obligation to respond to data breaches concerning their data subjects, but if third-party vendors are slow to recognize and report a violation, controllers may have no chance of handling data breaches in a compliant fashion. Thus, reaction and response time is a crucial concern when evaluating a partner for suitability. 

Last: What happens to data ‘subjects’ information at the end of the partnership? 

Without a clear-cut process for erasing subject data in a compliant fashion, it’s a possibility a data controller gets stung by vendor negligence, even after their business relationship has ceased to exist. For this reason, it’s essential to have data sunsetting processes built into third-party agreements upfront. Otherwise, controllers have no legal recourse if vendors mistreat their data after completion of the contract. 

Published from our Privacy Magazine – To read more, visit privacy .dev