The Divided States of America(n Data)

The Divided States of America(n Data)

This Is Why We Can’t Have Nice Things – Like Our Own Version of GDPR.

The American Data Divide

Across the ocean, a much-publicized piece of holistic privacy legislation called the GDPR has transformed the relationship between citizens, businesses, and personal data. In 2019 it’s time to ask: why can’t the USA produce its own unified piece of federal data privacy regulation?

Data regulation in the United States is still a work in progress. At present it’s a patchwork quilt split along state and industrial sector lines, and for most consumers, it’s impossible to penetrate. Businesses are similarly hamstrung by the lack of harmonious regulation. Those that decide to play by the rules burn copious resources and frustrating man-hours just to understand what those rules are. And even after that expending all that effort, many (if not most) businesses still struggle to be compliant.

The Roadblocks to Reform

Why can’t Congress do something about it? The short answer is that there just hasn’t been enough momentum to get something passed federally. The FTC has long recommended that Congress enact a comprehensive set of privacy laws. The Obama administration, in its early days, even tabled a set of proposals for a Consumer Privacy Bill of Rights. Privacy practitioners lauded the document. But it quietly died as Silicon Valley ingratiated itself into the D.C. political machine over the first half of the decade. And although the new president is an avid social media user, the Trump administration has shown little appetite for data regulation.

It’s also possible to make a deeper cultural reading into the different data trajectories of the US and EU. The European Union has been, since its inception, a body with the power to legislate dynamically in reaction to the world around it. On the other hand, US legal and political culture remains staunchly Constitutionalist. Legislating for an issue like data privacy, nonexistent at the time the Constitution was written, can be slowed by the challenge of remaining faithful to the spirit of a document that’s over 200 years old.

The Prospects for Change

However, in 2020 there will be a presidential election and possibly a new administration in the White House. Have the dynamics changed sufficiently to inspire another tilt at federal regulation? The voting population seems more concerned than ever about the way companies use personal data. However, a vocal watchdog organization (à la MADD or the NAACP) has yet to emerge. We’ll return to this later.

The real change that’s taken place lies in the business community. Among business leaders, regulatory certainty is emerging as a key concern – even beyond getting favorable laws. Businesses just want the rules of the game to be consistent. And there’s a deeper acceptance that federal laws represent a huge efficiency improvement over the uncertainty and instability of state-by-state regulation. 

One unified piece of legislation would provide a single target on which to concentrate lobbying efforts, debate, and discussion. Consequently, many business leaders are already urging Washington to take action. Earlier this year 51 CEOs from some of the biggest tech and industrial companies in the world signed an open letter to Congress urging them to act on a “comprehensive consumer data privacy law.” 

Will Citizens Step Up?

Were it up to these business leaders, a federal data law would be a done deal. But legislators appear wary of acting while there’s an empty seat at the table. If anything is slowing federal data regulation down in 2019, it’s the lack of a high-profile citizen’s rights group that could sit down with political and business leaders and get the ball rolling.

To conclude, the landscape looks to be more conducive to a federal data privacy law in 2019. But wondering “why doesn’t it exist yet?” may be the wrong question for individual citizens to be asking. In the absence of a highly-invested consumer protection lobby in Washington DC, the correct question to ask may be: “how can we get a seat at the table?”

What’s the Difference Between Data Security & Data Privacy?

What’s the Difference Between Data Security & Data Privacy?

“Data Privacy” and “Data Security” are two terms that can sometimes be used interchangeably. Especially by those who aren’t in the field of data protection. However, in this particular sector of the industry, they mean two very different things. Understanding the relationship between them is essential for grasping the complexity of regulatory compliance. This article is a quick primer that illustrates how privacy and security differ and how they work together as building blocks of regular data operation.

Data Security vs Data Privacy

In simple terms, security means securing data against unauthorized access. Privacy is about managing and defining authorized access. Data security is a technical issue that involves building robust defense mechanisms in your digital infrastructure. Data privacy is questioning and tackling legal and legislative spheres.

One of the most important relationships to note is that data privacy pre-supposes security. The GDPR doesn’t contain prescriptive instructions for how organizations should fortify their network because the only way for its privacy provisions to get followed is with data security. If a cybercriminal steals someone’s PII, it’s evident they are violating someone’s privacy rights.

So, data privacy assumes data security. Does the reverse hold? Does data security include data privacy? No, but organizations fall into the trap of making this assumption often. In so doing, they can avoid taking necessary regulatory compliance steps.

Conclusion

It’s not enough to protect data from outside attacks. Managing and enforcing internal permissions – i.e., managing privacy – is a vital piece of the puzzle for any business to be compliant with the latest data regulation. Internal privacy controls can be complicated and time-consuming in a large company. Something as simple as employees copying files onto personal flash drives can sink a carefully constructed operation. However, the effort to keep data processes watertight is an essential cost of doing business in 2019. Moreover, the cost of failing to invest in both security and privacy can prove disastrous.

An Overview of States Passing Privacy Laws

An Overview of States Passing Privacy Laws

Any Intro to Civics course teaches that lawmakers exist to enact the will of the people. Moreover, since “the people” have recently become very concerned with the security of their data and the privacy of their online activity, it’s perhaps reassuring to see the recent nationwide bloom of state-based digital privacy legislation.

California’s CCPA got the headlines because of the size of the market and the easy comparison to Europe’s GDPR. However, in other states across the country, legislators have quietly passed, or are in the late stages of passing bills that parallel California’s Privacy Law. In some cases, the measures are even more far-reaching. This article examines recent legislative updates in Nevada, New York, Vermont, South Carolina, and Colorado. It demonstrates how privacy regulation is not confining to the West Coast and is very much concern US-wide.

DISCLAIMER: It’s important to note that the landscape is rapidly evolving in the area of privacy regulation. It’s a dynamic, exciting area. So even though what follows is an accurate synopsis of the state of play in late September 2019, don’t be surprised if this list gets dated quickly. As always, this article shouldn’t get interpreted as actual legal advice!

Nevada: Senate Bill 220

Nevada has already passed a new piece of privacy legislation, Senate Bill 220. It will go into effect on October 1, 2019, three months before it’s better-known neighbors enact their CCPA. Many observers believe Nevada’s law is more onerous. It requires a broader range of businesses to offer consumers an opt-out regarding the sale of their personal information. Since it’s going into effect before the CCPA, this will make Senate Bill 220 the first in the U.S. to grant opt-out rights to consumers.

In some aspects, Nevada’s bill is a little more lenient than the CCPA; for instance, it doesn’t add new notice requirements for website owners. However, the per-violation fine amount is $5,000 – twice as high as California’s. So getting privacy wrong in Nevada state lines could prove even more costly to a business.

New York: Stop Hacks and Improve Electronic Security (SHIELD) Act

New York signed the SHIELD Act into law on July 25, 2019, and the bulk of its provisions go into effect on October 23, 2019. The SHIELD Act is more incremental in scope than the other pieces discussed previously. It doesn’t carry any language around opt-out rights, and it’s less concerned with day-to-day online activities. Instead, it focuses on defining and setting processes around actual data breach events.

To this end, the SHIELD Act expands the scope of information subject (to include biometric information) and the scope of possible breach scenarios. It also updates the procedures that companies must follow in the event of a data breach. Lastly, the SHIELD Act creates data security requirements that scale according to the size of the business. This part of the Act goes into effect on March 21, 2020.

Conscious NYPA is dead/on hold right now but probably worth mentioning? HERE is a good summary of the main points that were considered even more aggressive than CCPA and also why it got killed by lobbyists.

Vermont

Vermont became the first state in the union to regulate “data brokers” with a piece of legislation. It came into effect on January 1, 2019. Vermont’s law has a comparatively narrow application. In their case, “data broker” denotes “a business or unit/s of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” This direct relationship provision means that if a business is, for example, selling directly to consumers online, they’re not bounding by the constraints of this law.

That said, once an entity is considered a data broker, there are quite rigorous processes that must get followed. Data brokers must register annually with the Vermont Secretary of State for a fee of $100 and provide a substantial amount of information to the state regarding the robustness and security of its data operation. Failure to do so can result in a fine up to a maximum of $10,000 per year. 

South Carolina

South Carolina also joined the cohort of states taking data protection into its own hands, with a law that came into effect on January 1, 2019. The South Carolina Insurance Data Security Act is focused on the insurance sector and seeks to establish standards and processes that insurers – deemed licensees – must follow in the event of a cybersecurity breach. 

Licensees are now legally required to formally document a data security program. Upon conducting a thorough audit and risk assessment of their operation, the plan must cover risk management. Additionally, it must cover cybersecurity event investigation and reporting, notification, and ongoing compliance certification. 

Colorado

Lastly, we come to Colorado, which was the very first state to put a signature modern digital privacy law into effect. HB 18-1128 requires organizations to put controls in place for managing PII (including biometric data). The commands needed fall under these broad areas:

  • The storage of PII
  • The destruction of physical and electronic materials that contain PII
  • Investigation and notification in the event of data breaches
  • Liaising with the Colorado attorney general in the investigation and reporting in certain data breach circumstances

Conclusion

This brief overview shows that data privacy isn’t just a concern for businesses operating in California, despite what the news headlines would lead one to believe. Data privacy should be treated as a United States-wide concern for any business, as the trend is very visibly towards state-by-state regulation, each with broad thematic consistency but essential variations in focus and scope. The complexity will only increase as more states get up to speed on the topic. Worth mentioning that state by state is the trend in the short term, but the conversation for a federal law has already started to avoid more complex state by state regulations. 

Published from our Privacy Magazine – To read more, visit privacy .dev