Light Dark
September 21, 2018 By Kacy Zurkus 4 min read
Data Protection
Fraud Protection

As enterprises around the world deal with legislative backlash following years of unfettered data collection, companies are confused about how to achieve compliance not only with the General Data Protection Regulation (GDPR), but also with California’s Consumer Privacy Act (CCPA). If you are one of them, rest assured that you are not alone in your confusion — and you’d better believe there’s more to come.

Several months after GDPR went into effect, 27 percent of companies reported that they had yet to start the GDPR compliance process, according to GDPR.Report. Still, the threat of additional regulations looms.

When the California legislation goes into effect on Jan. 1, 2020, more than 500,000 American businesses will be subject to the CCPA, according to a recent report from Varonis. In addition, 58 percent of companies have more than 100,000 folders open to everyone. Sensitive data is at risk, and in 15 months, companies will be required to allow consumers to review the data they have collected on them, demand deletion of data and opt out of having the data sold to third parties. Organizations face fines of $7,500 for violations.

Navigating the ‘American GDPR’

Since Labor Day weekend, two new state law amendments have come into effect. In its privacy statute, Colorado expanded the terms of what data will be protected. Additionally, the statute now includes a mandated 30-day breach notification. The clock starts ticking the moment the company discovers the breach. New York’s department of financial services similarly updated its cybersecurity guidance under NY State 23 NYCRR 500 Law.

The new requirements mandate risk assessments by application, as well as limits on data retention. The revisions added information access monitoring requirements and stipulated that all private information be encrypted, both at rest and in transit.

“The web of cyber data privacy laws continues to grow both in volume and complexity,” said Pravin Kothari, CEO of cloud security vendor CipherCloud, in an email interview. “These sort of regulations will need to be handled by Federal omnibus. The expense and risk to businesses in attempting to implement a rolling thunder of different regional and/or state data privacy laws will be overpowering.”

With increasing focus on regulations, the burden is falling on companies to manage and secure sensitive data while also providing customers greater control over their sensitive information. As if complying with GDPR and CCPA were not complicated enough, additional legislation is likely forthcoming in the U.S. — other states are bound to introduce their own laws, which sets a high bar for U.S. companies when it comes to data privacy.

There’s Still Time to Prepare for the Consumer Privacy Act

The good news is that Jan. 1, 2020 is still about 15 months away. While companies are all over the spectrum in terms of how far they have to go, there is still time to work through some of the confusion the market is sensing to iron out the compliance wrinkles.

“Determining the best practices for compliance with the upcoming laws depends in large part [on] how risk-averse companies are,” said Arshad Noor, creator and chief technology officer (CTO) of StrongKey. “Those companies that are already compliant with GDPR will find themselves well-prepared to deal with new acts across the U.S. in different states.”

While GDPR defines a data subject as a human being and any data above them, California defines the person as a human, business, entity or object, according to Noor.

“We tend to think of consumer privacy as my information, name, date of birth, gender, but California has created categories of data which include metadata, IP addresses and more,” Noor said. “It’s an interesting notion about privacy that I don’t think anyone has thought of.

Between now and 2020, a lot will be clarified about the different categories of data and the fundamentals of what needs to be protected. But don’t wait for clarification to begin moving toward compliance. The first step is to establish a policy that guides the company’s day-to-day practices. Once that policy is defined, Noor said, “Look at specific requirements of the law. Companies will have to have a link or button on the home page that allows a consumer to say ‘Please delete all my information.'”

Currently, the law requires that websites or businesses dealing with California customers allow those users to make a direct request of their right to be forgotten. That will be mandatory, so processes must be in place for compliance. Others stipulations are not as explicitly stated, so now is the time to start thinking about what companies should be doing. The law does provide for companies to collect data they need for doing business, which is why each organization needs to be able to identify what information they actually need.

Take a Minimalist Approach to CCPA Compliance

To start your CCPA compliance journey, identify where and how your organization’s data is stored and then begin the process of permanently deleting any clutter out of those systems and clearing it up.

“If it’s not necessary to conduct business, consider getting rid of that information,” Noor advised. “They need to know which applications use what data and where they have stored it. So, they should begin to take an inventory of the data, starting now.”

In addition, there may be residual information left after your cleanup, so it’s important to think about protecting what is left. At a minimum, companies should encrypt the information and eliminate user passwords from web applications. Many applications may have sensitive information, so companies need to identify that data and choose whether to keep what they have collected.

“They should define how they use the data and make that visible in their policy as well as in their notices to consumers,” Noor explained. “Be clear about what information is being collected, how it is used and to whom it is sold.”

Improving Compliance — and Guidelines

Once a policy is in place, the next step is to implement procedures. Identifying appropriate procedures requires asking questions such as:

  • How do I address requests from consumers in my ecosystem?
  • How do consumers delete their data?
  • What is the process for identifying all information across all systems?

By addressing these gaps now, you can keep from getting caught in the regulatory cold.

When California’s data breach prevention law was made public, most jurisdictions didn’t want to go anywhere near it. The legislature didn’t take long to issue federal law. While the U.S. government could choose not to propose federal privacy protection legislation, businesses should be working with congress to try to bring uniform law. Waiting for congress to act may take too long and could result in 48 more different pieces of legislation. Talk about a compliance nightmare.

Download the Forrester Study: “Data Privacy is the New Strategic Priority”

 |  |  |  |  |  |  | 
Kacy Zurkus

More from Data Protection
November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 25, 2023

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature