Data Privacy Laws To Blanket The U.S. From Coast To Coast

On January 1, 2020, the state of California’s new regulatory requirement for data privacy - the California Consumer Privacy Act (CCPA), enacted in 2018 – will take effect. The CCPA follows GDPR as a new public sector attempt to address increasing data privacy concerns in managing citizen data in a digital world beset with data breaches.

As a result of the law, citizens of California will be given greater rights and control over their data, even though that data may be located almost anywhere. According to the fact sheet from the Office of the Attorney General of California, consumers have “the right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information.”

From a business perspective, however, the CCPA will impact data security and privacy for businesses that meet any of the following criteria:

• A for-profit company doing business in California earning at least $25 million in revenue per year
• Selling 50,000 consumer records per year
• Deriving at least 50% of annual revenue from selling personal information

Data privacy is not limited to the West Coast

Data privacy laws have broad implications for both consumers and businesses, which is why the national conversation around consumer data security and privacy has created a wave of action across both U.S. coasts.

In March 2020, the New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD) will take effect. The NY SHIELD Act will be broader in terms of who it impacts - every company that has any customers in New York - whether the company is based in another state or another country. Essentially, any medium- and enterprise-size company with even one New York customer needs to implement this new policy.

“New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing,” said Brian Cesaratto, advising in the National Law Review. “Businesses should immediately begin the process to comply with the Act’s requirements effective March 21, 2020.”

Both laws are similar in that they can impose fines if businesses do not safeguard their data, and if events like data breaches occur. In the case of the CCPA, if a business fails to cure alleged noncompliance within 30 days following notification from the state, it could be considered in violation and charged a civil penalty of up to $7,500 per violation. Any business operating in California that isn't compliant with CCPA could face civil damages of up to $750 per violation, per user.

In addition, this opens businesses up to potential litigation brought by consumers. For the NY SHIELD Act, the New York State Attorney General can seek up to $250,000 for violations by a company. Clearly, these regulations can have a significant material impact on organizations! It’s probably a good bet that similar acts of legislation on a state-by-state basis will continue to proliferate and there is always the chance that the U.S. will adopt a nationwide, federal law approach similar to GDPR.

As states become more involved in how companies safeguard consumer data, intelligent management of data for competitive advantage and potential risk is not a nice-to-have; it’s an imperative.

How can businesses comply with data privacy law?

Conduct a content inventory: With any content initiative, it’s important to understand the scope of relevant enterprise data. What repositories does the company manage, what is the business purpose of the data, how long is it retained for, what controls govern its access and security and who consumes and utilizes this data?

This recommendation is backed by Shahryar Shaghaghi, a CCPA expert at CohnReznick Advisory, who notes, "In order to be compliant with CCPA you need to carry out a data mapping exercise so you can see where you get your data from, and where it goes. And if a customer requests its deletion then you have to respond in a certain amount of time, so you have to be able to understand what data you have and how you delete it."

On the surface this appears to be a very simple exercise, but working with organizations of every size, there are bound to be surprises!

Leverage e-discovery practices and technologies already in place: Data security and privacy use cases including GDPR share a few similarities with e-discovery, where there is a need to identify relevant content often relating to an individual or transaction, the scope of which can be difficult to surmise. Refining search results, culling down to the essentials and reviewing are all part of the equation.

In addition, this often takes place against the backdrop of massive amounts of digital data and timeline constraints. Utilizing an enterprise archive that can contain, deduplicate, protect and preserve mission critical data is the foundation of privacy governance efforts; leveraging a case review application to conduct intensive searches, apply legal holds and perform extracts/exports is the next layer. These are just the technical foundations and should be the easy part. Good information governance also requires the necessary people, collaboration and corresponding processes (such as enforcing retention policies) to be successful over the long run, not just case-by-case.

Planned data minimization: There are so many reasons to engage in strong retention management practices. Keeping everything forever is a strategy, but increasingly, not a good one. Data privacy laws are going to really make organizations question why they retain information, and for what purpose. The larger the surface area, the greater risk of a breach and on a related basis, a larger opportunity for discoverable data during litigation and other governance events. This is not to say there is no reason for extended retention of business data, but organizations should be clear that “why?”- “in case I might need it” is not a good enough answer considering the potential financial, reputational and legal risk. Be systematic with retention policies- collaborate as necessary to create them, make sure they are consistently applied, and choose the right archive technology to enforce them.

In the next installment on privacy, we will examine how a holistic cybersecurity program can help comply with the new wave of data security and privacy.