Meeting the Next Wave of U.S. Data Privacy Regulations

A draft bill that has been decades in the making would set a national standard for data privacy regulation in the United States. The bill would limit the collection and sharing of personal information as it also establishes minimum data security and protection standards, information retention and disposal limits, and training obligations.[1]

To date, the United States has had a patchwork of data privacy laws. The Privacy Act of 1974 sets requirements for federal agencies that collect and disseminate personal information,[2] while several industries are subject to their own regulations. The Federal Trade Commission first recommended a baseline privacy law in May 2000, but Congress failed to act.[3] In the meantime, California has passed its own Consumer Privacy Act (CCPA), while four other states have laws going into effect in 2023 and nearly three dozen others have introduced data privacy bills of some type.[4]

Addressing a Patchwork of Data Privacy Regulations 

As a result, organizations have grown accustomed to complying with different sets of rules at the same time. According to a recent white paper from Osterman Research, Privacy Compliance in the United States: Status and Progress in 2022, two-thirds of U.S. companies are subject to three or more privacy regulations. 

Even with a comprehensive national law in place, this complexity is unlikely to go away. U.S. organizations with foreign customers will still be subject to international laws such as Europe’s General Data Protection Regulation (GDPR) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Meanwhile, Politico reports that existing state laws, namely CCPA, would not be preempted by a new federal law. Plus, industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) for financial institutions will also remain in place. 

The Osterman Research report, sponsored by Mimecast, suggests that organizations are in danger of falling behind. Only 47% are fully compliant with existing data privacy regulations, and only 38% describe their approach to regulations going into effect in 2023 as “mature” or “fully mature” (these regulations include the California Privacy Rights Act (CPRA) as well as similar laws in Colorado, Connecticut, Virginia and Utah). It does not help that the specifics of rules such as CPRA have yet to be finalized.

This immaturity emphasizes the need for organizations to develop a data privacy framework that positions them to address existing and upcoming requirements while building best practices for data privacy into business decision-making. As companies strengthen their approach to data privacy, the Osterman Research report provides five short-term to-dos and identifies five strategies for improving governance, data management, and overall business practices.

5 Quick Wins for Data Privacy Compliance 

In the short term, Osterman Research advises companies to take the following steps:

• Determine your motivation. The consequences of failing to protect personal data vary widely. A regulatory fine has a monetary cost, but harming one’s reputation or losing customers’ trust might be even more damaging, erasing decades of hard work in a brief moment.
• Locate sensitive personal data. Only 55% of organizations have conducted a data audit and know where sensitive personal data is located. This is a critical step — especially as remote work increases the likelihood that data is being stored in unapproved cloud services, mobile apps, or even personal devices. And keep in mind that email systems contain treasure troves of personal data that needs to be protected.
• Improve personal data discovery. Going a step further, fewer than 40% of organizations can discover personal data stored in chat tools, personal computers, or spreadsheets. Fewer than 25% can discover personal data in cloud apps. This leaves organizations especially vulnerable. 
• Classify corporate-owned data. Classification helps organizations identify which data sources are subject to data privacy regulations and therefore require additional protection. Unfortunately, only 16% of organizations have classified 100% of their data, while half have classified 76% of it. 
• Define privacy compliance oversight. For too many organizations, it is unclear who is responsible for data privacy compliance. At 18% of organizations, no one has officially been given this responsibility. On the other hand, 47% of organizations rely on two or more oversight groups, which can lead to uncertainty and stifle progress.

5 Strategies to Improve Data Privacy Compliance in the Long Run

For the longer term, here’s what organizations are advised to do:

Implement data access controls across the organization. More than 50% of organizations are not confident in their ability to track and control who has access to personal data. The inability to do this means that even the strongest data governance and access policies are largely ineffective, since there is no way to verify that the individual exercising their access rights is the actual individual who has those rights.

Addressing this concern is a matter of implementing organization-wide identity and access management controls. Practices such as multi-factor authentication, segregation of duties and role-based access help to ensure that only the individuals who need to access personal information for their work can access the applications or databases with that information.

Leverage real-time data protection controls. There are three technology-driven controls for protecting sensitive personal data: 

• Discovery of data assets at the point of creation.
• Ongoing monitoring and management of privacy risk.
• Real-time or near real-time mapping of data assets.

With these capabilities in place, organizations are better positioned to identify and mitigate data privacy risks before they can become large-scale issues. The majority of organizations are not yet taking advantage of these tools — relying instead on manual processes that provide only partial and retrospective insights due to the time and effort entailed. 

Get more business units involved in compliance efforts. Traditionally, employees and executives from five core business units lead compliance efforts: Information security, privacy and security, IT, compliance, and risk management. As data privacy regulations touch additional parts of the business, it is important for organizations to get additional groups involved. Here are just a few examples:

• Auditors need to update their compliance assessment practices.
• Human resources may want to factor data privacy expertise into hiring and promotion decisions.
• Procurement should scrutinize third-party service contracts for data privacy considerations.
• Marketing teams must reexamine everything from data collection practices to opt-out and unsubscribe language in outbound emails.

Strengthen data breach protection. Companies are not confident in their abilities to identify data breaches and ensure that personal information remains in safe hands.

• Only 36% of organizations could identify a data breach in real time and prevent it from happening.
• Just 38% could identify a breach as soon as it was successful. All told, fewer than two-thirds could identify a breach within a week.
• Only 32% of organizations said that breached data would be unreadable to the attacker who had been able to access it.

This calls for significantly stronger data breach protections. Real-time intrusion detection coupled with employee training, for example, can stop a data breach attempt in flight — and save an organization the time, energy, and effort that is required to notify regulators as well as customers that a breach has occurred. Meanwhile, data masking techniques such as encryption, tokenization, and pseudonymization protect personal data in systems and applications in transit, at rest, and during use. 

Deploy a range of solutions for privacy compliance. Attackers pose many threats, so it is imperative that companies take as many steps as they can to protect personal data and ensure data privacy compliance. Important solutions to consider include privacy and security awareness training, governance, risk and compliance (GRC) strategies, data discovery, and data management. 

Together, these solutions help organizations understand where personal data is both created and stored. The more readily this insight is available, the more robust an organization’s policies for information governance, data retention, and role-based access. Only half of organizations have this full set of tools in place, which makes it difficult and time-consuming to perform fundamental data privacy tasks.

The Bottom Line

All told, Gartner estimates that nearly two-thirds of the world’s population will be covered by data privacy regulations by the end of 2023.[5] A range of state laws — and, possibly, a new federal law — will apply to organizations based in the United States by the end of next year as well. It is therefore imperative that organizations continue to take personal data privacy seriously and fill in any critical gaps in their data protection strategies and toolkits. The Mimecast product suite includes a range of solutions that help organizations protect their data, their employees, and their brands from attacks that target personal data.

[1] Bipartisan draft bill breaks stalemate on federal data privacy negotiations, Politico

[2] “Privacy Act of 1974,” U.S. Department of Justice

[3] After 20 years of debate, it’s time for Congress to finally pass a baseline privacy law, Brookings

[4] 2022 Consumer Privacy Legislation, National Conference of State Legislatures

[5] Gartner Says By 2023, 65% of the World’s Population Will Have Its Personal Data Covered Under Modern Privacy Regulations, Gartner