A lack of strong US federal laws and regulations on how organizations collect, manage, and use consumer data is leading state governments to implement their own to give consumers more control over their personal information. To help navigate this increasingly complex network of regulations, RANE spoke with Matthew Bernstein, Founder of MC Bernstein Data; Lynn Molfetta, Co-Partner and IG Specialist at MC Bernstein Data; and Dr. Maxine Henry, President of Cyvient LLC.
Increasing concern over cybersecurity failures is driving interest in strengthening cybersecurity infrastructure across the country. Several states have introduced or expressed interest in cybersecurity laws that set expectations around organizations’ information security practices — from the frequency of password updates to breach response protocols.
- Like many other legislative initiatives, data privacy bills have not been immune to COVID — many have stalled, died, or been otherwise de-prioritized. As states begin to resume normal operations, these bills are starting to move again, making it critical that organizations remain current on the movement of working bills that affect their operations.
- Henry argues that the pandemic hasn’t slowed down enforcement of data privacy laws in states like California, where regulations are active and have associated penalties. Since the passage of CCPA, for example, there have been several major breaches, and dozens of cases remain pending.
What to know
Around the world, over 130 countries have data protection and privacy laws in place at the national level. While these laws vary in their scope and intended purpose, they allow companies to streamline their practices under a country-wide set of regulations that make compliance in a single market straightforward.
The United States, however, has made remarkably little progress toward a comprehensive data privacy law that covers consumers’ personal information. Existing data protections at the federal level are “sectoral” or highly targeted in the types of data they cover. Examples include:
- The US Privacy Act of 1974, which applies to data held and handled by the government.
- The Health Insurance Portability and Accountability Act (HIPAA), which governs personal health care and insurance information.
- The Gramm-Leach-Bliley Act (GLBA), which protects personal information collected for financial services purposes.
- The Children’s Online Privacy Protection Act (COPPA), which governs the collection of personal information from minors.
While these laws set boundaries regarding certain categories of consumer data, their limited scope does not address the many types of data collection, storage, and handling taking place in 2021.
- While bills have been introduced recently at the federal level, little progress has materialized as the pandemic and other issues have occupied much of Congress’s attention.
- Even before the pandemic, however, the various Congressional committees attempting to address the rapid rise in consumer data collection at the federal level failed to put forth a well-coordinated, passable effort.
In the absence of nationwide consumer data protections, states began to address the issue in their own legislatures. California was the first, initially enacting the California Consumer Privacy Act (CCPA) in 2018 and replacing it with the California Privacy Rights Act (CPRA) in 2020.
- The CCPA governed what businesses with California operations could do with consumers’ personal data. Though the CCPA only came into effect on 1 January 2020, several problems arose in its implementation, resulting in its replacement by the more comprehensive CPRA regime. Henry points to streamlined language, expanded consumer protections, and increased enforcement capacity as improvements over the CCPA.
- Bernstein cites the expanded consumer rights in the CPRA, similar to GDPR, as a response to aggressive actions by the original proponents of CCPA. Consumer advocates are not standing still.
- Most state-level data privacy laws are either copies of the CCPA or CPRA, or loosely based on them.
- Many state-level bills still working through legislatures are at various stages of development, and many have stalled or died. Still others have been amended extensively and sent back for re-approval.
- New provisions may arise that differentiate a new bill from others. The constant state of change makes it especially important that companies remain current on new developments in any jurisdiction where they operate.
State Data Regulations
What to think about
Many data privacy laws — from international agreements to federal and state regulations — have common elements. Bernstein notes eight elements common to provisions of most data privacy laws:
- How organizations gather and record consumer information,
- When organizations must alert consumers to data collection,
- How organizations can use consumer data,
- How organizations can transfer consumer data to third parties,
- What is an organization’s responsibility for protecting consumer data from potential unauthorized access or theft,
- How organizations respond to a consumer’s request regarding their data,
- What are an organization’s responsibilities in the event of a data breach, and
- What are an organization’s documentation requirements.
Despite the commonalities between different regulatory regimes, a number of states included specific provisions in their data privacy laws that are unique to their state. Organizations will have to understand local provisions to ensure they are in compliance wherever they have operations.
- Most bills set thresholds determining which businesses are required to comply — ranging from all businesses collecting consumer data in that state to only those collecting data on 100,000+ households or generating tens of millions of dollars in revenue, and many points between. Companies will have to understand not only the thresholds in place wherever they have local operations, but also whether their local operations meet those thresholds.
- Some bills include “cure provisions,” under which companies are given the opportunity to remediate any concerns regarding improper storage, handling, or use of data. Where they exist, these provisions range from days to months, so organizations must have the appropriate mechanisms in place to address any issues in time to avoid a penalty.
- Different bills approach penalizing violators differently. Some provide for damages, while others do not, and regulator-enforced fines range from hundreds to thousands of dollars per offence. Bernstein cautions against reading too deeply into the size of penalties and recommends focusing instead on understanding their potential implications in the event of a large breach. He notes that different laws can define breaches very differently, and that companies handling massive quantities of data could incur hefty fines if violations are defined in a way that considers each individual’s data affected during a breach to be a separate violation.
The new data privacy regulations currently working through state legislatures draw a lot of attention for the wide array of issues they address, but many states already have pre-existing laws that address data privacy in some way. While those laws are typically more defined in their focus — covering issues such as security measures or the storage of specific types of information — organizations must ensure compliance with all local regulations applicable to consumer data privacy and protection.
- Bernstein notes that states are using the current crop of data privacy bills to plug holes in their consumer protections, which may take different forms in different states depending on what protections they already have on the books. The exclusion of certain provisions from a bill therefore does not mean that there aren’t other laws that cover the same topic already active in that state.
- One important type of legislation that already exists in every state is a breach notification requirement. While breach notification laws vary widely from state to state, every organization should have a breach notification process in place that meets all local requirements in the event of an incident.
What to consider
Bernstein, Henry, and Molfetta suggest a number of practices that minimize an organization’s exposure to risk brought on by the changing consumer data privacy landscape.
- Bernstein recommends that organizations operationalize their data privacy practices — identifying and addressing deficiencies in practices or staffing that may prevent them from fulfilling those responsibilities, and working toward an overall compliance program based on the common regulatory obligations an organization is responsible for meeting, rather than “point solutions” that can become unrealistic when so many different regulatory regimes are in play. Bernstein suggests that participation in membership organizations such as the International Association of Privacy Professionals (IAPP) can help companies focus their efforts.
- Henry stresses the importance of mapping consumer data extensively; this includes understanding where it is stored, who is storing and handling it, and how it is being used. She points out that a failure to understand the data makes it difficult to respond to consumer requests or breaches in a timely manner.
- Henry also recommends shoring up data protections wherever possible — successfully doing so requires an understanding of who is legally liable for the data in the event of a breach. This differs by jurisdiction, so diligence is required based on local operations.
- Molfetta notes that companies should be proactive in their data privacy practices to avoid shortfalls — or at least to address them before incurring fines or other penalties. The failure to develop mechanisms within the organization to handle data and address issues in a proactive way leads to compliance failures.
In the United States, any future federal data privacy law could supersede state bills. Whether a state law is nullified by a federal one will depend on which imposes greater requirements on organizations, as well as whether the incoming federal law has preemption, which is uncommon among federal data privacy laws.
- Henry points to the Biden administration’s openness to data privacy legislation, and suggests that more stringent federal regulations that bring US consumer protections in line with strict foreign regulatory regimes like the GDPR could render existing and developing state-level data privacy legislation obsolete.
- Bernstein notes that federal bills historically focus on a particular purpose (as in the cases of HIPAA or COPPA), and that some measures of any potential federal bill, such as a private right of action, could be excluded for being too politically contentious.
About the experts
Matthew Bernstein is the Founder and an Information Governance Strategist at MC Bernstein Data, where he leverages his more than 20 years of information management experience to help companies assure compliance with data privacy, regulatory retention, and other information governance requirements.
Dr. Maxine Henry is the President of Cyvient LLC, where she leverages her 27+ years of experience in program management, security, infrastructure, GRC, and organizational management. Dr. Henry specializes in business transformation, compliance, CRM, data privacy, ERP, GRC, HRIS, instructional design and training, organizational management, PMO setup and management, risk management, security infrastructure, and strategy development.
Lynn Molfetta is a Principal and Information Governance Specialist at MC Bernstein Data, where she leverages her more than 20 years of experience leading global transformation projects and operating functions. Molfetta specializes in risk management, business analysis, records management, financial services, program management, SDLC corporate governance, and IT strategy.
RANE (Risk Assistance Network + Exchange) is an information and advisory services company that connects business leaders to critical risk insights and expertise, enabling risk and security professionals to more efficiently address their most pressing challenges and drive better risk management outcomes. RANE clients receive access to a global network of credentialed risk experts, curated network intelligence, risk news monitoring, in-house analysts and subject matter experts, and collaborative knowledge sharing events.