©2018 HALOCK Security Labs. All rights reserved.

The European Union passed sweeping, broad-based legislation over two years ago that is serving as a beacon for many of the 50 states attempting to deal with the complex issues of cybersecurity and data protection. The legislation is called the General Data Protection Regulation (GDPR). It was enacted this past May and is the most sweeping and comprehensive data protection law currently active in the world . . . for now, at least. Two aspects that make GDPR so unique are the following:

  • GDPR doesn’t just apply to companies that reside within the borders of the EU. It applies to any organization that processes or stores the personal data of its citizenry. In other words, it is not directed at companies, but at the data and information of the EU citizens it serves.

  • The potential fines are mind-blowing. Companies can be fined as much as 4% of annual global revenue or €20 Million (whichever is greater) for the most serious infringements. A lower tier levies a fine of 2% or €10 Million for lesser infractions.

If your U.S. company deals with the personal data of EU citizens, then you must comply with GDPR regulations. But don’t think that the repercussions of GDPR will not affect your organization regardless. GDPR is only the beginning for this landmark policy, which is serving as the new regulatory benchmark that other governments will copy and adapt.

California passes its own sweeping data privacy law

A few months ago, the California state legislature passed the California Consumer Privacy Act of 2018. Call it GDPR 2.0 or GDPR West Coast. The legislation will go into effect January 1, 2020 and will be the strictest data privacy law of its type amongst the 50 states. CCPA will enforce data privacy protections that are similar to or even broader than those imposed by GDPR. Like GDPR, it paints with a broad brush when it comes to defining personal data. According to CCPA, personal information includes “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” This can include not only online identifiers, government ID numbers and contact information, but web browsing history, geolocation and biometric information as well.

Like GDPR, CCPA is not restricted to the companies that reside inside its borders. It follows the data of its state residents, which means that national companies that serve California-based customers must comply with the regulations as well. In fact, one issue will be what multi-regional corporations decide to do: silo and treat the personal information of California residents separately from their other data, or adopt CCPA regulations universally.

CCPA does not specify data breach notification requirements, as the state already has a breach notification statute. Although there are no fines levied by its enforcers, it does create a private right of action to recover potential damages of $100 to $750 for each affected consumer in a class action suit.

Other states following suit

Although California’s new legislation is the most encompassing of its kind, other states are hurriedly creating their own directives when it comes to data protection.

  • Oregon recently amended its breach notification rules which went into effect on June 2. The new regulatory act expands the scope of those who must provide notice of a breach to affected Oregon residents within 45 days of breach determination.

  • South Carolina strengthened its current breach notification and security requirements for the insurance industry. All breaches must be reported to the Insurance Commissioner within 72 hours of a security breach.

  • South Dakota enacted its first data breach notification law that went into effect on July 1 of this year. The law requires affected individuals to be notified within 60 days of the discovery of the breach involving unencrypted data.

  • Alabama passed its first data breach notification law while Arizona updated its existing statutes. Both directives involve $500,000 fines for a breach for an entity that knowingly violated or failed to comply with the law provisions.

The list of states is extensive. A list of all state cybersecurity directives created or modified in 2018 can be found here.

Less stress for those who practice Duty of Care

It is evident now that GDPR was indeed only the beginning. With all of the newly created data protection provisions emerging from legislative capital buildings, it is understandable for any CIO or CISO to be anxious when it comes to meeting all of these directives. In fact, it can be a challenging task just keeping up with the stream of modifications that lawmakers are regularly unveiling.

There is no need for incessant apprehension if your cybersecurity team follows the guiding principle of Duty of Care. Just as companies have a duty of care involving the safety of their employees, they have a responsibility to perform their due diligence when it comes to protecting the personal data of employees, customers and third parties. This doesn’t mean that a company must implement the latest, greatest and most expensive security tools money can buy. It means that a company must implement effective procedures to comply with data protection obligations that are “reasonable” and “appropriate” for its business. Following the simple directive of notifying those whose information was compromised in a timely manner is one example. Not permitting employees to carry personal data on USB sticks and unencrypted mobile devices is another.

Duty of care begins by conducting a risk analysis. You can only protect what you know you have. A risk analysis allows you to identify and evaluate:

  • Critical information assets in your organization
  • Potential risks to those data assets, and how to rate and compare them
  • Security gaps, and how to shore them up
  • Security best practices that employees can follow, and how to instill them
  • Potential security controls, and their financial viability for the business

Conclusion

Yes, the law is the law, but even more important is what a reasonable person would do when it comes to protecting against and reacting to a data breach. Duty of care is not bound by state or national borders; it is a sense of obligation that is universal to people of all nationalities. GDPR is changing the rules governing data protection. By following the principles of duty of care, organizations can manage, minimize, or avoid potential legal liabilities, regardless of what border they reside behind.