New York and California recently passed expanded data privacy regulations that some observers say will move the US closer to the breach reporting standards the GDPR brought to the European Union. Though it remains to be seen whether this approach actually spreads to other states, it does reflect the increasingly popular opinion of both experts and the general public that more data custody laws are required.
A recent article in the Harvard Business Review goes a step further and calls for a globally accepted standard of breach reporting. As the authors point out, countries besides the USA have already adopted more comprehensive, collaborative and universal disclosure obligations which enable organizations to share relevant data on cyber attacks. With these precedents having been established, it seems inevitable that some type of universal reporting standard will be passed in the near future.
Here are the most important things to know about the new regulations and how they may affect your business:
California Consumer Privacy Act (CCPA) – American GDPR?
The CCPA was passed in 2018, but compliance and enforcement do not go into effect until January 2020. With stricter boundaries for personal data usage and steeper fines for violating consumer privacy under these terms, it has been compared to the EU’s General Data Protection Regulation in purpose and scope. As with the GDPR, given the size of California and its economy, its impact is expected to extend well past state lines, with remote sellers and residents increasingly dependent on interstate commerce.
New York SHIELD Act
Earlier this year the Stop Hacks and Improve Electronic Data Security Handling Act (SHIELD Act) was passed to improve data security for consumers in response to the increasing number of cyberattacks in the country. Companies that maintain or process New York residents’ personal information (PI) will need to comply with the new changes. Three new categories of data subject to the data security and breach notification requirements were introduced:
- Financial account and payment card numbers that “could be used to access an individual’s financial account without additional identifying information, security code, access code, or password”
- Biometric information, “meaning data generated by electronic measurements of an individual’s unique physical characteristics”
- A “user name or email address in combination with a password or security question and answer that would permit access to an online account.”
The goal is to broaden what is considered Private Information within New York’s general business law and state technology law. These increased data breach reporting requirements will go into effect on March 21, 2020. In order to meet these requirements, companies will have to evaluate their data security programs to determine whether they will need to increase their level of security going forward.
Most Americans Want More Data Protection Regulations
75 percent of American respondents told a Pew research group that they want to see the federal government do more to protect their data – specifically from businesses. Almost 80 percent said they have no confidence “…companies will take responsibility when they misuse consumer data.” The report makes three things clear: US citizens do not trust commercial interests with personal information, they feel no control over their personal information, and they believe that laws should be passed that put that control back in their hands.
While some of the most flagrant abuses of customer data have been penalized, many have criticized the government – including voices within the government – saying that it has not been enough. This is exactly why states like California and New York have begun passing their own data privacy laws, and given the influence both these examples have on the national and international economies, the standards they apply are likely to spread.
Get Ahead of Compliance with Data Security Best Practice
Growing popular favor means that a comprehensive federal data privacy regulation is bound to appear sooner rather than later. As new laws and regulations are introduced to protect user data, compliance can become more and more daunting for SMBs. Don’t let compliance needs become an added stress to your business.
Download SWK’s free Cybersecurity Tips eBook, and for more in-depth answers you can contact us to learn about the options you have to be protected and make sure you have your compliance needs fulfilled.