More State Privacy Laws Are Coming. Are You and Your Vendors Prepared?

By Aaron Kirkpatrick

Privacy and data protection laws are the talk of the town these days. Are you aware of what your state is considering for new privacy and data protection laws? Do you even realize that your state could be considering this? You and your vendors need to be prepared.

Within two years, the California Consumer Privacy Act has gone from the mind of Alastair MacTaggart, the person behind CCPA’s creation, to law and regulation ready to be enforced and taken advantage of by legal counsel looking to cash in on the included private right of action option. CCPA, which became effective on Jan. 1, 2020, is intended to ensure Californians’ personal data is protected. When this article went to press, at least eight states—Connecticut, Hawaii, Massachusetts, Mississippi, New Jersey, New Mexico, Rhode Island, Texas—had seen proposed legislation similar to CCPA, and even more states had seen approaches less intense than CCPA.

For example, some states don’t include CCPA’s private right of action under which consumers can sue companies for monetary compensation should their data be negligently handled. Other states, such as Nevada, have chosen to only include organizations that sell personal data under the law’s umbrella.

Most aren’t ready for consumer privacy law and regulation

The CCPA arrived quickly and went into effect before many businesses were truly prepared. Polling a room of approximately 200 privacy professionals in September 2019, just three months before the law went into effect, just two percent were comfortable in saying that they were fully prepared. How do we improve that statistic for the states yet to fall under such a law? Above all, privacy and security professionals need to be aware of what is on the horizon within their sphere of applicability.

Very few privacy and security professionals are aware of what is on the legal horizon within their own state. This sets the stage for the unfortunate replication of the panicked state of many Californian organizations. Many may think that California is just being California. (By that I mean the thought that you might not need to take seriously a state that puts cancer warning labels on products like coffee.) However, all joking aside, it’s important to understand that we as professionals in the privacy and security industry aren’t hearing about what the legislative branches of many states are working on. We’re all focused on CCPA and understanding its Gramm-Leach-Bliley Act exemptions, or just keeping up with existing regulations and standards, yet privacy laws and regulations are in the works in many more states.

Many organizations just went through exercises related to the European Union’s General Data Protection Regulation, effective in 2018. Many thought GDPR would cause the sky to fall, and luckily it didn’t. Most of us heard about the regulation and its effects, though, unlike the lack of coverage being given to states looking to replicate California’s actions to protect their states’ citizens.

The initial CCPA outlook and reasonable security

Enforcement of the CCPA will be constrained by resources within California’s attorney general’s office, but the attorney general is not what many who fall under CCPA fear most. Many CCPA-subject firms fear the public, more specifically California residents, who hold the private right of action in the case of a breach where the victim organization may not have maintained the “reasonable security” that is now required under CCPA.

The phrase “reasonable security” is one that security professionals either loathe or laugh at. How can an organization be fined hundreds of millions of dollars based on a phrase with no actual definition? It’s kind of like the CFPB’s UDAAP standard, with its long-undefined “abusive” term. Without a definition, expectations become blurry. It’ll likely come down not to whether an organization had “reasonable security” but whether that organization’s security was not reasonable, based on the current industry trends and the risks posed to that information by the organization.

States considering similar regulations

If you’re in one of the states considering legislation like the CCPA, or a subset of it, what steps should you take? Here are three places to start:

Research proposed laws. What laws have been proposed within your state and the states you serve clients in?
Review your internal control environment protecting personally identifiable information of any type. Don’t just think social security numbers. Dig deeper and think about IP addresses, names, biometric, location and so many other types of data that may possibly be tied to an individual. The definition of PII is no longer the same with these new and proposed privacy and data security laws. Ask yourself if you’ve implemented a control environment that your security and privacy professionals feel covers the industry’s expectations based on types of data held and potential threats.

Talk to your peers. We’re all going to be in this together. We should assist each other with understanding the depth of controls that make up reasonable security as well as share our vetting and vendor experience as it’ll likely take additional vendors to achieve the desired state. The topic of privacy won’t be pushed aside as a concern after 2020. I expect the public’s awareness of privacy issues to continue to grow as large breaches continue to occur, and as we see those numbers and their impacts grow every year.

Look into joining privacy groups and organizations. Speak to your peers and share your research with one another and with your local privacy and security groups. More state privacy laws are coming. Don’t let them surprise you and your bank.

Aaron Kirkpatrick is chief information security officer at Venminder.