GDPR has changed the way organizations approach protecting consumers’ personal data. The U.S. is taking some baby steps to follow up on improving American privacy rights. The California Consumer Privacy Act (CCPA) is getting all the press right now, but several other states are considering legislation with the goal of protecting consumer information.
With that in mind, Jim Varner, president and CEO of SecurityFirst, answered some questions with his opinions on where America is heading with privacy protections.
SMP: Do you think CCPA will up the ante for other states and the federal government?
JV: CCPA highlights that legislators across the U.S. are being asked by citizens to protect personal data, or in the case of California, the voters planned to protect themselves via a ballot proposition.
The passage of CCPA, right on the heels of GDPR going into full effect, builds upon data privacy as a fundamental right and gives consumers means to control their personal information. California, Vermont, New York and Colorado have current or pending legislation for data privacy, and we should expect other states to follow their lead. Will other states take notice and implement similar legislation? I hope so!
SMP: Government leadership has been slow overall about addressing cybersecurity and privacy, largely because of backlash from corporate entities and lobbyists. What changed?
JV: The world is watching; unfortunately, they’re watching hacks and ransomware attacks compromise everything from personal data to disrupting critical city and state services. We don’t hear about the good stuff like effective blocks to critical attacks. What we hear about are the successful attacks.
People are also watching how their state and local leaders are reacting to these events. SecurityFirst commissioned a study with YouGov around cybersecurity and local governments after the massive impact of ransomware attacks in Baltimore and Atlanta this past April. When looking at the potential loss of critical community services from a cyberattack, 71 percent of the responders said it is important to spend public funds now on cybersecurity, even if the chance of attack is low. It also showed that 74 percent say politicians need to take the protection of their personal data more seriously, and 59 percent said they’d likely support a politician that makes data protection one of their top priorities.
The other change is financial. Legislation like CCPA and GDPR brings the ability to impose large fines for noncompliance. In my discussions with several businesses – they are absolutely taking the threats seriously – these regulations bring home the point – via stiff penalties.
SMP: CCPA gets all the headlines, but California isn’t the only state looking at improving its data privacy for residents. What are some of the other initiatives that are out there, and what kind of impact do you think they will have?
JV: Currently almost every state has some legislation around protecting data with requirements for breach notification. There are other focused regulations, such as New York’s 23 NYCRR 500 that requires specific data security actions just for banking, insurance and financial services companies licensed to do business in the state.
The intended goal, of course, is data privacy, but what I’ve heard from customers and even state agencies is confusion. Most large corporations do business not just across multiple states, but globally. Keeping up with everchanging and various requirements is a major challenge.
SMP: When we talk about privacy legislation, we tend to talk about data privacy and data protection as interchangeable, but they are two different concerns. How are they similar and how do they differ? Does it matter where the legislative emphasis should be and why?
JV: Data privacy centers around only using collected data for the purpose it was intended and only for the time it is needed, as well as recognizing that the ultimate owner is the data subject themselves. It really is about monitoring authorized access and use of personal data.
Data security is all about the technology and processes to manage authorized access and prevent all unauthorized access. In some ways, data protection is simple – figure out how to lock it up, usually through some level of encryption. The challenge for data privacy is how and where it is locked up and who has access to it.
Most of the legislative focus has been on data privacy. While recommending specific techniques to protect data such as identity and multi-factor access controls, encryption and access monitoring, the data security measures are less defined. Unfortunately, in my discussions with customers and partners, that lack of specifics has made it more confusing for companies to implement security by design and default.
SMP: In your opinion, what needs to be the next step for better privacy regulations? Is CCPA the step in the right direction?
JV: Absolutely – CCPA is a good step in the right direction. But in my opinion, it could have gone a lot further. Cost-effective privacy protection solutions are in the market today that can mitigate and help recover from attacks, all while preventing disclosure of data. Defining privacy rights and procedures in legislation like CCPA is critical, but it’s time that standard cyber terms and technologies be included in legislation to help drive specific actions, and not ignore the problem of how to keep private data private.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba