The increasing number of data security regulations has raised privacy concerns globally. Gartner’s industry analysis predicts that by 2023, about two-thirds of the world’s population will have personal data covered by modern privacy laws.
Despite numerous attempts to coordinate a unified approach to data privacy, the United States still lacks a comprehensive federal data privacy law. However, some states have taken it upon themselves to pass their own comprehensive data privacy laws, partially inspired by the European General Data Protection Regulation (GDPR).
Below are summaries of three newer privacy regulations to watch – some of which will set the tone for forthcoming legislation in other states.
California Consumer Privacy Act
Inspired by the GDPR, the CCPA went into effect on January 1, 2020 and applies to for-profit entities that do business in California, collect personal information from California residents, and meet any of the following thresholds:
- Annual gross revenue above $25 million;
- Annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices;
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information.
The law regulates the collection, sale, and sharing of personal information, which it defines broadly as information that identifies, relates to, or could reasonably be linked, directly or indirectly, with:
- identifiers such as names, postal and email addresses, account names, and IP addresses;
- individual consumers (California residents);
- households.
Non-compliance carries civil penalties enforced by the California Attorney General, and consumers have a limited private right of action when a business’s failure to implement reasonable security procedures leads to a breach of their unencrypted personal information. On January 1, 2023, the California Privacy Rights Act (CPRA) expands consumer protections and hands enforcement to a new dedicated regulator, the California Privacy Protection Agency.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act, enforced by the U.S. Department of Health and Human Services Office for Civil Rights, regulates how covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates handle protected health information (PHI). Its Security Rule requires ongoing protection of electronic PHI, which is an increasingly attractive target for cyberattacks. Among other safeguards, covered entities must:
- implement audit controls that record and examine activity in systems that contain or use electronic PHI, including access to that data;
- enforce access control on a need-to-know basis, assigning unique user identifiers and reviewing and revoking permissions when a user’s role no longer requires them;
- maintain written documentation of their policies, procedures, and security activity records, and retain it for at least six years.
HIPAA’s Security Rule and the FTC Safeguards Rule, discussed next, take a similar risk-based approach to data security, and organizations subject to both should understand how to satisfy each.
Federal Trade Commission Safeguards Rule Updates
The Federal Trade Commission, an independent agency, prohibits unfair methods of competition and unfair or deceptive acts or practices. It has been the chief federal agency on privacy policy and enforcement since the 1970s, when it began enforcing one of the first federal privacy laws, the Fair Credit Reporting Act. Since then, rapid changes in technology have raised new privacy concerns, but the FTC’s overall approach has been consistent: the agency uses law enforcement, policy initiatives, and consumer and business education to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits of the marketplace.
The FTC’s oversight role for financial institutions aims to protect customer information from reasonably foreseeable threats to its security and integrity. The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to customers and to safeguard sensitive customer data, and the FTC’s Gramm-Leach-Bliley Act Safeguards Rule requires covered financial institutions to develop, implement, and maintain a comprehensive written information security program that meets the FTC’s requirements. Among the updates to the rule that we can expect to see are:
- more specific requirements that organizations implement broad, process-based data security programs built on a written risk assessment;
- greater accountability for third-party assessors who review the required data security programs;
- companies presenting their governing body with a written security program;
- senior officers providing written compliance reports to the board at least annually.
The FTC’s Business Center offers tips and advice, including:
- guidance on building a sound security plan, starting with collecting only the data you need;
- free resources for businesses of any size;
- consumer and business blog series.
Most states and D.C. have laws requiring businesses that own, license, or maintain personal information to implement “reasonable security procedures and practices” for personally identifiable information (PII), and residents of those states can expect businesses to do so. The number of such state data security laws has roughly doubled since 2016; they require PII to be protected from unauthorized access, destruction, use, modification, or disclosure.
At least twenty-five states and D.C. also have data security laws that apply to state agencies or other governmental entities. Governments hold vast amounts of data about their citizens, which makes state databases attractive targets for cyber criminals, and many of these laws, along with statewide security and oversight measures, were enacted within the last few years.
A coherent patchwork of state cybersecurity and privacy law is taking shape, and organizations with or without a technical background will need to keep up. In the coming years, expect a continued flurry of activity: new consumer privacy laws taking effect in Virginia, California, and Colorado in 2023; Utah’s Cybersecurity Affirmative Defense Act, which gives organizations an affirmative defense against certain data breach claims if they maintain a written cybersecurity program that reasonably conforms to a recognized industry framework; Nevada’s broadened privacy law governing the sale of personal data to third parties; and more. Still, no comprehensive federal data privacy law is in the works.
Guest blogger Barry McPhee is a freelance writer based in Vermont.