Another Data Privacy Law? No Problem

Written by

California became the first state to pass a data privacy law last year with the California Consumer Protection Act (CCPA), which will go into effect January 1, 2020. CCPA will enforce restrictions about how companies can collect and use California residents’ data.

Tech giants and other lobbying groups have been battling CCPA, as consumers will be granted control over their data such as the right to be forgotten, right to say no to one’s information being shared or sold to others, right to sue companies that fail to safeguard consumers’ data and more. However, it is not surprising that consumer data privacy rights continue to gain regulatory support.

There were reportedly 100 data breaches in June 2019 that compromised a total of 24,644,872 records, according to research from the Identity Theft Resource Center. While these attacks can negatively impact a business’ bottom line, consumers suffer the brunt of data leaks. 

The introduction of the New York Privacy Act (NYPA) in May 2019 is the Empire State’s first step to place more power in the hands of consumers and inspire businesses that collect New York citizens’ data to make safeguarding that data a priority. Companies will need to be crystalizing their strategies for how to collect, store, share and protect consumer data, and ensure they have the level of control to quickly adapt and ensure compliance. 

NYPA will require businesses of all sizes to make protecting consumer data and handling it responsibly a priority, even ahead of their own profit margins. According to the New York State Senate’s website, the purpose of NYPA is to require companies to disclose their methods of de-identifying personally identifiable information (PII), place safeguards around data sharing, allow consumers to obtain the names of all entities with whom their information is shared, require companies to obtain consent from consumers before they sell information and more.

While this may seem similar to CCPA, there are a few key differences that place NYPA in a league of its own:

  • NYPA grants New Yorkers the right to sue companies directly over privacy violations, while CCPA leaves enforcement to California’s state attorney general.
  • NYPA applies to businesses of any size while CCPA only applies to organizations that make more than $25 million in annual gross revenue.
  • NYPA would require businesses to act as data fiduciaries that legally bar businesses from using data in a way that benefits their respective companies if it comes at the expense of financial or physical well-being of users to whom that data belongs.

While it is not likely that NYPA is passed exactly as currently drafted, these provisions are indicative of how data privacy laws across state lines (and even potentially a federal data privacy law) could be shaped in the future. You can bet all of these regulations will have slightly different provisions, adding complexity for companies struggling with compliance.

Businesses will be required to reasonably secure individuals’ information and inform them of data breaches if one occurs. As companies undergo digital transformation, they must make security a priority not just to comply with data privacy laws, but to protect consumer information, which is what these laws are (at least in part) designed to do.

The adoption of new technologies can create as many risks as it does opportunities. However, with the right guardrails in place, organizations can continue to leverage new technologies to obtain a competitive edge while remaining secure.

For example, organizations are increasingly embracing the dynamic, self-service nature of cloud and container infrastructure to bring new products to market faster, innovate and deliver more value to their customers. However, the speed of workload deployment, rate of change and an ever-increasing number of users can quickly overwhelm a company’s ability to keep corporate data secure and maintain compliance.

NYPA will inspire companies to invest in methods like automated cloud security solutions that perform real-time, continuous discovery of infrastructure resources to identify risks and threats to the integrity of customer data. Premier automated cloud security solutions can even integrate with out-of-the-box (i.e. HIPAA, GDPR, CIS, PCI DSS, NIST CSF, etc.) and custom cloud-native policy guardrails to detect and alert security professionals of violations, and even automate the enforcement and remediation of those policies.

Such solutions are critical, as compliance with the growing number of regulations and enterprise standards in fast-paced, ever-changing cloud environments is all but impossible. For example, these solutions can: enforce standard tagging on all cloud resources for identification, accountability and application of appropriate policies, limit cloud footprint to only approved regions to ensure data sovereignty requirements are met (i.e. GDPR), and even ensure encryption and data retention policies are enforced across all clouds and cloud accounts.

Even though the NYPA is far from being passed into law, it has elements that can make it an effective piece of legislature to ensure the safety of consumers' information.

With the enactment of CCPA being more pertinent and recent settlements that Equifax and Facebook reached with the FTC, it is clear that safeguarding customer data and being transparent about how it is used are becoming national priorities. It will not be surprising if other states, as well as the federal government, follow California and New York’s lead by introducing their own data privacy laws.

What’s more, these laws are bound to evolve over time. Organizations will need to adopt flexible solutions and strategies to ensure that they are able to quickly adapt and comply with new laws while doing what the laws are meant to do in the first place: keep consumers’ information safe.

What’s hot on Infosecurity Magazine?