Currently, no comprehensive federal data protection legislation exists in the United States. The federal government regulates a select group of industries, such as the health and financial industries, and leaves all other data protection governance to state governments. The Council on Foreign Relations describes the current system as “a patchwork of existing protections” and writes, “The United States lacks a single, comprehensive federal law that regulates the collection and use of personal information. Instead, the government has approached privacy and security by regulating only certain sectors and types of sensitive information (e.g., health and financial), creating overlapping and contradictory protections.”
The California state government plans to enact the California Consumer Privacy Act (CCPA) in January 2020. The CCPA was introduced in 2018, shortly after the EU implemented the GDPR; it collected the necessary votes and was signed into law in June 2018. The CCPA offers consumers the ability to regain control over their personal data. CPO Magazine summarizes the CCPA in a brief paragraph: “The CCPA in its current form authorizes lawsuits by private individuals whose “nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” § 1798.150. A plaintiff must give 30 days’ notice of the claimed breach with an opportunity for the notified company to cure the breach. The private right of action allows plaintiffs to seek civil penalties of $100 to $750 per “per consumer per incident,” or actual damages, whichever is greater. Cal. Civ. Code §1798.194 instructs courts that the new law “shall be liberally construed to effectuate its purposes.”” Essentially, the CCPA empowers consumers to know and choose how companies use their data. It prevents the sale of customer information to third parties without consent and holds companies responsible for the actions of the companies that receive data from them.
How to Prepare My Company
With the GDPR enacted, the CCPA looming, other states planning new legislation, and the federal government likely to follow, start preparing for data protection legislation now. Failure to comply with the GDPR results in fines large enough to ruin some small businesses. Although less severe, CCPA fines still cost companies a considerable amount of money. Such high fines appear to be standard in data protection laws, intended to incentivize compliance. Take precautionary steps and begin refining your company’s network security and data protection now. Preparing proactively reduces the problems that come with rapid change and allows ample time to test any new systems and make necessary adjustments without rushing.
- Monitor Networks – Remain vigilant and monitor your network often. Many companies neglect consistent monitoring of their network: they set up their security systems and forget them, and other operations then consume their time. Regularly analyze reports and systems for red flags or discrepancies that point to a possible breach.
- Penetration Testing – Hire a third-party company to perform a penetration test on your network. It tests for vulnerabilities or failures in your network security and allows you to fix them before any serious breach occurs. Experts recommend pentesting at a minimum of once per year, preferably more often. Companies avoid frequent pentesting because of the cost, but it helps keep your network operating at the highest level of security possible. If a breach occurs, pentesting costs pale in comparison to the legal fees and recovery costs.
- Compliance – Stay up to date on the regulations for each state or country you do business in.
- Data Management – You should always know where your clients’ data is, know who has access to it, and keep it properly encrypted or protected. Under most of these laws, customers possess the right to request access to their information, and you must comply and deliver it to them in a timely manner. Keep it organized and protected to save time and money.
- Act with Integrity – Communicate honestly to your customers how you collect their data and its intended use. Offer the option to opt out of data sales. Many companies take advantage of customers’ data, which is a main reason for the GDPR and CCPA. Acting with integrity when handling consumer data demonstrates your genuine intention to provide the most value for them. People value genuine businesses above all in the twenty-first century.
Winter is Coming
In the popular television and book series Game of Thrones, the Stark family has a motto: “Winter is coming.” The Starks dwell in the cold north of Westeros, and winter affects their territory the most. A pragmatic family, they know winter always comes, so they must always prepare for it. They view life as they view winter: something to prepare for. Something in life is always coming, just like winter, so they prepare for both the unforeseeable and the predictable circumstances of life. Take a page from the Starks’ book. Winter is coming, and by winter we mean legislation. The GDPR heralded the age of data protection laws. California’s CCPA started the trend in the United States. Both Nevada and New York plan to implement data protection laws within the next year. Different states with different data protection laws create messy interstate business interactions. The United States federal government must intervene and standardize regulations or watch as the economy suffers the consequences. Beat your competitors and start planning for the inevitable data protection legislation now. Develop procedures and processes for handling customer information properly. Communicate with your IT team about the new requirements for your network security. Perform frequent penetration testing to assess the state of your security. Don’t wait around for new laws; prepare for them.
We know that data protection laws seem overwhelming. We would love to answer your questions and help you develop the best plan for complying with the GDPR, CCPA, and other laws that affect your company. Reach out to us on our website with any questions!
*** Fair Use Legal Disclaimer
This blog post contains copyrighted material which has not been specifically authorized by the copyright owner. Origami Technology Group Inc. claims none of the quotes or images used in reference to the HBO show, Game of Thrones, as their own. There is no relation between Origami Technology Group Inc. and HBO. HBO does not support or endorse any of the above content. Origami Technology Group Inc. utilized the material with the intention of educating small business owners on data protection regulations in accordance with Title 17 U.S.C. Section 107. No copyright infringement was intended. ***