The proliferation of data security regulations has increased in recent years, galvanizing privacy concerns worldwide. According to industry analyst Gartner, by 2023, nearly two thirds of the world’s population will have its personal data covered under modern privacy laws.
In the United States, there is no comprehensive federal data privacy law, despite many attempts to coordinate a unified approach to data privacy. In the absence of a framework, some states have charged ahead to pass their own new comprehensive data privacy laws – inspired in part by the European General Data Protection Regulation (GDPR).
Listed below are summaries of three newer privacy regulations to watch – some of which will set the tone for forthcoming legislation in other states.
California Consumer Privacy Act
Inspired by the GDPR, the CCPA went into effect early last year and is applicable to for-profit entities that collect personal information from California residents and meet any of the following thresholds:
• at least $25 million in California-based gross annual revenue;
• receives, processes or transfers annual 50,000 data volume;
• derives more than half of its annual revenue from the sale of personal information.
The law regulates the sale, process and transfer of personal data, defending:
• data to be used to identify another;
• individuals;
• those within a household;
Personal data is protected via stiff data penalties for non-compliance, and consumers are provided with an automatic private right-of-action checklist to peruse business CCPA compliance. In 2023, the California Privacy Rights Act (CPRA) will boost consumer protection, and a distinct privacy entity will enforce its laws.
Health Insurance Portability and Accountability Act
The U.S. Department of Health and Human Services’ Health Insurance Portability and Accountability Act regulates health insurance. It also requires ongoing protection for patients’ personally identifiable information, which is increasingly attractive for cyberattacks. HIPAA data security requires that covered entities:
- continually monitor file and perimeter activity and access to sensitive data;
- access control–re-compute/revoke permissioning on need-to-know business right;
- maintain written records–detailed activity records for all data user objects.
HIPAA’s Privacy Rule and the FTC Act, discussed next, are similar, and healthcare organizations should understand how to properly follow both for comprehensive data security.
Federal Trade Commission Safeguards Rule Updates
The Federal Trade Commission – independent of presidential control –prohibits unfair competition and has been the chief federal agency on privacy policy and enforcement since the1970s when it began enforcing one of the first federal privacy laws – the Fair Credit Reporting Act. Since then, rapid changes in technology have raised new privacy concerns, but the FTC’s overall approach has been consistent: The agency uses law enforcement, policy initiatives, and consumer and business education to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits of the marketplace.
The FTC’s overseeing role for financial institutions protects information from foreseeable threats to security and data integrity. The Gramm-Leach-Bliley Act requires that financial institutions share and protect customers’ private information, and the FTC’s Gramm-Leach-Bliley Act Safeguards Rule requires covered financial institutions to develop, implement and maintain a comprehensive information security program that complies with FTC requirements. Among the updates to that we can expect to see to this are:
- more-specific orders requiring that organizations implement broad, process-based data security programs
- improved third-party assessor accountability to review required data security programs
- companies presenting their governing body a written security program
- senior officers provide annual compliance.
The FTC’s Business Center has Tips & Advice demonstrating:
- a sound security plan, collect only what you need;
- free business resources, any size;
- Consumer and Business Blog Series.
Overall, most states and D.C. have laws requiring businesses to own, license or maintain personal information. This permits residents of that state to expect businesses to maintain “reasonable security procedures and practices” for personally identifiable information. (PII). New personal data security laws have doubled since 2016 — from unauthorized access, destruction, use, modification or disclosure — by PII.
At minimum twenty-five states and D.C. have laws and conditions addressing:
- data security laws applying to state agencies or governmental entities;
- governments’ vast amounts of data regarding citizens;
- state databases attracting cyber criminals;
- laws enacted within the last few years;
- recent, security/oversight statewide enactments.
A full cybersecurity latticework among states is in reach, technical background or not. In the coming years, expect to see a continued flurry of activity: new consumer privacy laws such as those that will take effect in Colorado, Virginia and California in 2023; Utah’s Cybersecurity Affirmative Defense Act, which provides organizations with a safe harbor for data breach notification in limited circumstances (also 2023); Nevada’s broadened privacy law pertaining to the sale of personal data to third parties; and more. Still, however, no comprehensive federal data privacy law is in the works.
Guest blogger Barry McPhee is a freelance writer based in Vermont.
