This article was written by Jamie Normand, Security Consultant - FoxPointe Solutions
Data privacy and protection regulations are becoming increasingly common worldwide. This month marks four years since the European Union’s General Data Protection Regulation (GDPR) took effect. During the GDPR’s first four years, more than $1.5 billion in fines have been assessed. In addition, several states have passed data protection laws with punitive fines. Two such examples are the California Consumer Privacy Act (CCPA) and the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD). Determining which of these laws apply to your organization, how to properly safeguard client data, and how to protect yourself from fines can be a difficult task. Let’s look briefly at each of these laws.
The GDPR is a Set of Laws and Regulations That Strive to Safeguard the Data of EU Residents
Can these laws apply to US-based organizations? Yes, absolutely. Is the determination of compliance black and white? Not really. As a rule of thumb, the GDPR states that its rules apply if “…the organization set out to offer goods and services to people in the EU.” This includes marketing in languages that are foreign to your organization but native to EU countries, and accepting payment in euros. If your business is deemed to be catering to European countries, you may have to follow GDPR rules regardless of your place of incorporation. It is worth noting that having the occasional customer within the EU does not necessarily subject your organization to GDPR regulations.
What is California's CCPA?
California’s CCPA was the first major US state legislation to address consumer data privacy. This act gives all California residents certain rights regarding their data. California residents have the right to request all data that a company holds on them, as well as what that data is being used for. The resident can also request that their data not be sold, or that it be deleted altogether. When a company first collects the data, residents of California have the right to know what data is being collected and how it will be used.
The CCPA applies to for-profit businesses that operate in California and meet any of the following criteria: the business has a gross annual revenue of over $25 million; the business buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or the business derives 50% or more of its annual revenue from selling California residents’ personal information.
What is New York’s SHIELD Act?
New York’s SHIELD Act, unlike the GDPR and CCPA, focuses more on the steps an organization must take in the wake of a data breach. SHIELD adapts and updates New York’s existing Information Security Breach and Notification Act, and therefore applies to any organization that holds New York resident data and suffers a data breach. SHIELD provides examples of safeguards that should be used by persons and businesses that maintain personal information. Whether or not your organization satisfies these safeguards is not always easy to determine, because the law does not provide an exhaustive list of examples. Organizations must have reasonable administrative, technical, and physical safeguards that are in keeping with the spirit of the law, as well as policies and procedures to properly deal with the aftermath of a data breach.
The laws selected and summarized above are just a few examples of data protection acts. States with upcoming data protection legislation include Colorado, Utah, and Virginia. As more states and countries enact and revise consumer data protection laws, it will become increasingly difficult, and increasingly important, to know how your organization fits into the myriad frameworks and jurisdictions. It is vital that all organizations that use consumer data have finely tuned and frequently reviewed IT/cybersecurity policies and procedures.