Why data privacy matters
Data is an incredibly important asset, and collecting and sharing data can be big business in today’s digital economy. But for a business to safely and successfully take advantage of the data they’re collecting, they need to have safeguards in place to ensure data is under tight lock and key and consumers aren’t subject to uninvited surveillance.
As businesses collect growing amounts of information on their customers, those customers have begun to see the potential downsides to this data collection. Data privacy is more important today than ever before, and businesses should be highly concerned with their data privacy policies and procedures for a few different reasons.
At this time, the regulatory landscape has created new complications for businesses of all types. Data privacy regulations such as the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) have significantly changed how businesses can collect, store and handle personal information from consumers. These laws are comprehensive and designed to provide covered consumers with a level of legal protection that was not previously available.
Meanwhile, businesses today are often at risk of unintentionally violating these data privacy regulations, because their security measures aren’t keeping up with the ever-evolving cyber risk landscape. Organizations are vulnerable to an increasing array of cyber attack schemes from cyber criminals, hackers and state-sponsored cyber terrorists. According to the Imperva 2019 Cyberthreat Defense Report, it is expected that 57.6% of government organizations, 73.5% of educational organizations, and 74.5% of retail organizations are at direct risk of suffering data breaches or compromises. In 2019, we saw organizations like Equifax, British Airways, Fortnite and Marriott Hotel Group pay settlements in the millions for data breaches.
As a business, your obligation to safeguard data has never been greater. Not only do you have to collect, store, process and discard data in ways that are compliant with regulations, you also need to have strong information security policies and practices that protect your clients’ data from malicious or unauthorized use.
In this guide, we’ll discuss why businesses need to pay attention to data privacy, the key data privacy regulations affecting U.S.-based businesses, and the key steps businesses need to take to adhere to these regulations and adequately protect their critical assets and their reputation.
Data privacy vs. data security
Data privacy consists of the policies and processes that dictate how your business collects, shares, and uses data. Data privacy is often informed by state or federal laws that apply to businesses in a certain location or industry.
On the other hand, data security protects your company’s data from being accessed or used maliciously. Data security varies from one business to the next and will depend on the amount and types of data being collected and stored.
Both data privacy and data security are crucial to a bulletproof data protection policy. Without both of them in place, you will have an incomplete program that leaves you vulnerable to attacks or costly mistakes.
Data privacy regulation types
Data collection regulations provide guidance for how and when businesses can collect data about consumers and, in some cases, whether people have to be notified that their data is being collected.
Data breach regulations tell businesses what they must do in the event of a data breach, such as notifying agencies and customers, tracking information about the breach, and taking steps to ensure a similar breach doesn’t happen in the future.
Data access regulations provide guidelines for 1) how internal access of information should be handled, and 2) the levels of access consumers are entitled to.
Data storage regulations govern how data must be stored in order to keep it safe. Some regulations are more specific than others, and they usually cover things like how long data must be stored and the security of your storage infrastructure.
Data privacy training regulations give guidance on who your business has to train on data privacy. Usually, this is something that every employee needs to be trained on in order to meet the regulations.
The most common data privacy regulations
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for how patients’ information has to be handled by doctors’ offices, hospitals, insurance companies, and other businesses that handle personal health information. HIPAA requires that providers (e.g., hospitals) and businesses that process patient data safeguard patient information, and it only allows that information to be disclosed in certain situations.
HIPAA provides four general rules that businesses must abide by, which are:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
The General Data Protection Regulation (GDPR) was enacted in 2018 to protect the rights of citizens in the EU when it comes to data collection and privacy. GDPR applies to companies that meet any of the following criteria:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
This means it effectively applies to almost all companies. It gives customers the right to know what data is being collected and sets requirements for how and when businesses must report breaches.
GDPR is one of the toughest data privacy regulations to comply with. It does allow for a tiered approach to fines and penalties based on the relative seriousness of the offense, but businesses shouldn’t count on leniency; in 2019, British Airways was fined $228 million and Marriott International was fined over $124 million for exposing millions of records of personal data.
The Payment Card Industry Data Security Standard (PCI-DSS) is somewhat unusual, as it isn’t a government regulation; it is imposed and enforced by an independent body, the Payment Card Industry Security Standards Council. Any business that accepts, stores, or transmits cardholder data is subject to PCI-DSS. The standard requires businesses to have policies and processes in place to protect their customers’ information and ensure they’re properly handling and storing credit card data. This even applies to businesses that use third-party vendors to handle credit card payments. All businesses involved in ecommerce need to be well versed in these requirements and prepared to make sure their vendors are too.
The Sarbanes-Oxley Act of 2002 (SOX) was enacted in response to the Enron scandal, and publicly traded companies are required to comply with it. It is designed to prevent the kinds of fraud that occurred by setting requirements for retaining and storing business records and penalties for destroying, altering, or falsifying records.
This involves not only accounting to ensure that records are accurate, but also the IT function to store records correctly. SOX also requires a system for tracking changes to records and storing the right records for the right length of time.
The California Consumer Privacy Act (CCPA) applies to companies that do business in California and either 1) generate $25 million or more in annual revenue; 2) buy or sell the personal information of 50,000 or more consumers, households, or devices; or 3) earn more than half their annual revenue selling consumers’ personal data. The law allows any California resident to get a full list of the data a business has about them and entitles consumers to know who businesses have shared that data with. If a business violates the privacy guidelines in the CCPA, consumers are allowed to sue the business even if there hasn’t been a data breach.
The CCPA went into effect on January 1, 2020. Regulators can fine noncompliant businesses up to $7,500 per record affected. It remains to be seen how strictly this law will be enforced and when exactly enforcement will begin (although according to the law, the attorney general’s office can begin enforcement six months after the final regulations are in place, which will be July 1, 2020). But this is another instance where a wait-and-see approach is not likely to benefit businesses.
Nevada’s Senate Bill 220 went into effect in October of 2019, and it made Nevada the first state to follow in California’s footsteps and enact a data privacy law. The Bill requires that companies provide consumers either with a number they can call or an email request they can send to opt out of having their data sold by that business. Nevada’s attorney general can impose fines of up to $5,000 for each violation, but consumers can’t bring action against non-compliant businesses under the bill.
There are some additional differences between Senate Bill 220 and the CCPA, like the fact that the Nevada Senate Bill doesn’t require a “Do Not Sell My Information” link, the differences in what information is covered, and a more limited definition of what is considered the “sale” of consumer data. However, this is still an important law for businesses to understand and become compliant with. More bills like this will likely be introduced in the coming years, and businesses need to be ready to meet them as they are voted into law.
The Gramm-Leach-Bliley Act (GLBA) was enacted in 1999 and requires companies that provide consumers with loans, financial or investment advice, insurance, or other financial products and services to explain their information sharing and protection practices to their customers. It also requires companies to safeguard any sensitive data they collect from their customers. The GLBA requires financial institutions to have a written information security plan and have at least one employee designated to coordinate its program.
The penalties for violating the GLBA can be steep, with businesses facing fines of $100,000 for each violation and individuals facing a fine of $10,000 and up to 5 years in prison for being in violation of the Act.
The Computer Fraud and Abuse Act (CFAA) was passed in 1986 and makes intentionally accessing a computer without authorization a criminal act. Since then, it’s been amended and its scope has expanded to cover technological changes. Anyone who accesses a computer without authorization, exceeds their authorized access, intentionally damages a computer, or uses a computer to commit extortion can be prosecuted under this act.
The penalties for violating the CFAA include prison time and range from one to 10 years. The CFAA also allows for civil actions in some situations, such as if physical injury or damage that affects a computer used by an entity of the United States occurs.
How can you meet data privacy regulations?
1. Determine which data privacy regulations apply to your business
If you don’t have internal data privacy experts, you’ll want to consult with external legal experts as well as consulting firms to help you determine which data privacy regulations apply to your business, and how to feasibly comply with the regulations.
As technologies change or new ones emerge (e.g. facial recognition algorithms), legislators and regulatory bodies will update regulations to enhance protection of consumers. Your organization should make a concerted effort to stay abreast of regulatory changes in the data privacy realm. You can do so by joining industry associations such as the International Association of Privacy Professionals, the world’s largest and most comprehensive global information privacy community.
To determine which regulations apply, start by answering a few questions about the data you handle:
- Who is the user of the product?
- What information about the users will you be collecting?
- What is your business trying to do with the information you collect?
- What is the sensitivity level of the information?
You’ll want to start with a data inventory that includes all of the consumer data that you collect so you have a central record of what you have collected and where it is being stored.
You also need to understand, and indicate in your data inventory, the sensitivity of the information you’re collecting. Do you have highly sensitive information, like personal health information or social security numbers?
Finally, how will your revenue model utilize the consumer data you are collecting? How are you looking to sell data or monetize data? What do the privacy laws you’re subject to allow or not allow? How will those laws affect your ability to sell consumer data, and what do you have to offer consumers in terms of opting in or out of the sale of their data?
2. Implement data privacy and cybersecurity frameworks and auditing procedures
You shouldn’t be doing any guesswork when it comes to data security and data privacy. At this time, there are a number of well-regarded and widely adopted cybersecurity and data privacy compliance standards available. These compliance standards and auditing procedures (e.g., SOC 2, NIST 800-53, ISO 27001) provide detailed catalogs of privacy and security controls that businesses can put in place to secure their customers’ data and ensure data confidentiality.
For example, SOC 2, an auditing procedure developed by the American Institute of CPAs (AICPA), defines criteria for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality and privacy. If your organization collects, transmits, uses or stores personal information, you may benefit from going through a SOC 2 audit for privacy and data security, to gain confidence that your customers’ personal information is protected and to provide assurance to potential customers that your organization has controls in place to protect their personal information.
ISO/IEC 27701 is another privacy framework worth considering, because it was specifically developed to help organizations conform to the GDPR. If your business is required to be GDPR compliant, ISO/IEC 27701 provides an extensive list of guidelines that will help you as your company begins working towards GDPR compliance.
ISO 27001, part of the ISO 27000 family of standards, is another standard your organization may choose to comply with, because it provides a comprehensive list of steps businesses can take to shore up security and ensure that their security processes can prevent unauthorized access to user data.
To ensure that your data protection practices are robust enough to keep your information assets safe, you’ll want to become familiar with these compliance frameworks, evaluate how your internal controls stack up against the best practices put forth within these IT compliance standards, identify the gaps, and implement new policies and procedures to close the gaps in your environment.
Again, if you’re implementing a cybersecurity or data privacy standard for the first time, you’ll want to get help from qualified consultants, software vendors with expertise in this realm and auditors.
3. Conduct internal audits on a regular basis
For businesses complying with multiple cybersecurity and data privacy regulations, having an internal auditing practice in place is crucial. Putting a dedicated professional in charge of auditing your compliance processes and giving them access to the right tools is the best way to spot possible issues and prevent disasters like a major data breach from happening.
4. Keep detailed records of your compliance activities
One of the best ways to protect your company from the legal consequences (e.g., fines and penalties) of non-compliance is to keep detailed records of your compliance activities. To illustrate this point, let’s take a look at the CCPA. The CCPA makes a clear distinction between willful non-compliance vs. unintentional non-compliance. Those who are found to be willfully negligent will pay a higher penalty: $7500 per violation per user vs. $2500 per violation in unintentional non-compliance cases. Being able to quickly demonstrate compliance can save your business a significant sum of money if your business were found to be in violation and investigated by the California Attorney General.
Even with a strong compliance program in place, the risk of a data breach or other violations is always present. Having detailed records of your compliance efforts ready at your fingertips will help you demonstrate that you take that risk seriously and are actively working to mitigate it.
Data privacy and your business
Data privacy is critical to the survival of modern businesses, and organizations’ leaders should embed data privacy into every process or policy that touches consumer data within the company. No matter what size your business is, how mature your compliance program is, or how many people are on your compliance team, most businesses have room for improvement when it comes to data privacy.
Take some time, sooner rather than later, to evaluate your company’s data privacy policies and practices to make sure you’re utilizing all the resources at your disposal to protect your clients’ data, your business’ bottom line, and your customers’ trust in your company.
The post Understanding Data Privacy and Why It Needs to Be a Priority for Your Business appeared first on Hyperproof.