The protection of personal private information has been in the regulatory spotlight for many years. As the internet continues to connect the world, storage and transfer of personal information is no longer confined to physical customer cards or files in file cabinets. Sensitive information is now stored in electronic form or in the cloud and can be prone to hacks and used by malevolent actors for extortion and identity theft.
In recent years, privacy protection regulations like the EU’s General Data Protection Regulation (GDPR) aim to protect personal information and mitigate the impact of data breaches. That has driven a wave of privacy protection regulations in the United States. And it’s no wonder; the statistics are alarming:
• In the United States, someone is a victim of identity theft every 2 seconds.
• People whose accounts have been part of a data breach have a 31% chance of having their identity stolen.
• 7.9 billion records were exposed through data breaches during 2019. Those records contained addresses, phone numbers, credit card information and other private information that can be used for identity theft.
• Identity theft victims experience adverse mental and physical effects during and after their ordeal.
• Companies like Microsoft, Facebook, Capital One, T-Mobile, and many others experienced significant data breaches last year. Hackers also exposed information in government systems such as the Maryland Dept. of Labor, Los Angeles County Department of Health Services, the United Nations, and even the U.S. Defense Information Systems Agency that employs over 8,000 military and civilian employees.
The proliferation of privacy regulations
Protecting personal privacy is not a new concept. In the United States, laws like the Privacy Act of 1974 and Electronic Communications Privacy Act of 1986 placed rules and restrictions on federal agencies about the collection, use, and distribution of information about individuals. HIPAA, enacted in 1996, established privacy standards for private healthcare information that exists in both physical (paper) and electronic form. The Children’s Online Privacy Protection Act of 1998 (COPPA) instituted rules governing the privacy policies of websites to prevent the internet collection of data from children.
A major shift to the future of data privacy happened when the GDPR went into effect in May 2018. Older privacy acts dealt with the ways companies and organizations protect consumers’ personal data, but not how that data could be used. The GDPR’s purpose is to give each individual control over their personal data by regulating how a company or organization may process, protect, and use that data. Companies and organizations that do not comply with the GDPR face penalties of up to €20 million ($23 million) or 4% of their annual revenue. Though the GDPR is a regulation of the European Union (EU), it also impacts any company or organization in the world, including the United States, that receives and processes data from EU individuals.
The GDPR has spurred on the creation of similar privacy protection acts from various states across the United States. California used the GDPR as a guide to craft its CCPA (California Consumer Privacy Act). While it isn’t the first state to enact new privacy acts (Nevada was ahead of California by six months), the CCPA has been a template that other states have used to update, enhance, or create their personal information privacy regulations.
The proliferation of privacy regulations in the U.S. is on the rise. More states and even the federal government are introducing bills that contain similar regulations focused on the rights of consumers to control the collection, use, and distribution of their personal information. Some of those include:
Washington (State) Privacy Act
Texas Privacy Protection Act
• Pennsylvania House Bill 1049
Consumer Data Privacy and Security Act of 2020 (A federal regulation with a draft bill possible by August 2020)
According to a recent Ponemon Institute report “Keeping Pace in the GDPR Race: A Global View of GDPR Progress in the United States, Europe, China and Japan,” 30% of U.S. companies surveyed said they were not confident in their ability to respond to a data breach covered by the GDPR. The study also uncovered that 45% of U.S. respondents said they experienced cyberattacks that, under the GDPR, would have needed to be reported. Both statistics were the highest out of all countries participating in the study.
Implications for U.S. companies and organizations
Most of the new and proposed privacy regulations in the United States are modeled after the GDPR. Some even propose a slightly broader reach. The Ponemon study indicates that many U.S. companies are not yet confident in their ability to comply with the personal information protection and reporting standards now in place or proposed in this country.
Companies and organizations need to study their processes and workflows to identify what personal data they gather from customers, where it is gathered, how it is used, how it is stored and when it is destroyed. This can be done through an audit or DPIA (data protection impact assessment). Once a DPIA is completed, companies and organizations can use the results to go through a quick GDPR checklist and determine how well the company performs in the following key areas:
• Are security measures and policies in place to protect customer information (such as encryption, pseudonymization, etc.)? Are employees aware of the policies? Is there a process in place to carry out an assessment and contact authorities and customers if, and when, a data breach occurs?
• Is there a designated person or team responsible for GDPR compliance in the company? Are there security agreements in place with any third parties that process or handle customer information?
• Do company policies and processes make it easy for customers to exercise their privacy rights to request and receive all information the company has about them, correct or update information, object to how their personal information is used, and have all personal information deleted (the right to be forgotten)?
Following the GDPR guidelines and checklist is a good start. Each new state privacy regulation may be slightly different but the GDPR provides a good baseline to measure company preparedness for any new local information privacy requirements.
Putting technology to work will also make it easier for an organization to comply with many of the requirements in these new regulations. Digitizing workflows and reducing reliance on paper forms and records allows an organization to use information and content management solutions to collect, recognize and manage customer data with “privacy by design” in mind. The use of encryption pseudonymization and other security features of devices, software, and cloud services help protect customer information as soon as it is collected. Artificial intelligence and machine learning can more efficiently identify sensitive customer data and ensure it is adequately protected. Advanced tagging and metadata technology make searches and discoveries of data easier to meet customer requests for copies of their data or deletion of their information. Process analytics provide a way to more quickly identify when a breach happens and put their impact mitigation and reporting process in action.
For technology and solution resellers
The proliferation of privacy regulations and the persistent lack of confidence in U.S. companies to meet their requirements shows that businesses and organizations need the expertise to help them achieve necessary compliance. The cost of that expertise and solutions is minimal compared to the potential penalties and loss of business costs an organization can face if found noncompliant. Because of this, there is ample opportunity for solution sales professionals to engage in security and compliance conversations with prospects and customers.
Understanding the GDPR and new U.S. regulations that apply to their marketplace allows technology and solution resellers to educate their solution sales professionals on the type of services, technologies, and solutions that can help their customers meet compliance requirements. The solutions should help protect customer information and help provide a backbone for cyberattack mitigation and reporting.
Services can include security audits, conducting a DPIA and best practice consultation. Also worth offering are configuration services that enable security features on hardware and software to employee and compliance officer training and complete data discovery services. Using the variety of technology products and cloud services now available, solutions can be created that automate and standardize data collection, information extraction, tagging, storage and search functions to better manage information workflow and processes that comply with customer privacy needs. Having a holistic view of how products, software, and services work together within the organization’s workflows and processes will establish a solution sales professional as a trusted and strategic advisor to a company developing their compliance solution. This positioning strengthens the customer and seller relationship creating a nearly unbreakable competitive advantage.
It won’t ever be “done”
Washington State Senator Reuven Carlyle said, “I don’t think that we’re ever going to be done dealing with the regulatory framework of consumer data and the issue of privacy. We’re living in a new era.” This new era puts new pressures on businesses and organizations to safeguard not only their own data but their customer and client data. The need for closer partnerships between businesses and organizations with trusted solution providers will continue. Clearly, GDPR was just the start. The work of privacy protection does not appear to ever be “done.”