2019 is going to be a major year for data privacy. Companies have less than 12 months to meet the new California Consumer Privacy Act (CCPA) and we have already seen a €50 Million fine filed against Google under the General Data Protection Regulation (GDPR). In previous discussions with numerous businesses – they are absolutely taking legislation like CCPA and GDPR seriously – and the latest Google example brings home the point that noncompliance means stiff penalties and unwanted publicity.
This isn’t to say that we haven’t seen large fines for noncompliance before, such as the $16 Million settlement against Anthem Inc. But that was for a data breach in 2015 where attackers got access to the Electronic Protected Health Information (ePHI) of almost 79 million people. And while many people have become immune to data breach announcements, the fine issued against Google on January 21st illustrates how the focus on data privacy has elevated the task of data security. Google was fined not because they were reckless with the data or suffered a data breach, but because of how they let partners use data as well as whether they adequately gave the consumers clear information on how that data was used and a clear way to opt out.
The difference is that data breaches have always seemed to focus on how data was or was not protected, versus how the data was collected, used and removed when no longer needed. This highlights the differences between data privacy and data security. Data privacy centers around only using collected data for the purpose it was intended, only for the time it is needed and recognizing that the ultimate owner is the data subject themselves. It really is about monitoring authorized access and use of personal data. Data Security is all about the technology and processes used to manage authorized access and prevent all unauthorized access.
- This is everything you need to know about GDPR
- Satya Nadella calls for global GDPR
- Majority of companies still aren't GDPR compliant
California Consumer Privacy Act
GDPR and CCPA are built upon the principle of data privacy as a fundamental right and they give consumers the means to control their personal information. These regulations center around these basic requirements:
- To know what data is collected, used, and how long it is stored
- To see data in a readable format and have errors corrected
- To have access to data in a portable/useable format
- To be forgotten and have all identified data deleted
- To be notified of a data breach in a timely manner
The intended goal, of course, is data privacy, but what I’ve heard from customers and even state agencies is confusion. Most large corporations do business globally and keeping up with ever changing and various requirements is a major challenge. In addition, data privacy cannot be separated from protecting data, recovering from or notification in the event of a breach. GDPR defines what steps need to be taken and the fines that can be levied in the event of a breach, while CCPA works in tandem with some of the most stringent breach notification laws that are already on the books in California.
Currently, almost every state has some legislation around protecting data with requirements for breach notification. There are other focused regulations, such as those in the United States like HIPAA for healthcare or New York’s 23 NYCRR 500 that requires specific data security actions just for Banking, Insurance and Financial Services companies licensed to do business in the state.
And while Data Security is an important part of these regulations, the issue is that the requirements for protecting data are broad-based and less defined when one-size security technology doesn’t fit all. Unfortunately, in my discussion with customers and partners that lack of specifics has made it more confusing for companies to implement security by design and default. Defining privacy rights and procedures in legislation like GDPR and CCPA is critical, but in my opinion, it’s time that standard cyber terms and technologies such as policy-based identity and multi-factor access controls, data-in-transit and data-at-rest encryption, key management and access monitoring be included in legislation to help drive specific actions, and not ignore the problem of how to keep private data private.
Jim Varner, CEO of SecurityFirst (opens in new tab)