Heather Hobson is an author, consultant and founder of H Hobson Consulting. She is a seasoned cybersecurity, risk, and privacy expert with years of experience in the banking, media and technology industries that include The New York Times, Citigroup, ABN AMRO and EMC. Heather splits her time between New York City and the Catskill mountains, exploring the world with her husband and their dog as often as possible.
How CIOs Should Plan for U.S. Data Privacy Laws
In a recent IT & Technology Trends report by CGS, respondents agreed that the top disruptive issue in 2019 will be Data Privacy and Governance. Fueled by consumer frustration over massive privacy breaches and data scandals and inspired by the EU’s recent sweeping General Data Protection Regulation (GDPR), individual states in the U.S. are enacting Consumer Privacy laws that will impact business operations around the country and across the world. U.S. states are proposing and passing competing and conflicting statutes that have the potential to create a morass of confusing corporate obligations, resulting in a chaotic and perilous operating environment for companies doing business in the U.S. Right now, U.S. businesses have a narrow window of opportunity to create an industry consumer data council to develop nationwide protections that can standardize regulation and compliance requirements across the country, like the Payment Card Industry did in 2004, to forestall a fractured landscape of incompatible state-level consumer protections.
Consumer data breaches and data misuse have become commonplace public scandals in recent years, and many of these have involved the personal data of millions of consumers at a time. However, the 2016 Cambridge Analytica scandal was a game changer in the minds of U.S. consumers and lawmakers alike. In this incident, the personal information of over 87 million Facebook users was compiled and used by Cambridge Analytica without the permission of most of the consumers involved, without ever breaching or hacking Facebook. This difference from previous consumer data exposures was key to fueling consumer outrage: users discovered that their personal data was being passed to third parties without their awareness or permission, and that this type of transfer was legal and acceptable under U.S. law and Facebook privacy agreements.
In a data breach, the information is either stolen or accidentally released, against the intentions of the organization that holds it: a breach is ultimately a security problem. But the Cambridge Analytica scandal showed Americans that their data was being widely shared without their knowledge, without ever being stolen. Many consumers were angered by this new awareness, and many lawmakers around the country have begun looking for solutions to protect their constituents.
Coupled with massive, high profile data breaches like Equifax (143 million consumers’ financial data), Yahoo (3 billion consumers’ personal information), and Deep Root (nearly 200 million consumers’ data), data scandals like Cambridge Analytica have created a sense of urgency in consumers and lawmakers alike that is resulting in new and proposed laws in the U.S. and around the globe.
The California Consumer Protection Act (CCPA), passed in 2018, is the most sweeping, expansive, state-level privacy law in the U.S. in the wake of these privacy scandals, but other new and proposed laws are coming online from Washington State to Illinois to Texas. CCPA is notable because of the number of U.S. consumers it covers (nearly 40 million), the depth and breadth of that coverage, and the impact on businesses located around the country and across the world.
Unlike GDPR, which only affects U.S. companies that operate within the EU or process personal data of EU citizens, CCPA will affect every U.S. company that meets one of its three thresholds, regardless of where the company is based or operates, so long as that company collects or manages consumer data of California residents. The CCPA thresholds are:
- Annual gross revenues of at least $25 million; or
- Possession of the personal information of at least 50,000 consumers, households or devices; or
- At least 50% of annual revenue obtained from selling consumer data
CCPA defines consumer rights that cannot be ceded, regardless of the terms of corporate privacy statements. These include the rights to know what data is being collected about them, to know when their data is sold or disclosed, to say no to the sale of that data, to access their data, and to have their data removed. CCPA further protects consumers by guaranteeing equal service and price regardless of whether consumers exercise these privacy rights: in other words, companies cannot offset their increased overhead from these regulations by increasing prices for consumers who use these rights.
CCPA is the first salvo in what promises to be a barrage of state and local jurisdictional privacy laws.
There must be two solutions for the problem threatened by varied and disparate privacy regulation across the country: a short-term, tactical solution to understand and comply with laws that are passed, and a long-term, strategic solution to shape the future of consumer privacy in the U.S.
The short-term solution for any organization is to identify whether your company is covered by CCPA or other U.S. privacy laws, and then either implement solutions to adhere to those laws or shut down particular operations that might break them. For example, Google has already decided to close its Google Plus (Google+) operations rather than bring them into compliance with CCPA.
Identifying what new state-level privacy laws will impact your organization will become an increasingly complex problem, and one that means operational changes for most U.S. companies. Many companies will need to create a core team made up of Legal, HR, IT and Operations representatives to help drive awareness and compliance with these laws. In most cases, companies will need to have both a Data Protection Officer and a Chief Information Security Officer, although for organizations with resource challenges, these may be shared roles. It will be critical for companies to ensure that this dedicated person has the necessary skills and knowledge to be effective. Outsourced managed services teams and executives, like a Virtual CISO, can be an ideal solution for organizations that need comprehensive experience without the resource challenges of hiring dedicated staff.
Implementing solutions that will meet these new legal requirements will likely pose an even greater challenge to U.S. companies than the initial identification of those requirements. With CCPA alone, these solutions must include a link on the company’s home page that consumers can click to prevent the sale of their data. This single requirement brings a myriad of operational challenges for most organizations that will result in comprehensive data governance and data system integration. Another example of operational complexity from the CCPA is the regulation of household data and device data, independent of individual consumers. Many organizations may not have granular enough visibility into the data to identify and control it at the household or device level. Challenges such as these contributed to Google’s decision to close the struggling Google+ social network, rather than attempt to implement the necessary controls and solutions. Companies will need to build and implement a data privacy framework that complies with the most stringent requirements, and that will need to be updated regularly to stay current in an evolving privacy landscape.
In the longer term, U.S. companies have an opportunity to change that landscape by advocating for a comprehensive federal standard across all U.S. states. In the early 2000s, the Payment Card Industry faced a similar disruption. Credit card data theft and fraud were widespread issues, and various U.S. state legislatures began looking to implement consumer protections. With the help of guiding organizations like Netitude, the industry created the Payment Card Industry Security Standards Council, which developed the Payment Card Industry Data Security Standard (PCI DSS) with input from consumers, corporations, and government agencies. This solution standardized security requirements across the country and simplified what was promising to become a convoluted regulatory environment.
Similarly, consumer data protection is clearly coming in the U.S., but how it arrives is not yet settled. Companies that collect, use or sell consumer data have the opportunity today to develop a federal standard that will define how it is protected, but that opportunity is fleeting.