Sage Advice - Cybersecurity Blog

Privacy Regulations: What You Should Know

Privacy-Regulations-PostAs consumers, our information is everywhere. With nearly everything connected to the web, it’s nearly impossible not to have your personal data out there. Because of this, privacy is a hot topic, now, more than ever. This means that entities must take precautions to protect the valuable data they have on you so that your personal data is not stolen.

Although the Organization for Economic Cooperation and Development (OECD) has outlined some best-practice privacy guidelines for organizations, the not-so-simple question remains. Is privacy a legal right? The answer is yes and no. There is no explicit mention of privacy in the U.S. Constitution, however, the courts have ruled that the right to privacy is implied. Narrowly defined sector-specific regulations now exist, like the Gramm-Leach-Bliley Act (GLBA) for protecting financial data and the Health Insurance Portability and Accountability Act (HIPPA) for medical data.  These regulations are restricted to the specific sector, and in most cases, the personal information being protected is transactional based, meaning it could be used for identity theft.

Recently, several agencies began developing privacy regulations specific to the data that they collect and use, in particularly, U.S. agencies like the Federal Communications Commission, the Department of Commerce Department, Department of Transportation, and the Internal Revenue Service.

Confederation and State Regulations

Alongside specific regulations at the organization and sector levels, some U.S. states and international confederations have passed more widespread privacy regulations that organizations within that area must follow.

There are strong protections for all individuals in the European Union (EU) and the European Economic Area (EEA) under the General Data Protection Regulation (GDPR), which includes all EU constituent data that’s processed, stored, and transmitted within the EU, and even extends to the export of personal data outside of the EU. If your organization has clients, patients, prospects, stakeholders, or customers that are EU citizens or reside in the EU, these regulations will apply to you.

GDPR is based on the OECD principles, but it also addresses the transfer of personal data outside of the EU and EEA areas. GDPR aims to give control to individuals over their data and simplify the regulatory environment for international business by unifying the regulation all countries that make up the EU and EEA.

Unlike other privacy rules, a key part of GDPR is that is requires data subjects to provide informed consent to data processing done by organizations for one or more purposes. If individuals do not explicitly give consent (like checking a box to receive further communication from a company after signing up for their monthly newsletter) personal data may not be processed unless there is a legal basis to do so.

In addition to consent, organizations are required to notify data subjects if there is a breach within 72 hours of the event. People have the right to access their data, and they also have the right to be forgotten, meaning that they can request that the organization delete their data at any time. Individuals have a right to own their data, and companies must operate with a “privacy by design” mindset – that is, always keeping privacy in mind when doing business. Organizations should also have their own Data Protection Office to ensure GDPR is always being followed.

Closer to home, the State of Maine just enacted what is widely considered to be one of the most restrictive privacy regulations for internet service providers. California is also making strides in privacy since establishing the California Consumer Privacy Act (CCPA) in 2018. State residents now have the right to be informed about what personal information companies have of theirs and why it is collected. The law stipulates that consumers have the right to request deletion of personal information, opt out of the sale of personal information, and access the information in a “readily usable format,” that enables its transfer to third parties without hindrance. The CCPA also establishes a broad definition of personal information: a consumer’s personal identifiers, geolocation, biometric data, browsing history, psychometric data, and inferences a company might make about the consumer.

Organizations that fail to maintain the reasonable security practices outlined within GDPR and CCPA will face significant financial penalty. If your organization does any kind of business in the EU or California, it’s important that you know who you are communicating with and collecting information from, what information you are collecting, and ensuring that you can give them access to the data if they ask.

Be prepared: It’s only a matter of time

Even if your organization is not impacted by a privacy law like GDPR or CCPA today, state and federal regulations are becoming more and more common, especially around the United States. Companies operate according to their own individual privacy policies, but new laws are likely to be rolled out in more states sooner rather than later. The government sees that our privacy is a big deal, and consumers need their information secure and safe from a potential breach.

In the meantime, organizations should put a strong privacy policy in place (if they don’t already have one) and strive to collect and keep only clean, necessary data as it pertains to their business objectives. It’s only a matter of time until we see laws popping up on a more widespread state and federal level.

Threat-Hunting-Guide-CTA-LI

 

Topics: Privacy

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More