The regulatory landscape is something that touches every organization at some point. Regulations and standards cover many aspects of business, from how you dispose of waste to employment and tax. Some of the most complex and nuanced regulations are those that cover the area of personal data protection and privacy.
In recent years, data protection and privacy regulations have become more stringent and wide-reaching. The reasons for this are varied but include the ubiquitous use of cloud computing and the more fluid movement of data. They are also a response to consumer pressure.
Pew Research found that over half of U.S. adults feel their data is less secure than it was five years ago. Also, 47% of U.S. adults are concerned about their online privacy; together with expectations of easy access to consumer data, you can see why regulatory bodies are reacting.
Meeting regulatory requirements around data protection is not an on/off switch. It can be onerous, time-consuming, and costly for a business. However, the first step on the track to compliance is to know what regulation or standard you must meet. Here we look at some of the most well-known that you should be aware of to help build your compliance strategy around data protection.
Major Regulations and Laws that Impact U.S. Companies
The U.S. currently has a mosaic of data protection and privacy regulations and laws: a number of state-specific regulations alongside industry-specific ones. The following are some of the regulations that may affect your company; you should also look at any state laws that may impact your business.
General Regulations, Frameworks, and Programs
General Data Protection Regulation (GDPR)
Although this law originates in the European Union it has a far-reaching impact. The GDPR sets out stringent rules around the collection and processing of personal data – this includes customers, employees, contractors, and even potential employees; in fact, any individual your company deals with that could be identified using data you process.
The GDPR came into effect on May 25, 2018. Since then, fines totalling around $480 million have been issued.
Although it is designed to protect the personal data of individuals in the EU (regardless of their citizenship), the GDPR can impact U.S. companies too. If an organization is based outside the EU but collects and/or uses the data of people in the EU, it will need to abide by GDPR rules. For example, if a website collects email addresses for a newsletter, and EU visitors may sign up, the website will need a clearly worded opt-in consent option for the newsletter; you cannot use opt-out, pre-ticked boxes, or assumed consent.
The GDPR sets out a number of ‘data subject rights’. A data subject must be able to:
- be informed about their data;
- have access to their data;
- ask for data rectification;
- ask for data erasure;
- request restricted processing of data;
- have data portability;
- object to data use; and
- not be subject to decisions based solely on automated processing.
The GDPR also has some of the most onerous fines, set across two tiers (the GDPR text uses “annual worldwide turnover”):
- Lower tier: up to 2% of annual global revenue or 10 million Euros, whichever is higher. This tier covers breaches of controller and processor obligations, such as failing to notify a data breach or not conducting a data protection impact assessment (DPIA).
- Upper tier: up to 4% of annual global revenue or 20 million Euros, whichever is higher. This tier covers breaches of the basic principles, including failure to obtain valid consent to use personal data, and breaches of data subject rights.
EU-US Privacy Shield
This was a framework negotiated by the U.S. Department of Commerce and the European Commission to ensure that data flowing between the two meets the required data protection standards. The Privacy Shield took effect on August 1, 2016. It is different from the GDPR: Privacy Shield is about the movement of data between two jurisdictions, as opposed to an individual’s rights to privacy. A U.S. organization transferring personal data from the EU to the U.S. could self-certify under the EU-US Privacy Shield program as one lawful transfer mechanism (standard contractual clauses are another); a participating U.S. company will have demonstrated it can adhere to the required level of data protection for EU data. Note that in July 2020 the Court of Justice of the EU invalidated the Privacy Shield adequacy decision (the “Schrems II” ruling), so it can no longer be relied on for transfers; check the current status of any transfer mechanism before depending on it.
California Consumer Privacy Act (CCPA)
The CCPA took effect on January 1, 2020. The law covers the personal data privacy and protection of California residents. Any business that handles the data of California residents and meets the thresholds below is subject to the CCPA requirements. Data protection includes a raft of requirements, such as the rights to access and erasure. A business that sells personal information is also expected to provide a clear “Do Not Sell My Personal Information” link on its website.
The CCPA applies to any for-profit commercial organization that sits within the jurisdiction of California, i.e.
“does business in the state of California.” – CCPA legislation
The scope of the jurisdiction is, however, left vague. This means that any business, in any location, that processes the personal data of California residents will likely fall under the regulation. For example, an online retailer that sells goods to a customer in California would be subject to the CCPA.
The CCPA does offer derogations based on organization size and data consumption. A business falls under its remit if it meets any one of the following criteria:
- Has annual gross revenues over $25,000,000, OR
- Buys, receives, sells, or shares the personal data of 50,000 or more California consumers, households, or devices per year, OR
- Derives 50% or more of its annual revenue from selling California consumers’ personal data
Fines are lower than the GDPR at:
- $7,500 for an intentional violation of any provision, or
- $2,500 for unintentional violations
However, the act also gives consumers a private right of action to bring lawsuits when a breach exposes personal information that was “nonencrypted or nonredacted”. This may open up wide-ranging and expensive class-action lawsuits, which is a strong practical argument for encrypting stored personal data.
Children’s Online Privacy Protection Rule (COPPA)
Research by Javelin Strategy found that more than 1 million U.S. children were victims of identity theft in 2017. To help prevent the abuse of children’s data, the U.S. has a child-specific data protection law, COPPA, whose implementing rule is enforced by the Federal Trade Commission (FTC). The rule applies to the collection of personal information from children under 13 years of age. The main goal of COPPA is to place control of a child’s data into the hands of a parent or legal guardian. COPPA applies to websites, online services, and mobile apps that collect and process the data of children.
COPPA has a number of requirements, including:
- Give direct notice to parents
- Obtain verifiable parental consent before collecting personal data from children
- Provide parental access to their child’s personal information
Industry-Specific Regulations and Directives
A number of industries have specific rules that cover the use of personal data.
Protected Health Information (PHI) is a valuable commodity; a TrustWave report found that PHI was being sold on the darknet for around $250 per health record.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a framework for PHI protection. HIPAA has been around since 1996. However, HIPAA has had some more recent updates to reflect changes in online health records and other technology related risks.
The HIPAA Privacy Rule lists 18 identifiers (names, dates other than year, phone numbers, email addresses, Social Security numbers, medical record numbers, IP addresses, biometric identifiers, and so on); health data linked to any of them is PHI, and all 18 must be removed for a record to count as de-identified under the “safe harbor” method. HIPAA is defined through five rules; two, in particular, are weighted towards data protection and privacy:
- HIPAA Security Rule: This rule covers data integrity and confidentiality. The rule has provisions for encryption and the use of robust authentication for data access control. There is also coverage of employee compliance training and awareness. Physical access safeguards are also part of this rule.
- HIPAA Privacy Rule: This rule is augmented by the security rule and covers the rights of the individual to control the use of health data.
The HIPAA Omnibus rule extends the protection of PHI and HIPAA to any business associate that handles health data.
HIPAA has stringent rules on breach notification. Any data breach affecting 500 or more individuals must be reported to the Office for Civil Rights (OCR) without unreasonable delay and no later than 60 days after discovery. The OCR then displays the notice on a public website, often referred to as the “Wall of Shame”.
Health Information Technology for Economic and Clinical Health Act (HITECH)
HITECH, first enacted in 2009, is about the protection of electronic health records (EHR), i.e. electronic PHI (ePHI).
Subtitle D of HITECH covers the security and privacy of ePHI. Penalties for violations can be up to $1.5 million per calendar year for violations of the same provision.
HITECH has a similar requirement to HIPAA for breach notifications.
HITECH and HIPAA are separate laws, but they do interact, augment, and overlap each other.
Any organization that handles data involved in financial transactions comes under data protection regulations.
Gramm-Leach-Bliley Act (GLBA)
This U.S. federal law regulates how financial institutions communicate about and protect customer data. The Federal Trade Commission (FTC) enforces the GLBA “Safeguards Rule”, which requires a risk assessment and a written information security plan based on the results of that assessment. The scope of GLBA covers many business types; if your organization transacts financial products or services, you may need to comply.
Payment Card Industry Data Security Standard (PCI DSS)
PCI-DSS is an industry standard rather than a law: it is maintained by the PCI Security Standards Council and enforced contractually through the card brands and acquiring banks. Version 1.0 was released in 2004, version 1.2 in 2008, and the version current when this was written (3.2.1) in May 2018. PCI-DSS has wide scope, covering merchants of all sizes, financial institutions, payment processors, and Point of Sale vendors. The standard also covers telephone-based transactions. There are four merchant compliance levels, depending on the number of transactions processed per year.
PCI-DSS compliance covers cardholder data (the primary account number, cardholder name, expiry date) and sensitive authentication data (full magnetic stripe or chip track data, the CVV2/CVC2 security code, and PINs or PIN blocks). Cardholder data may be stored only if protected (for example masked on display and rendered unreadable at rest); sensitive authentication data must not be stored after authorization, even encrypted.
Fines of up to $500,000 per incident have been levied by the card brands on non-compliant organizations.
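The two PCI-DSS data classes above map to concrete handling rules in code: mask the PAN on display (first six and last four digits at most), render it unreadable at rest, and drop sensitive authentication data before anything is persisted. The following is an added illustration of those rules, not code from the standard or from any payment vendor; the field names, the HMAC key and the sample authorization record are constructed for the example.

```python
"""Added example: handling cardholder data (CHD) and sensitive authentication
data (SAD) in line with PCI DSS 3.2.1 Requirement 3.  Illustrative code only;
field names, the HMAC key and the sample record are assumptions for the demo."""
import hashlib
import hmac
import re

# SAD (PCI DSS 3.2.1 Req. 3.2) must never be stored after authorization,
# even encrypted.  These field names are an assumption for this example.
SENSITIVE_AUTH_FIELDS = {"cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# Demo-only key.  In production the key lives in an HSM/KMS, never in source.
_PAN_HMAC_KEY = b"demo-key-replace-with-hsm-managed-secret"


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and check that what remains looks like a PAN (13-19 digits)."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must be 13-19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check used by card networks; it catches typos, not fraud."""
    digits = [int(c) for c in normalize_pan(pan)]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit counting from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by Req. 3.3: at most the first six and last four digits."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str) -> str:
    """Storage form for Req. 3.4: keyed one-way hash, so the PAN is unreadable at
    rest but records for the same card can still be matched.  The key must be
    protected like any other cryptographic key."""
    return hmac.new(_PAN_HMAC_KEY, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of an authorization record that is safe to persist:
    SAD fields dropped, full PAN replaced by masked PAN plus token."""
    pan = record.get("pan")
    if pan is None or not luhn_valid(pan):
        raise ValueError("record has no valid PAN")
    safe = {k: v for k, v in record.items()
            if k not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    safe["pan_masked"] = mask_pan(pan)
    safe["pan_token"] = pan_token(pan)
    return safe


# Constructed sample authorization message (well-known test card number, fake data).
SAMPLE_AUTH = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/25",
    "cardholder": "J DOE",
    "cvv2": "123",
    "track2": "4111111111111111=25121010000000000000",
    "amount": "19.99",
}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_AUTH))
```

Running the block prints the record with `cvv2` and `track2` gone, `pan_masked` as `411111******1111` and a 64-hex-character `pan_token`. Whether a keyed hash is acceptable in place of tokenization or encryption, and how the key is managed, is a scoping decision to confirm with your QSA; the point of the example is that SAD never reaches storage and the full PAN never reaches a log, a display or a database column.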
23 NYCRR 500 cybersecurity
This is a New York State Department of Financial Services regulation, effective March 1, 2017, enacted to protect consumer data held by financial services companies that DFS regulates. Like PCI-DSS, it applies to the financial use of consumer data, but it is a legal regulation with a broader cybersecurity program requirement (a written policy, a CISO or equivalent, risk assessments, access controls, and 72-hour notification of qualifying cybersecurity events to DFS). The regulation requires a demonstration that an organization has taken “reasonable care” to prevent data breaches.
Manufacturers (IoT Devices)
IoT device manufacturers are now falling under the remit of data privacy law as their devices collect and process personal and behavioral data.
California Senate Bill No. 327
California Senate Bill No. 327, effective January 1, 2020, focuses on the Internet of Things (IoT). Rather than regulating the data itself, it sets out security requirements for connected devices sold in California: each device must have “reasonable security features” appropriate to its function and the data it collects, and if it has remote authentication it must ship with either a unique preprogrammed password or a forced password change on first setup.
Regulations and Data Protection into the 2020s
A recent development in the U.S. exemplifies the movement towards a federal view on data protection and privacy. In November 2019, U.S. Senate Democrats introduced the Consumer Online Privacy Rights Act (COPRA). This proposed federal law is likely to mirror the CCPA and possibly go as far as the GDPR in terms of conditions and requirements.
Data protection requirements, whether federal, state or industry-focused, are all complex in detail and require specific implementations. This can be difficult for the smaller organization that may not have the internal expertise to execute the requirements.
One area that managed service providers (MSP) can help with is ensuring that your company is prepared for compliance with various data protection regulations. If the MSP has a security practice, this includes being able to offer best-of-breed solutions.
Often complying with one regulation will mean that you meet at least some of the requirements of another regulation. But data protection regulations are not just about ticking the compliance checklist. Being privacy respectful and protecting data also means that your company is protected against the loss of customer trust and allows you to avoid the heavy costs of a data breach.
Final Version of the GDPR: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
PCI-DSS Penalties: https://financial.ucsc.edu/pages/security_penalties.aspx
New York State Department of Financial Services, 23 NYCRR 500: https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
Consumer Online Privacy Rights Act: https://www.cantwell.senate.gov/imo/media/doc/COPRA%20Bill%20Text.pdf