RSI Security recently partnered with Trustifi to discuss some significant considerations for the future of data privacy and security. Panelists discussed companies’ pain points concerning various, overlapping compliance frameworks and how RSI Security and Trustifi can help address them. Read on for a comprehensive recap of the data privacy webinar.
Webinar Recap: How To Prepare for the Future of Data Privacy
At the beginning of the webinar, Security Associate Nicole Fredrich noted an animating point from a recent poll. Of all participants asked about whether their company is ready for the future of data privacy, only 47% indicated they felt they were “over halfway prepared.” So, if the majority feels less than halfway prepared, what are some of the big reasons?
One major obstacle is data mapping—or identifying relevant data that needs protecting. Another is meeting data protection requirements, which differ by country. Then, there is the data privacy landscape here in the US, which differs by state. Other significant considerations involve trends impacting data privacy at present, such as a shift in cybercrime toward medical data rather than credit cards. The last important point of discussion involved enforcement. Companies that fail to comply with data regulations may incur penalties, which differ by framework and severity.
The Biggest Obstacle to Data Privacy: Mapping Sensitive Data
Peter Phaneuf, Senior Security and Privacy Advisor at RSI Security, established that the biggest obstacle to data privacy and security is mapping. Successful mapping requires identifying several critical factors:
- What sensitive data a company needs to protect. Primarily, this means identifying all personal and personally identifiable information (PII) owned, stored, or processed.
- Within data files, companies must also locate the elements counting as PII.
- Why a company currently controls PII or other sensitive data (i.e., use cases).
- When data can or must be retained, at a minimum or maximum (i.e., retention time).
- Peter noted that most data protection frameworks specify that there needs to be a retention time but leave it up to companies to justify their specific thresholds.
- Where the sensitive information is located within a company’s physical or digital assets.
Peter then noted that the other major factor impacting data protection for most companies is adjusting to regulatory policies that stipulate how data is supposed to be protected. Nicole then asked about how data protection officers can help address policies, leading to the next point.
Data Protection Policies, and How Data Protection Officers Help
RSI Security’s Director of Information Security and Compliance, Mohan Shamachar, led the following section with an overview of data protection policies that companies must be aware of when business activities involve other countries’ citizens’ data. He began by outlining some notable differences between regulations for data protection officers (DPO) across countries.
The European Union (EU) General Data Protection Regulation (GDPR) explicitly requires a DPO for companies processing EU member states’ citizens’ data. However, companies operating in or processing data from countries not covered by the GDPR may still require DPOs, or similar officials, for other legal adherences.
Beyond these distinctions, Mohan also covered some critical differences in the severity of data processing laws, and the reasons behind them, by country.
Differences and Similarities in DPO Requirements, By Country
Major differences exist in the scope of DPO requirements and stakeholder notification. Mohan categorized these in a visual aid as Scope and Registration / Notification:
- Scope – Not all countries specifically require a DPO for all companies:
  - Australia requires all governmental agencies to have a formal DPO.
  - Brazil requires all data controllers to have a DPO or similar role.
  - Canada requires DPOs for covered entities under private sector laws.
  - 27 EU Member States require controllers or processors to have a DPO.
  - The United Kingdom (UK) requires controllers or processors to have a DPO.
- Registration / Notification – These countries all require publication of the DPO’s contact information, along with other notification requirements in three cases:
  - Australia: contacting the Office of the Australian Information Commissioner
  - EU Member States: contacting the data protection authority (DPA)
  - United Kingdom: contacting the Information Commissioner’s Office
Aside from these differences, the required tasks and training were identical for all countries detailed by Mohan. Namely, DPOs require knowledge of all applicable laws and practices, as their responsibilities include:
- Informing all staff about data protection requirements
- Cooperating with local DPA (or equivalent authorities)
- Fielding data privacy complaints
Strictness and Focus of Data Privacy Laws by Country
Shifting focus, Nicole posed a question about which countries have the strictest data privacy laws. Mohan noted that it depends on what kind of data a company needs to protect. There are major differences between the priorities of the GDPR, similar regulations in the UK, and the laws applicable to companies working with data that belongs to Californians—whether the company is in the US or not.
Mohan explained that all the applicable regulations in these places define sensitive data in their own ways, leading to differences in how (and why) data must be protected. Consider:
- The UK has the largest medical database globally, due to the National Health Service (NHS). So, UK regulations tend to prioritize de-identification of medical data.
- The GDPR stresses personal identifiers such as political, gender, geolocation, and other general demographic factors. The wide net makes GDPR one of the strictest rule sets.
- In the US, data privacy laws are primarily concerned with security measures rather than with privacy proper. In other words, they focus on the steps taken to ensure data privacy.
At this point, Trustifi CEO Rom Hendler stepped in to note that the GDPR is considered the gold standard for general data privacy at present. This is similar to how, for a long time, the Payment Card Industry (PCI) Data Security Standard (DSS) has been the standard for credit card data.
Another Obstacle: Data Protection Requirements in the US
Next up, Nicole asked Peter to talk about privacy rights and business obligations within the US, or trends related to them, all of which are loosely based on the EU GDPR rules. Peter began by looking into acts already signed into law in two US states: California and Virginia.
In California, the pertinent acts are the California Consumer Privacy Act of 2018 (CCPA), which went into effect in 2020, and the California Privacy Rights Act of 2020 (CPRA), effective in 2023. Virginia signed into law one pertinent act, the Consumer Data Protection Act (CDPA), earlier in 2021, which also takes effect in 2023.
Then, Peter provided an overview of other bills currently in the works across several other US states, along with a proposed federal bill. He noted that many companies have trouble keeping up with and acclimating to the rapidly changing landscape all across the country.
Consumer Data Protection Rights in California and Virginia
Peter’s breakdown of rights guaranteed by the two states’ current and future laws included:
- Right of access – Granted in California by the CCPA and in Virginia by the CDPA.
- Right of rectification – Granted in California by the CPRA and in Virginia by the CDPA.
- Right of deletion – Granted in California by the CCPA and in Virginia by the CDPA.
- Right of restriction – Granted in California by the CPRA but not present in Virginia.
- Right of portability – Granted in California by the CCPA and in Virginia by the CDPA.
- Right of opt-out – Granted in California by the CCPA and in Virginia by the CDPA.
- Right against automated decisions – Granted in California by the CPRA and in Virginia by the CDPA.
Note that, until the CPRA, Virginia’s CDPA offered more rights. But moving forward, California covers all data privacy rights of the CDPA, plus the additional consumer right to data restriction.
The other right guaranteed in California but not Virginia pertains to security, not privacy proper: the private right of action. This allows consumers to bring private legal suits against businesses that fail to protect their personal information adequately, including violating other rights above.
Data Privacy Business Obligations in California and Virginia
Peter’s breakdown of business obligations in the current and future laws included:
- Required notice or transparency – Upheld in California’s CCPA and Virginia’s CDPA.
- Required risk assessments – Upheld in California’s CPRA and Virginia’s CDPA.
- Prohibition of discrimination – Upheld in California’s CPRA and Virginia’s CDPA.
- Limitations on processing – Upheld in California’s CCPA and Virginia’s CDPA.
The only significant difference between the two states’ requirements is the opt-in requirement age: 16 for California (as of the CCPA) and 13 for Virginia. Beyond that one exception, California’s data privacy requirement laws had been more lenient than Virginia’s until the CPRA made them near-identical. Both are similar, now, to the EU GDPR.
New Data Privacy Laws in the Works Across Other US States
Per Peter’s overview of other data privacy laws being considered across various US states:
- There are active data privacy bills in five US states, as of Peter’s presentation:
  - Alaska – Senate Bill (SB) 116 and House Bill (HB) 159
  - Colorado – SB 21-190
  - Connecticut – SB 893 (similar to Virginia CDPA)
  - Nevada – AB 323 and SB 260
  - New Jersey – Assembly Bill (AB) 5448, AB 3283, and AB 3255
- There have also been data privacy bills introduced in 11 other states:
  - Alabama – HB 216 (similar to CCPA)
  - Illinois – HB 2404 and HB 3910
  - Massachusetts – Senate Docket (SD) 1726
  - Minnesota – House File (HF) 36 and HF 1492 / Senate File (SF) 1408
  - New York – Numerous bills sitting in committee
  - North Carolina – SB 569
  - Pennsylvania – HB 1126
  - Rhode Island – HB 5959
  - South Carolina – HB 3063
  - Texas – HB 3741 (heavily modified version of the CCPA)
  - Vermont – HB 160 (still an early, short-form bill)
At the time of the webinar, numerous dead bills had already failed to pass their state legislatures, including:
- Arizona – HB 2865
- Florida – HB 969 and SB 1734
- Kentucky – HB 408
- Maryland – SB 930
- North Dakota – HB 1330
- Oklahoma – HB 160
New Comprehensive Federal Data Privacy Law Being Considered
Finally, Peter noted that there are also federal privacy bills bubbling up at present, such as the Consumer Data Privacy and Security Act, proposed by Senator Moran (Kansas) in 2021, which would:
- Apply to all businesses with fewer than 500 employees, grossing less than $50 million annually per receipts, and processing fewer than 1 million individuals’ data.
- Cover personal and personally identifiable information, similar to GDPR.
- Create rights pertaining to informing citizens of the data collected, access to it, accuracy, deletion, and export of the data to machine-readable formats.
- Impose obligations to provide clear notice swiftly and prominently, obtain consent from individuals prior to data collection, make data policies public, notify all individuals of their data privacy rights, and maintain a security program to uphold them.
- Enforce civil money penalties for each infraction, up to $42,530.
Peter noted that, if passed, the legislation’s strictness is likely subject to current political parties’ philosophies and ongoing debate, but that it may meet or exceed CA’s and VA’s existing laws. Regardless, Peter reaffirmed that all businesses must prepare for strict regulations soon.
Software Solutions to Trending Challenges in Data Protection
Moving forward, Nicole posed a question about how these new developments impact Trustifi’s solutions and clients. Zack Schwartz, Vice President of Business Development at Trustifi, noted that the primary goal of all Trustifi tools and services is to find a happy medium between locking down users’ data and giving users the ability to use their data as needed. Encryption is the key (no pun intended) to striking this balance, per Zack. His answer led Nicole into querying all panelists about what cross-industry trends they see on the horizon.
Peter noted that cybercriminals used to target credit cards; now, they are stealing health data.
(At a later point in the conversation, Zack circled back to note that the main reason hackers target healthcare data is that they have found they can use it for insurance fraud schemes.)
Rom then explained that COVID has had a significant impact on this shift, increasing the volume and variety of health data. Unfortunately, it’s easier than ever to use this data for illegitimate financial ends, and there is more of it available for exploitation than ever.
How Exactly Trustifi Helps Ensure and Optimize Data Privacy
Moving into a more pointed discussion of how Trustifi addresses these trends, Rom highlighted the applicability of Trustifi across various industries. For example, a recent case involved a client dealing with issues related to online gaming and location-based restrictions on a reservation.
One of the primary solutions for this client (and others) is the innovative “one-click compliance” solution Trustifi has developed. The primary technology behind it is outbound encryption, which gives the end-user ultimate control over the extent to which their data is shared or kept private.
Rom noted that Trustifi is designed to maximize security without compromising productivity. He used the metaphor of adding locks to a house—doing so makes it more difficult for any unwanted intruders to enter, but it also makes it harder for you to enter and exit your own home, which is far from ideal. This is precisely the kind of compromise the team at Trustifi is trying to avoid.
Circling back later, Zack explained how one-click compliance helps users prevent data leakage through outbound email, which he identified as the primary cause of data privacy violations.
Final Major Obstacle: Penalties for Non-compliance
The last segment began with a quick overview of general stakes companies should consider with respect to non-compliance, along with principles to help them mitigate various risks:
- Legal risks – Several applicable privacy laws overlap, and their legal penalties compile.
  - An overall privacy program and culture help to deal with all applicable laws.
- Contract risks – Failing to comply may also involve breaches of your contracts.
  - A privacy program helps to keep business relationships mutually beneficial.
- Data breaches – In the US alone, there were 1001 identified data breaches in 2020.
  - These breaches exposed data of an estimated 155.8 million individuals.
- Third-party risks – Over 50% of data breaches are caused by (or involve) third parties.
Then, presenters offered individual analyses of specific consequences and considerations for individual data privacy frameworks—namely, GDPR penalties and HIPAA penalties in the US.
Variations in Applicable GDPR Fines Based on Severity
Peter began this segment with further analysis of applicable GDPR fines. He noted that the penalties depend on the severity of an infraction. A less severe incident could incur fines of up to 10 million euros or 2 percent of a company’s worldwide revenue—whichever is higher. Top cases from countries highlighted in an infographic Peter shared included the following:
- Denmark – A transportation service breach of retention limits (€200,000)
- France – A search engine breach of transparency and information duties (€50,000,000)
- Poland – A data analytics company’s breach of information obligations (€220,000)
- Portugal – A hospital’s breach of patient data confidentiality (€400,000)
- Spain – A sports association app’s unlawful data processing (€250,000)
- UK – An airline company’s undisclosed infringement (€180,000,000)
Multiple panelists agreed that EU Member States are using these enforcements as a revenue generator—almost as a tax. In practice, this means that states are motivated to seek out and enforce non-compliance penalties occurring within their borders or impacting their citizens. In addition, Zack noted that these fines are assessed pre-breach—unlike fines for HIPAA.
Multiple Factors Impacting HIPAA Non-Compliance Fines
Mohan then quickly turned his attention to HIPAA, the Health Insurance Portability and Accountability Act of 1996. HIPAA still applies within the US to companies processing patients’ medical and billing information, whether or not the companies are healthcare providers.
Mohan identified some of the primary factors that determine HIPAA non-compliance penalties:
- What type of violation the HIPAA covered entity committed
- How many violations the covered entity committed
- How many users were impacted by the violations
- How many records were impacted by the violations
- What the covered entity has done to address the violations
- Whether the covered entity has made corrections to prevent future violations
Mohan noted that the Office for Civil Rights (OCR) assesses a wide range of penalties. For example, a company may be on the hook for just $100 or up to millions of dollars per infraction.
Final Questions and Remarks on Data Privacy and Security
Closing out the webinar, one final question from the crowd was addressed. All panelists were asked whether CCPA and CPRA restrictions apply to a company operating out of Arizona with client data from California. Multiple panelists agreed that they do, as CCPA applicability depends upon the data subjects’ location, not that of the company processing the data. The same goes for GDPR applicability. Nicole then opened the floor for the panelists’ closing thoughts. All agreed that data privacy regulations are here to stay—and won’t loosen any time soon.
At present, unless your company plans on avoiding all data from residents of California, it needs to be CCPA compliant. If EU citizens’ data is in your sights, you need to comply with the GDPR.
In the future, there will likely be more data privacy regulatory frameworks you need to follow.
RSI Security’s Advisory and Education
RSI Security is here to help all companies navigate compliance and other concerns about personal data privacy and security. In addition to our advisory services, you can find past and future webinars providing education across numerous cybersecurity and compliance topics on our Events page.
To build out your program, contact RSI Security today!