In 2018 the United States saw 1,244 reported data breaches exposing nearly 450m records (Statista). The 2017 Cost of Data Breach Study from the Ponemon Institute estimated data breach costs at $141 per exposed record. Using those figures, the cost of data breaches in the United States in 2018 was greater than $62.9B. With those statistics in mind, it is easy to see why data protection has been a hot-button issue over the past year. Between Congressional hearings on Facebook’s data privacy practices, the passing of the California Consumer Privacy Act, and the billions of users whose sensitive information has been exposed, there has been no scarcity of news coverage on the issue. Governments around the globe are beginning to take notice and act to strengthen the regulatory environment and consumer privacy.
The European Union (EU) was one of the first to enact a significant data privacy regulation. The General Data Protection Regulation, better known as GDPR, was put into effect in 2016 with the goal to provide citizens greater control over their personal data and to more severely penalize organizations that do not uphold citizens’ privacy.
GDPR applies to all organizations operating in the EU, whether they are based there or simply offer goods and services to consumers within the EU. GDPR contains five primary mandates:
- All organizations beholden to the regulation must obtain consent in order to process someone’s data.
- Collected data must be anonymized to protect privacy.
- In the event of a data breach, the breached organization must provide notifications as defined.
- Data in transit must be appropriately secured and handled.
- Certain companies must appoint a Data Protection Officer (DPO) who oversees data privacy and protection in general and GDPR compliance more specifically.
It is only a matter of time until the US introduces a similar data protection law at the federal level. While there is currently no bill at the federal level, most US states have their own set of regulations pertaining to data privacy and protection. This has created an overly complicated and inefficient environment for companies that operate within the US, as they must constantly adapt to and comply with varied and shifting laws in each state they operate within. Prior to the introduction of GDPR, the EU faced a similar issue because many countries within the EU had their own laws in place.
US State Law
State laws generally address five areas. While the specific mandates in each of these areas vary from state to state, there are standard elements that are shared by many states. The five areas and their common standards are:
Covered Entity Definition
Any person or business who conducts business in (the state) and who owns or licenses computerized data that includes personal information; any person or business who maintains computerized data that includes personal information that the person or business does not own.
Information Security Requirements
Entities maintaining personally identifiable information must “implement and maintain reasonable security procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.”
Personally Identifiable Information (PII) Definition
Personally Identifiable Information (PII) is any data or combination of data that can be used to distinguish or trace an individual’s identity. For a majority of states, the definition of PII is the same:
First name/initial paired with last name and one or more of the following forms of data:
- Social Security Number
- State Identification #
- Driver’s License #
- Account #, Credit Card #, or other ID # with password or security code that would provide access to a financial account.
Breach Notification Requirements
All states require that notification be provided to the necessary parties without unreasonable delay. In some cases, notification will be intentionally delayed to accommodate the needs of an ongoing law enforcement investigation. Most states that specify how long entities have to provide notification require it within 45 days of the discovery of the breach.
Fines for Compliance Failure
There are a variety of fines and penalties which can be applied in the case of a data breach. The fines and penalties applied in a specific instance are influenced by the environmental and operational factors that led to the breach, as well as by the appropriateness of the entity’s response upon discovering the breach. For example, many states apply specific penalties in cases where the breached entity failed to provide proper notice to affected parties within the time prescribed by the state. Additionally, some states distinguish between reckless negligence and knowingly or willfully committing misdeeds.
Along with the different factors that go into determining the severity of the penalty an entity should face, there are a variety of grounds on which an entity can be fined or penalized, such as failure to meet data privacy responsibilities, failure to comply with notification requirements, and restitution of damages.
How to Prepare
Every company needs to ensure they are complying with data protection laws. Clearview assists companies of all sizes in assessing and developing a data protection program that is appropriately sized and cost effective. Our process starts with an assessment of the current security environment using a comprehensive security framework that identifies key areas for improvement and provides you with realistic recommendations. Contact Aaron Kerr (email@example.com) or Todd Jennings (firstname.lastname@example.org) for more information about data protection and how your company can start taking steps to improve your information security posture.