Preparing Your Organization and Data for New Consumer Privacy Laws
Personal data is the most common target of intrusions today, so it is no wonder that state legislators across the nation have intensified their focus on rolling out privacy laws.
As organizations take inventory of their data to comply with the laws now taking effect, the California Consumer Privacy Act (CCPA), Virginia's Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA), they face a greater sense of urgency to put dedicated privacy programs in place, both to prepare for future privacy regulations and to get ahead of lookback periods.
More importantly, a privacy program provides a detailed roadmap should an incident occur. Privacy departments are the keystone of program development, and they play a major role in incident response because they are usually the best source of information about what data the organization holds and whose it is. The scope of personal data covered by privacy laws, and the notification obligations they impose, differ from data security priorities, so organizations cannot operate under the false assumption that the data security team has privacy compliance covered. Those that do grow increasingly vulnerable.
Data maps guide compliance
Since the early 2000s, states have enacted data breach laws, and every state now has one, requiring organizations to notify individuals when certain categories of "sensitive" personal information have been compromised. According to Michael Hellbusch, Partner at Rutan & Tucker, LLP and co-chair of the Orange County Chapter of IAPP, the new, more robust privacy laws expand the universe of data that companies need to be aware of, be responsible for, and know where it is being processed.
“Now that companies have to comply with privacy, they’re getting on board with the fact that they may have sensitive data they’re not aware of,” Hellbusch said. “It’s simply good process and hygiene to have data maps in place and include data that may be subject to notification obligations under new privacy laws.”
Creating data maps is the standard method for cataloging data, and it is the critical first step in preparing for a new generation of privacy laws and for incident response. Data mapping is complex, particularly for large organizations with disparate or siloed data, and it produces the best outcomes when it is a product of cross-functional collaboration that accounts for all of the data, and all of the notification obligations, under both breach-notification and privacy regulations.
In the simplest terms, a data map documents what data exists in an organization, how it is collected and through which systems it flows, where it is stored and for how long, and how it is categorized both internally and for compliance purposes. With this level of insight, organizations can assign distinct policies and security levels to that data as a framework for policy enforcement. A comprehensive data map also lets an organization quickly determine how many affected individuals reside in a particular jurisdiction, which is what decides its notification obligations there.
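The paragraph above describes what a data map records but not what an incident responder does with it. The following is an added example, not code or a schema from the article or from any vendor it mentions: a minimal machine-readable data map and the two queries a responder needs from it, namely which systems hold a copy of a dataset (the collection point plus everything it flows into) and, given a set of compromised systems, which datasets and categories are exposed and how many distinct individuals per state are affected. All system names, flows, retention periods and resident IDs are constructed for illustration, and the sensitive flag is a placeholder for whichever categories trigger notification in a given jurisdiction.

```python
"""Added example (not from the article): a minimal machine-readable data map
and the two queries an incident responder needs from it.  Every system name,
flow, retention period and resident ID below is constructed for illustration."""
from collections import defaultdict, deque

# Constructed data map.  Each dataset records where it is collected, the
# categories it holds, whether any category is "sensitive" for breach-
# notification purposes (placeholder flag), how long it is retained, and the
# IDs of the individuals in it keyed by the state they reside in.
DATA_MAP = {
    "datasets": {
        "account": {
            "collected_by": "web_signup",
            "categories": ["name", "email"],
            "sensitive": False,
            "retention_days": 1095,
            "residents": {"CA": {"u1", "u2", "u3"}, "VA": {"u4"}, "CO": {"u5"}},
        },
        "payment": {
            "collected_by": "checkout",
            "categories": ["card_number", "billing_address"],
            "sensitive": True,
            "retention_days": 2555,
            "residents": {"CA": {"u2", "u3"}, "CO": {"u6"}},
        },
        "support": {
            "collected_by": "helpdesk",
            "categories": ["ticket_text"],
            "sensitive": False,
            "retention_days": 365,
            "residents": {"VA": {"u4", "u7"}},
        },
    },
    # Directed copies of a dataset between systems: (dataset, source, destination).
    "flows": [
        ("account", "web_signup", "crm"),
        ("account", "crm", "warehouse"),
        ("payment", "checkout", "warehouse"),
        ("support", "helpdesk", "crm"),
    ],
}


def holders(data_map, dataset):
    """Every system holding a copy of `dataset`: the collection point plus all
    systems reachable from it along that dataset's flows (breadth-first walk)."""
    start = data_map["datasets"][dataset]["collected_by"]
    edges = defaultdict(list)
    for ds, src, dst in data_map["flows"]:
        if ds == dataset:
            edges[src].append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure(data_map, compromised):
    """Given the set of compromised systems, return the exposed datasets, the
    union of their categories, whether any notification-sensitive dataset was
    hit, and the number of distinct individuals per state.

    Individuals are counted by ID rather than by summing per-dataset totals,
    so a person present in both `account` and `payment` is notified once."""
    compromised = set(compromised)
    exposed = sorted(ds for ds in data_map["datasets"]
                     if holders(data_map, ds) & compromised)
    categories, sensitive, people = set(), False, defaultdict(set)
    for ds in exposed:
        rec = data_map["datasets"][ds]
        categories.update(rec["categories"])
        sensitive = sensitive or rec["sensitive"]
        for state, ids in rec["residents"].items():
            people[state] |= ids
    return {
        "datasets": exposed,
        "categories": sorted(categories),
        "sensitive": sensitive,
        "individuals_by_state": {s: len(ids) for s, ids in sorted(people.items())},
    }


if __name__ == "__main__":
    # A compromise of the warehouse reaches account and payment data (both flow
    # into it) but not support tickets, which only ever reach the CRM.
    print(sorted(holders(DATA_MAP, "account")))
    print(exposure(DATA_MAP, {"warehouse"}))
```

The point of keeping resident IDs rather than a headcount per dataset is that per-state notification numbers must be de-duplicated across datasets; summing the per-dataset totals for California here would give 5 where only 3 people are affected. In a real inventory the IDs would be references into a customer system, not literal user lists embedded in the map.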
Because privacy and security requirements differ (privacy laws apply to a broader set of personal information than breach-notification laws and security controls do), it is now mission critical for both sides of the table to come together and co-create incident response plans. Organizations should not assume that existing security compliance plans will cover future obligations under privacy laws.
Failing to prepare is preparing to fail
According to BakerHostetler's 2021 Data Security Incident Response Report, responding to a security incident now takes twice as long as it did in 2018: 66 days from detection to notification, up from 33. This is likely attributable to the fact that most organizations hold more data than ever before, spread across more systems than ever before. The massive shift to remote work in 2020 added a further layer of complexity, as teams had limited access to servers and the overall data footprint of most organizations expanded significantly.
But, businesses simply can’t ignore the fact that they don’t know where their data is anymore. Now more than ever, companies need to have reasonable security measures and incident plans in place.
Sensitive data will always be a high-value target for theft, and everything-as-a-service gives bad actors more gateways through which to breach data and network security. Now that a wide range of events is held to the same incident notification requirements under the new privacy laws, organizations must have a handle on their data. Broadly, there are three basic types of incidents:
- Encryption/ransom: ransomware that encrypts your data and restricts access to your own systems
- Network or system intrusion: often a single external-facing or internal system, sometimes the whole network
- Inadvertent disclosure: this can include scraping of exposed data, a lost or stolen laptop, or personal information sent to the wrong recipient
These incidents, along with less nefarious events such as bad press, a breach elsewhere in the industry, or targeting by a disgruntled consumer or employee, can cause a spike in data subject requests. This is where a well-prepared privacy department can shine.
“If companies don't know where their data is or who it belongs to, they won't be able to comply with notification obligations because it will take too much time to piece that information together after the fact,” Hellbusch said.
Developing a data map and privacy program before they are needed will make future incident response easier, faster, and cheaper. Gaining this insight before an incident occurs can also help identify potential risk factors, allowing the team to resolve them before they turn into issues.
Automation brings speed and accuracy to incident notification
As companies reevaluate their approaches to managing data and incident response in anticipation of new privacy laws and in advance of lookback periods, many are turning to automation to codify long-term compliance. Automation platforms can discover and categorize data (e.g. sensitive versus basic personal information, medical or financial information) and apply the corresponding notification and compliance rules to each category.
In addition, personal data is subject to access and deletion requests under the CCPA and VCDPA. Organizations with systems in place that not only process those requests but also verify the requester's identity before fulfilling a subject access request (SAR) greatly reduce their risk exposure, since an unverified request is itself a way to extract someone else's data.
Manual processes create greater risk, particularly when dealing with a high volume of requests. Each manual response leaves an organization vulnerable to inadvertent disclosures like sharing the wrong information or sending personal information to the wrong person. Automation mitigates the risks of privacy violations by human error, and the negative impact that can have on brand reputation.
As regulatory bodies continually update industry governance and more individual states introduce new privacy laws, companies need agile and scalable systems in place that can evolve with these standards and reduce the time and cost of maintaining compliance with multiple regulations. In addition to the right toolset, however, privacy and security teams must start to work in unison to understand what data they have, where it is stored, how it is processed, and most importantly, what their responsibilities are in the case of an incident. The changes are coming and the time is now to start to prepare.