In the last year, we have seen a move toward security regulation changes mandating protection of consumer personal data (broadly speaking), extending beyond “private data” to all “personal data”, including emails, phone numbers, location data, etc. Following Europe’s GDPR, U.S. states and the U.S. Federal Government are working on similar laws, with the states leading the way.
Federal and state security law changes are being implemented to strengthen the requirements for security and to add new provisions that protect all forms of personal data. Areas of enhancement in 2018/2019 security laws include:
- Ongoing risk assessments of any private data in a company’s possession
- Implementation of “appropriate security” to protect the protected data
- Requirements to manage and destroy protected information after temporary use (à la GDPR)
- Focus on written internal policies
- Third-party vendor scrutiny and security
Fines and enforcement are generally getting stronger, as reflected by a recent 50 million euro GDPR fine against Google and Anthem’s $16M fine for HIPAA violations.
Europe is leading in the quest for tougher regulations, with U.S. states following and the U.S. Federal Government lagging behind the states.
Recent 2018/2019 Security Regulation Changes
- All 50 states now have security laws for personal data breach notification
- At least 22 states have enacted 52 cyber security bills in 2018. States are enacting GDPR-like enhanced privacy laws (California, Colorado, …).
- State laws are intended to provide consumers with greater transparency and control over their personal data.
- Several states now go beyond breach notification and require companies to make significant changes in their data security and processing operations.
- In 2018, at least 35 states introduced or considered more than 265 bills or resolutions related to cybersecurity. Some of the key areas of legislative activity include:
  - Requiring government agencies or businesses to implement specific types of security practices
  - Increasing penalties for computer crimes
  - Restricting public disclosure of sensitive government cyber security information
  - Addressing threats to critical infrastructure and more
  - Funding for cybersecurity programs and initiatives
  - Workforce training
- Multiple U.S. federal data privacy laws have been introduced and are in the legislative process:
  - The American Data Dissemination Act (S. 142) would “impose privacy requirements on providers of internet services similar to the requirements imposed on Federal agencies under the Privacy Act of 1974”.
  - The Social Media Privacy Protection and Consumer Rights Act of 2019 (S. 189), among other things, would require covered entities to “(1) offer a user a free copy of the personal data of the user that the operator has processed; and (2) notify a user within 72 hours of becoming aware that the user’s data has been transmitted in violation of the security platform.”
- New security laws aimed at social media companies have been proposed. At least two are in the proposal process: one in the U.K. and one in the U.S. (the Social Media Privacy Protection and Consumer Rights Act of 2019).
- HIPAA: No major security regulation changes, but HIPAA enforcement continued in 2018 with penalties related to breaches and HIPAA violations by covered entities and business associates. 2018 brought us the largest fine since OCR began enforcing HIPAA (Anthem’s payment of $16 million in October).
- In 2018 we saw many of the same enforcement themes we have seen in previous years, including:
  - The importance of conducting accurate and thorough risk assessments
  - The necessity of managing third parties and the use of Business Associate Agreements (BAAs)
  - The need to be good at the “basics” of HIPAA compliance
- Merchant Security (PCI DSS): No major changes in 2018. The biggest change requires the use of more secure communications for companies’ ecommerce sites and payment processors.
GRC Solutions That Can Help You Cope with Regulation Changes
Recent and ongoing changes to cyber security laws and regulations dictate ongoing changes to your company’s security program. Those areas include:
- The need to place a high priority and budget on security ahead of compliance or customer issues, or public breaches
- The need to integrate private and personal data protection into corporate strategies
- The need for security risk assessments to assess risks and define gaps to become compliant
- Use of governance, risk and compliance (GRC) experts to augment your internal team
- The need to manage 3rd party security as an extension of your security effort
Contact us to help.