You’re probably well aware of the General Data Protection Regulation (GDPR) in Europe and California’s Consumer Privacy Act (CCPA). These two privacy laws provide fairly stringent requirements for businesses to uphold consumers’ and employees’ right to privacy, and they use significant monetary penalties to punish those who break the law.
But what about a federal privacy law here in the United States? When will we have one, what will it cover, and what will businesses have to do to stay compliant?
We’re getting close to having a national data privacy and security standard.
Over the last two years, multiple federal information privacy bills have found their way to Congress. It’s unlikely anything will pass during the remainder of the term, but Congress seems primed to legislate on data privacy in the upcoming session—possibly running with the latest bill introduced by GOP senators known as the SAFE DATA Act.
In this article, we’ll get you up to speed on recent developments in U.S. federal privacy legislation and go in-depth on the SAFE DATA Act. We’ll break down what your organization needs to do to prepare for the passage of a federal privacy law to ensure you’re effectively managing your privacy, cybersecurity, and compliance risks.
SAFE DATA Act
Several signs point to U.S. lawmakers being in favor of enacting a federal privacy law. The GDPR passed in 2018, and the CCPA came into enforcement on July 1, 2020. Senator Maria Cantwell (D-WA) put forth a federal privacy bill last year. Several GOP senators collaborated on the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act in September of 2020.
The SAFE DATA Act shows promise—it’s a conglomeration of three previously introduced bills: the discussion draft of the U.S. Consumer Data Protection Act, the Filter Bubble Transparency Act, and the Deceptive Experiences To Online Users Reduction Act.
This law would expand what’s considered sensitive data and include enacting data security standards to accompany data privacy standards. It would create rights to transparency, access, deletion, correction, and portability and require opt-in consent to process or transfer “sensitive covered data.” Under this law, businesses would need to name privacy and data security officers within their firms and meet “reasonable” and “appropriate” data security requirements.
It’s important to note a couple of additions to the new SAFE DATA Act bill. This bill introduces an algorithmic ranking system to determine how content can be presented to consumers. It also establishes regulations for the “manipulation of user interfaces”, which prevents deceptive UIs from coercing customers into giving up personal data.
The SAFE DATA Act would be enforced by the FTC and state attorneys general, would take precedence over state privacy laws such as the CCPA, and would not include a private right of action. These last two are partisan points of contention, differing drastically from Democrat Maria Cantwell’s competing bill of the previous year.
The Key to Staying Safe: Maintaining a Consistent Infosec Compliance Program
There are plenty of guides on creating effective data privacy programs, but here we will be focusing on the security side of data privacy.
The SAFE DATA Act and other bills introduced by Democratic senators require organizations to maintain a baseline level of data security. To be compliant, your organization will need to maintain an ongoing information security compliance program to minimize privacy compliance risk.
If the new federal privacy law is modeled after the GDPR and the CCPA, the law will hold your organization responsible for your third parties’ actions. Your vendor’s privacy slip can become your compliance violation. Needless to say, your organization must clearly understand and approve the risk profile of any partner you allow near your sensitive customer data.
Do you know how many third parties have access to sensitive data from your company and your customers? If you don’t, you should find out immediately.
According to a Ponemon Institute study, the average company shares confidential sensitive information with approximately 583 third parties. Even worse, only 34% keep a comprehensive inventory of these third parties.
How to strengthen your risk management practices
Maintaining an effective information security compliance program starts with a thorough understanding of your risk landscape. What are the biggest risks in your environment? What controls do you already have in place to mitigate those risks?
Once controls are identified, it’s worthwhile to see how your controls stack up against standard controls in compliance frameworks such as NIST SP 800-53 (National Institute of Standards and Technology) or ISO 27001 (International Organization for Standardization).
For instance, NIST SP 800-53 is a good reference framework to use because it offers a layered approach to cyber protection. It acknowledges that risks can be introduced in many ways, and risks may be realized even when you have solid, preventative controls in place. It recommends that organizations think through the preventative elements as well as the response elements of their infosec compliance program.
NIST SP 800-53 emphasizes five key areas: Identify, Protect, Detect, Respond, and Recover, and offers somewhere between three and six controls for each area.
Invest the time to implement controls in all five areas, and your organization can be confident that you’re reasonably secure across both cloud and traditional environments.
However, even after you’ve checked to see that the right controls are in place to cover high-risk areas, the work still isn’t done. Risk profiles can change by the minute as attackers devise new, sophisticated schemes and as business units incorporate new tech into their operations, launch new digital initiatives (e.g., customer-facing mobile apps), and onboard new vendors.
Integrate compliance into business operations
Many issues arise when infosec compliance teams remain unaware of business operation changes — changes that may render existing controls obsolete. For instance, during the COVID-19 pandemic, a company might lay off employees and neglect to tell the security team, so those users’ accounts and access rights might remain active when they should have been revoked.
Or the company might begin processing certain transactions on new apps, exposing confidential data to vendor risk. In both cases, the security risks there are well understood and can be controlled. The true risk is poor integration that leaves the security team isolated from the company’s changing risk profile.
Your infosec compliance team needs to have a way to regularly observe, test, and review your security policies, procedures, and controls. They need to have tools that allow them to spot issues in real time and respond quickly.
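The layoff scenario above is the kind of drift a compliance team can catch mechanically rather than by waiting for an audit. The script below is an added example, not code from the article or from Hyperproof: it reconciles a constructed HR roster against a constructed identity-provider account export and flags accounts that are still enabled after their owner’s last day, accounts that logged in after that date, accounts with no HR owner at all, and enabled accounts that have gone dormant. The data format, the 90-day dormancy threshold, and the field names are all assumptions chosen for illustration; a real run would read these from your HR system and IdP exports.

```python
"""Added example (not from the article or Hyperproof): reconcile an HR roster
against an identity-provider export to find access that should have been
revoked. Every record below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employee id -> (login email, status, last day if terminated)
HR_ROSTER = {
    "E100": ("alice@example.com", "active", None),
    "E101": ("bob@example.com", "terminated", date(2020, 9, 30)),
    "E102": ("carol@example.com", "terminated", date(2020, 11, 2)),
}

# Constructed identity-provider export: one entry per account
IDP_ACCOUNTS = [
    {"login": "alice@example.com", "enabled": True, "last_login": date(2020, 11, 9)},
    {"login": "bob@example.com", "enabled": True, "last_login": date(2020, 10, 5)},
    {"login": "carol@example.com", "enabled": False, "last_login": date(2020, 11, 1)},
    {"login": "svc-vendor@example.com", "enabled": True, "last_login": date(2020, 6, 1)},
]

# Constructed "as of" date for the review run (assumption, so results are reproducible)
AS_OF = date(2020, 11, 10)


@dataclass(frozen=True)
class Finding:
    login: str
    issue: str    # terminated_still_enabled | activity_after_termination | orphaned | dormant
    detail: str


def reconcile_access(roster, accounts, today, dormant_after_days=90):
    """Return a list of Findings; an account may produce more than one."""
    # Index the roster by login so each IdP account can be looked up in O(1)
    by_login = {email: (emp_id, status, last_day)
                for emp_id, (email, status, last_day) in roster.items()}
    findings = []
    for acct in accounts:
        login, enabled, last_login = acct["login"], acct["enabled"], acct["last_login"]
        owner = by_login.get(login)

        # No HR owner at all: vendor or service account nobody is accountable for
        if owner is None and enabled:
            findings.append(Finding(login, "orphaned",
                                    "enabled account with no HR owner on record"))

        if owner is not None:
            emp_id, status, last_day = owner
            if status == "terminated":
                # Offboarding gap: the person left but the account was never disabled
                if enabled:
                    overdue = (today - last_day).days
                    findings.append(Finding(login, "terminated_still_enabled",
                                            f"{emp_id} left {last_day}; still enabled {overdue} days later"))
                # Worse than a gap: the account was actually used after the last day
                if last_login > last_day:
                    findings.append(Finding(login, "activity_after_termination",
                                            f"{emp_id} last logged in {last_login}, after last day {last_day}"))

        # Dormant but enabled accounts are standing access nobody is using
        if enabled and (today - last_login).days > dormant_after_days:
            findings.append(Finding(login, "dormant",
                                    f"no login for {(today - last_login).days} days"))
    return findings


def summarize(findings):
    """Count findings per issue type, the figure a control owner would attach as evidence."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


def run_report():
    """Run the reconciliation over the constructed data as of AS_OF."""
    return reconcile_access(HR_ROSTER, IDP_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    report = run_report()
    for f in sorted(report, key=lambda f: (f.login, f.issue)):
        print(f"{f.login:28} {f.issue:28} {f.detail}")
    print(summarize(report))
```

Run on a schedule, a report like this gives the control owner something concrete to review and re-attest to each cycle, and a zero-finding run is itself evidence that the access-revocation control is operating. The "activity after termination" check is the one to escalate first, since it indicates the stale account was not merely forgotten but used.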
Unfortunately, modern infosec compliance teams stare down a rigorous challenge in keeping security controls current and policies relevant. Change happens fast in business, and compliance teams often struggle to identify control owners and stay in the loop. Busy schedules keep compliance teams on the go, often without the time to adequately observe and supervise the controls around critical systems.
Facing this adverse landscape, many forward-looking organizations turn towards innovative compliance operations software providers such as Hyperproof. Hyperproof knows that managing a compliance program consistently requires a lot of hard, tedious work. This work, when left undone, leaves an organization vulnerable.
Hyperproof’s solution is to make the work of maintaining a consistent infosec compliance program manageable. By using Hyperproof, compliance managers are able to:
- Reduce repetitive administrative work around key processes, such as collecting evidence for audits
- Assign controls to individuals or teams in business units and automate reminders for people to review their controls and provide fresh evidence
- Supervise, continually check, and critically observe the controls in place around compliance requirements and documented risks
- See the organization’s compliance posture in real time and identify next steps to strengthen their compliance program
When an organization does all of their compliance work in a single platform like Hyperproof, it’s much easier to demonstrate that the company takes information privacy very seriously should there be a breach that requires reporting to authorities.
This is important because, although civil penalty amounts haven’t been specified, it’s possible the SAFE DATA Act may borrow a page from the CCPA—administering lesser financial penalties to organizations capable of proving the existence of a functional data privacy and security compliance program prior to an infraction. For that reason, you will want to keep a detailed record of your infosec and data privacy policies, be able to show you’ve regularly tested and reviewed controls, and ensure all documentation of compliance activities is readily accessible.
Respecting your customers’ privacy and protecting their sensitive data couldn’t be more critical in today’s business world. With a federal privacy law around the corner, wise organizations understand the advantages of being proactive. Successful teams will look to risk management frameworks like NIST and ISO for guidance, weave compliance into the company culture, and use modern tools to improve their ability to monitor and evolve their compliance program as regulations, technology, and their business landscape evolve.
Make no mistake—the daily management of compliance isn’t easy, and the coming federal privacy law will only raise the stakes. Start preparing today so your organization will be poised to lead in a world where privacy protection and regulatory compliance are paramount to business success. To learn more about how Hyperproof can support your organization’s effort to mitigate privacy and security risks, sign up for a personalized demo.