After Jerry Brown signed the
California Consumer Privacy Act (CCPA) paperwork in June 2018, shock waves
reverberated throughout Silicon Valley. Lobbyists at the
Information Technology Industry Council, a Google-backed think tank,
quickly went to work drafting proposals for a federal law that would supersede
the stringent California bill. Twelve states subsequently
followed California's lead and passed similar legislation, causing some of the
largest tech companies, including Google, Facebook, Apple, Intel,
and Microsoft,
to clamor for federally mandated consumer data privacy regulation. Although 15
bills have been proposed in the last year alone, as of September 2019, none
has passed. However, it's only a matter of time before a federal data
privacy bill passes. Businesses need to be prepared to make drastic changes to
their data gathering and privacy processes, and determine if outside help is
needed.

Looking to the future: a law on the horizon

The bills that have been
proposed and turned down to date have common threads running through them, so
we can reasonably deduce what a future federal data privacy law might look
like. Below are the common themes that have appeared in the bills that were
proposed but did not pass.

It will give citizens control of their data or the ability to opt out

Consumers want access to and
control over their own data. The Data Broker Accountability and Transparency
Act was put together in the wake of the Cambridge
Analytica uproar, and it directly targeted data brokers – companies
that collect consumer data and sell it to third parties. Additionally, this
bill would allow US citizens to remove their data from corporate servers.

Another bill, the Consumer
Data Protection Act (CDPA), called for the creation of a national "do not track"
registry.

It will keep large corporations in check

The American Data
Dissemination Act was introduced by Marco Rubio in January 2019 as another
opportunity to supplant the current patchwork of state laws. In an effort to
keep large, incumbent companies from dominating the space, Rubio's bill called
for the FTC to create exemptions for smaller companies. Creating more
opportunity among competition should ultimately benefit consumers.

It will create severe punishments for data breaches

Aside from calling for the
creation of a "do not track" registry, the CDPA also proposed data breach fines
as high as four percent of offending businesses' annual revenue, as well as 10
to 20 years of jail time for negligent executives. The bill also proposed
hiring 175 more FTC employees to monitor the sale of private data.

The Corporate Executive
Accountability Act, issued in April 2019 by Elizabeth Warren, would affect
companies with over $1 billion in annual revenue. Like the CDPA, the bill calls
for jail time for senior executives; however, the threshold for incarceration
is quite high. According to the proposed bill, senior execs are only liable if
a data breach is the result of illegal activity, and prosecutors must prove
that these executives were negligent.

Companies need to be prepared
for consumers to have more control over their data; they should expect more
balanced competition, and to be held accountable if consumer data is left
unsecured.

An opportunity for managed service providers

If the United States enacts a
federal data privacy law, this change will provide an opportunity for managed
service providers (MSPs). As we've already seen in Europe, many MSPs have taken
advantage of the GDPR, opting to position themselves as experts in data privacy
compliance. These MSPs essentially offer consultancy services, which can
include providing clients with data protection officers (DPOs), technicians,
and internal auditors. By encrypting data, patching software, and providing
auditor checklists, these MSPs help businesses address their GDPR compliance
issues.

When MSPs provide their
clients with external DPOs, it helps to prevent business conflicts of interest
from arising; for example, if a business were to have a sysadmin or someone
else doing double duty as a DPO, that person might not want to change their
everyday activities—even if it were required for compliance. Hence, it can be more beneficial for a business to use a DPO
provided by an MSP than to use an employee from inside their own organization.
However, it's important to keep in mind that paying an MSP for DPOaaS (data
protection officer as a service) doesn't provide businesses with immunity from
data breach fines.

Who is liable?

MSPs can open themselves up
to fines, lawsuits, and reputational damage should a breach happen while
they're hosting a client's data. However, if an MSP is solely providing their
client with software or tips, the responsibility then likely lies with that
client. Answers to questions around liability continue to be vague, with the
industry paying attention to new precedents as they are set.

Ultimately, we are going to
see a shift in two directions: 1.) companies using third-party advisors; 2.)
companies owning and taking on liability. Companies and advisors will both be highly dependent on technology solutions to provide
the necessary transparency and data security to keep up with future federal
regulations. In addition, the solutions relied upon will need the right mix of
intelligence and automation to course correct individuals and companies in the
moment in response to regulatory changes. Picking the right technology vendor
that can keep up with the rapid change ahead will be key.

Companies must start
determining their technology stack, as well as their strategy for complying
with the impending changes that federal regulation poses, including whether or
not to utilize an MSP that specializes in data protection. While there will be
a certain level of risk for MSPs, there clearly is a lucrative opportunity
ahead for those who are willing to fill this gap. The question is whether
utilizing MSPs' services will become companies' preferred strategy for dealing
with the federal regulations that are on the horizon.