RSA 2019 covered a whirlwind of topics, including everything from up-to-the-second threats to the long-term global implications of the General Data Protection Regulation (GDPR), the European Union’s data protection policy. Navigating the various events can be a daunting task, but there were a few talks that stood out as particularly relevant to ProCircular’s clients. In this blog I’ll recap an excellent presentation and Q&A on compliance.
Note: I’m not an attorney, and this blog shouldn’t be considered legal advice. It’s only meant to get you thinking about these issues and to potentially follow up for more clarification from your counsel or a member of the ProCircular team.
Privacy Regulation: A Little History
At the center of this discussion is the GDPR. The history of GDPR provides an interesting comparison between the EU and other parts of the world, particularly the United States. Speaking in broad generalizations, in the EU personal privacy is largely viewed from the perspective of the citizen. Its genesis goes back as far as the 1995 Directive 95/46/EC, when the EDPD adopted the Data Protection Directive. The language in the first section alone is telling:
“In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”
The language is largely about fundamental rights and freedoms and reflects an overall ‘citizen’s rights’ perspective. In short, the citizen has certain rights, and the organizations that are lucky enough to employ them must comply with certain requirements to protect their inherent right to privacy. This was very forward-thinking considering that in 1995 people were still dialing into CompuServe by the millions and Mosaic was the browser of choice.
Compared to Europe, the United States has written privacy regulations from a business and federal privacy perspective. The first foundational act in the US was the US Federal Privacy Act, which was overseen by the Office of Management & Budget. It was intended to restrict disclosure of personal information and grant individuals an increased right to access their own records, but the act itself applied primarily to federal employees and does not appear to have been widely accepted by businesses. Fast forward to the Foreign Intelligence Surveillance Act (FISA), created in 1978 and revised in 2001 by the USA Patriot Act, and you’ll see other examples of the needs of government (e.g. security) outweighing what the EU would describe as the rights of citizens.
Your New Requirements:
The GDPR has its roots in ‘the fundamental rights and freedoms of natural persons’ and many of those aspects can be seen in the core tenets of the regulations:
- Right of Access – The right to know all personal information collected and shared with third parties
- Right to Erasure – The right to have personal information deleted, largely based on the purpose of having the information
- Right to Data Portability – The right to know personal information that is collected based on consent and review and transfer of same
- Right to Object/Opt-Out – The right to object to or restrict the processing or sale of personal information
- 72 Hour Breach Notification – The right to be notified within 72 hours of the discovery of a breach or disclosure of personally identifiable information
Each of these examples is as problematic for businesses as it is advantageous for the private citizen. The Right to Erasure is conceptually very straightforward: if you aren’t paying me for my time, you have no right to continue to possess my personal information, particularly given the likelihood that any business may be breached and expose my PII to a bad actor. From the perspective of the business, this is an extraordinarily complex article to fulfill. Larger companies have countless systems that may require PII to function (e.g. HRIS, CRM, Payroll, ERP, etc.), and selectively deleting that data without putting other records at risk is extremely difficult.
Nonetheless, these articles are all part of the GDPR. Enforcement came into effect on May 25th of 2018, and European and global firms are struggling to even begin to comply.
These are challenging times from a regulatory perspective for U.S. firms as well. Breach Disclosure laws vary state by state and require competent counsel to work through each time a firm may have an incident. Several other state-level statutes are working their way into law:
- California Consumer Privacy Act
- Washington Privacy Act
- Massachusetts – An Act Relative to Consumer Privacy Data
- NY Department of Financial Services Cybersecurity Requirements
- South Carolina Department of Insurance Data Security Act
- Ohio’s Cybersecurity Framework
Most of these, in one way or another, base their language and timing around the example laid out by GDPR.
What was once a European challenge will very quickly become an issue for U.S. firms. Each of these has varying requirements, definitions aren’t synchronized, and, while based on GDPR, each is being developed in a silo. This doesn’t include the industry-specific regulations akin to the NY Financial Services requirements, and several others that are in various stages of completion for Power, Manufacturing, Government Contractors, Healthcare and Education. In the absence of federal regulation that provides some consistency, this patchwork of requirements may require a mind-bending amount of legal advice for anyone looking to comply.
There may be light at the end of the tunnel, as groups seem to be working together to avoid the ‘Privacy Apocalypse’ described above. At RSA, presenters with deep relationships inside both government and specific industries indicated that there were several high-level discussions of a consistent set of federal regulations to attempt to synchronize the patchwork of state level requirements.
The CCPA is due to become active in January of 2020, and April Falcon Doss (formerly with the NSA and SSCI) indicated that this timing has forced these discussions. Rather than cede to the California set of standards, an over-arching set of Federal regulations could replace many of the core sections of the CCPA in a set of bills. Privacy advocacy groups such as the Electronic Frontier Foundation (EFF) have met with HIPAA representatives, the National Association of Attorneys General, GDPR experts, Congressional staffers and large industrial representatives to hammer out what may be our only hope at an omnibus set of regulations. The hope would be that this consistent set of regulations would apply in the same way to all organizations, eliminating much of the state-to-state variation we see today.
In the meantime, we’re left with the aforementioned variability, but there is hope that these organizations can get together and present a set of basic federal regulations before another five or ten state-based requirements become part of the equation.
As always, ProCircular has significant experience helping organizations to weather this storm and navigate the complex waters of compliance. If you have any questions, please feel free to reach out to firstname.lastname@example.org for more information.
About the author: Aaron R. Warner has more than twenty-five years of experience in information technology, cybersecurity and risk management. He specializes in organizational cybersecurity and applying technology, process, and people to solve complex challenges. As the CIO and CTO with Integrated DNA Technologies he led an amazing team of people who grew the company from 13 employees to nearly 1000, hundreds of millions in revenue, and scaled operations in the US, EU, and APAC.
He’s been recognized by Gartner and Microsoft, published articles and whitepapers, and sits on the board of several companies and charitable organizations. He’s a Certified Information Systems Security Professional (CISSP), a certified Security+ engineer, and a full member of the FBI/DHS Infragard partnership. Mr. Warner is also a member of the Technology Association of Iowa Board of Directors and a member of Leadership Iowa.
Mr. Warner attended undergraduate and graduate school at the University of Iowa, earning an MBA from the Tippie College of Business. In his free time, Aaron enjoys cave diving, back-country camping, off-road motorcycles, and the occasional bottle of fine, red wine. He’s the proud father of two children and enjoys the best parts of life with his wife and best friend Heather.