Data regulation is now a strong, permanent feature of the IT landscape.
Over the past year, a series of sweeping regulations have come into force that have brought change on entire industries.
Global business will have to operate in a new data environment in 2019. With the year coming to a close, this is the opportune time for companies to recap on the most important laws governing digital data.
The EU’s General Data Regulations (GDPR) was a game changer for Europe. While earlier laws governing digital information prohibited specific infractions, GDPR was a paradigm switch, forcing organizations to completely revamp their practices and institute privacy by design. However, in the six months since entering into law, the effects of GDPR have been minimal. While many companies have instituted changes to their protocols, the fundamental shifts regulators hoped for have been slow to come about.
Many experts are saying that it’s just a matter of time . Heavy fines from GDPR violations haven’t yet been reported. Additionally, the infrastructure of enforcement simply hasn’t had time to come into its own. 2018 was GDPR’s year codification. 2019 will almost certainly be the year of enforcement.
California Privacy Act
Back in June, privacy advocates recently succeeded in one of the fastest legislative maneuvers in history by passing the California Consumer Privacy Act (CCPA). Under the law, data collectors are now obliged under “the right to opt out” essentially the ability for users to object to their data being distributed or sold. Companies will also be required to “maintain reasonable security procedures and practices appropriate to the nature of the information”, ie the more sensitive, the more protection.
California’s privacy regulations will not become law until January of 2020. However, the more immediate effects of CCPA is its influence on the larger debate over US data laws. The regulations are likely to fuel the efforts of privacy advocates across other states. Even discussions on federal privacy laws have been influenced by the CCPA.
National Breach Notification Law
The Gramm-Leach-Bliley Act, commonly known as GLBA, has been on the books since 1999. The Act was revolutionary for its time, being one of the earliest data regulations in the modern era. The federal law requires financial institutions to explain how they share and protect their customers’ private information. Compliance of GLBA is not particularly demanding. The main section of the law, the Safeguard Rules require companies have an employee designated for data security, maintain a security program, and test it somewhat regularly.
A few months ago, the House Financial Services Committee introduced a bill that would profoundly amend the GLBA. These new rules would supersede a multitude of the state-level laws currently governing data collection, possibly putting an end to major regulations such New York’s DFS regs. Perhaps the biggest change would be a “national breach notification law” for the financial industry. As the name would suggest, the notification law would require companies notify users of a breach within a very short time period after it’s identified.
Cybersecurity and Infrastructure Security Agency Act
President Trump signed the Cybersecurity and Infrastructure Security Agency Act (CISA) into law in mid November.
The repercussions of this bill turning into policy were tremendous. CISA essentially codifies the notion of data security being critical national infrastructure, and authorizes the administration to protect it as such. Under CISA the Department of Homeland Security 9 was charged with assessing risks and threats associated with data systems, and force organizations to comply with safety measures. This important law has had little time to get of the ground. 2019 will be the year the U.S. begins to feel repercussions of CISA.