State Privacy Patchwork
Stay Compliant in Constant Change
This summer, the state of Colorado passed comprehensive privacy legislation, the Colorado Privacy Act (or ColoPA). Joining the ranks of California and Virginia, these states aim to fill the data privacy protection gap left by a lack of federal law by enacting strict, state-level guidance and penalties around the collection, storage, usage, deletion, and leakage of consumer information. Don’t live in one of these three states? Luckily for you, Dear Consumer, the laws still likely provide coverage; each sets forth specific requirements for businesses operating in that state, meaning entities across the globe that sell to CO, VA, or CA should comply. There are, of course, variations among the states in which organizations must comply, but it’s a fairly safe bet that larger companies that handle personal information of US citizens will need to prove compliance (besides, it’d be much harder to only cover residents of these specific states than to provide solid privacy protections for all US citizens).
Sorting through three separate sets of legislation isn’t the easiest task, but it’s been done. However, the problem is about to become more complex: as of this writing, 23 other US states are pursuing comprehensive consumer data privacy laws, meaning that more than half of all states could soon have unique legislation to address increasingly complex data regulation. For organizations operating in multiple states, this seems like an impossible task: adhering to various legal guidelines that dictate not just how data is gathered and used, but highly technical issues like data storage, transfer, and encryption. Many organizations struggle to implement these concepts under a single best-practices framework, let alone dozens of compliance laws; let’s look at some easy ways to prepare for the changing privacy landscape.
Start With a Framework
Everything is easier with a single set of requirements. If the Federal Government doesn’t pass national privacy legislation soon, consider achieving compliance against an industry standard, such as ISO 27001, or overseas national standards, like GDPR. While neither will encompass all the requirements set forth by each state, they do cover a lot of ground; additional efforts will be extremely easy to implement when and where they’re needed. As a bonus, some potential federal privacy laws require internal audits; you’ll be ahead of the curve if your enterprise does this proactively. Certifications also make for great sales tools, since they give potential customers peace of mind that your infrastructure and business practices are safe and modern.
Designate an Owner
Strong security and compliance practices always include a named program owner. Typically, in larger organizations, this will be someone with a title like CISO, VP of Compliance, or similar. What if your company isn’t large enough to employ these roles? Naming someone to be “point person” is a great way to ensure best practices are not only followed, but updated as laws change. This person should be at least tangential to security and compliance, but they don’t necessarily need to be an expert. Both the organization and customers will benefit from a single point of contact should they have questions or concerns, and many policies will require a named resource for these purposes. Additionally, the owner should stay vigilant for industry and legal changes; this can be as simple as signing up for compliance training and newsletters and setting Google alerts.
Have a Plan
If you’re part of an organization that’s unable to fully dedicate resources to compliance, be sure to have a plan should you need professional assistance. This can be anything from implementing larger legal changes to navigating potential breaches; if the organization doesn’t have an appropriate team to tackle such issues, it’s important to know what to do. Finding a trusted advisor to depend on is not only useful in terms of resourcing, it may very well be necessary; failure to comply with some of the recent legal changes carries heavy financial penalties. Depending on the assistance you pursue and the issue at hand, it may also be useful to have a specialized legal representative available, as well.
Constant changes to the legal landscape may seem intimidating, but they’re commonplace in many other industries. Data privacy regulation is long overdue in the US, so the flurry of state-level legislation to address this gap isn’t surprising. By planning ahead, organizations can easily adapt to these changes while building stronger, more secure infrastructures and practices: not just great for sales, but great for everyone with data involved.
The information presented in this article is accurate as of 9/16/2021. Follow the ScaleSec blog for new articles and updates.
ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.