The Changing Landscape of Data Collection and Protection
By Ben Hunter, III, CPA, CITP, CISA, CRISC, CFE
In April 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR), which went into effect in May 2018. The GDPR is a great step forward for consumers and data privacy. For most of us, the GDPR was an interesting conversation starter at cocktail parties and networking events. It only impacts businesses that operate inside the EU or the European Economic Area (EEA), or businesses that process the personal information of individuals belonging to the EU and the EEA.
In June 2018, the California Legislature led the way in the United States by passing the California Consumer Privacy Act (CCPA). This law will have a great impact on data privacy throughout the United States. Many other states are now contemplating their own consumer privacy laws. Included in the law are various consumer safeguards:
- Notice: Guarantees consumers the right to know what data is being collected
- Consent: Guarantees consumers the right to opt out of data being sold
- Deletion: Guarantees consumers the right to delete all their private data, with exceptions
- Access: Guarantees consumers the rights to access, download or transfer their data
- Kids’ Rights: Kids under 16 must opt in to consent to the sale of their data
- Enforcement: The attorney general can levy fines, and consumers can sue for breaches
(See www.commonsensemedia.org – a sponsor of the bill and a great source of reviews, objective advice, helpful tools and more for media, tech and the digital world.)
The law only protects individuals residing in the state of California. The CCPA applies to all for-profit entities that collect personal information and do business in California and either have annual gross revenue over $25 million, buy, sell, receive, or share for commercial purposes the personal information of 50,000 consumers, devices, or households on an annual basis or derive 50% or more of their annual revenue from selling personal information. To be clear, the law makes no distinction on where that annual revenue is earned. So even if you do $1 million in revenue in California, and $24 million in revenue in North Carolina, the law still applies to your business.
The CCPA is expansive in its definition of “personal information.” “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Basically, if you think it could be personal information, it is under the law.
And just in case you thought you are not affected by these data privacy laws because you live in North Carolina, amendments to the NC Identity Theft Protection Act have been introduced as House Bill 904. This proposed change applies to businesses that conduct business in NC and own or license personal information of NC residents. Some of the main points of the amendments are:
- Requires businesses to implement and maintain reasonable security procedures and practices
- Imposes a maximum of 30 days after discovery of a breach or reason to believe that a breach has occurred to notify impacted individuals and the NC Attorney General
- Expands the definition of personal information to include any information regarding an individual’s medical history, condition, treatment, diagnosis, genetic information, and health insurance information like a policy number
- Clarifies when other information that normally is not “personal information” would be considered “personal information” for notice and security procedure requirements
- Changes the law from unauthorized access and acquisition of data containing personal information to unauthorized access to or acquisition of….
- Requires businesses to verify a lack of harm for 3 years
- For any breach involving SSN, the business must provide identity theft monitoring and mitigation services for 24 to 48 months
- Increases the amount of information a business is required to provide to the Attorney General
- Clarifies that compliance with HIPAA is considered compliance with the law
- Gives the consumer more control over credit checks and information at a Credit Reporting Agency (CRA)
Since there is currently no federal framework, businesses will need to work with the attorneys, CPAs, and cybersecurity/data privacy specialists to stay abreast of the changing laws in the states where they do business. There are always costs to regulations, and these consumer privacy laws are no different. Much of the burden will be borne by the businesses. However, just as food label regulations cost businesses but puts consumers in control of what is in the food they choose to eat, the data privacy laws such as the CCPA will put the consumers in control of their own data. It is this author’s opinion that the CCPA is a positive move forward for data privacy.
Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM
Ben is the Chief Information Security Officer for BRC and is a Senior Manager in our firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit […]