Data Privacy Disruption In The U.S.

Forbes Technology Council
POST WRITTEN BY
Yaki Faitelson


The General Data Protection Regulation (GDPR) has been the greatest change to EU privacy laws in almost 20 years. The law’s new (and controversial) international scope now means that U.S. companies will be facing direct consequences. But even after going into effect in May, its full impact on employee records, the right to be forgotten and other areas has yet to be realized.

The GDPR is also having a powerful indirect influence on U.S. consumers as they begin to experience the new EU privacy notices and cookie policies on their favorite websites. U.S. policy thinkers and lawmakers are taking notice as well and now understand that the U.S. will be at a disadvantage in the long run if no serious actions are taken.

According to Christopher Painter, a commissioner for the Global Commission on the Stability of Cyberspace, if the United States doesn’t lead with its own privacy and security law, other countries will use the GDPR as a standard.

While the EU GDPR has been criticized as being overly complex, there are some core aspects to it that even U.S. tech and social media companies can rally behind.

AT&T, Google, Amazon, Twitter and Apple recently testified in Senate hearings in favor of a unified privacy and data security law covering consumer personal data. They each offered their own frameworks -- a simplified version of GDPR -- but there is agreement on some ideas: calling for a standard definition of personal information, letting consumers access and correct their personal data (deleting information as needed) and setting basic data security standards.

Back In The U.S.A.

It’s understandable that U.S. companies would want a uniform U.S. law instead of the current status quo. The private sector currently faces 50 separate state data breach laws. If the data is medical or financial, it’s also covered by HIPAA and Gramm-Leach-Bliley, respectively, at the federal level.

There is a separate children’s data protection law, known as COPPA (Children’s Online Privacy Protection Act). And student records are covered by yet another law, FERPA (Family Educational Rights and Privacy Act).

It’s not as if there haven’t been efforts to create order out of this legal chaos. Over the years, various data security and privacy laws have been kicking around the halls of Congress. For example, there's Senator Leahy’s Consumer Privacy Protection Act or Senator Klobuchar’s Social Media Privacy Protection and Consumer Rights Act. There’s no shortage of potential legislation.

While progress at the federal level is slow, there have been real innovations at the state level -- our “laboratories of democracy.”

New York State, for example, has an interesting year-old cybersecurity law for financial companies. This tough security and privacy law is like a mini-GDPR and covers basic principles of data security, risk assessments, documentation of security policies and speedy notifications of data breaches and other cyber events.

California, which has an economy greater than that of the U.K., just passed a new data privacy law that has a very GDPR feel: In 2020, it will give consumers the right to access and even delete their personal data, as well as decide whether third parties can see their data.

This new privacy law accompanies an existing California breach notification law that, like the GDPR, covers a broad range of personally identifiable information (PII), including emails and online handles.

What To Do?

In recent months, there have been some stirrings that a federal privacy law may truly happen soon. In September, the Commerce department issued a request for comments on a federal data privacy law.

Even if a U.S. law is not enacted in the next year or two, it’s clear that state governments are willing to step in to fill the gap. How do U.S. companies manage what is an inevitable sea change in U.S. privacy and security laws? Even taking a conservative view of a future U.S. privacy law, there are three primary IT-related issues that will have to be addressed.

First, as the California Consumer Privacy Act already introduced, personal data will encompass not only standard identifiers -- name, address, phone number, driver’s license -- but also internet-era handles, such as IP addresses, URLs and geo-location information, as well as anything that can help identify an individual. The first step in protecting and controlling access to data is to find it, but by no means is this an easy problem to solve. Think of all the variations on basic account numbers, let alone more complex internet-era patterns. Developing algorithms to match these patterns will require more than an ad-hoc solution.

Second, this new wave of U.S. privacy laws will require companies to process consumer subject access requests (SARs), which will involve either updating or deleting personal information. To help zoom into specific parts of relevant files, highly granular indexes will have to be built, similar to what search engines use in the background to find text within HTML pages. Then, the files will have to be quarantined and ultimately processed to modify or remove the subject’s personal data.

Finally, a core level of data security will be required -- “safeguards to protect against unauthorized access” is the standard language used in these laws. At a minimum, companies will have to perform risk assessments to establish what data is vulnerable -- due to overly broad access permissions, for example -- and plan to remediate vulnerabilities. The New York State Department of Financial Services (DFS) spells these assessments out in more detail in its cybersecurity rules for financial companies.
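A small illustration of the first two issues above: finding personal data that includes internet-era identifiers, and indexing the hits so a subject access request can locate every file that must be quarantined and processed. This is added example code, not from the article or its author; the sample files, the pattern set and the validators are constructed for the demo, and a real deployment would need far broader patterns.

```python
import re
from collections import defaultdict

# Constructed sample "files" standing in for a document store (not real data).
SAMPLE_FILES = {
    "crm/export.csv": "Jane Doe, jane.doe@example.com, card 4111111111111111, last IP 203.0.113.7",
    "support/ticket-42.txt": "Caller jane.doe@example.com from 203.0.113.7 asked about invoice 1234567812345670",
    "notes/todo.txt": "release v2.10.255.1 on 2020-01-01; build 4111111111111112; try 300.1.1.1 later",
}

# Ad-hoc patterns alone over-match (version strings, build ids, bad octets),
# so each candidate is passed through a validator before it counts as a hit.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "account": re.compile(r"\b\d{13,19}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def valid_ipv4(s: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in s.split("."))

VALIDATORS = {"email": lambda s: True, "ipv4": valid_ipv4, "account": luhn_ok}

def scan(files):
    """Return (hits, index): hits are (path, kind, value, start, end) with byte offsets
    so a file can be modified in place; index maps each identifier to the files holding it."""
    hits, index = [], defaultdict(set)
    for path, text in files.items():
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                if VALIDATORS[kind](m.group()):
                    hits.append((path, kind, m.group(), m.start(), m.end()))
                    index[m.group()].add(path)
    return hits, dict(index)

def files_for_subject(index, identifiers):
    """Files a subject access request must quarantine, given the identifiers the requester supplied."""
    paths = set()
    for ident in identifiers:
        paths |= index.get(ident, set())
    return sorted(paths)
```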

If you’re already under some of the stricter state or U.S. federal laws or under GDPR because you do business in the EU, then you’re really ahead of the game. At this point, it looks like it’s a matter of when tougher privacy rules will become the law of the land.
