Whenever new data privacy and cybersecurity laws go into effect, they create more work and responsibilities for cyber professionals. This reality hasn’t gone unnoticed by attorney Scott Giordano, who reminded cybersecurity professionals during a session about the California Consumer Privacy Act (CCPA) that the law will create new duties for them.
Giordano, Vice President of Data Protection at Spirion, went over details of the law, which takes effect on Jan. 1, 2020, and how organizations should prepare for it. His was one of a series of presentations at the 2019 (ISC)² Security Congress, taking place in Orlando this week, about privacy and security regulations, and their impact on how organizations go about collecting and keeping personal customer data.
The California law comes on the heels of Europe’s General Data Protection Regulation (GDPR), and employs a broad definition of personal information. It includes identifiers such as name, address, email account and passport number, as well as other data such as personal property, web purchases, and internet browser and search history. “You can see that just about anything is personal information,” Giordano said.
The law will require businesses to respond within 45 days to requests from individuals for the information companies keep about them. It also will give users the right to have their data deleted. But there are exceptions, such as using the data for debugging and security incident detection.
Giordano fielded a lot of questions in a roomful of (ISC)² Security Congress attendees, who clearly are keenly interested in how the law will work and what it means to them. Giordano also shared a list of recommendations to prepare for the law, including the following:
- Create a data inventory.
- Create a data subject access request (DSAR) process.
- Determine what to include in a report to fulfill a data request and how to package it. “You don’t want to create a snowflake for every consumer; otherwise, you’re going to get buried,” he said.
- Determine a delivery mechanism – customer account, email, regular mail.
- Have a protocol to “make sure nothing falls through the cracks.”
The CCPA and other regulations were the subject of a panel discussion of attorneys on Monday afternoon. Panelists talked about another upcoming data privacy statute, the New York SHIELD Act, which takes effect on March 21, 2020.
The New York law is the most prescriptive yet, said Monique Ferraro, Cyber Counsel, Global Cyber Products at the Hartford Steam Boiler Insurance and Inspection Co. It lays out what the state expects companies to implement as part of their cybersecurity programs and expands the definition of personal identification information (PII), she said.
Unlike the California law, which does not address breach notification, the New York statute covers the reporting of breaches to the attorney general and the state police. It also covers the implementation of security programs and the need to put one or more employees in charge of them.
Coping with GDPR
Earlier on Monday, James MacKay, Deputy CISO and Data Protection Officer at insurance carrier Markel Corp., related his company’s experiences with GDPR before and after the law took effect. Four days after the law took effect, he got a call about a possible violation, he said.
Documents meant for each of two lawyers were mistakenly sent to the other, which could have been a problem because of the information they contained. Fortunately, neither recipient opened the documents and the situation was resolved.
Then someone in the U.S. operations left the organization and emailed the full company phone directory to their personal address. Since the directory contained no email addresses, no violation occurred. Another incident involved an email sent to a recipient who threatened to complain to regulators because it didn’t have an opt-out link. The recipient did not follow through, so another issue was averted.
The incidents showed MacKay the company needed better data protection policies and procedures. This included making him Markel’s data protection officer, a position the company didn’t have before, and creating a framework for data protection. The framework covers privacy controls and procedures for communicating about data protection to the Markel board.
Part of the challenge was to establish a clear understanding of what data is used when a company launches a new service or application, and where the data comes from. Because Markel operates in 17 countries, the framework has to be standardized across its global operations. “We are not fully there yet. We are still working on it but that’s our intention,” he said.
Markel also decided to educate all employees on GDPR and how it affects them. In addition, he has regular conversations about data protection with the CEO. Lastly, MacKay said, Markel has a process for reporting data privacy incidents, should one ever happen. “We have a defined process for reporting to the regulator, and we practice it. It’s something we feel is important and it’s something we feel we have to get right across all of our different regions.”