Stairs and columns outside government building

As concerns about data privacy and the protection of personal information grow, state regulators are enacting laws to address breach notification requirements – specifically, whether, when, how and to whom notifications of a breach must occur. California, New Jersey, Washington and Illinois are among the latest states to enact legislation that will significantly impact businesses operating in those jurisdictions.

What you need to know

These laws typically define the nature of information and types of organizations covered under the law, methods and timing to notify affected parties, and requirements to notify regulators.

The types of data covered is far-reaching. For example, Illinois enacted a biometric privacy law –recently held up in a state supreme court case – that gives individuals the right to sue if their biometric data is collected without consent. The law in Washington state covers hard copy records, as well as digital ones.

While no two laws are the same, one thing is clear: Privacy is here to stay. Existing statutes and case law have reinforced the notion that the data subject, not the data collector, is the owner of the data. And there is every reason to expect that privacy requirements will only grow more complex and rigorous over time. California was the first state to model its regulation after the General Data Protection Regulation (GDPR), the EU’s sweeping privacy regulation, but it will not likely be the last.

Why this is important

In many cases, once laws are signed, they go into effect on an accelerated timeline. For example, a Massachusetts law signed in January went into effect just three months later despite significant changes, including a requirement to provide complimentary credit monitoring when a breach involves a social security number. In Nevada, implementation is required beginning Oct. 1, 2019 – just five months after the regulation was passed. In California, businesses have until Jan. 1, 2020 to comply, although amendments are continuing to be made there, so the final details remain unclear.

The cost of inaction or noncompliance can be severe. While the structure of penalties varies from state to state, they are trending well past warnings and slaps on the wrist. In California, for example, fines are levied per record breached. In Arizona, the maximum fine is $500,000 per breach event while Alabama can impose a fine of $5,000 per day for failure to comply with its notification law.

Not all regulatory details are settled. It is likely that case law will ultimately determine the intricacies of how different laws are interpreted (e.g., what constitutes a breach or which types of data are covered data). Likewise, it is impossible to prevent every possible future breach. For organizations to sufficiently protect themselves, it will be important to demonstrate good faith efforts to identify and remedy risks. The extent to which an organization can show regulators that they did the work up front and put controls into place based on industry standards and best practices, will determine the strength of their case for reduced penalties.

Steps to take now

It is impractical and inefficient for organizations to revamp data privacy programs each time a new law goes into effect. Organizations with a presence in multiple jurisdictions should instead think holistically about their privacy programs by taking the following steps:

  1. Identify potential data and systems that could be affected by privacy and data breach regulations: Put a process in place to understand what data you collect, for what purpose, how many records are involved and where it is stored. Segment the data by jurisdiction, so it will be easier to align with new regulations when needed.  In some cases, the risk may not be immediately obvious. For example, most people would agree that a social security number is private information that should be protected. But what about security camera footage? Do you know what laws are in place to protect a person’s likeness?
  2. Understand existing data privacy controls: Review your existing data protection controls and compliance efforts. Are written security protocols in place? Do you have a handle on your risk exposure? Are you compliant with existing frameworks, such as ISO, HIPAA or Privacy Shield? Which best practices are used to inform your approach?
  3. Determine a plan to get compliant and stay compliant: Once you understand the scale and scope of your risk, along with whether and how new regulations are relevant to you, prioritize the development of a well-documented plan that is designed to account for and address evolving regulations. A trusted advisor can help you understand the nature of the information you have, what the risk is and what the options are. For many organizations, this is simply a matter of becoming aware of the regulatory landscape and aligning your risk profile to it. You may be closer to compliance than you think.

For more information on this topic, or to learn how Baker Tilly specialists can help you with privacy and data protection program development, contact our team.

Aerial view of people walking through a plaza
Next up

Banking KPI insights: 2019 first quarter metrics of note