By: Brian Egenrieder, CRO, SyncDog
The U.S. does not yet have a comprehensive federal data privacy law comparable to the GDPR in Europe. The closest thing to one is the Federal Trade Commission Act, whose Section 5 lets the Federal Trade Commission take enforcement action against a company that engages in "unfair or deceptive" practices, which the FTC has applied to companies that fail to protect consumers' personal information as promised. Momentum is building, however, as new and broader data protection mechanisms are put in place. One of the more notable, aimed primarily at government contractors, is the Cybersecurity Maturity Model Certification (CMMC). CMMC is a cybersecurity requirement rather than a privacy law: companies seeking to work with the Department of Defense (DoD) must be certified at the level their contract requires, verifying that they follow cybersecurity best practices when handling controlled unclassified information (CUI). The enforcement date of CMMC is somewhat unclear and depends on contract type, with the requirement scheduled to appear in certain RFPs in the fall of 2020.
Because there has been no widespread, GDPR-like mandate, state governments are taking data privacy into their own hands. One of the first results is the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, with enforcement beginning on July 1, 2020. CCPA gives California consumers four fundamental rights: 1. the right to know what personal information a business collects about them and how it is shared; 2. the right to have that information deleted; 3. the right to opt out of the sale of their personal information; and 4. the right not to be discriminated against for exercising these rights. Following California's lead, other states, including New York, Maryland, Hawaii, North Dakota, and Massachusetts, have introduced data privacy bills of their own.
With new data privacy rules and regulations appearing left and right in the United States, how are businesses supposed to keep track and pivot to ensure compliance, especially when enforcement dates shift with minimal notice?
There are a few key steps you can take to stay in the know about regulations that impact your business:
If You Have a Legal Team, Ask Them!
It is in your legal team's interest to stay current on the ever-changing privacy landscape. Work with them to determine whether your current controls, policies and procedures meet upcoming privacy legislation. IT, leadership and legal teams need to be in regular communication about what data the company collects, stores, processes and shares, because that determines which new laws and certifications apply. Keeping a baseline data inventory (what personal data you hold, where it lives, who can access it, and who it is shared with) is what keeps you prepared: every right CCPA grants, from access to deletion, presupposes that you can find the data in the first place.
Set Up Google Alerts
Set up a Google Alert for the regulation's full name and its acronym, and another for the entity overseeing its implementation. For CMMC, for example, the alerts would be for "CMMC", "Cybersecurity Maturity Model Certification", and "Office of the Under Secretary of Defense for Acquisition and Sustainment". You can set the alert's region to the United States, choose "Only the best results" over all results, and pick how often you want email updates.
Chat with Your Network
When a new regulation is put in place, few businesses know from the start everything needed to get their ducks in a row for compliance. Lean on your network of peers: ask how they are addressing it and whom they rely on for reliable guidance. Keep an eye on email blasts from the industry organizations you belong to; these organizations exist to share industry news and best practices.
Ask the Source
Advice from peers is a good start, but for the most authoritative answers, go to the source of the regulation or certification. Sticking with the CMMC example, you can consult the program's FAQ page and use its contact form to raise specific concerns and questions. Your Google Alerts help here too by flagging official press releases.
Have a Holistic Security Measure in Place
The truth is that government is playing catch-up in protecting private citizens' data, and the tools to implement these requirements already exist. The quickest way to be well positioned for compliance with new regulations and certifications is to build a holistic security tool into your business's daily operations. For example, our containerized application solution for mobile devices, Secure.Systems, encrypts corporate data at rest, in use, and in transit. If a device running Secure.Systems is lost or stolen, or an employee leaves, the application and any company data inside it can be remotely wiped. Of particular relevance is the solution's ability to report on application access, data access, data transmission and device location, because accountability for where and how data was used is a central tenet of most upcoming regulations. Note that a tool supports compliance but does not establish it on its own: regulators and CMMC assessors look at your policies, procedures and evidence as well as your technology.
To learn more about how Secure.Systems can help your business achieve compliance with most government regulations, get in touch with our team!
Note: The content of this blog is not legal advice and was not written by a legal professional.