
Q&A: Tech CEOs are asking Congress for Federal Data Privacy Law

By Tim Sandle     Oct 6, 2019 in Technology
Recently 51 tech CEOs sent an open letter to Congress asking for a federal data privacy law, signalling that companies do not want a patchwork of regulations. What might this federal law look like? Chris Hertz of DivvyCloud takes a look.
The lobbying of Congress, the looming enactment of California’s own privacy act (CCPA), and the fact that other states are ramping up talks of enacting their own privacy laws indicate that such disparate measures could prove a challenge for U.S. organizations. This includes firms that do business in the EU.
As companies undergo digital transformation, they must make security a priority not just to comply with data privacy laws, but to protect consumer information, which is what all these laws would (at least in part) be designed to do. The adoption of new technologies can create as many risks as it does opportunities. However, with the right guardrails in place, organizations can continue to leverage new technologies to obtain a competitive edge while remaining secure.
Chris Hertz, the CRO at DivvyCloud, delves deep into the subject of privacy laws for Digital Journal.
Digital Journal: Why do you think these 51 tech CEOs sent an open letter to Congress asking for a federal data privacy law?
Chris Hertz: California already has a data privacy law that will be enacted in January 2020, and countless other states have discussed enacting their own regulations. It’s entirely possible that if we stay on the current path, every state will have its own data privacy law, and companies will be forced to navigate 50 different regulations in order to do business in the U.S. The companies that penned the open letter to Congress are trying to change this current course and avoid the possibility of there being a different data privacy law in every state. A federal standard would be much easier to comply with instead of a patchwork of 50 different state laws, and it would make it easier, especially for small businesses, to conduct business online.
DJ: Why do you believe a federal data privacy law in the U.S. would be more effective than several state regulations?
Hertz: Even though large organizations that operate internationally have the global scale, legal teams and other resources that are needed to make sure they comply with numerous different data privacy standards, it is still expensive to understand and implement new processes that would be necessary for compliance. It would be especially difficult for small and medium-sized businesses (SMBs) that operate throughout the U.S. to comply with multiple sets of regulations, given their more limited resources, and thus puts these SMBs at a significant disadvantage compared to their larger peers and competitors.
Being legally bound to comply with 50 different sets of data privacy regulations in order to operate in all states in the U.S. could be seen as a barrier to enter or continue operations across all industries. A single law that governs all user privacy and data protection would simplify compliance and data management for organizations of all sizes while still facilitating a competitive market.
DJ: Would a federal data privacy law be modeled after CCPA or do you believe it would mirror GDPR more?
Hertz: The U.S. Government Accountability Office (GAO) gave Congress the green-light to pass a federal internet data privacy legislation that is similar to GDPR to enhance consumer protections. Tim Cook, Apple’s CEO, even called on the U.S. to introduce laws that are equivalent to GDPR in 2018.
For organizations that operate internationally in the European Union (EU) and companies that expect to scale globally and start doing business in the EU, it would be easier to comply with two data privacy laws that are similar instead of two that have major differences.
DJ: What are some of the drivers behind the need for a federal data privacy regulation?
Hertz: When the GAO initially gave Congress the go-ahead to pass a federally regulated internet data privacy legislation, the agency’s investigators cited multiple different privacy issues as drivers behind the need for a federal law. Events that were cited include 2018’s Facebook Cambridge Analytica scandal, the lack of regulation in IoT, the fact that automakers will begin collecting data from smart car owners, minimal oversight into the practices of data brokers, and a deficiency of protections for mobile users against secret data collection practices.
DJ: Why should organizations make securing consumers’ data a priority, and what technologies are available to assist organizations in securing their data?
Hertz: Data breaches are expensive for everyone involved and have a real and negative impact on people’s lives and on society that extends beyond just the monetary impact. But to highlight just the monetary costs, the Ponemon Institute’s 2019 Cost of a Data Breach Report found that the total cost of a data breach in the U.S. is $8.19 million on average, more than twice the global average.
When you take into consideration the 130 reported data breaches that occurred in the U.S. just in August 2019, according to the Identity Theft Resource Center, data breaches will have cost U.S. organizations an estimated total of more than $1.06 billion -- just in August 2019. Companies also have to fear diminished brand reputation and loss of customers if they suffer data breaches. For example, 87 percent of consumers will take their business elsewhere if they do not trust a company is handling their data responsibly, according to PwC. Beyond that there is also the simple explanation that companies have a duty and a responsibility to protect their customers.
Companies continue to suffer data breaches due to avoidable issues such as misconfiguring a cloud database, storage, or search engine service -- all of which can have massive consequences, especially if the misconfigured database contains customer information. For example, Capital One’s recent misconfigured firewall led to a former AWS employee using web application firewall credentials to obtain privilege escalation in order to access one of the company’s S3 buckets, therefore compromising more than 100 million users’ data. Capital One is not alone, as other companies that have suffered exposures of data due to misconfigurations this year include Facebook, FedEx, Verizon and GoDaddy.
When considering the true cost of a data breach, companies must take into consideration that the cost of a data breach includes fines for violating data privacy laws, the cost of cleanup and incident response, cost of reparations for exposed customers and even litigations. In fact, Marriott and British Airways were fined more than $350 million combined for failing to comply with GDPR with the news of each of the organizations’ 2018 data breaches.
We live in a world where there are hundreds of thousands of threat actors continuously trying to exploit vulnerabilities. Hackers are typically successful since organizations still continue to have an approach to security that is manual and periodic rather than continuous, even as companies rapidly adopt new technologies like public cloud that increase the scale and complexity of securing data and applications. Inevitably, this creates a cycle of shifting in and out of compliance and true security, and even a brief lapse in compliance or security opens a window that can be exploited.
In order to avoid the monetary costs of data breaches, maintain a higher level of customer trust, adhere to data privacy regulations and even gain a competitive edge, organizations need to adopt automated security solutions. Automated security solutions perform continuous discovery of infrastructure resources that allow organizations to discover risks and threats, and either automate the remediation of those vulnerabilities or alert the appropriate personnel of the issue in real-time.