It’s been one year since GDPR was put into place in Europe, and as security breaches continue across the world, the appetite for laws and regulations that protect personally identifiable information grows in the U.S.
Twenty-five states either have their own data security laws in place or have laws in progress in their state’s legislature. One of the key state data security laws to watch will be California’s Consumer Privacy Act, which goes into effect on Jan. 1, 2020.
With all these changes and challenges facing the country, U.S. citizens are starting to ask, “Does our country need something as strict as GDPR?” and “How would data privacy laws affect my business?”
Answering the Tough Data Security Questions
The U.S. federal government faces a growing appetite for data protection laws as a result of continued high-profile information security breaches and data leak scandals such as Facebook’s Cambridge Analytica incident. A 2018 survey from SAS found that 67% of individuals think that the federal government should play a role in setting basic data protection standards to ensure personal information is secure.
Several bills have been proposed in Congress following the GDPR’s May 2018 effective date, but it may be difficult for this particular Congress to reach a consensus on what U.S. data protection laws should entail and which agency would be responsible for enforcing them. For example, a draft of a bill called the Consumer Data Protection Act suggested that Congress expand the Federal Trade Commission’s jurisdiction so that it could regulate and enforce data privacy standards.
Uniform federal guidance may help companies prioritize and shore up their information security protocols. As it stands, there are disparate laws across the country, and companies (outside of the health care and financial sectors) are not following a single standard for protecting personal information. This may leave many companies under-protected should an information security breach occur.
What’s more, because of the array of data protection laws at the state level, companies that fall victim to an information security incident may also find themselves sifting through the requirements of several state data laws in the wake of that incident. For example, data breach notification laws vary by state and may depend on the number of individuals affected and the specific type of information compromised.
What Data Privacy Conversations Mean for Businesses
Data protection laws and standards will affect companies of all sizes, as all types of organizations are equally liable in the case of a breach in security.
One of the ways companies can prepare for eventual data privacy law changes, in whatever form they come, is to use the GDPR regulations as a guide. Many companies, both domestic and foreign, found that GDPR compliance took significant work, and companies continue to work to bring their protocols up to the strict European information security standard.
One way your company can gauge how much effort data protection might involve, before any U.S. law goes into effect, is to measure your information security readiness and awareness. The questions below offer some insight into the types of requirements that are gaining popularity as a result of the GDPR.
- Do you have an opt-in and opt-out policy on your website or marketing materials?
- Have you purchased a list of personal contact information?
- Have you recently conducted a general scan for current information security control weaknesses?
- When was the last time you had a penetration test and/or a network scan?
- Do you have a transparent cookie policy linked to your privacy policy on your website?
- Have you thought about where most of your consumers live? Expert tip: Keep an eye out for legislation coming from states like California, New York, or Washington.
- Have you started reviewing how you are interacting with customers? Expert tip: Seek to have customers opt in rather than opt out of electronic communication.
- Have you checked with your web-based communication platforms such as marketing, ecommerce, and loyalty services to find out what their security and data protection policies are?
While this might seem like a large undertaking, it can also build consumer trust and add value to your company’s brand. A visible commitment to information security can generate goodwill among your consumers. Starting this process one step at a time will help your business be ready if (or when) new privacy laws roll out across the U.S.
For more information about how your company can position itself for the cyber regulation culture change, please contact us.
Published on August 05, 2019 © Copyright CBIZ, Inc. and MHM. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ). MHM (Mayer Hoffman McCann P.C.) is an independent CPA firm that provides audit, review and attest services, and works closely with CBIZ, a business consulting, tax and financial services provider. CBIZ and MHM are members of Kreston International Limited, a global network of independent accounting firms. This publication is protected by U.S. and international copyright laws and treaties. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.