It’s been one year since GDPR was put into place in Europe, and as security breaches continue across the world, the appetite for laws and regulations that protect personally identifiable information grows in the U.S.

Twenty-five states either have their own data security laws in place or have laws in progress in their state’s legislature. One of the key state data security laws to watch will be California’s Consumer Privacy Act, which goes into effect on Jan. 1, 2020.

With all these changes and challenges facing the country, U.S. citizens are starting to ask, “Does our country need something as strict as GDPR?” and “How would data privacy laws affect my business?”

Answering the Tough Data Security Questions

The U.S. federal government faces a growing appetite for data protection laws as a result of continued high-profile information security breaches and data leak scandals such as Facebook’s Cambridge Analytica incident. A 2018 survey from SAS found that 67% of individuals think that the federal government should play a role in setting basic data protection standards to ensure personal information is secure.

Several bills have been proposed within Congress following the GDPR’s May 2018 effective date, but it may be difficult for this particular Congress to reach a consensus around what U.S. data protection laws should entail and which agency would be responsible for enforcing it. For example, a draft of a bill called the Consumer Data Protection Act suggested Congress should expand the Federal Trade Commission’s jurisdiction so that it could regulate and enforce data privacy standards.

Uniform federal guidance may help companies prioritize and shore up companies’ information security protocol. As it stands, there are disparate laws across the country. Companies (outside of the health care and financial sectors) are not following a set standard of protection of personal information. This might leave many companies under-protected should an information security breach occur.

What’s more, because of the array of data protection laws at the state level, companies that are the victim of an information security incident may also find themselves having to siphon through their various data law requirements in the wake of an incident. For example, data breach notification laws vary by state and may depend on the number of individuals affected and the specific type of information compromised.

What Data Privacy Conversations Mean for Businesses

Data protection laws and standards will affect companies of all sizes, as all types of organizations are equally liable in the case of a breach in security.

One of the ways companies can be prepared for eventual data privacy law changes, in whatever form they come, is to look to the GDPR regulations as a guide. Many companies, both domestically and abroad found that GDPR compliance took significant work, and companies continue to work to bring their protocol up to the strict European information security standard.

One of the ways your company can test how much effort might be involved in data protection before any U.S. law would go into effect would be to measure your information security readiness and awareness. The questions below might provide some insight into the types of requirements that are gaining popularity as a result of the GDPR.

  • Do you have an opt-in and opt-out policy on your website or marketing materials?
  • Have you purchased a list of personal contact information?
  • Have you recently conducted a general scan for current information security control weaknesses?
  • When was the last time you had a penetration test and/or a network scan?
  • Do you have a transparent cookie policy linked to your privacy policy on your website?
  • Have you thought about where most of your consumers live? Expert tip: Keep an eye out for legislation coming from states like California, New York, or Washington.
  • Have you started reviewing how you are interacting with customers? Expert tip: Seek to have costumers opt-in rather than opt-out of electronic communication.
  • Have you checked with your web-based communication platforms such as marketing, ecommerce, and loyalty services to find out what their security and data protection policies are?   

While this might seem like a large undertaking, it can also create consumer trust and add value to your company’s brand. A commitment to information security could generate goodwill for your consumers. Starting this process one step at a time will help your business be ready if (or when) new privacy laws roll out across the U.S.

For more information about how your company can position itself for the cyber regulation culture change, please contact us.

Related Reading


Myth-Busting the Revenue Recognition Standard

Published on August 05, 2019