Given the many data breaches dominating the news over the past several years — think Yahoo, OPM, Anthem, Equifax, even Facebook — data privacy regulations have gained increased relevance and importance.
Authorities are attempting to ensure that companies to whom people entrust their data are handling it properly.
Get the ultimate starter guide on making an employee handbook that works.
Consumer Data Privacy Protections
To date, California has been the most proactive state in terms of legislation that protects people’s data. The California Consumer Privacy Act (CCPA), enacted by the state’s legislature in June of 2018, continues to lead the way. This law is set to go into effect on January 1, 2020.
The law will allow California consumers to:
- Demand to see all the information a company has saved about them
- View a full list of all the third parties that data is shared with
- Sue companies if the privacy guidelines are violated, even where there has not been a breach
Under the CCPA, companies have a 72-hour window in which they must report a data breach.
Some of the requirements are still in flux. The final bill contains many provisions that require further clarification — some clarifying amendments have already been enacted, and more may still be on the way.
That said, from a data security and privacy perspective, you might consider using this law as a north star for your own business. It’s likely that other states and localities will follow suit with similar legislation.
Data Security Best Practices
Even if your business is not covered under the CCPA, here are five data security best practices to help you limit your risk:
1. Only Collect What You Need
Conduct a risk-based assessment around what kinds of data you collect and hold. As a general rule, limit the data you collect to only what is absolutely needed. If you don’t actually need customers’ Social Security numbers (SSNs), phone numbers, or even names, then simply don’t collect them! Whatever you collect, you’re responsible for, so it’s better to take on less risk. An established data security policy and standard that is published to your entire organization is necessary to help establish the proper data handling standards.
Be sure to follow standard practices around vendor risk management for any vendors you use. This will help to manage third-party risk, and prepare you to respond to any of those requests for information.
2. Properly Protect What You Do Collect...
Whatever data you are collecting needs to be protected. Implement appropriate data security measures, including proper access control that limits who has access to data. It’s also crucial to ensure the encryption of data in transit as well as data at rest.
An example of encryption at rest would be implementing full disk encryption on endpoints and laptops. This not only safeguards the data in the event that a device is lost or stolen, but also provides encryption “safe harbor” in certain regards. Safe harbor exemptions included in breach statutes of a number of states limit a company's liability if it can be demonstrated that the data was encrypted.
3. ...Especially the Most Sensitive and Critical Data
Let’s say you do need to collect SSNs for you business. That kind of sensitive data should have additional protective measures implemented to protect it, like tokenization. Follow privacy and data security standards and frameworks outlined by leading industry organizations, such as:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Payment Card Industry (PCI) Data Security Standard (DSS)
- Center for Internet Security (CIS) benchmarks
- Statement on Standards for Attestation Engagements (SSAE), an auditing standard for service organizations
4. Classify and Map Your Data
Data classification, and mapping where user data is stored, are vitally important. Requirements around tracking, accessing, and storing data — like those under the CCPA — mean your security teams will need to work closely with database administrators and other stakeholders to get visibility into data storage and ensure access to it is fully secured.
Training and awareness cannot be over emphasized. Employees should be trained on the proper handling and care for each category of data. Security training and awareness also helps reduce the risk of employees falling for phishing emails or behavior that can potentially put not only their own data at risk, but the company’s as well.
For more on security awareness and training, check out this related article: Security 101: Protect Your Small Business with These Tips
5. Develop an Incident Response Plan
Having an incident response plan already in place helps your organization to be able to respond promptly and limit the damage that could result from an incident.
This plan should include how you would respond in the event that something goes wrong. For instance, if breach notifications have to be made — what will your process be for doing that? You should also plan for any teams or resources that you’d require. If you’re a small business, you’ll likely want to engage outside privacy professionals or lawyers for help in an incident.
This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for, legal or tax advice. If you have any legal or tax questions regarding this content or related issues, then you should consult with your professional legal or tax advisor.