Navigating The Newest Data Privacy Regulations
by Sean Curiel, on Feb 7, 2023 6:32:09 AM
Businesses is changing! New ways of delivering value are being made possible through processes such as digital transformation. As industries worldwide integrate new technologies into their environment, the result is often significantly more data being generated, stored and shared digitally. Accordingly, the need to regulate private and sensitive data has become increasingly important and ever-present. Organizations of all sizes, whether corporations or IT providers, must take care to respect the latest data privacy laws to ensure the security of their customer's information, to protect their reputation and to avoid the heavy fines that may be imposed for non-compliance.
Achieving compliance can be a challenge for system administrators that are already spread-thin across several IT projects, often working under a limited budget. We can break this undertaking down into three important components.
1. Data classification and management: Understanding what private data is being collected and its priority. Verifying that it is being gathered and stored in such a way that it meets compliance requirements.
2. Infrastructure and technical: Your hardware, software and the means by which data is transferred, backed-up and deleted must employ encryption, authentication, and other required security standards.
3. Employee education and training: Your security policies must not only be documented, but also well-understood and executed correctly by your team. Training will be required for each of your response team to understand their role in maintaining compliance.
These security requirements are ever-evolving, based on the latest laws and amendments, which compels us to stay informed. Let's take a look at some of the newest changes in the industry.
California Privacy Rights Act (CPRA)
Amendment to the California Consumer Privacy Act (CCPA)
The CPRA went into effect January 1st, 2023 with the goal of giving consumers more say in how their personal information is used by businesses who gather it. This law limits what information can be collected, how the consumer is notified of collection, how that data is shared with other businesses, and it provides the consumer with the ability to opt-out. Perhaps most interestingly is that it also gives the consumer a right to request what specific information a company has about them and request that information be corrected, limited and even deleted! This places the burden of data removal on the business who collects it, and while there is an exception built in for archives and backups, it raises questions. Will future amendments include backup data? When a backup is restored (and again becomes production data), will that client's data once again be promptly dealt with in your organization?
It’s also important to note that CPRA/CCPA enforcement is newly being handled by California Privacy Protection Agency (CPPA). The industry expectation here is that enforcement activities will increase significantly over the prior authority, the California Attorney General.
While California was the first state to launch a data protection law, others have their own coming into effect or are rapidly working to get one in place.
Virginia, Connecticut, Colorado and Utah
In the U.S. following California, other states are passing state privacy laws to regulate how data is collected. Similarly, they call for regular security risk assessments and employee training. Individuals have a right to opt out their personal data from targeted advertising, profiling and sales. While the laws are similar, there will are no doubt specifics which should be observed by businesses who are working with personal data in these states.
Not far behind on the legislative trail is Michigan, Ohio, New Jersey and Pennsylvania with their own bills underway.
"74% of MSPs clients struggle to comply with regulations like HIPAA, GDPR, and PCI-DSS."
Kaseya’s 2022 Global Benchmark Survey Report
Payment Card Industry Data Security Standard (PCI DSS) 4.0
While PCI DSS 4.0 was released in 2022, we are currently mid-transition for its replacement of the v3.2.1 standard which will be complete in March 2025. Organizations will need to be compliant with the new standard by that time. This standard, crated by the major credit card companies, was built to protect private data as it is processed, transmitted and stored. The new requirements in 4.0 do much to address client-side security which has been a vulnerability for the latest security threats. Organizations will need to identify and document all web assets, ensure that applications and system components are securely configured and that vulnerabilities can be identified. In fact, any system that might affect the credit card data environment, even MSP’s who may not be processing the data themselves, will have security requirements to maintain. This may include intrusion detection and the support of penetration testing.
Support for Windows Server 2012 and Windows Server 2012 R2 will come to an end on October 10, 2023 and no longer receive security updates. If you are running these operating systems after this deadline it can directly affect the state your regulatory compliance. Request a consultation
Quebec's Law 25
Quebec's Law 25 (previously Bill 64) to modernize its private and public sector privacy laws was enacted by the national assembly of Quebec on 21 September 2021. It applies to all businesses operating in Quebec that collect personal information in the course of their activities, requiring that they take action and receive consent before using, transferring and disclosing data. The law has been amended many times over the years, with major changes coming into effect on September 22, 2023.
These changes have the potential to significantly affect the compliance requirements of organizations inside Quebec - and the businesses who interact with them.
Policies will be implemented for how personal information (and consent) is obtained, retained and destroyed. Data which is no longer needed will need to be either destroyed or anonymized. A Privacy Impact Assessment (PIA) must be done for any project that deals with transferring personal information across the border. And now individuals have the right to request organizations to stop processing their data.
Organizations of all shapes and sizes must put forth effort to respect the newest compliance regulations coming into play this year. Protecting the private and personal data of customers and partners, preserving their reputation and avoiding heavy fines are in everyone’s best interest. Stay informed and speak with data protection experts, like our team here at NovaBACKUP, to develop a strategy that conforms to strict compliance standards but offers your organization the access data flexibly, inspiring productivity and facilitating the modernization of your business in the age of digital transformation.
Note: The information provided in this blog post is for educational purposes only and is not intended to be a substitute for professional legal advice. The authors are not lawyers and any information regarding legal specifics, fines, etc. should be verified with a qualified lawyer that specializes in regulatory compliance.