Share this
Navigating The Newest Data Privacy Regulations
by Sean Curiel on Feb 7, 2023 6:32:09 AM
Businesses are changing! New ways of delivering value are being made possible through processes such as digital transformation. As industries worldwide integrate new technologies into their environment, the result is often significantly more data being generated, stored, and shared digitally. Accordingly, the need to regulate private and sensitive data has become increasingly important and ever-present. Organizations of all sizes, whether corporations or IT providers, must take care to respect the latest data privacy laws to ensure the security of their customers' information, to protect their reputation, and to avoid the heavy fines that may be imposed for non-compliance.
Achieving compliance can be a challenge for system administrators who are already spread-thin across several IT projects, often working under a limited budget. We can break this undertaking down into three important components.
1. Data classification and management: Understanding what private data is being collected and its priority. Verifying that it is being gathered and stored in such a way that it meets compliance requirements.
2. Infrastructure and technical: Your hardware, software, and how data is transferred, backed up, and deleted must employ encryption, authentication, and other required security standards.
3. Employee education and training: Your security policies must not only be documented but also well-understood and executed correctly by your team. Training will be required for each of your response team members to understand their role in maintaining compliance.
These security requirements are ever-evolving, based on the latest laws and amendments, which compel us to stay informed. Let's take a look at some of the newest changes in the industry.
What's New in Terms of Data Privacy Regulations?
California Privacy Rights Act (CPRA)
Amendment to the California Consumer Privacy Act (CCPA)
The CPRA went into effect on January 1st, 2023, intending to give consumers more say in how their personal information is used by businesses that gather it. This law limits what information can be collected, how the consumer is notified of collection, how that data is shared with other businesses, and it provides the consumer with the ability to opt out. Perhaps most interestingly is that it also gives the consumer the right to request what specific information a company has about them and request that information be corrected, limited, and even deleted! This places the burden of data removal on the business that collects it, and while there is an exception built in for archives and backups, it raises questions. Will future amendments include backup data? When a backup is restored (and again becomes production data), will that client's data once again be promptly dealt with in your organization?
It’s also important to note that CPRA/CCPA enforcement is newly being handled by the California Privacy Protection Agency (CPPA). The industry expectation here is that enforcement activities will increase significantly over the prior authority, the California Attorney General.
While California was the first state to launch a data protection law, others have their own coming into effect or are rapidly working to get one in place.
Virginia, Connecticut, Colorado, and Utah
In the U.S., following California, other states are passing state privacy laws to regulate how data is collected. Similarly, they call for regular security risk assessments and employee training. Individuals have a right to opt out of their personal data from targeted advertising, profiling, and sales. While the laws are similar, there will be no doubt specifics that should be observed by businesses that are working with personal data in these states.
Not far behind on the legislative trail are Michigan, Ohio, New Jersey, and Pennsylvania, with their own bills underway.
"74% of MSPs' clients struggle to comply with regulations like HIPAA, GDPR, and PCI-DSS."
Kaseya’s 2022 Global Benchmark Survey Report
Payment Card Industry Data Security Standard (PCI DSS) 4.0
While PCI DSS 4.0 was released in 2022, we are currently mid-transition to its replacement of the v3.2.1 standard, which will be complete in March 2025. Organizations will need to be compliant with the new standard by that time. This standard, created by the major credit card companies, was built to protect private data as it is processed, transmitted, and stored. The new requirements in 4.0 do much to address client-side security, which has been a vulnerability for the latest security threats. Organizations will need to identify and document all web assets, ensure that applications and system components are securely configured, and that vulnerabilities can be identified. Any system that might affect the credit card data environment, even MSPs who may not be processing the data themselves, will have security requirements to maintain. This may include intrusion detection and the support of penetration testing.
WARNING: Support for Windows Server 2012 and Windows Server 2012 R2 will come to an end on October 10, 2023, and no longer receive security updates. If you are running these operating systems after this deadline, it can directly affect the state of your regulatory compliance. |
Quebec's Law 25
Quebec's Law 25 (previously Bill 64) to modernize its private and public sector privacy laws was enacted by the National Assembly of Quebec on 21 September 2021. It applies to all businesses operating in Quebec that collect personal information in the course of their activities, requiring that they take action and receive consent before using, transferring, and disclosing data. The law has been amended many times over the years, with major changes coming into effect on September 22, 2023.
These changes have the potential to significantly affect the compliance requirements of organizations inside Quebec and the businesses that interact with them.
Policies will be implemented for how personal information (and consent) is obtained, retained, and destroyed. Data that is no longer needed will need to be either destroyed or anonymized. A Privacy Impact Assessment (PIA) must be done for any project that deals with transferring personal information across the border. And now individuals have the right to request that organizations stop processing their data.
Conclusion
Organizations of all shapes and sizes must put forth effort to respect the newest compliance regulations coming into play this year. Protecting the private and personal data of customers and partners, preserving their reputation, and avoiding heavy fines are in everyone’s best interest. Stay informed and speak with data protection experts, like our team here at NovaBACKUP, to develop a strategy that conforms to strict compliance standards but offers your organization access to data flexibly, inspiring productivity and facilitating the modernization of your business in the age of digital transformation.
Note: The information provided in this blog post is for educational purposes only and is not intended to be a substitute for professional legal advice. The authors are not lawyers and any information regarding legal specifics, fines, etc. should be verified with a qualified lawyer that specializes in regulatory compliance.
Share this
- Pre-Sales Questions (96)
- Tips and Tricks (92)
- Industry News (37)
- Reseller / MSP (32)
- Best Practices (31)
- Disaster Recovery (24)
- Cloud Backup (23)
- Storage Technology (23)
- Security Threats / Ransomware (22)
- Compliance / HIPAA (21)
- Applications (19)
- Backup Videos (19)
- Virtual Environments (16)
- Technology Updates / Releases (6)
- Backup preparation (5)
- Infographics (5)
- Products (US) (3)
- Company (US) (1)
- Events (1)
- Events (US) (1)
- May 2025 (1)
- April 2025 (2)
- March 2025 (1)
- February 2025 (2)
- January 2025 (2)
- December 2024 (1)
- November 2024 (1)
- October 2024 (1)
- September 2024 (2)
- August 2024 (1)
- July 2024 (2)
- June 2024 (2)
- May 2024 (1)
- April 2024 (2)
- March 2024 (2)
- February 2024 (2)
- January 2024 (1)
- December 2023 (1)
- November 2023 (1)
- October 2023 (1)
- September 2023 (1)
- August 2023 (1)
- July 2023 (1)
- May 2023 (1)
- March 2023 (3)
- February 2023 (2)
- January 2023 (2)
- December 2022 (1)
- November 2022 (2)
- October 2022 (2)
- September 2022 (1)
- July 2022 (1)
- June 2022 (1)
- April 2022 (1)
- March 2022 (2)
- February 2022 (1)
- January 2022 (1)
- December 2021 (1)
- November 2021 (1)
- September 2021 (1)
- August 2021 (1)
- July 2021 (1)
- June 2021 (1)
- May 2021 (2)
- April 2021 (1)
- March 2021 (1)
- February 2021 (1)
- January 2021 (1)
- December 2020 (1)
- November 2020 (1)
- October 2020 (1)
- September 2020 (4)
- August 2020 (2)
- July 2020 (1)
- June 2020 (1)
- May 2020 (1)
- April 2020 (1)
- March 2020 (3)
- February 2020 (2)
- January 2020 (2)
- December 2019 (1)
- November 2019 (1)
- October 2019 (1)
- August 2019 (1)
- July 2019 (1)
- June 2019 (1)
- April 2019 (1)
- January 2019 (1)
- August 2018 (3)
- July 2018 (3)
- June 2018 (2)
- April 2018 (2)
- March 2018 (2)
- February 2018 (1)
- January 2018 (2)
- December 2017 (1)
- September 2017 (1)
- May 2017 (2)
- April 2017 (4)
- March 2017 (4)
- February 2017 (1)
- January 2017 (1)
- December 2016 (1)
- October 2016 (2)
- August 2016 (3)
- July 2016 (1)
- June 2016 (2)
- May 2016 (6)
- April 2016 (7)
- February 2016 (1)
- January 2016 (7)
- December 2015 (6)
- November 2015 (4)
- October 2015 (5)
- September 2015 (1)
- July 2015 (1)
- June 2015 (2)
- May 2015 (1)
- April 2015 (3)
- March 2015 (3)
- February 2015 (4)
- October 2014 (3)
- September 2014 (7)
- August 2014 (5)
- July 2014 (4)
- June 2014 (3)
- May 2014 (3)
- April 2014 (5)
- March 2014 (6)
- February 2014 (5)
- January 2014 (5)
- December 2013 (4)
- October 2013 (6)
- September 2013 (2)