NovaBACKUP Data Protection Blog

Navigating The Newest Data Privacy Regulations

Regulations

Businesses are changing! New ways of delivering value are being made possible through processes such as digital transformation. As industries worldwide integrate new technologies into their environment, the result is often significantly more data being generated, stored, and shared digitally. Accordingly, the need to regulate private and sensitive data has become increasingly important and ever-present. Organizations of all sizes, whether corporations or IT providers, must take care to respect the latest data privacy laws to ensure the security of their customers' information, to protect their reputation, and to avoid the heavy fines that may be imposed for non-compliance.

Achieving compliance can be a challenge for system administrators who are already spread-thin across several IT projects, often working under a limited budget. We can break this undertaking down into three important components.

1. Data classification and management: Understanding what private data is being collected and its priority. Verifying that it is being gathered and stored in such a way that it meets compliance requirements.

2. Infrastructure and technical: Your hardware, software, and how data is transferred, backed up, and deleted must employ encryption, authentication, and other required security standards. 

3. Employee education and training: Your security policies must not only be documented but also well-understood and executed correctly by your team. Training will be required for each of your response team members to understand their role in maintaining compliance.

These security requirements are ever-evolving, based on the latest laws and amendments, which compel us to stay informed. Let's take a look at some of the newest changes in the industry.

What's New in Terms of Data Privacy Regulations?

California Privacy Rights Act (CPRA)
Amendment to the California Consumer Privacy Act (CCPA)

The CPRA went into effect on January 1st, 2023,  intending to give consumers more say in how their personal information is used by businesses that gather it. This law limits what information can be collected, how the consumer is notified of collection, how that data is shared with other businesses, and it provides the consumer with the ability to opt out. Perhaps most interestingly is that it also gives the consumer the right to request what specific information a company has about them and request that information be corrected, limited, and even deleted! This places the burden of data removal on the business that collects it, and while there is an exception built in for archives and backups, it raises questions. Will future amendments include backup data? When a backup is restored (and again becomes production data), will that client's data once again be promptly dealt with in your organization?

It’s also important to note that CPRA/CCPA enforcement is newly being handled by the California Privacy Protection Agency (CPPA). The industry expectation here is that enforcement activities will increase significantly over the prior authority, the California Attorney General.  

While California was the first state to launch a data protection law, others have their own coming into effect or are rapidly working to get one in place.


Virginia, Connecticut, Colorado, and Utah

In the U.S., following California, other states are passing state privacy laws to regulate how data is collected. Similarly, they call for regular security risk assessments and employee training. Individuals have a right to opt out of their personal data from targeted advertising, profiling, and sales. While the laws are similar, there will be no doubt specifics that should be observed by businesses that are working with personal data in these states.

Not far behind on the legislative trail are Michigan, Ohio, New Jersey, and Pennsylvania, with their own bills underway.

"74% of MSPs' clients struggle to comply with regulations like HIPAA, GDPR, and PCI-DSS."

Kaseya’s 2022 Global Benchmark Survey Report


Payment Card Industry Data Security Standard (PCI DSS) 4.0

While PCI DSS 4.0 was released in 2022, we are currently mid-transition to its replacement of the v3.2.1 standard, which will be complete in March 2025. Organizations will need to be compliant with the new standard by that time. This standard, created by the major credit card companies, was built to protect private data as it is processed, transmitted, and stored. The new requirements in 4.0 do much to address client-side security, which has been a vulnerability for the latest security threats. Organizations will need to identify and document all web assets, ensure that applications and system components are securely configured, and that vulnerabilities can be identified. Any system that might affect the credit card data environment, even MSPs who may not be processing the data themselves, will have security requirements to maintain. This may include intrusion detection and the support of penetration testing.

WARNING:
Support for Windows Server 2012 and Windows Server 2012 R2 will come to an end on October 10, 2023, and no longer receive security updates. If you are running these operating systems after this deadline, it can directly affect the state of your regulatory compliance.


Quebec's Law 25

Quebec's Law 25 (previously Bill 64) to modernize its private and public sector privacy laws was enacted by the National Assembly of Quebec on 21 September 2021. It applies to all businesses operating in Quebec that collect personal information in the course of their activities, requiring that they take action and receive consent before using, transferring, and disclosing data. The law has been amended many times over the years, with major changes coming into effect on September 22, 2023

These changes have the potential to significantly affect the compliance requirements of organizations inside Quebec and the businesses that interact with them.
Policies will be implemented for how personal information (and consent) is obtained, retained, and destroyed. Data that is no longer needed will need to be either destroyed or anonymized. A Privacy Impact Assessment (PIA) must be done for any project that deals with transferring personal information across the border. And now individuals have the right to request that organizations stop processing their data.

Conclusion

Organizations of all shapes and sizes must put forth effort to respect the newest compliance regulations coming into play this year. Protecting the private and personal data of customers and partners, preserving their reputation, and avoiding heavy fines are in everyone’s best interest. Stay informed and speak with data protection experts, like our team here at NovaBACKUP, to develop a strategy that conforms to strict compliance standards but offers your organization access to data flexibly, inspiring productivity and facilitating the modernization of your business in the age of digital transformation. 

Note: The information provided in this blog post is for educational purposes only and is not intended to be a substitute for professional legal advice. The authors are not lawyers and any information regarding legal specifics, fines, etc. should be verified with a qualified lawyer that specializes in regulatory compliance.