The last time we checked in on what's been happening in Exterro's Data Privacy Alert Library, we reviewed a variety of trends that have been going on in privacy news for a while:
- The federal government moves in fits and starts toward a comprehensive privacy law... but doesn't seem to get there.
- States, meanwhile, continue to enact comprehensive privacy laws.
- In Europe, a more advanced approach to privacy normalizes fines and seeks to resolve past conflicts.
This time, we'll take a slightly different approach, reviewing the news in order of how many people were affected, just to give a sense of the scope of impact privacy laws can have.
California Poised to Enact Significant Cybersecurity Requirements on Businesses
California, like Europe above, is now focused on operationalizing its privacy regulations, since it has already passed a solid framework to protect its residents' rights. The California Privacy Protection Agency (CPPA) has released draft regulations governing risk assessments and cybersecurity audits, imposing significant cybersecurity requirements on businesses that collect or process personal data belonging to Californians. This is a significant step in that it imposes specific, prescriptive requirements on businesses, rather than penalizing outcomes such as a data breach.
Michael Hellbush, Partner, Intellectual Property at Rutan, explains, "The CPPA’s Draft Cybersecurity Audit Regulations will have a massive impact on businesses, service providers, and third parties, regardless of whether they will be directly subject to the cybersecurity audit requirements set forth in the draft. While the draft regulations propose various levels of stringency and scope for the audits, they signal that the CPPA is not interested in check-the-box cybersecurity compliance. As drafted, businesses that meet the (low) threshold for having to complete a cybersecurity audit based on their “high risk” processing activities will have to undergo the audit for their entire data ecosystem, not just those assets and activities that are involved in the high-risk processing. Since the draft regulations would require service providers and contractors to assist businesses in completing their cybersecurity audits, we should expect businesses to push audit requirements down to vendors who process any personal information, regardless of whether the service provider is itself subject to the audit requirements."
Millions of US Citizens’ Health Data Compromised in MOVEit Hack
Health data is among the most sensitive personal data, and 60 million Americans, more than one and a half times the population of California, had their data stolen because of a vulnerability in the MOVEit file transfer system. Reports on the breach's impact have trickled in over several days, highlighting the fact that it often takes time for organizations to recognize that they have been breached.
Constantine Karbaliotis, CIPP/C/US/E, CIPT, CIPM, FIP, Counsel, nNovation, LLP, notes that "the impact of this breach is widespread, due to the reliance on MOVEit by so many vendors to facilitate business-to-business file transfers. It highlights the risks associated with the supply chain – that a vulnerability anywhere down the supply chain can have devastating impact for organizations who may only be dimly aware of the use of software tools supporting the business relationship with a vendor.
"What is an organization to do? The most important element is conducting appropriate reviews of vendors to make sure the controls they have are proportionate to the risk associated with the data they are handling. This is both to prevent putting data into untrustworthy hands and to show due diligence when something goes wrong. Some controls are technical, but some are by necessity contractual or administrative, such as requiring patch management policies. And because things do go wrong, it is essential to address response to breaches, such as notifications in the event of breach, indemnification, and insurance."
FTC Bureau of Consumer Protection Director Calls Out “Surveillance Economy”
The Federal Trade Commission has staked out a more aggressive position as a consumer privacy regulator in the US. In remarks delivered at a conference in September, the Director of the FTC's Bureau of Consumer Protection clearly stated that the FTC will use its authority to “ensure substantive protections” for US citizens, calling into question the long-term viability of the surveillance economy. As one of the over 330 million citizens of the United States affected by these predatory organizations, I'm glad to see the FTC continue its recent trend of vigorous enforcement of privacy regulations.
Karbaliotis opines, "As the Director pointed out, companies can no longer rely on the fiction of notice and choice. These, however, are important elements in returning control of consumers’ data to them, and meaningful notice and choice are still important; that is to say, effective dashboards that allow individuals not only to make choices about what information they share, but really to operationalize increasing consumer rights over access, correction, and deletion. This also requires that notice not be written in a fashion that requires a law degree to interpret, but clearly and in plain language to allow understanding of what processing activities are being undertaken.
"To the heart of the FTC actions to reduce unlawful commercial surveillance, one of the most important areas most companies can address is to actually understand the information they collect and use; often the left hand is collecting (and commercializing) data the right hand is unaware of, and likely has not been able to evaluate properly in risk assessments and ethical assessments.
"Legislation will ultimately become a reality. If organizations operate internationally, particularly under GDPR, they are going to be held to a higher standard sooner or later. It is important to note that the proposed American Data Privacy and Protection Act (ADPPA) speaks in terms of making companies fiduciaries of personal information. To get ready for a new, more respectful world of privacy, organizations need to start with understanding their collection of personal information and, most importantly, their sharing of data, particularly with aggregators, and make better, more thoughtful decisions as the stewards of consumers’ information."
India Continues Moving Rapidly Toward New Privacy Regime
In terms of sheer number of people affected, all of the prior alerts, even combined, are dwarfed by the number of Indian citizens (well over 1.4 billion) affected by the Digital Personal Data Protection Act (DPDPA). In August 2023, the Indian parliament passed the DPDPA through the final stages of approval after several years of debate, amendments, and negotiations, giving the world’s most populous nation a comprehensive privacy law. More recently, the government has signaled it will give businesses about six months to comply with its requirements.
Rahul Sharma, Founder, The Perspective and Grade Ace, explains, "The DPDPA 2023 got enacted after more than a decade of effort to adopt a comprehensive data protection regime for India. The bill covers the substantive requirements of a horizontal framework, with specific rules and timelines for enforcement waiting to be notified that will reduce uncertainty. The MeitY Minister has indicated that the sunshine period won't be as long as the 24 months organizations got for the GDPR. For certain provisions, the government may not grant more than six months to demonstrate compliance, a wake-up call for the organizations that haven't embarked on their data protection governance journey yet. Privacy compliance is on the board’s agenda now. Gap assessments, process and legal consulting, technology integration and optimization, and audits will all help organizations develop and mature their practices to achieve and exhibit compliance with DPDPA."