Organizations face a broad set of new rules and regulations with significant negative consequences for unprepared privacy and security teams.
Even while dealing with the impact of Covid-19 on their operations, companies and their privacy and cybersecurity teams face an increasingly complex regulatory environment when it comes to data privacy and business risk management. The continued emergence of the California Consumer Protection Act (CCPA), new regulations being worked on in other states around the United States, and new requirements issued by the U.S. Department of Defense add significant potential hurdles for organizations working with them.
CCPA Still Being Enforced Regardless of Covid-19
Most companies operating in the United States at this point are familiar with CCPA and the state’s plan to begin enforcing it on July 1, 2020. Many organizations, however, began to hope that the state would delay its enforcement plans due to the global Covid-19 outbreak. To that end, a group of organizations reached out to the state’s attorney general to ask for a delay in the implementation of the Act due to its possible economic impact.
The attorney general’s office declined to act, with an advisor to the office noting that they were still “committed to enforcing the law starting July 1.” Their rationale was in part the need for companies to be mindful of data security and privacy practices in “this time of emergency,” apparently indicating their view that the epidemic would increase the risk of breaches of data privacy. While this adds stress to organizations also dealing with Covid-19, the state clearly remains intent on companies protecting the privacy of consumers and their personal information.
As enforcement begins, organizations need to be mindful of the impact of potential CCPA penalties if they fail to properly secure and protect data. While the Act imposes penalties of up to “$2,500 per negligent violation and $7,500 per intentional violation,” it also imposes the potential for damages for lack of reasonable security being implemented by the organization. In those cases, “statutory damages of $100 to $750 per incident, per consumer,” are likely to create serious negative consequences for the business if a data breach occurs.
New Regulations Advancing Across the United States
Many additional states continue to aggressively pursue privacy regulations, in most cases using other laws including the CCPA and the EU’s General Data Protection Regulation (GDPR) as exemplars. For example, Washington state lawmakers are purportedly attempting to create the “most comprehensive data protection law in the United States.” They are focused on expanding protection for biometric information, which could be a major additional risk for businesses given that fingerprints are now pervasively used in lieu of passwords for logging in to computing devices.
Several states, including Illinois, New Hampshire, and Virginia, continue to pursue privacy laws to protect sensitive data and information. Most are exploring setting the bar for potential damages for data that was not encrypted or otherwise protected and ended up being captured and exfiltrated by threat actors because the organization did not implement reasonable security practices. What is reasonable is not typically defined but is left essentially to the judgement of the organization based on factors like its industry and geography.
Enforcement and damages for these new regulations vary, but all of them could end up being significant. Washington is exploring damages of up to “$7,500 per violation” for lack of reasonable security as well as automatically expanding damages to include those for violations of its Consumer Protection Act. Other states are allowing consumers to seek damages of “the greater of $100 – $750 per consumer, per incident or actual damages.” Both Virginia and Illinois are considering requiring organizations to conduct risk assessments when processing personal information and to make the assessments available to officials in the appropriate government for non-public review.
US Department of Defense Cybersecurity Maturity Model Certification
Given the number of companies around the world that directly or indirectly support the military of the United States, the Cybersecurity Maturity Model Certification (CMMC) emerging from the U.S. Department of Defense is a new requirement of global interest for those practicing privacy and cybersecurity. The department pursued this framework with the recognition “that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward.”
The department drew not only on US federal and state laws for this new certification, but also on international laws and examples like GDPR. The framework builds upon lessons learned and best practices from several privacy and security disciplines across five defined maturity levels. Each level is designed to represent the current state of an organization’s security, with the next level representing the steps it needs to take to continue to progress.
Each maturity level requires implementing up to 43 capabilities, culminating in 17 practices at the lowest level and 171 practices at the highest, across 17 privacy and security domains. For example, the incident response domain even at the lowest maturity levels demands that capabilities be implemented to “plan incident response, detect and report events, develop and implement a response to a declared incident, and perform post incident reviews; and test incident response.” The highest levels of maturity also require significant investments in monitoring, training, and practicing the processes and procedures to follow when incidents occur.
The CMMC requires organizations to provide evidence in audits that they have implemented all the necessary steps to achieve the level of maturity required to conduct business with each military agency. In fact, many have noted the amount of proactive analysis and gap assessment required for companies to determine what they need to accomplish to meet even the most minimal stages of maturity.
How BreachRx Can Help
Given the national and international scope of data processing across most industries today, the added complexities of all these rules and regulations make it crucial for organizations to proactively prepare for incidents before they occur. They must put in place and demonstrate reasonable privacy and security practices to prevent incident damages from spiraling out of control.
When the inevitable breach occurs, organizations that have not sufficiently prepared and do not understand the exact rules and regulations applicable to their incident will have to scramble to figure out what to do. They will likely pay exorbitantly for outside counsel and hire breach response teams who will have to work from the ground up to help the business understand the impact of the incident.
The BreachRx platform allows organizations to proactively prepare for incidents by dynamically linking incident response playbooks to the appropriate regulations and controls. In addition, it allows customers to respond to and recover from incidents more quickly when they do occur. Implementing the BreachRx platform is the fastest way for organizations to achieve a best-in-class incident management and response program.