Given the fast-changing patchwork of state data privacy legislation and regulations impacting American businesses, it can be challenging for chief security officers and other enterprise security leaders to stay on top of the latest developments. Failing to comply with state data privacy laws and regulations can be a costly mistake, as evidenced by Sephora’s $1.2 million settlement over its use of third-party cookies, BNSF Railway Company’s $228 million judgment over its use of biometric information and Google’s record $391.5 million settlement over location tracking.
Here are five wise investments that security leaders and their companies can make to navigate the data protection minefield.
1. Assess data collection and retention practices and risks
A great first step in data protection is to assess the business model of a company and its full range of data practices. Current regulation in the U.S. is disjointed and often based on the type of data collected and the state of residence of the individual on whom data is collected. Knowing what data the business collects and where the persons reside will help determine the laws and regulations triggered by a company’s operations and will clarify the proper circumstances under which data can be collected, as well as how it may be used, retained, shared, and destroyed.
As part of this process, be thoughtful about data and minimize collection where you can. How much do you have? How do you organize it? Do you segment storage of data that is more sensitive or subject to heightened regulation? Are the access controls appropriate? Aim to collect only the personal data that’s necessary to fulfill the purpose for which it was collected, and don’t store it any longer than reasonably necessary. Businesses create unnecessary risk by keeping data they don't need or use.
Only when you fully understand your data collection and use practices can you assess your regulatory risk. New laws are frequently popping up across the U.S. and around the world, and while it is a challenge to understand how they apply to your company, failing to do so is costly. Services that monitor these developments can be especially valuable if they are customized to track the specific issues that fit the context of your business operations.
2. Regularly update internal and external privacy and security policies, notices and programs
As an ancient Greek philosopher imparted: All is in flux, nothing stays still. The same should be true of your approach to your internal and external statements about privacy and security, and to the internal policies and programs that support those disclosures. Systematic review of your external privacy notice, to ensure accuracy and compliance with evolving laws, will help avoid presenting consumers with deceptive or incorrect information. Additionally, businesses evolve over time, and the products and services they offer change. Ensuring the external privacy statement reflects new products that may collect new data or use data in a new way is critical to keeping the privacy notice accurate. It is likewise increasingly important to clearly notify employees of their privacy expectations in the workplace, or the lack thereof, and in some instances to seek consent for certain monitoring or information collection practices. Finally, more states are requiring reasonable security measures to protect certain types of data, and those practices may need to be memorialized in an internal written information security program and tested regularly.
3. Review vendor agreements
Federal and state laws are increasingly requiring companies to oversee their third-party vendors and suppliers by building data protection into their service contracts. Even when not required by statute, best practices dictate that companies restrict how they and their third-party vendors use the personal data and confidential information they share or receive. The most direct means of controlling third-party data risk is to build data protection requirements directly into your contracts. It can be useful for companies to partner with outside counsel to develop an initial blueprint for those contract terms. Since new data privacy laws can subject you to liability based on the data security failures of your suppliers and vendors, companies must have thoughtful third-party risk management programs.
4. Train employees and implement effective policies
The reality is that employees are often the largest source of data security risk. This is especially true with the rise of remote work. Spear-phishing and other malicious email campaigns, including business email compromise, have led to debilitating ransomware attacks. A successful spear-phishing campaign can also triple the damages your company faces, because an employee who intentionally shares Social Security numbers, even though tricked into doing so, can trigger claims under additional state laws. Moreover, new types of social engineering threats are on the rise as “vishing” (voice phishing) attempts are being seen in higher volumes.
It is essential in today’s climate to develop policies to reduce those vulnerabilities, train employees on those policies and common pitfalls, and diagnose legal risks in emerging technologies such as facial recognition and other uses of biometrics.
5. Plan for cyberattacks
Some states, insurance companies, and customers now require businesses to have a written information security plan and/or an incident response plan. Businesses with those plans almost always emerge from a ransomware attack in stronger shape, while spending less money, than those without one.
In other words, if you have not already done so, it is a wise investment to develop and practice your breach response now. That plan can include assessing your options during an attack and planning out customer notifications, media relations, and the use of forensic investigators.
The five investments described above are not intended to be comprehensive. But they can immediately reduce risks and provide a strong foundation for businesses, enabling them to adapt faster as new laws and regulations take effect.