Four Strategies Companies May Use to Get through the Ever-Changing Data Privacy Maze

Staying up to date with the newest developments can be difficult for chief security officers and other corporate security professionals, given the rapidly evolving patchwork of state data privacy legislation and regulations that affect American firms. As demonstrated by Sephora's $1.2 million settlement over its use of third-party cookies, BNSF Railway Company's $228 million judgment over its use of biometric information, and Google's record $391.5 million settlement over location tracking, breaking state data privacy laws and regulations can be a costly mistake.

Here are four wise investments that security leaders and their companies can make to navigate the data protection minefield.   

1. Assess data collection and retention practices and risks

A good first step in data protection is to assess the company's business model and its full range of data practices. Current regulation in the U.S. is disjointed and often turns on the type of data collected and the state of residence of the individual whose data is collected. Knowing what data the business collects and where those individuals reside will help determine which laws and regulations a company's operations trigger, and will clarify the circumstances under which data may be collected, as well as how it may be used, retained, shared, and destroyed.

As part of this process, be thoughtful about data and minimize collection where you can. How much do you have? How is it organized? Do you segment storage of data that is more sensitive or subject to heightened regulation? Are the access controls appropriate? Aim to collect only the personal data needed to fulfill the purpose for which it is collected, and do not keep it longer than reasonably necessary for that purpose (subject to any minimum retention periods or litigation holds that other laws impose). Businesses create unnecessary risk by keeping data they don't need or use: data you no longer hold cannot be breached.
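One way to make the retention question concrete is a sweep over a data inventory that maps each (category, purpose) pair to a retention period and flags what should go. The following is an added example, not code from the original article; the retention schedule and the inventory rows are constructed for illustration, and the day counts are not derived from any statute. It also shows the two cases a naive "delete anything older than N days" job gets wrong: records under a legal hold are kept even when expired, and records with no documented purpose are surfaced rather than silently retained.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    """One row of a (constructed) personal-data inventory."""
    record_id: str
    category: str        # e.g. "email", "geolocation", "biometric"
    purpose: str         # the documented reason the data was collected
    collected_at: date
    legal_hold: bool = False  # a litigation hold overrides the retention clock


# Hypothetical retention schedule: (category, purpose) -> days to keep.
# Illustrative values only; set these from your own legal analysis.
RETENTION_DAYS = {
    ("email", "account_service"): 365 * 3,
    ("geolocation", "fraud_detection"): 90,
    ("biometric", "timeclock"): 30,
}


def retention_sweep(records, schedule, today):
    """Sort records into delete / keep / on_hold / no_rule buckets.

    A record whose (category, purpose) has no schedule entry is reported
    under "no_rule" instead of being kept quietly: data held with no
    documented purpose is exactly what a minimization review should expose.
    """
    buckets = {"delete": [], "keep": [], "on_hold": [], "no_rule": []}
    for rec in records:
        days = schedule.get((rec.category, rec.purpose))
        if days is None:
            buckets["no_rule"].append(rec.record_id)
            continue
        expires_on = rec.collected_at + timedelta(days=days)
        if today < expires_on:
            buckets["keep"].append(rec.record_id)
        elif rec.legal_hold:
            # Expired, but a hold is in place: keep, and make the hold visible.
            buckets["on_hold"].append(rec.record_id)
        else:
            buckets["delete"].append(rec.record_id)
    return buckets


# Constructed sample inventory (not real data).
SAMPLE_RECORDS = [
    Record("r1", "email", "account_service", date(2020, 6, 1)),
    Record("r2", "email", "account_service", date(2023, 6, 1)),
    Record("r3", "geolocation", "fraud_detection", date(2023, 9, 1)),
    Record("r4", "biometric", "timeclock", date(2023, 9, 1), legal_hold=True),
    Record("r5", "geolocation", "ad_targeting", date(2023, 11, 1)),  # no schedule entry
]

SWEEP_AS_OF = date(2024, 1, 1)  # fixed "today" so the run is reproducible


def demo():
    """Run the sweep over the sample inventory as of SWEEP_AS_OF."""
    return retention_sweep(SAMPLE_RECORDS, RETENTION_DAYS, SWEEP_AS_OF)


if __name__ == "__main__":
    for bucket, ids in demo().items():
        print(f"{bucket}: {ids}")
```

Run it and the sweep reports r1 and r3 for deletion, keeps r2, holds r4 despite its expired clock, and flags r5 as data with no retention rule, which is the item the inventory review should go back and resolve (document a purpose and period, or stop collecting it).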

Only when you fully understand your data collection and use practices can you assess your regulatory risk. New laws keep appearing across the U.S. and around the world, and while working out how each one applies to your company is a challenge, failing to do so can be costly. Regulatory-tracking services and outside counsel can be especially valuable if they are customized to monitor the specific issues that fit the context of your business operations.

2. Regularly update internal and external privacy and security policies, notices and programs

As the ancient Greek philosopher Heraclitus put it: all is in flux, nothing stays still. The same should be true of your approach to your internal and external statements about privacy and security, and to the internal policies and programs that support those disclosures.

Systematic review of your external privacy notice for accuracy and compliance with evolving laws keeps consumers from being given incorrect or deceptive information, and an inaccurate notice is itself a frequent basis for enforcement. Businesses also evolve, and the products and services they offer change; a new product may collect new data or use existing data in a new way, and the notice must be updated to reflect it, or it stops being accurate. It is likewise increasingly important to tell employees clearly what privacy they can expect in the workplace, and what they cannot, and in some instances to obtain consent for particular monitoring or information collection practices. Finally, more states are requiring reasonable security measures to protect certain types of data, and those practices may need to be memorialized in a written information security program that is tested regularly.

3. Review vendor agreements

Federal and state laws are increasingly requiring companies to oversee their third-party vendors and suppliers by building data protection into their service contracts. Even when not required by statute, best practices dictate that companies restrict how they and their third-party vendors use the personal data and confidential information they share or receive. The most direct means of controlling third-party data risk is to build data protection requirements directly into your contracts. It can be useful for companies to partner with outside counsel to develop an initial blueprint for those contract terms. Since new data privacy laws can subject you to liability based on the data security failures of your suppliers and vendors, companies must have thoughtful third-party risk management programs.

4. Plan for cyberattacks

Some states, insurers, and customers now require businesses to have a written information security plan and/or an incident response plan. Businesses that have such plans, and have rehearsed them, generally emerge from a ransomware attack in stronger shape, and at lower cost, than those that have not.

In other words, developing and practicing your breach response now, if you have not already, is a wise investment. The plan should identify who decides what during an attack, lay out the options you will weigh (for example, restoring from backups versus engaging with the attacker), and plan customer and regulator notifications, media relations, and the engagement of forensic investigators. Because state breach-notification laws set different triggers and deadlines, the plan should also map which notification clocks apply to the data you hold, and a periodic tabletop exercise is the simplest way to find the gaps before an attacker does.

The four investments described above are not intended to be comprehensive. But they can immediately reduce risks and provide a strong foundation for businesses, enabling them to adapt faster as new laws and regulations take effect.