Tuesday, July 2, 2024

The California Consumer Privacy Act (CCPA) and the American Data Privacy Protection Act: The Good, The Bad and The Ugly

By Eric Cole, Advisor – theon technology

Since 2018, there has been serious discussion about new national privacy laws that promise to strengthen data protection for Americans, much like the European Union’s General Data Protection Regulation (GDPR). Nearly five years later, the United States is still the only major actor in the world without federal data protections in place. In the United States, we have always relied on state-level and local laws, such as the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2023, rather than on the federal government proposing something that serves the nation as a whole. It is a step in the right direction for Congress to finally act and enact laws that will protect American citizens, our information and our valuable data. However, the proposed legislation is not without potential flaws and implications. Some might argue that it falls short of the protections already in place at the state level. Additionally, the law falls within the purview of the Federal Trade Commission (FTC) and therefore applies only to issues the FTC already deals with: identity theft, children’s privacy, consumer fraud and some cybersecurity issues.

Above all, regulations are expected to surge nationwide as we begin the new year. As California implements the CCPA, other states will follow suit. At the national level, more stringent new regulations will be rolled out, and business leaders need to prepare. Organizations that have not yet engaged in regulatory activity, or that have never had to deal with the GDPR, will be in a difficult position and under pressure to implement these changes quickly. As a result, they will rush through the process, because the US has been slow to enforce these laws.

What does CCPA mean in the wider country?

After various delays, the California Consumer Privacy Act (CCPA) takes effect on January 1, 2023, and here are some common questions I’ve heard:

  • What does this mean for various organizations across the country?
  • How will it affect you?
  • How should organizations prepare for a rollout?

In today’s interconnected world, most organizations and states have some affiliation with California, so I advise viewing the CCPA as a precursor to what will happen at the national level in the near future. If you step back and compare the January launch in California with what is proposed nationwide, you’ll see that they are very similar. Organizations and business leaders across the country must assume that all of these regulations must be upheld and followed, regardless of state. Additionally, regardless of whether you trade in Europe or not, you must comply with the GDPR, as it is similar to what has been proposed at the state and national levels in the United States. However, there is a significant hurdle to consider: the US is so far behind in enforcing these regulations that the rollout will be a hasty trial.

What about encryption?

Everyone overlooks the encryption of consumer data and making sure the keys are stored on a separate server. Most organizations have encrypted their data in the past, but the problem is that they leave the keys exposed, much like locking a door and putting the key under the floor mat. Are you locking the door? Yes. Is it really effective and safe? A lot of the older regulations we’ve become accustomed to were all about encryption, encryption, encryption, but it was still unclear what counted as good encryption or bad encryption. Most of the data thefts we’ve seen in the US have been of data that was “technically” encrypted but not properly encrypted, because the keys were all the same. Regulators today are redoubling their efforts and enforcing the use of different keys that must reside on separate servers. If strict enforcement is put in place, we will see many organizations get into hot water in California and nationally. Historically, the US hasn’t strictly enforced these types of regulations, so management hasn’t taken them seriously. The difference between US law and the GDPR is that the GDPR was strictly enforced from the start and made an example of companies that did not take it seriously by forcing them to pay millions for their mistakes. As a result, the law was taken very seriously.
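The key-management point above (one key per record instead of one key for everything, with the wrapping key held on a separate system) is the envelope-encryption pattern. The following Go program is an added illustration written for this page, not code from the author or from any regulator; the KeyServer type is a simplified stand-in for a real key-management service, and the record IDs and sample data are constructed. Each record gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that only the key server holds, and the database stores only ciphertext plus the wrapped DEK, so a copy of the database alone does not decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyServer stands in for the separate system that holds the key-encryption
// key (KEK). The application database never sees this key.
type KeyServer struct{ kek []byte }

func NewKeyServer() (*KeyServer, error) {
	kek := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyServer{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under key; the random nonce is prepended.
// aad is authenticated but not encrypted; we use the record ID so that
// a wrapped key or ciphertext cannot be moved to a different record.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key is wrong or anything was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK are the only operations the key server exposes.
func (ks *KeyServer) WrapDEK(dek, recordID []byte) ([]byte, error) {
	return seal(ks.kek, dek, recordID)
}
func (ks *KeyServer) UnwrapDEK(wrapped, recordID []byte) ([]byte, error) {
	return open(ks.kek, wrapped, recordID)
}

// Record is what the application database stores: ciphertext plus the
// wrapped per-record DEK. Nothing in it decrypts without the key server.
type Record struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// EncryptRecord generates a fresh DEK for this record, encrypts the consumer
// data with it, and asks the key server to wrap the DEK.
func EncryptRecord(ks *KeyServer, id string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.WrapDEK(dek, []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptRecord needs both the stored record and the key server.
func DecryptRecord(ks *KeyServer, r Record) ([]byte, error) {
	dek, err := ks.UnwrapDEK(r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	ks, _ := NewKeyServer()
	r1, _ := EncryptRecord(ks, "cust-1", []byte("alice@example.com")) // constructed sample
	r2, _ := EncryptRecord(ks, "cust-2", []byte("alice@example.com"))
	fmt.Println("same plaintext, distinct DEKs:", !bytes.Equal(r1.WrappedDEK, r2.WrappedDEK))
	stolenDB, _ := NewKeyServer() // a copy of the database without the real KEK
	_, err := DecryptRecord(stolenDB, r1)
	fmt.Println("decrypt without key server fails:", err != nil)
}
```

Two properties matter for the paragraph's point: every record has a different DEK, so one leaked key exposes one record rather than the whole table, and the KEK lives only in the key server, so the database and the key material are never "under the same floor mat".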

The most important factor in getting it right and establishing effectiveness is ensuring that individuals and organizations are compliant. The reasons organizations comply with the GDPR have nothing to do with European standards. GDPR is effective because of its enforcement and significant fines. Looking at PCI and HIPAA compliance, the United States is struggling with enforcement, and better enforcement will be critical if the CCPA and ADPPA are to be effective. It will be a make-or-break moment, and there will be questions such as: who will enforce the law? What will be the punishment? How much will implementation cost? These questions and their answers need to be clearly defined to increase compliance and demonstrate effectiveness or ineffectiveness.

The good, the bad, the ugly

If these laws come into force, the US government will take a huge step forward by introducing protection laws at the federal and national levels. One of the great benefits is that it remains bipartisan and will be clear and concise, with no contradictory state laws that can become messy. However, as with everything, there are potential problems and downsides. The huge downside of the ADPPA is that it is incompatible with European law: there will be many contradictions for offshore companies and offshore US subsidiaries, and other laws and regulations will also come into force. Strict enforcement is essential to the success of the CCPA and ADPPA. As we’ve seen with European companies, enforcement would be impossible if there were no tangible consequences or penalties for the company. How will the CCPA and ADPPA be enforced? One thing is clear: the penalties have to be intimidating enough to make organizations take action.

Overall, decision makers have a lot of work to do to make the CCPA and ADPPA a success. Enforcement will be the most important factor. Stricter enforcement increases the likelihood of compliance and determines the overall willingness to implement. In the US, regulators are notorious for slaps on the wrist, and ultimately executives and security chiefs have become unafraid of the potential consequences. CIOs and security officers need to communicate effectively to management that these regulations can result in significant fines. You should ask yourself whether you want to pay a fine of 10 million and be made an example of.

Finally, as the world is interconnected on every side, compatibility with GDPR will be key. GDPR is tried and tested, so the more closely the CCPA and ADPPA mirror the GDPR, the bigger the win for everyone.

About the author

Dr. Eric Cole is a world-renowned cybersecurity expert and keynote speaker who brings over 30 years of experience in network security to help organizations reduce the risk of cyberthreats. Dr. Cole has worked with clients ranging from Fortune 500 companies and top international banks to the CIA. He has been a featured speaker at many security events and has been interviewed by several major media outlets such as CNN, CBS News, FOX News and 60 Minutes.
