Earlier this summer, California passed new privacy legislation that sees the state implementing the strongest privacy controls of any state in the U.S. Similar to the E.U.’s GDPR, the law aims to bring more transparency to how personal data is used and traded, giving consumer rights a strength they haven’t previously had in U.S. law.
The law, entitled AB 375, specifically gives consumers the right to ask businesses about what type of personal information is being collected as well as requiring businesses to disclose the purpose of collecting or selling the information and who is receiving it. While this seems like it might only apply to brands using data for marketing or advertising purposes, the law actually goes further to state that now consumers can initiate civil action if they believe any company wasn’t protecting their personal data with the utmost care.
In response to recent U.S. data breaches that have affected millions of people, from Target and Home Depot to Equifax’s massive breach of social security numbers and Facebook’s careless behavior with Cambridge Analytica, consumers have become increasingly concerned about their personal data. The AB 375 law was created directly thanks to outspoken consumers, but in turn it could cause concern for companies that haven’t previously had to think about complying with a strict data regulation such as this.
Although this law only applies to California, I strongly believe it will become a catalyst for widespread data privacy laws across the country — especially with five additional states already mulling over new laws. Simply moving operations out of the area, or routing users away from such laws as Facebook did with Ireland in May with GDPR, is not a good solution. Given that California’s economy is the 5th biggest in the world and the likelihood of the laws spreading, it makes sense for all businesses to get in line with these requirements. It’s a conversation about risking both money and reputation. Yes, higher fines for violations aren’t in the proposal yet, but it’s very possible that they’ll be included while the law is still open to suggestions. Do you as a business owner really want to take that risk?
The proposed law won’t go into effect until 2020, so there’s still some time for businesses to adequately prepare. My advice to those companies is to start by becoming PCI DSS compliant, if they aren’t already. Adhering to the tenets of PCI compliance will ensure that data is secure in the company’s ecosystem, leaving less risk for violation of the CA Consumer Privacy Act once that comes into law.
First and foremost, it will ensure that companies are not storing valuable (and enticing!) private consumer data in their system. Rather than investing time and money in protecting data, compliance ensures there’s nothing there to steal. The less customer data stored, the less risk there is of that data being stolen and therefore less risk of falling foul of the new privacy act.
This ‘nothing stored’ strategy also minimizes the risk of internal employee breaches. Think about the last time you said your credit card number or social security number out loud to an agent on the phone. It probably felt uncomfortable and unsafe — and it is. Instead of using compensating controls like blurring the screen or pausing recording on a call, most PCI compliant companies will ensure that the sensitive card data doesn’t reach their environment at all. Instead, agents hear tones and see asterisks on the screen, making sure not even internal employees have access to the personal data. And with Verizon reporting in its 2018 Data Breach Investigations Report that 28% of hacks involved internal actors, there certainly is a risk of that.
Another useful PCI tactic for the CA law is logging and auditing systems. To further improve security, PCI DSS requirement 10.6.1 mandates a daily review and log of security events to ensure cardholder data is being appropriately handled. Organizations that already comply with the PCI DSS will be able to take advantage of their experience of logging and tracking data to ensure that they can prove that data under this new privacy law is protected.
If all of this doesn’t convince you to become PCI DSS compliant before the CA law comes into effect, then recent consumer backlash should. With the recent headline-making breaches, US consumer sentiment is quickly shifting with 81% worrying about how well businesses will protect their personal information and taking actions to safeguard their data. These breaches are starting to have real consequences for businesses.
Consumers have been burned too many times to trust that their information is safe with companies without regulation. While changing the functionality and spend of your business’s IT security department can be a pain, it’ll save you money in the long term as you avoid the hefty fines and reputational ruin that can accompany consumer data breaches. Descoping your environment from PCI DSS — this means not using a compensating control! — increases safety overall as there is simply no information for hackers to steal. I strongly urge businesses to make moves now to comply with PCI DSS to jump start your business for success once the privacy law is fully underway.