Just this past month, California officials announced the appointment of five board members to the California Privacy Protection Agency (“CPPA”). These appointments mark an important milestone: the rise of the first data protection agency in the United States, created to achieve the state’s goal of enforcement. The CPPA is a result of California voters passing the California Privacy Rights Act (“CPRA”) back in November. To be clear, the CPPA is tasked with promulgating the CPRA regulations, enforcing both the California Consumer Privacy Act (“CCPA”) and the CPRA, and educating consumers about their privacy rights. But California is far from alone in this endeavor. Other states are growing more confident about jumping into the privacy protection fray, and some have already passed comprehensive privacy legislation. The latest to do so is Virginia, which recently enacted the Virginia Consumer Data Protection Act (“CDPA”). The CDPA has significant parallels to the CCPA and the CPRA, as well as to Europe’s well-known General Data Protection Regulation (“GDPR”) of 2016.
Right now, privacy law is set to mimic cybersecurity law in this country: a patchwork of laws from each jurisdiction, each with slight variations. Each state has its own data breach notification law, and each law, in turn, has important (if in some cases subtle) differences that can affect how an organization responds to a data breach. What is universal about these laws, though, is that the affected organization does not need to be a registered business in that state for the law to apply to it. All that is required is that the business collect data from a resident or consumer of that state, and just like that, the business is subject to that state’s data breach notification law. Some states, like New York with its Stop Hacks and Improve Electronic Data Security (SHIELD) Act, even require proactive measures to protect personal data.
So what does all of this mean for businesses? No matter what stage your business is in, from startup to multi-billion dollar titan, a data privacy and cybersecurity impact assessment is a necessary and solid first step to providing your organization with the knowledge and roadmap it needs to mitigate its risks and liabilities. Today's business landscape undeniably runs on data. The goal for any business when it comes to data privacy and cybersecurity is always risk mitigation. You simply cannot know what you do not know, and what you do not know can be costly. Organizations foremost need to get a handle on their data. Such a strategic first step is critical to understanding what laws may apply to the organization, and it provides the initial blueprint for constructing a cyber defense plan for the corporate infrastructure.
A data privacy and cybersecurity impact assessment also provides an organization with a comprehensive and efficient overview of its data collection practices, contractual obligations, technology usage, and business workflow. Examining this type of information, along with the business's internal policies and guidelines on data privacy and cybersecurity, is a key building block to determining the nature and type of laws and standards with which an organization must comply. The creation of the CPPA makes one thing pretty clear - enforcement is on the way. Setting a strategic corporate plan with a comprehensive data assessment, coupled with tailored solutions to satisfy compliance requirements, will go a long way toward defending against those enforcement actions down the road, and doing so with cost-efficiency in mind.
In sum, a business must examine a technology map of its corporate infrastructure with a data map overlay, and from those formulate a liability map in order to understand its liabilities and vulnerabilities. Each step in the chain builds on the strength and efficiency of the one before it, serving to construct a cyber defense plan that works with the unique organizational structure rather than attempting to force a non-workable course of action. Experienced but flexible advisors who know how to be creative are invaluable. Once a business has a clear understanding of where its data, technology, and liabilities intersect, the organization can develop and/or revise its internal policies, standards, guidelines, and protocols to align with cybersecurity best practices, as well as any legal standards applicable to its industry or data collection practices. The goal for any organization and its partners is simple - develop a stronger, more secure technological infrastructure that also aligns with regulatory and contractual obligations. Enforcement should be a concern for any well-managed organization, but not one that interrupts its forward movement. Preparation is a necessary ingredient of success, and here it pays dividends by deflecting costly enforcement actions.