On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) went into effect. GDPR is the legal set of guidelines for the collection and processing of personal information within the European Union (EU). GDPR rules impact organizations that offer goods and services to people in the EU or that collect and analyze personal data tied to EU residents. In the United States, several states are implementing laws similar to GDPR. Among the most aggressive states to establish such laws are New York and California.
The New York law, Cybersecurity Requirements for Financial Services Companies, relates to information maintained by organizations that operate in the banking, insurance, or financial services industries. It was passed in March 2017 and has staggered effective dates for its various provisions, with all parts required to be in full effect by March 2019. The California law, the California Consumer Privacy Act of 2018, is a broad, sweeping digital privacy law that gives consumers significant control over their online personal information. It was passed in June 2018 and has an effective date of January 2020. While the two laws differ in their specific requirements, both require policies, processes, and systems to support the secure management of online Personally Identifiable Information (PII) by companies. Some of the requirements for maintenance of PII include:
- Documented cybersecurity programs to protect information systems from intrusion
- Documented cybersecurity policies related to information security, including data governance and classification; asset inventory and device management; access controls and identity management; business continuity and disaster recovery; systems operations and availability concerns; systems and network security; systems and network monitoring; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third-party service provider management; risk assessment; and, incident response.
- Annual penetration testing and bi-annual vulnerability assessments
- Audit trail of transactions to reconstruct activities and transactions
- Limited access to data as needed and review of access privileges
- Documented procedures, guidelines, and standards for secure application development
- Periodic risk assessments along with documentation on risk mitigation
- Documented third-party service provider policies, including limits on their access to nonpublic data
- Multi-factor authentication to limit unauthorized access to PII
- Documented policies and procedures for disposal of PII
- Training on cybersecurity awareness, and risk-based policies, procedures, and controls to monitor authorized user activities and detect unauthorized user access to PII
- Implementation of controls on PII to protect such data, including encryption
- Documented incident response plans in the event of a breach
- Notices to appropriate authorities in the event of cybersecurity breaches
- Disclosure to consumers, on request, of the PII collected about them and how that information is used
- Disclosure to consumers, on request, of the PII about them that the business has sold
- Deletion of PII collected by the business on consumer request, along with appropriate methods for requesting it
- Consumer opt-out from the business's sale of their PII, along with appropriate methods for requesting it
US companies can be assessed financial penalties both by states and by consumers for violations. Therefore, it is critical that the PII your organization holds is protected. Many US companies are already familiar with data privacy because of the Health Insurance Portability and Accountability Act (HIPAA) rules for Protected Health Information (PHI), so the new data privacy laws are not a new concept. Similar PII laws will likely be introduced by other states in the near future. Trillium has significant experience in privacy and cybersecurity and can analyze your systems to determine what may be needed to bring your organization into compliance, as well as create the roadmap you will need.