- January 25, 2023
State Data Privacy Laws Leave More Questions than Answers
- Bill Tolson|
- June 30, 2021
While some maintain that it’s only a matter of time before the United States passes federal legislations regarding data privacy, it currently doesn’t exist. In the meantime, states are being forced to create a growing patchwork of consumer data privacy protection bills. Many states, notably New York and Connecticut, have failed to get their well-meaning bills through their legislatures, but California, Virginia, and Colorado have already succeeded. Many state bills, both passed and failed, have been modeled on the California Consumer Privacy Act (CCPA), with many more currently moving through state legislatures.
The biggest issue many of these privacy bills have is the lack of prescriptive requirements around data security. Without stringent data security measures, any efforts of data privacy are compromised. Instead, the bill authors use almost the same language, including the phrase "reasonable security measures." My question is, why the vague language? While we wouldn’t expect states to require specific vendor products or dictate security protocols, specific security measures would be nice.
The GDPR started it all
The EU General Data Protection Regulation (GDPR) was the first significant privacy regulation with a global reach and fines hefty enough to get the attention of organizations. The GDPR underscores the benefits of personal information (PI) encryption through several references throughout the regulation. For example, Article 34, Communication of a personal data breach to the data subject, includes the following instruction on breach notification and encryption:The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
- the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
Article 34 states the cost of breach notification can be avoided if breached PII was encrypted.
Lastly, GDPR recital 83 states:
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.
However, the GDPR and other privacy bills do not expressly state that encrypted data is no longer classified as personal data and not subject to the privacy regulations – until decrypted.
The obvious missing GDPR requirement would be to require all PI to be encrypted while in transit and while at rest, with a further stipulation, encryption keys cannot be stored on the same platform as the PI. The GDPR is the most prescriptive privacy bill globally (so far) but still neglects to require basic privacy technology like encryption and encryption key management.
The CCPA/CPRA Data Privacy Laws
The California Consumer Privacy Act (CCPA), the second major privacy bill to be made into law, also does not include a specific directive requiring PI encryption but instead has vague security requirements:
"as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action…" [1798.150].
But, unlike other current and draft US privacy laws, the CCPA ties liability (payment of fines) to data encryption, i.e., if the breached system included PI encryption AND the encryption keys were not available to the hacker, then any fines could/will be waved.
In my opinion, this is a respectable half measure, but if referenced in the law, why not go all the way and specify that all PI must be encrypted? The follow-on bill to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), which become law on January 1, 2023, again includes the nebulous "reasonable security" phrase:
"A business that collects a consumer's personal information shall implement reasonable security procedures, and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5."
The Colorado Privacy Act (CPA)
On June 8, 2021, the Colorado legislature passed the Colorado Privacy Act (CPA) and sent it to Governor Jared Polis to sign into law. The Governor has said that he will sign it into law soon, becoming the third state in the United States to pass a comprehensive privacy law.
The CPA is similar to the California Privacy Rights Act of 2020 (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). Like the CCPA/CPRA and the VCDPA, the Colorado law shies away from prescriptive security requirements around the topic of data security. The relevant section of the CPA, Section 6-1-1308, states:
(5) Duty of care. A Controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition.
However, unlike the CCPA/CPRA, the Colorado law does not mention data encryption, nor does it call out potential fine reductions if breached data is encrypted – a huge mistake in my opinion.
The Virginia Consumer Data Protection Act
The State of Virginia passed its privacy bill into law on March 2, 2021, dubbed the Virginia Consumer Data Protection Act (VCDPA). It drew from California and early drafts of the Colorado privacy laws and some yet enacted state bills. And like the California bills, the Virginia privacy bill does not directly address actual security requirements that should have been spelled out. In fact, the Virginia bill includes the "reasonable" qualifier in the responsibilities section:
- 59.1-574.3 - Data controller responsibilities; Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue…
Why did these three state privacy bills avoid including more explicit language around security requirements?
What is "Reasonable Security"?
Because of the perceived misuse of personal information collection by many companies across the globe, federal and state governments have been pushed into writing privacy laws that address the most egregious trends end-users are complaining about. However, in many cases politicians continue to walk the fence between their constituents looking for personal information privacy and security, and businesses that use the collection of personal information for marketing, sales, and analytics. Additionally, most politicians lack the technical background to create prescriptive privacy bills that will actually be prescriptive enough to address the issue.
As you can no doubt tell, the main issue with most of the current privacy bills is the lack of specific guidance/directives for companies to implement appropriate data security for personal information.
Legally, an organization could raise a statutory defense to a breach incident and data loss in a lawsuit following a consumer data breach (and if the law includes a private right of action) to establish that it maintained a "reasonable" security stance. Who's to say what a reasonable security stance is from state to state? In future legal actions, establishing what a reasonable security capability is and who defines it will determine the outcome of these cases. In those states that include a private right of action, the Judge will need to determine what reasonable security is. No doubt, Judges will fall back on experts, on industry best practices, and common sense.
Instead, why didn't the privacy bill authors go the next step and require specific security practices? By the way, I'm not suggesting calling out specific technology or manufacturers, but rather a minimum process and technical requirements.
Defining reasonable security for privacy bills
Enterprise infrastructure and data security are at the center of providing overall "reasonable security" for personal information. Obvious requirements that should be included in privacy regulations should be:
- All personal information should always be encrypted – during transit, while at rest, and while in use.
- Role-based access controls for stored PI should be standard. The user should never have access to PI if they are not authorized.
- On-going, immutable audits of personal information access should be standard practice.
- Encryption keys for the PI should never be stored in the same location in the cloud as the encrypted data.
- Encryption keys should be stored in highly secure applications in the cloud or, better yet, within the data owner's own on-premises data center.
- Personal information should not be down-loadable to individual workstations or laptops – even if the user has the authorization to view the PI.
- Personal information should never be copied to removable media.
- When required, personal data should be securely deleted – meaning an unrecoverable deletion.
Many more rules could be included in privacy regulations, but requiring at least the above would address the most apparent PI security short-falls. Then at least default security would be greater, and determination of fault and liability of PI leakage or theft through a breach or employee theft could be readily determined.
The Future of US Privacy Laws
Last year a New York State privacy bill failed in the legislature. The interesting piece in this bill was the inclusion of a data fiduciary requirement - it would have created a fiduciary obligation on businesses that collect/store personal data. In this case, the fiduciary responsibility means the company that collects PI must act in a way that will benefit the New York data subject first. Under a data fiduciary requirement, businesses would be held to a much higher standard of care for the collected PI.
In 2021, there is again a proposed privacy bill in the New York legislature, the New York Privacy Act, which again will include a data fiduciary requirement. I mention this because the inclusion of the fiduciary provision will drive PI data collectors/controllers towards higher security requirements, including encryption technologies.
The overriding need now is for the federal government to pass a comprehensive privacy bill (including specific security requirements) that would supersede all state privacy bills. This action would benefit companies because they would be required to meet one privacy regulation rather than 50 slightly different state privacy laws.
By creating more specific federal and state privacy laws - which layout specific security requirements, such as role-based access controls, immutable auditing, PI encryption, and secure encryption key management, companies will significantly reduce their overall breach regulatory and legal liability as well as see their annual legal spend drop dramatically.
Will this happen in 2021? Almost certainly not, but possibly in the next 3-4 years.
Archive360 Security in the cloud
Archive360 is the leader in secure cloud-based information management and archiving. Because Archive360 is the only cloud archiving solution provider to employ a native platform as a service (PaaS) solution, our solution can offer customizable data security capabilities (unlike SaaS-based providers that are limited to a one size fits all approach). One of them is the Security Gateway, an on-premises gateway that works closely with the Archive360 Cloud Archive to create and store your encryption keys locally and encrypt sensitive data before moving into your cloud tenancy while still maintaining full search and management capability. This means that your sensitive data is encrypted while in transit, while at rest (stored) AND while in use. Archive360 is the only vendor to provide this market-leading security capability. It's Your Data, In Your Cloud, with Your Security, Under Your Control.
For more information on the industry's most secure cloud archive available, please contact us at:
email: firstname.lastname@example.org | phone: +1 (212) 731-2438
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.