There should be little dispute that the current patchwork of foreign, federal, state and industry cybersecurity regulations needs to be harmonized in order to protect data. While these varying laws and proposed laws can be dizzying even for large corporations, it is virtually impossible for small businesses to feel confident they are meeting their obligations under these various laws. As it stands today, a data collector, regardless of size, has to balance a number of conflicting sources when considering cybersecurity. Suffice it to say, the current framework of competing laws and regulations may overwhelm data collectors, causing them to simply give up on trying to meet their obligations. In the end, data protection laws may become useless if they are too complex to be worth a data collector’s effort.
- A Case Study: Mom and Pop’s Cleaners
As 2018 unfolds, a hypothetical “mom and pop” dry cleaner in Tucson, Arizona keeps a registry of its customers’ names, addresses, phone numbers and email addresses. We learn that “Mom and Pop’s Cleaners” has customers that include international citizens visiting the United States and others who work at nearby businesses, as well as Arizona residents and residents of other U.S. states. In an effort not to skirt any laws, Mom and Pop have asked the Privacy Risk Report for assistance in understanding the laws and proposed laws that may impact them in 2018. The following will take a real-world approach and spot the issues presented by the laws and regulations that may impact Mom and Pop’s business in 2018.
- Foreign Regulations Must Be Part Of The Cycle.
Mom and Pop’s Cleaners does a brisk business with international workers at the nearby regional office of a French corporation. Accordingly, Mom and Pop have questions concerning the data they are collecting on these French residents and residents of other EU nations in 2018.
European Union General Data Protection Regulation
European Union (EU) member states will begin enforcement of the General Data Protection Regulation (“GDPR”) on May 25, 2018. The GDPR website states this legislation “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” (A guide to the EU GDPR can be found here.)
Importantly, GDPR will apply to all data collectors holding the personal data of EU residents regardless of where the data collector may be located. The definition of personal data is broadened to the extent it includes any information “that can be used to directly or indirectly identify the person.” Therefore, under GDPR, this information can include “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
GDPR also imposes new obligations on how the data is to be handled and stored. For example, EU residents will have a “right of access” that requires data collectors to provide specific details about how information is processed. GDPR grants EU residents a right to have their personal data deleted or erased by a data collector upon their request. Further, under GDPR, data collectors will be required to perform routine assessments to identify risks to private data. Finally, the penalties for non-compliance may reach 4% of the breaching data collector’s annual global turnover or €20 million (whichever is greater).
Mom and Pop should not dismiss the upcoming enforcement of the GDPR as something that only concerns large, multinational corporations. Mom and Pop, like many data collectors of all sizes, may be surprised to find the amount of data they are storing that belongs to EU residents. Here, there is no question that Mom and Pop have data belonging to customers who are EU residents, and they should at least consider whether they have obligations under GDPR and how a breach of this information could become a stain on their business. Further, the GDPR may give Mom and Pop some insight into the direction of U.S. privacy laws in the coming years.
Just as Mom and Pop seem to understand their obligations under GDPR, they wonder if GDPR applies to their British customers in light of Brexit. The GDPR website offers the following stitch of advice:
“If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear.”
Mom and Pop may not be ready to consider how Brexit impacts their collection of data belonging to their British customers. Even so, they have already made more progress in this area than many of their competitors.
- Federal Regulations Need To Be More Tailored
Mom and Pop’s Cleaners also has a number of customers that are tourists from other U.S. states. Mom and Pop have questions concerning the data they are collecting for these customers in 2018.
The Data Breach Prevention and Compensation Act of 2018
U.S. lawmakers have taken steps to directly regulate credit reporting agencies in response to the Equifax breach. In its current form, the Data Breach Prevention and Compensation Act of 2018 would create new regulations by expanding the powers of the Federal Trade Commission (FTC). Specifically, the proposed Act would create an Office of Cybersecurity to monitor large credit reporting agencies. The Office of Cybersecurity would have the authority to impose fines on any credit reporting agency that suffered a data breach or failed to properly report a breach. Under the current draft of the law, consumers would receive 50% of any fine imposed by the Office of Cybersecurity.
This legislation has been introduced by Senators Elizabeth Warren and Mark Warner after seeing the Equifax breach in 2017. While this legislation is unlikely to pass, it still makes clear that credit reporting agencies will continue to be under heightened scrutiny in 2018 and beyond.
Of course, even if this legislation passes, Mom and Pop will not need to worry about it since they do not qualify as a credit reporting agency.
IoT Cybersecurity Improvement Act of 2017
The IoT Cybersecurity Improvement Act of 2017 would require security practices of any company before it can sell interconnected devices to the federal government. Importantly, this legislation would not regulate all IoT devices. Commentators have stated that “[b]road IoT legislation isn’t practical in the current Congress…which was why the bill’s authors had narrowed its focus to federal procurement.” There are further questions as to whether this is a good first step that will lead to broad IoT regulation or whether these regulations will lose momentum once devices for the federal government are regulated.
Mom and Pop do not have any immediate concerns with this proposed legislation. Down the road, their business may be safer if any interconnected device they purchase has the same security as that imposed on devices sold to the U.S. government. However, this legislation does not appear to be of any concern to Mom and Pop over the next year.
- State Regulations Create Wrinkles For Smaller Data Collectors.
Mom and Pop do not have to worry about any national data breach notification requirements. All attempts to create breach notification standards at the federal level have lost steam. In particular, the bill referred to as the Data Security and Breach Notification Act appears to have no chance of becoming law in 2018. Unfortunately, as data collectors for Arizona residents, Mom and Pop will face some uncertainty in 2018.
Arizona’s Data Breach Notification Law: Changes in 2018
At present, the Arizona legislature is considering changes to Arizona’s data protection laws. The current Arizona law requires data collectors to notify individuals of any breach that compromises their information and may cause “substantial economic loss” to that individual. The new law under consideration in 2018 for Arizona would remove this “substantial economic loss” requirement and, therefore, would require notice in many more situations. Additionally, the current law defines “personal information” as an individual’s name combined with a social security number, driver’s license number, non-operating ID number, or financial account number, credit card or debit card number in combination with a security code, access code or password for that account. The new legislation would no longer require a security code, access code or password to be compromised in order to trigger a data collector’s notification obligations.
In 2018, Arizona’s notification law may also be changed to require notice to affected individuals within 30 days of the breach. The law presently only requires notification to take place in the “most expedient manner possible without unreasonable delay.”
Based on these changes, Mom and Pop are going to need to take a close look at the data they are storing on Arizona residents and how that data is being protected. Further, Mom and Pop may also need to take a closer look at their procedures for when a breach occurs. The time frame for their response and the notification to their customers has been taken from a subjective deadline to an objective, 30-day deadline. Mom and Pop have a lot of work to do in order to make sure they are in compliance with this law.
Other States’ Data Breach Notification Laws
Even if Mom and Pop happen to figure out their obligations under Arizona law, they still have to consider the laws of the other states where their customers may reside. As data collectors for residents of a number of states, Mom and Pop face even more uncertainty. As it stands today, each state has its own data breach notification law. Consequently, Mom and Pop may have different obligations, including numerous deadlines to provide notification, for a single breach that includes data for residents of different states.
- Mom And Pop’s Approach For 2018
From a practical standpoint, Mom and Pop are not realistically going to put much thought into complying with GDPR. However, they may make efforts to comply with their state data protection laws. While Arizona’s new data law may not be in perfect harmony with GDPR, it is an important first step to get Mom and Pop to at least begin to consider Arizona’s law and make an effort to comply. Maybe, if things go right, Mom and Pop may consider buying an endorsement to their insurance policy for cyber protection in 2019.
Additionally, while it is great to see lawmakers begin to tackle these issues, it will be important not to overwhelm data collectors. 2018 promises to be an interesting year for data protection laws.