
California Consumer Privacy Act And The Future of Cyber Regulation In the U.S.


A CISO in today’s climate can feel like Hercules fighting the hydra: as soon as you and your team get your program compliant with one regulation, two more appear. What started with GDPR in the spring has made it across the pond with Vermont’s Data Brokerage Regulation and California’s broader-scoped California Consumer Privacy Act (CCPA).

With the CCPA and the Vermont Data Brokerage Regulation, the legislation is much more focused on disclosure of personal information sharing and, if the consumer desires, stopping it. References to security are loose, primarily centered on personal information (PI) data mapping and ensuring that end users can review and remove their data. What differentiates the CCPA from GDPR and the Vermont Data Brokerage Regulation is that it allows individual consumers to bring legal action against a company in the event of a data breach (between $100 and $750 per incident). It is in these instances that security becomes a paramount bottom-line issue, moving from the PR war room to the balance sheet and the boardroom.

Regulations like the CCPA and the Vermont Data Brokerage Regulation are the prototypes for a greater groundswell, with California having led cyber regulation for decades and the average Vermont voter perceiving their data to be worth 2X more than the national average. While government can move faster at the state level, a federal regulation similar to GDPR is no longer a matter of if, but when.

“The question is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape that law should take.”

Senator Thune and the Senate Committee on Commerce, Science, and Transportation have begun the hearing process to examine the needs of both privacy advocates and industry representatives.

“It represents the beginning of an effort to inform our development of a federal privacy law that enjoys strong bipartisan support.”

Security is a critical pillar in the privacy discussion, as we saw with GDPR and see with the CCPA and the Vermont Data Brokerage Regulation. Conversations like these will only become more frequent; looking ahead to the Symantec Government Symposium, we can expect to see calls for mandated standards emerge in order to protect end users’ privacy and security.

Two outcomes will start to take shape in the coming months and years:

State governments will follow California’s lead

While Vermont’s new legislation is specific to data brokers, the CCPA is broader in reach, designed to protect Californians rather than to regulate a given industry. Expect similar initiatives to take shape as we enter midterm election season.

Over the next two to three years, American CISOs and anyone handling Americans’ data will face a patchwork of data privacy and security regulations, each resembling the others but varying slightly. Certain protections and rights will exist in one state and not be recognized in the next. For a reactive CISO who simply jumps through the necessary hoops, this will be a tough time and nigh impossible to manage. The bare minimum and a reactive attitude will not be enough to make it through this wild west of privacy regulation.

Federal government sets a standard

Just as GDPR governs the EU member nations, Congress is already working to draft new legislation in the same vein. As the Senate Committee on Commerce, Science, and Transportation takes opinions from all sides, and NIST starts work on a new voluntary privacy framework, these standards will take time to make it through. After the Facebook incidents following the 2016 election, expect 2020 to turn all eyes on privacy and cybersecurity. As with managing state-level privacy regulation, a reactive CISO will not hold the position for long.

How to weather the coming storm

CISOs need to take a proactive approach to successfully manage a cyber program as these new standards and practices emerge.

First, CISOs will need to speak the language of their fellow C-suite members and act as a translator for the members of the security organization. They must be able to show their progress and their successful navigation of the emerging regulatory landscape as easily as a CFO can show a balance sheet. Take ownership of your strategy and present it effectively, connected to the business goals of the organization.

What you present is only as good as the strategy driving it. A reactive CISO will end up with a patchwork of overlapping standards and practices that wastes resources and frustrates their team. A proactive CISO will use a gold-standard framework like the NIST CSF, which was developed with both public- and private-sector input. With all signs pointing to U.S. regulation drawing upon standards from the NIST CSF and similar frameworks (DFARS, GDPR), a proactive CISO will skate to where the puck is going.

The CCPA and the Vermont Data Brokerage Regulation are only the beginning of government regulation and imposed standards. For a CISO to remain relevant, they must act as a guide for their company through the minefield as these regulations become standard. Draw upon the existing standards that regulators are going to use to draft future regulation (NIST CSF). Ensure that you can translate your success into a meaningful representation for the C-suite, and unite your organization behind one singular vision.
