Monday, May 27, 2024

Introducing The American Privacy Rights Act - What You Need To Know

In the last couple of years of blogging, apart from writing about AI, one of the hot topics I have written about (and still continue to do so) is Data Privacy, and all of the laws that surround it.  I don’t recall this ever being such a widely debated topic until the COVID-19 pandemic hit.  But of course by then, the total number of Cyberattacks had multiplied, with Ransomware leading the way.

Phishing emails and redirecting unsuspecting victims to fake and phony websites became the norm.  Then, once CISOs finally started to figure out that migrating 100% to the Cloud (such as to Azure or AWS) was the way to go, Data Exfiltration Attacks became the norm, and they still are even to this day.

To protect people, countries around the world started to create and implement Data Privacy Laws, such as the GDPR, CCPA, HIPAA, etc.  The aim of these key pieces of legislation was twofold:

*To give citizens much more control as to how their personal datasets were being used;

*To put businesses on alert that they have to start taking data security seriously.  If not, they would be subject to a very exhaustive audit and face extremely harsh financial penalties.

While the intention behind these laws is certainly commendable, there has been one key problem:  There has been no uniformity among them.  While this has been achieved to a certain degree with the GDPR (as all EU member nations have to follow it), the same cannot be said of the other laws that have been enacted.  This is especially true here in the United States, as each of the 50 states is now creating its own Data Privacy Law.

Because of this, many businesses, no matter how large or small they might be, are now wondering which law they need to abide by.  For example, what if an entity has transactions in all of the states?  Does it have to abide by each and every one of them?

Theoretically, the answer to this would be “yes”.  But in the real world, this is not going to happen.  For instance, US based businesses are already having a tough time trying to come into compliance with the GDPR.  How on earth can this happen across 50 disparate Data Privacy Laws?  It would be an administrative nightmare even to think about.

So in response to this, the US Federal Government has finally made the effort to at least try to create a Data Privacy Law that can be implemented on a national level.  The end result of this would be a set of standards and best practices that each and every business in the US can follow, without any question.  Of course, this would then do away with each state’s own version of it.

So what is this new bill, you may be asking?  It is called the “American Privacy Rights Act”.  To see the exact text on this bill, click on the link below:

http://cyberresources.solutions/blogs/APRA.pdf

I did some poking around on Google about this, and the only updates were made in April of this year, but nothing substantial has happened.  It is hoped though that it will pass and become a Federal Law before this year’s Presidential Election.

But given the way things are today, it will be a miracle if this actually happens (trying to be apolitical).  It was introduced as a bill by Science and Transportation Chair Maria Cantwell (D-WA) and House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA).

So, in order to make this bill a strong piece of legislation, it is important that it “learns” from the mistakes that were made when the GDPR was first introduced.  Of course, there were many, but the top three are as follows:

*The GDPR, ever since its inception, was gargantuan.  The early stages of it were not made public, and because of that, many businesses were shocked at how much they would have to revamp their existing controls in order to start to come into compliance.

*After the GDPR was finally passed, its tenets and provisions were first released to the C-Suite, in an effort to champion it from a top-down approach.  But there was hardly any communication about it from the upper brass, and as a result, the levels of Cyber Hygiene totally deteriorated.

*Businesses had no idea how to ask for help in coming into compliance with the GDPR if they were having a lot of problems with the new law.  I am not sure if the EU had a government resource in place that could provide help, but whatever was provided seemed to be very disjointed and disparate.

My Thoughts On This:

In my view, it is highly unlikely that the APRA will be passed before the year is out.  But despite all of the bickering, there seems to be an overall, strong momentum to eventually have something in place.  So, American businesses should start now to get prepared for it.  Some of the best ways to do this are:

*Hire a Data Privacy Officer.  This does not have to be a direct hire position; rather, you can hire somebody on a contract basis, for a fraction of the cost.  This is very similar to hiring a vCISO.

*Start to review the tenets and provisions of both the GDPR and the CCPA.  Even if your business is not bound by them, imagine that you are, and assess your current IT and Network Infrastructure.  Based on this, either put in new controls and/or upgrade the existing ones that you already have.

*Be open and transparent.  This is an issue that does not just affect the IT Department (contrary to popular belief); it impacts everybody in the organization.

*Have regularly scheduled Security Awareness Programs to educate your employees as to what is happening in preparation for a possible passage of the APRA, and what they need to do to maintain strong levels of Cyber Hygiene.

*Understand where all of your datasets reside.  This is a must know; there is no way of getting around it.  But you are not alone in this: there are both AI and ML tools coming out that can help you keep track of what is where in your databases.

In the end, coming into compliance will be a royal pain, and it could cost some money.  For example, it has been cited that to come into compliance with the GDPR, companies have to spend an average of 1.3 Million Euros.  But in the end, that pales in comparison to what the actual cost of an audit and the financial penalties could be if you don’t come into compliance.
