In the last
couple of years of blogging, except for writing about AI, one of the hot topics
I wrote about (and still continue to do so) is Data Privacy, and all of the laws
that surround it. I don’t ever recall
this ever being such a widely debated topic until the COIVD-19 pandemic
hit. But of course by then, the total
number of Cyberattacks multiplied, with Ransomware leading the way.
Phishing
emails and redirecting unsuspecting victims to fake and phony websites became the
norm. Then, once CISOs finally started
to figure out that migrating 100% to the Cloud (such as in Azure or the AWS),
was the way to go, then Data Exfiltration Attacks became the norm, and still
does so even to this day.
To protect
people, countries around the world started to create and implement Data Privacy
Laws, such as the GDPR, CCPA, HIPAA, etc.
The aim around these key pieces of legislation was twofold:
*To give
citizens much more control as to how their personal datasets were being used;
*To put
businesses on alert that they have to start taking data security
seriously. If not, they would be subject
to a very exhaustive audit and face extremely harsh financial penalties.
While the intention
of these laws is certainly very plausible, there has been one key problem: There has been no uniformity in them. While this has been achieved to a certain
degree with the GDPR (as all member EU nations have to follow it), the same
cannot be said of the other laws that have been enacted. This is especially true here in the United
States, as each of the 50 states are now creating their own Data Privacy Laws.
Because of
this, many businesses, no matter how large or small they might be, are now
wondering which law they need to abide by.
For example, what if an entity has transactions in all of the states? Do they have to abide by each and every one
of them?
Theoretically,
the answer to this would be “yes”. But
in the real world, this is not going to happen.
For instance, US based businesses are already having a tough time trying
to come into compliance with the GDPR.
How on earth can this happen across 50 disparate Data Privacy Laws? It would be an administrative nightmare to
even think about.
So in response
to this, the US Federal Government has finally taken the effort to at least try
and create a Data Privacy Law that can be implemented on a national level. The end result of this would be a set of standards and best practices that each and
every business in the US can follow, without any question. Of course, this would then do away with each
state’s own version of it.
So what is this
new bill, you may be asking? It is
called the “American Privacy Rights Act”.
To see the exact text on this bill, click on the link below:
http://cyberresources.solutions/blogs/APRA.pdf
I did some poking
around this on Google, and the only updates have been made in April of this
year, but nothing substantial has happened.
It is hoped though that it will pass and become a Federal Law before
this year’s Presidential Election.
But given the
way things are today, it will be a miracle if this actually happens (trying to
be apolitical). It was introduced as a
bill by Science and Transportation Chair Maria Cantwell (D-WA) and House
Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA).
So, in order
to make this bill a strong piece of legislation, it is important that it “learns”
from the mistakes that were made when
the GDPR was first introduced. Of course,
there were many, but the top three ones are as follows:
*The GDPR
even since its inception was gargantuan.
The early stages of it were not made public, and because of that, many
businesses were shocked as to how much they would have to revamp their existing
controls in order to start to come into compliance.
*After the GDPR
was finally passed, the tenets and provisions of it were first released to the C-Suite,
in an effort to champion it from a top-down approach. But there was hardly any communication about
it from the upper brass, and as a result, the levels of Cyber Hygiene totally deteriorated.
*Businesses
had no . a how to ask for help in coming into compliance with GDPR, if they
were having a lot of problems with the new law.
I am not sure if the EU had a government resource in place that could
provide help, btu whatever was provided seemed to be very disjointed and disparate.
My
Thoughts On This:
In my view,
it is highly unlikely that the APRA will be passed even before the year is
out. But even despite all of the bickering,
there seems to be an overall, strong momentum to eventually have something in
place. So, American businesses should
start now to get prepared for it. Two of
the best ways to do this are:
*Hire a Data
Privacy Officer. You don’t have to have
a direct hire position, rather, you can hire somebody on a contract basis, for
a fraction of the cost. This is very
similar to hiring a vCISO.
*Start to
review the tenets and provisions of both the GDPR and the CCPA. Even if your business is not bound to them,
imagine that you are, and assess your current IT and Network
Infrastructure. Based on this, then
either put in new controls and/or upgrade the existing ones that you already
have.
*Be open and
transparent. This is an issue that just
does not affect the IT Department (contrary to popular belief), it impacts
everybody in the organization.
*Have regularly
scheduled Security Awareness Programs to educate your employees as to what is happening
in preparation for a possible passage of the APRA, and what they need to do
maintain strong levels of Cyber Hygiene.
*Understand
where all of your datasets reside it. This
is a must know, there is no way of getting around it. But you are not alone in this, there are both
AI and ML tools that are coming out that can help you keep track of what is
where in your databases.
In the end,
coming into compliance will be a royal pain, and it could cost some money. For example, it has been cited that to come
into compliance with the GDPR, companies have to spend an average of 1.3 Million
Euros. But in the end, that pales in
comparison to what the actual cost of an audit and the financial penalties could
be if you don’t come into compliance.
No comments:
Post a Comment