The privacy landscape and the rules that govern it are always changing. In the October session of CohnReznick’s monthly virtual roundtable for chief information security officers (CISOs), our guest speaker, Alison Bird, a Partner at Turinas & Bird LLC, provided an overview of recent privacy-related developments:
- California Consumer Privacy Act (CCPA). Regulations were finalized in July 2020. Class actions are starting to trickle through the court system, and the California Attorney General is beginning to focus on enforcement.
- California Privacy Rights Act (CPRA). The proposed act has qualified for the Nov. 3, 2020, ballot in California, gathering more than 700,000 signatures. If approved by California voters, this new law would expand the rights of Californian consumers and also create additional implementation challenges for regulated companies.
- COVID-19. Businesses are addressing new privacy-related challenges as they confront the security risks inherent to the remote workforce, as well as safety concerns as they cautiously bring workers back to the office. Smart buildings and intelligent spaces are dealing with privacy-related concerns and challenges.
- Increased protection of biometric data. Many states are introducing new and often punitive privacy laws relating to the use of biometric information. Illinois’ Biometric Information Privacy Act (BIPA) has resulted in a flurry of class-action litigation. Portland, Oregon, just passed a city law on facial recognition as well. As companies are increasingly using biometric information in innovative ways, it will be important to be aware of applicable developments so that appropriate policies are put in place to comply with this relatively new area of privacy law.
- NIST Privacy Framework. Many government contractors and government agencies are leveraging the newly released National Institute of Standards and Technology (NIST) framework to establish privacy controls and measures within their respective environments.
- New York Department of Financial Services (NYDFS). The department recently brought its first enforcement action, highlighting privacy expectations for regulated entities and their service providers. (See our recent article to learn more.)
- Federal Trade Commission (FTC). The commission has shown an increasing focus on providing more specific guidance relating to minimum security standards. The Gramm-Leach-Bliley Safeguards rule is under review.
- Privacy Shield. The Court of Justice for the European Union (CJEU) invalidated the EU-US Privacy Shield this summer, meaning that businesses must consider alternate mechanisms for transferring EU citizens’ personal data out of the EU. Standard contractual clauses are still valid, but will need to undergo additional review and revisions to meet compliance obligations. Further guidance is expected from European regulators. More recently, Israel followed suit by invalidating the Privacy Shield as well.
Participants in the CISO roundtable had a range of opinions and comments on how privacy is viewed in their organizations and across their respective industries. Those who deal with privacy requirements on a regular basis because of the EU’s General Data Protection Regulation (GDPR) or the CCPA believe the stipulated requirements are just the tip of the iceberg for truly effective privacy management. For those who generally don’t have to address or deal with privacy challenges, it is one big dark hole with a lot of uncertainty and unknowns.
While there is plenty unknown when it comes to privacy and how emerging and evolving privacy-related matters will be handled by organizations in different jurisdictions and states, privacy as a business concern is not going away, and it will only become more of a topline issue, especially as workforces continue through the “new normal” shaped by the COVID-19 pandemic.
Bhavesh Vadhani, Principal, National Leader, Cybersecurity, Technology Risk, and Privacy
Coronavirus Resource Center
InsightThe importance of incident response plans in protection of data, finances, and reputationsBhavesh Vadhani, Thomas McDermottEstablish policies and procedures for detecting and addressing cybersecurity incidents, from minimizing consequences to notifying stakeholders. Read more.
InsightUsing the FAIR risk-analysis framework to make the business case for security initiativesBhavesh Vadhani, Daryouche BehboudiThe Factor Analysis of Information Risk (FAIR) framework can help CISOs make the business case for risk mitigation and security initiatives. Learn how.
InsightHEALTHCARE: Boost your cybersecurity and interoperability for the new remote landscapeCaroline Znaniec, Bhavesh Vadhani, Deborah NitkaAfter the rush to implement new technologies amid COVID-19, cybersecurity and privacy risks are higher than ever, and interoperability is critical. Learn more.
InsightNYDFS Cybersecurity Compliance: Maintaining Continuing ComplianceDaryouche BehboudiIs your financial services institution meeting the rigorous new cybersecurity requirements of 23 NYCRR 500? Here’s what to ask yourself, and how CohnReznick can help.
InsightFrom survival to revival: How CFOs can drive success in an upended economic landscapeKeith Denham, Swami VenkatIn the current business environment, chief financial officers can help maximize revenue, minimize costs, manage risk, and improve financial planning. Read more.
InsightImproving mobile app security in a BYOD worldBhavesh Vadhani, Deborah NitkaProtect your networks and data amid the rising use of personal devices for remote work and the security and privacy risks posed by Zoom, TikTok, VPN, and more.