Security Aspects of US Data Privacy Legislation

The General Data Protection Regulation is considered to be “the gold standard” among data privacy laws. Its impact is increasing day by day: more and more strict data protection legislation is appearing in many countries around the globe. The United States is no exception.
By Dmitry Vyrostkov

Although the United States does not have a federal privacy law, all 50 states have already enacted breach notification regulations that require organizations that own or license computerized personally identifiable information to notify consumers if their personal data is compromised. These data breach laws extend the definitions of PII and necessitate specific security procedures. In this article, we will review US laws that are similar to GDPR data protection laws.

California Consumer Privacy Act (2018)

California was a pioneer in US data protection legislation, passing the California Consumer Privacy Act in 2018. The CCPA grants consumers the right to control personal data and know how this data is used. Consumers are defined as residents of the state and employees. Thus, it has become crucial for businesses to establish internal security processes. The law describes penalties for a “violation of the duty to implement and maintain reasonable security procedures and practices.” However, at the same time the legislation fails to define what is meant by “reasonable security procedures and practices.” Prior to CCPA, in 2016, the California Office of the Attorney General published a “Data Breach Report” and listed recommended security safeguards, emphasizing a set of twenty data security controls produced by the Center for Internet Security (“CIS Controls”) as the most effective measures for any information security program.

Nevada SB220 (2019)

Nevada’s SB220, or “Act relating to Internet privacy” (2019) is less descriptive in comparison with the CCPA. The law applies to operators of Internet websites or online services who collect personal information from consumers in Nevada. Generally, the one new right provided by SB220 for Nevada consumers is the right to opt out from the sale of their personal information using a "designated request address."

Massachusetts Data Privacy Law (2010)

The proposed Massachusetts Data Privacy Law is perhaps the toughest data protection law in the United States. The law is of concern to any company that handles the private data of Massachusetts residents. In order to comply with the legislation, organizations must revise their current data breach response plans and establish strict written policies and security procedures. In addition, businesses must keep a record of the data they work with and perform regular inventories of electronic and hard copy data. Furthermore, companies are required to develop, implement, and maintain a comprehensive information security program, with a description of the means used to detect and prevent security system failures. There are also specific security requirements for organizations’ computer systems, which must contain the following:

  • Secure user authentication protocols
  • Secure access control measures
  • Encryption of all transmitted records and files
  • Reasonable monitoring systems
  • Encryption of all personal information stored on laptops and other portable devices
  • Reasonably up-to-date firewall protection.

New York Privacy Act (2019-2020)

New York, in turn, proposed the New York Privacy Act (S5642) that shares most of the GDPR language. The law extends the term “personal information,” adding more identifiers to the list. Regarding security measures, the New York Privacy Act contains a new section – New York General Business Laws, Article 39F, Section 899-BB – requiring any person or business that owns or licenses computerized data with New York residents’ private information to “develop, implement and maintain reasonable safeguards.” The technical safeguards include:

  • Assessing risks in network and software design
  • Assessing risks in information processing, transmission, and storage
  • Detecting, preventing, and responding to attacks or system failures
  • Regularly testing and monitoring the effectiveness of key controls, systems, and procedures.

The Ohio Data Protection Act (2018)

Unlike the laws described above, the Ohio Data Protection Act prompts entities to establish a cybersecurity program and guarantees businesses protection against lawsuits, even in the case of a security breach, so long as the business can provide proof that it took “reasonable measures” to protect consumer data. A written cybersecurity program must contain administrative, technical, and physical safeguards for the protection of personal information and restricted information, and conform to an industry-recognized cybersecurity framework, such as NIST, HIPAA/HITECH, FedRAMP, GLBA, CIS Controls, FISMA, the ISO 27000 family, and PCI DSS. Moreover, a company’s cybersecurity program must:

  • Protect the security and confidentiality of personal information
  • Protect against anticipated threats or hazards to the security or integrity of personal information
  • Protect against unauthorized access to and acquisition of data.

Wrap Up

Overall, we see that the need for adopting comprehensive data protection policies is at an all-time high. For companies that wish to establish a cybersecurity program and set up effective security controls, DataArt’s security team recommends the following actions:

  1. Perform an internal or independent external audit to understand the assets the organization has and the data it uses.
  2. Make sure that your confidentiality policy is compliant with the external regulations or create such a policy if it does not exist. Ensure that each piece of data is classified as “confidential” or “private” by default unless it is stated otherwise.
  3. Employ basic perimeter protection measures (identity management, firewalls, etc.) and set up security awareness and data confidentiality training for your employees.
  4. Get acquainted with security guidelines like NIST SP 800-171 in order to ensure that sensitive federal information (controlled unclassified information) remains confidential when stored, transmitted and processed. Perform a self-assessment to understand what the next objectives are.