
Multiple U.S. Privacy Protection Laws A Growing Business Problem

As privacy laws shift and evolve, business leaders are tasked with multi-layered compliance. Outsourcing to an IT expert allows leaders to focus on growth.

Complying with the myriad of U.S. privacy laws requires a Herculean effort on the part of business leaders. That’s primarily because there are wide-ranging state, federal, and international thresholds companies must meet. The methods an organization uses, and the ways it manages sensitive data, determine whether it grows its client base or has state and federal agencies impose fines.

What strikes thought leaders across sectors is the hodgepodge approach the U.S. takes versus the EU. And keep in mind, we live and work in a global economy where other nations expect companies to meet their privacy protection guidelines as well. That’s mostly why many enterprises operate with a third-party managed IT firm with experience in privacy law compliance.


U.S. Businesses Drowning In Privacy Mandates

Over the last few years, American privacy policies started to trend toward unification. The California Consumer Privacy Act (CCPA) emerged as perhaps the most comprehensive set of guidelines. In many ways, it reflected what the EU enacted with its General Data Protection Regulation (GDPR).

Both sets of regulations grant substantial rights to individuals over their data. Both the EU and California also implemented onerous business accountability rules. Even simple missteps can result in excessive penalties.

At the federal level, the U.S. Department of Defense imposed updated and stringent cybersecurity guidelines through its Cybersecurity Maturity Model Certification (CMMC) rollout. That effort requires defense contractors and supply chain outfits to implement high-level cybersecurity protections and gain accreditation to work in the industry. Although the CMMC brings together a wide range of cybersecurity controls under one umbrella, the DoD is on version 0.7. Even though a universal approach may be trending, these and the following laundry list of privacy mandates remain ongoing challenges.

  • HIPAA: First passed in 1996, the Health Insurance Portability and Accountability Act changed the way health insurance organizations stored, moved, and protected data. With confidentiality viewed as its core value, HIPAA includes a little-known Security Rule.
  • COPPA: The 2000 Children’s Online Privacy Protection Act took proactive steps to protect the personal data of minors. It prohibits online entities from collecting personal information from children 12 or younger without a parent’s express permission. Congress continues to update COPPA and make changes to meet emerging privacy challenges.
  • GLBA: The Gramm-Leach-Bliley Act of the 1990s appears to be a heavy-handed banking and financial sector law. But it also includes essential data privacy and cybersecurity guidelines that may be overlooked.

Congress has also passed laws that have privacy provisions ingrained in them, such as the Fair Credit Reporting Act, among others. It’s not uncommon for companies to have footholds in multiple industries that trigger a variety of compliance and oversight obligations. What compounds privacy and cybersecurity even further is that individual states routinely enact, update, and change privacy provisions.

Ambiguous State Privacy & Cybersecurity Laws

The lack of consistency between state and federal laws makes doing business costly. Complying with wide-reaching federal laws, as well as state minutiae, requires either doling out substantial resources or enlisting a third-party managed IT consultant. Consider, for a moment, the potential for civil fines that could result from the sheer ambiguity of these state laws.

  • CCPA: The California law defines personal data as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
  • MDPL: Under the Massachusetts Data Privacy Law, consumers can level civil lawsuits even if they do “not suffer a loss of money or property as a result of the violation.” An innocent misstep that does not result in harm to an individual can prove costly.
  • NYPA: The New York Privacy Act provides such a broad definition of how companies are expected to protect data that lawsuits are difficult to avoid. Businesses must “exercise the duty of care, loyalty, and confidentiality expected of a fiduciary concerning securing the personal data of a consumer against a privacy risk.”

When asked whether a company’s cybersecurity conforms with U.S. privacy laws, the answer might be: Which ones?

Industry leaders can expect that the privacy law landscape will evolve, shift, and become increasingly complex. That’s why business leaders would be wise to consider contracting with a consultant. At ICS, our team of determined IT consultants manages privacy law and cybersecurity so you can focus on goal achievement. Visit ICS and schedule a consultation.