Why U.S. GDPR-Style Privacy Laws Are Good For Business

December 19, 2019, 20:15

In the U.S., there are 50 data breach notification laws (51 if you count Washington, D.C.). There are similarities in the way each U.S. state defines the key elements of a breach, like the personal data to be protected, conditions for triggering a notification and specific reporting required.

The differences between state and current federal laws, however, add considerable administrative and legal overhead to the process of handling a data breach. As just one example of this, medical insurer Health Net had to deal with multiple state regulators when it was breached in 2011, ultimately paying separate fines and undergoing additional audits.

It’s safe to say that many businesses would prefer a single data security law with a uniform set of rules as a way to lower costs. Research firm Ponemon has been tracking data security compliance costs over the years, and in 2017, it reported an average of over $5 million.

For this report, Ponemon also surveyed over 200 companies to learn which data laws or standards were hardest to meet: U.S. state data security laws came near the top of their list, even ahead of HIPAA, the complex federal medical privacy law.

That’s not too surprising once you delve into some of the things businesses have to keep straight about each law. For example, breach reporting triggers can differ depending on where the breach occurred: Some are based on a “harm standard” to consumers, while other laws use the raw number of affected accounts. Most states exclude encrypted data, but not all. A few states, such as New York, would count a ransomware attack as a data breach even though the data was not actually acquired by the hacker. Confused? You’re not alone.

The GDPR Edge

Unlike the U.S., the EU has one data security and privacy law covering its 28 member countries. A company operating under the General Data Protection Regulation (GDPR) can expect a single definition of personal data, a single set of rules defining data requirements including a 72-hour breach notification rule and a unified regulatory bureaucracy or “one-stop shop” for enforcement and fines.

U.S. multinationals with subsidiaries in the EU may be unhappy with the tighter data rules and higher compliance costs, but they’re facing well-understood and predictable regulatory mechanisms. While the GDPR is not necessarily an easy data law to meet, U.S. companies that are now GDPR-compliant actually have an edge over companies just starting to think about privacy and personal data protection.

Why? The GDPR has been quietly influencing a new generation of U.S. state privacy laws and is helping shape a potential law at the federal level. Companies that are GDPR-compliant will be in a better position to comply with this new wave of privacy legislation.

California is leading the charge with its recently enacted consumer privacy law, the CCPA, which will go into effect at the start of the new year. Like the GDPR, the CCPA has a broad definition of the data that needs to be protected: email addresses, geolocation, biometrics, IP addresses and more. It also gives consumers the power to access and delete their data — a “right to be forgotten.” The California law is also spurring copycat legislation in other states.

Perhaps we shouldn’t be too surprised that 51 CEOs from America’s largest companies are trying to get ahead of the curve. They recently sent a letter to Congress asking for a GDPR-style federal privacy law. These corporate heads are not advocating for all the complexities of the EU GDPR law. In a framework document, they introduce some of the same ideas that have influenced the GDPR, but in a simpler form.

The CEOs remind Congress that “as the regulatory landscape becomes increasingly fragmented and more complex, U.S. innovation and global competitiveness in the digital economy are threatened” and that “innovation thrives under clearly defined and consistently applied rules.”

Opportunity For Harmonization, Better Privacy And Lower Costs

Just as the GDPR gave the EU countries an opportunity to harmonize separate national data rules, the U.S. is approaching a similar inflection point. I think we can all agree that unifying laws is essential to avoid wasteful overhead and uncertainty.

There are other benefits besides reducing confusion and compliance costs. A federal data privacy law would also give corporate IT and security groups a chance to modernize data protection processes and controls.

For example, a consumer’s right to access and control who sees their personal data — as the CEO letter recommends — would be a unique chance for IT groups to analyze both their data security practices and the huge amounts of data accumulating in their file systems. A potential federal privacy law would most likely require that businesses understand the data they’re holding on behalf of consumers, the access rights associated with this data, whether they use it for valid purposes or not and whether they should delete it.

From my company’s experiences analyzing corporate file systems, we’ve consistently found sensitive personal information — the very existence of which was previously not known to management — exposed to far too many employees in the organization, despite considerable time and effort spent managing and reviewing access.

We’ve also discovered “stale” consumer data that’s rarely or never used. Underused consumer data unnecessarily raises security and privacy risks, and would be in violation of the proposed “privacy by design” principles the CEOs mention in their letter.

The goal of a federal privacy law is to reduce consumer risk of identity theft and the resulting financial harm that comes from a breach. Here too there are bottom-line benefits for business. Breaches erode consumer and business partner trust, impact brand appeal and dampen future purchases.

Let’s not look at this CEO proposal for a GDPR-style federal privacy law as unnecessary government regulation. Instead, it’s a chance for stakeholders — consumers, businesses, privacy advocates and Congress — to come together to set a privacy baseline that protects consumers and makes U.S. businesses more competitive in the world market.

The original article was posted here: https://www.forbes.com/sites/forbestechcouncil/2019/12/19/why-u-s-gdpr-style-privacy-laws-are-good-for-business/


About Article Author

Yaki Faitelson