During 2019, new privacy laws were introduced, and many current laws evolved in the United States and across the global landscape. With the General Data Protection Regulation (GDPR) in full effect, we saw expensive fines levied upon companies that fell victim to data privacy breaches. As we move into a new year, probably the biggest takeaway from 2019 is that being proactive and having a data privacy strategy in place is important to help mitigate the risk of a data privacy breach.
The regulatory landscape continues to evolve as states and countries actively pass new expanded requirements for privacy and cybersecurity regulations. While laws in the U.S., like the California Consumer Privacy Act (CCPA), are getting significant attention, many other states and countries are actively amending their breach notification laws to include tighter restrictions. This can present a big challenge when it comes to incident response because, as noted by Forrester in a recent survey commissioned by IBM, only a few organizations feel confident in their ability to comply with emerging data privacy regulations.
Here are three worldwide trends in data privacy regulations that we observed during 2019 that we believe are likely to carry over into 2020:
- Expanded definitions of “personal information”
- Reduced time frames for businesses to report data privacy breaches
- New requirements regarding reporting data privacy breaches to supervisory authorities
Trend 1: Expanded Definitions of “Personal Information”
We see and hear about people using biometrics to speed up security at some airports, retailers coming up with new ways of collecting payments that involve numerous types of account information, and law enforcement agencies tapping into new technologies to identify individuals. These are just a few examples of how technology continues to evolve and open doors for innovation, but also provides opportunities for a greater concentration of personal data. In addition, according to Forrester, people use more digital devices than ever before, and big data analytics continue to become more sophisticated; therefore, the need to evolve the definition for “personal information” becomes apparent.
In the U.S. this past year, New York, New Jersey and Virginia all expanded their definitions of “personal information.” New Jersey’s law expanded the definition to include usernames, email addresses, passwords, and security questions and answers affiliated with an individual’s online account. New York’s law expanded its definition to include the following categories: biometric data, account numbers and credit or debit card numbers without a security code, usernames, email addresses, passwords, and security questions and answers.
Furthermore, Virginia’s law expanded the definition of “personal information” to include a passport number or military identification number when it is disclosed in conjunction with an individual’s name. It is very likely that other states will continue to expand their definitions of personal information. The state of Washington has already announced that it will expand the definition of “personal information” and set new notification requirements. Effective March 1, 2020, Washington’s definition of “personal information” will be expanded to include the following categories: birth date, unique private keys for signing electronic records, student, military or passport identification numbers, medical information, biometric information, and online login credentials.
When it comes to cybersecurity and incident response, the evolving definition of “personal information” presents new challenges. These include keeping track of the different definitions in different jurisdictions, uncertainty over whether a given incident qualifies as a breach, and a higher number of incidents to manage, because data that was previously not considered personal information now is.
Trend 2: Shorter Time Frames for Businesses to Report Data Privacy Breaches
In 2019, Maine’s data breach notification law required notification to affected residents within 30 days after an entity became aware of a breach of personal information. The prior version of the law did not include a specific time frame for such notifications. Another example is updated legislation in Texas, which became effective on January 1, 2020. Amendments to the Texas law require businesses to send breach notifications to affected individuals without “unreasonable delay,” but no later than 60 days after identifying such breaches.
Texas is just the start of 2020’s growing trend of shorter time frames and tighter requirements from state regulators. Effective March 1, 2020, Washington’s law will also reduce the prior 45-day notification timeline to 30 days. As the examples above show, and as reflected in the updates made to the IBM Security Resilient security orchestration, automation and response (SOAR) platform in 2019, some states across the U.S. have been setting shorter time frames governing when a business must report a breach.
Meeting shorter time frames can be difficult, especially during a crisis, but that is why it is important for organizations to understand what data they collect and why they collect it. Having this basic understanding will help them plan and identify measures to reduce risk, as well as bring teams together, such as privacy and cybersecurity, so they are prepared to meet the new tighter deadlines and resolve incidents effectively.
Trend 3: New Requirements Regarding Reporting Data Privacy Breaches to Supervisory Authorities
More and more, individuals are becoming aware of their privacy rights, which in turn has influenced supervisory authorities, such as state attorneys general in the U.S., to take a more active role in advocating for consumer protection and enforcing laws to protect their constituents. This has led some states to amend their data privacy laws to require prompt notifications to supervisory authorities. These new requirements can add confusion for an already overextended security team, as different authorities have different requirements that must be presented in different formats at different times.
States that have established new reporting requirements, such as reporting breaches to the state attorney general, include Arkansas, Texas and Washington. Starting in 2019, Arkansas law requires notification to the state attorney general if 1,000 or more individuals are affected. Starting in 2020, notification to the Texas attorney general must be given within 60 days of identifying a breach, provided that the breach affects at least 250 Texas residents. Furthermore, Washington’s law will require entities to provide updated notice to the attorney general if any information required in the notice is unknown at the time the notice is filed.
In addition to updated U.S. state privacy laws, other countries around the world have been creating new regulations with specific reporting obligations. In 2019, Serbia and Thailand were two of many jurisdictions to use the GDPR as a template for new data privacy laws. Serbia’s law, like the GDPR, now requires data controllers to notify the Serbian Data Protection Authority within 72 hours of a data breach and will require them to notify individuals if the data breach is likely to result in a high risk to the rights and freedoms of individuals. Data processors must also notify the relevant data controllers in the event of a data breach.
On May 27, 2019, the Thai government published the Personal Data Protection Act (PDPA). The law has been enacted, and companies have a one-year period, ending May 27, 2020, to bring their practices into compliance. The PDPA adopts a broad definition of “personal data” (any information which directly or indirectly identifies an individual) and an extraterritorial scope that extends its obligations to organizations outside Thailand that either offer products and services to individuals in Thailand or monitor the behavior of individuals in Thailand. The PDPA also adopts the concepts of “controller” and “processor” consistent with various other privacy regimes.
Data Privacy in 2020 and Beyond
From 2020 to 2022, countries such as India, Switzerland and Brazil have already announced that they will add stricter guidelines to their data privacy laws, which will add to the momentum of privacy law evolution. Therefore, as these U.S. and global laws continue to expand their reporting requirements and scope, organizations should scale and operationalize for these changes, potentially leveraging an automated process to keep track of these laws and requirements. Organizations that want to navigate this complex and fast-moving regulatory environment could benefit from a SOAR solution that centralizes up-to-date information on data privacy reporting requirements and that can help orchestrate the response process beyond the security operations center (SOC) to include their privacy experts, legal team and the wider business.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.