Blog

The Rising Stakes of Compliance: GDPR, CCPA, and Others

October 29, 2020
Steve Fox

Data privacy and protection is not a new initiative. The 1998 Data Protection Act aimed at addressing this very issue as our society quickly embarked on the digital age. Now, more than 20 years later, the conversation has continued with new and revised regulations to protect consumers and businesses. Among these regulations are the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Nevada’s Privacy Law, Washington State’s Privacy Bill, and New York’s Privacy Bill, among others.

In a time when everyone seems to be online and sharing more than ever before, the topic of privacy is rising to the top of legislative agendas. Let’s take a good, fresh look at some of these data privacy regulations and the rising stakes associated with compliance.

REVISITING GENERAL DATA PROTECTION REGULATION (GDPR)

Adopted in 2016 and effective in 2018, GDPR replaced an outdated data protection law that simply did not cover the new challenges and threats presented by the current digital environment. This revamped data privacy regulation specifically targets the protection of basic identity information, web data (e.g., location, IP data, cookies, RFID tags), health and genetic data, racial or sexual orientation information, as well as political views.

GDPR is rooted in seven key principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

Are you required to comply with GDPR if your business is based in the United States? Yes. If your business conducts transactions or otherwise collects personal information from citizens residing in one of the EU member states, you must comply with GDPR. In fact, according to a PwC survey, 92% of U.S. businesses consider GDPR compliance a top priority.

PENALTIES AND RISK FOR NON-COMPLIANCE WITH GDPR

The first, and probably most obvious, the risk for non-compliance with GDPR is the issuance of one or more fines. There are two tiers for administrative fines for non-compliance, which applies to data controllers and processors:

  • Tier 1: Up to approximately $11.6 million, or 2% of the company’s worldwide annual revenue from the previous fiscal year (whichever is higher)
  • Tier 2: Up to approximately $23 million, or 4% of the company’s worldwide annual revenue from the previous fiscal year (whichever is higher)

Many companies opt to use a third-party service to manage transactions and data storage in an effort to protect themselves. However, despite using a third-party service, you will ultimately still be responsible for the transactions and data usage within your company, so it’s critical that you choose your partners wisely and monitor all activity to ensure compliance.

REVISITING THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

Similar to GDPR, CCPA is intended to protect the personal data of California citizens, placing rules and regulations on the types of personal information that can be collected and how that information will be stored and used in the future. Under CCPA, California citizens are granted four distinct rights:

  1. The right to know about the personal information a business collects about them and how it is used and shared;
  2. The right to delete personal information collected from them (with some exceptions);
  3. The right to opt-out of the sale of their personal information; and
  4. The right to non-discrimination for exercising their CCPA rights.

PENALTIES AND RISK FOR NON-COMPLIANCE WITH CCPA

The California State Attorney General will first issue a warning to give your business an opportunity to comply with CCPA within a 30-day window. If you do not comply, your business will then be faced with a civil lawsuit. “Civil penalties can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation.”

STATE-ENFORCED PRIVACY LAWS AND PROSPECTIVE LAWS

In addition to California, there are other U.S. states who have elevated data privacy and protection as a legislative priority, including Washington, New York, and Nevada.

  • Washington State’s Privacy Bill: With overwhelming majority support in the Washington Senate, the data privacy bill passed in 2019. Taking cues from CCPA, this bill “allows for fines up to $7,500 per violation. If passed, the bill could be effective as soon as December 31, 2020.”
  • Nevada’s Privacy Law: Effective October 1, 2019, this law is very similar to CCPA with the primary difference noted in the way “sale” is defined. Nevada’s law is more lenient on financial institutions and does not cover all service providers.
  • New York’s Privacy Bill: In an effort to protect the citizens of New York, legislators introduced a privacy bill that would allow New York citizens to access, correct, delete, and withhold personal data from third parties. Citizens will also have the right to file a lawsuit against companies that breach their data.

In this digital age, data flows like water. But the more data flows, the more careful we all need to be about what types of data are collected, how they are stored, and how they will be used. State and Federal legislations are on the rise as legal authorities and consumers alike push for data protection and privacy. Is your business compliant?

«  Back To All Articles
Next Article
  »
Misconfigurations for Office 365
5 Most Common Attacks That Dodge Your Firewall.
4 Pentest Paradoxes You Must Get Right
Do a Risk Assessment before buying MDR
6 Rules of Engagement for any Penetration Test
Cyber Alliance Program
Your Perimeter is Disappearing
Cybersecurity Acronyms for Retirement Administrators
XDR, MDR, SOAR - Acronyms of Cybersecurity Detection & Response
Test Blog Post 3
Test Blog Post 2
White Paper - XDR for Retirement Systems
The Total Cost of Ransomware - 7 Categories
The Power of Data Continues to Grow
Who Shares Responsibility for Data Security in a Health Crisis?
Identifying Cloud Security Gaps in a Remote Workforce
Mid-year Threatscape Assessment and Review of Significant Cyber Incidents
Front Line Report: 2020 Election Cybersecurity Threats
The Rising Stakes of Compliance: GDPR, CCPA, and Others
Increasing Healthcare Cybersecurity With a Proactive Defense Strategy
5 Ways to Lower Risk and Maintain Privacy in Your Organization
9 Tips for Detecting and Preventing DDoS Attacks
5 Ways to Secure Your Access Control Vulnerabilities
6 Strategies to Prevent SQL Injection Attacks
7 Commonly Neglected Security Tasks: DMARC, DNS Calls, And More
The Impact Of A Cyber Attack On A Nation
History Matters: Cyber Attacks From The 1980S
What Healthcare Organizations Need To Know About Samsam Attacks
Reflecting On 2019: Blockchain, AI, Machine Learning, Cryptojacking, And More
California Consumer Privacy Act (CCPA): What You Need To Know
Why Covid-19 Phishing Criminals Love Machine Learning (Ml)
Malicious Bot Activity Continues To Rise As Employees Work From Home
How Crypto-Agile Is Your Organization?
How Businesses Can Prepare For The Coming Iot Surge
Where To Find Cybersecurity Help: Addressing The Security Expert Shortage
Ransomware: To Pay Or Not To Pay?
How Expensive Is A Data Breach?
Looking Ahead: The Cybersecurity Landscape In 2021
Attack On Solarwinds Infiltrated U.S. Government Networks: What It Means For You
5 Best Practices To Secure Your Remote Workforce
Top 5 Most Dangerous Ransomware Attacks — And How To Protect Your Business
Reduce Data Breach Costs With Artificial Intelligence
5 IoT Trends To Continue Watching In 2021
AI Poisoning: What You Need To Know To Protect Your Business
Zero Day Exploits: Advanced Cyberattacks
Why Users Should Never Auto-Fill Forms: Browser Exploit Overview
Don't Be Fooled By Padlocks And SSL Certificates
5 Ways To Shield Executives From Whaling Attacks
How Artificial Intelligence (AI) Is Helping Cyber-Criminals
Why Breaches Are Becoming More Difficult To Defeat
History Matters: Cyber Attacks From The 1960S
History Matters: Cyber Attacks From The 1970S
History Matters: Cyber Attacks From The 1990s
History Matters: Cyber Attacks From The 2000S
The Rise Of Mobile Malware
Growing Concerns Over Voice Phishing Scams
Stopping The Spread Of 5G Security Vulnerabilities
Why Small Business Is A Big Cyber Crime Target
Feeling The Heat: Geopolitical Cybersecurity Threats
The Role Of Artificial Intelligence In Effective Cyber Attacks
Absolute Zero: Zero Trust And Zero Standing Privileges
Data Security Challenges in the New Era of Remote Work
Why Penetration Testing Has Never Been More Important
5 Ways to Protect Your Business From Phishing Attacks in 2021

join our email list

Security Pursuit logo
LinkedIn iconlinkedintwitter logoTwitter iconFacebook iconFacebook icon
Professional ServicesProduct Solutionsaboutpartnersblogcontact
denver office
2000 Araphahoe Street, Suite 1
Denver, CO 80205
720-675-7668
LinkedIn iconlinkedintwitter logoTwitter iconFacebook iconFacebook icon
san francisco office
2315 Montgomery Street, 10th Floor
San Francisco, CA 94104
415-735-4225
© 2021
Designed by H1 Web Development