Keeping Up with State Privacy Laws
Although the United States continues to lag behind other developed nations when it comes to the protection of its citizens’ data, new privacy laws are slowly starting to crop up state by state. New York’s Cybersecurity Rules and Regulations (NYCRR 500) took effect in 2017, and the California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. In 2019, Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Washington all introduced laws modeled after the CCPA, and many other states are beefing up existing laws.
Nevada, for example, strengthened its online privacy law with Senate Bill 220, which went into effect October 1, 2019. It adds a requirement for an online mechanism or toll-free number that lets consumers opt out of the sale of their personal information, and it provides exemptions for specific organizations, such as those already subject to Gramm-Leach-Bliley or HIPAA.
Noncompliance with these new laws can be quite costly—up to $7500 per violation of the CCPA. The inconsistency from one state to another can present definite challenges to law firms around the nation, particularly those representing large organizations with businesses in multiple states. Here are just a few ways to give your firm’s privacy act compliance a head start.
Evaluate the path of data flow in your firm. How is private and personal data used, who has access to it, and how is it stored? If you use a third-party vendor for storage, what security measures do they have in place to protect the privacy of your data? Are there any high-risk areas that can be improved?
Evaluate your data collection process. This includes data on clients, attorneys, and staff. What data do you collect that falls under laws like the CCPA, such as financial records, addresses, emails, phone numbers, dates of birth, and social security numbers? There are eleven categories of protected information in the CCPA: Identifiers, Information in Customer Records, Legally Protected Characteristics, Commercial Purchasing Information, Biometric Information, Internet or Network Activity, Geolocation, Information Typically Detected by the Senses, Employment Information, Education Information, and Inferences from Any Category Used to Profile.
Update your current privacy and security practices. Be sure your firm has clear opt-in and opt-out protocols. How do you establish consent for data collection? Could any of your current policies put you or your firm at risk in the future? Good data security goes a long way toward preventing costly compliance breaches, and security awareness training for your staff helps defend against malware and ransomware attacks.