The good news is that most impending legislative initiatives recognize the security component of privacy.
Wyden’s bill would “empower” the Federal Trade Commission to “establish minimum privacy and cybersecurity standards.”
New York’s Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), signed into law this past July, includes new “data security protections,” due to take effect March 21, 2020.
Among its requirements are “to be in compliance with other applicable cybersecurity laws, such as the Gramm-Leach-Bliley Act, focused on financial institutions; HIPAA (Health Insurance Portability and Accountability Act), focused on healthcare; or the Cybersecurity Requirements for Financial Services Companies promulgated by the New York Department of Financial Services.”
Alternatively, organizations can implement a data security program that includes “reasonable administrative, technical and physical safeguards.” That declaration is followed by a list of specifics that gives some definitions of “reasonable.”
For example, the “technical” safeguards require that the organization “assess risks in network and software design; assess risks in information processing, transmission and storage; detect, prevent and respond to attacks or system failures; and regularly test and monitor the effectiveness of key controls, systems and procedures.”
Failure to comply with some privacy laws could eventually draw more than government penalties. Alastair Mactaggart, founder and chair of Californians for Consumer Privacy, wants to take the penalties in the CCPA a step further. The law should, he argues, enable consumers to sue businesses if “email address plus password” are stolen due to the organization’s negligence. This would “help cut down on identity theft by encouraging businesses to invest in good security.”