
Wyden's Consumer Data Protection Act: How to Be Compliant

Last updated September 24, 2021

Will 2019 be the year the US gets its own GDPR-like privacy law? Since my last post in this series, privacy legislation is becoming more certain to pass. Leaders from both parties are now saying they will focus on privacy in 2019. Consider yourself warned!

I’ll continue my journey from last time into the Wyden legislation, since it’s a good baseline. Sure, there are other bills, but they share some common elements. I’ve already discussed Wyden’s broader definition of personally identifiable information (PII) and its data risk assessment requirements in the last post.


In this round, we’ll get into the bill’s stronger consumer rights (the right to access and correct data) and discuss the baseline security requirements it mentions. As before, I’ll add my predictions about what to expect. And I’ll conclude with some ideas for getting ahead of the curve, so that when we inevitably have a new law (in one form or another), you’ll be compliant from day one.

Right to Access

It shouldn’t come as a surprise that whatever legislation is ultimately approved, it will give consumers more power over their data. This was roughly the consensus from the Senate hearings a few months back. Of course, the devil is in the details.

The Wyden bill gives consumers more control over how their data is shared: it calls for an opt-out before data is shared with third parties. The legislation also lets consumers see what personal data a company holds about them, and requires a process that allows them to correct inaccurate data.

In the Wyden bill, I did not see a “right to be forgotten”. Instead, there is language about data minimization and a requirement that companies assess the risk involved in how long they retain data. During the Senate hearings in September, there was obviously some resistance from the usual suspects about losing the power to keep tabs on online users forever. However, at least one executive from a major hardware manufacturer of cell phones, laptops, and tablet devices was open to the idea (see the response to question 4).

[Image: the Right to Access section from the Wyden bill. You’ll be able to make subject access requests (SARs).]

Prediction: The recent California privacy law does have a “right to erase” requirement, but with some exceptions, including this wide-open one: “Used solely for internal uses that are reasonably aligned with the expectations of the consumer.” My guesstimate is that the US will end up with a weaker form of the “right to be forgotten”, with enough wiggle room to allow search-engine and social media companies to continue their business practices. I think we’re more likely to see stricter language on data retention that puts limits on how long companies can keep data once there’s no longer a real business need. That would be a more realistic way to implement data erasure, but it would force companies to keep track of metadata: when the data was collected and the reasons for collecting it.

Data Security Baseline

The current crop of Congressional legislation is focused on privacy. To no one’s surprise, strong data security ideas (restricted access, multi-factor authentication, encryption, retention limits, annual pen-testing, incident response, and so on) are not finding their way into these bills. What I’m seeing, at least in the Wyden bill, is boilerplate language about “technological and physical safeguards” to reduce overall risk.

However, these bills do leave additional rule-making to a regulatory agency — the Federal Trade Commission — and so tougher data security rules could be coming down the road.

Prediction: In the first round of privacy legislation, we’re not going to get the tougher security rules that GDPR has, for example its Article 32 (Security of Processing) and its breach notification Articles 33 and 34. Instead, we’ll have required risk assessments and annual reporting. For example, the Wyden legislation calls for a certified data protection report (for companies with revenues above $1 billion) to prove they are protecting the privacy and security of the data they hold. When there are enforcement actions, a company can minimize penalties by using these reports to show it has been doing its homework.

Next Steps

Data privacy and security changes are coming to the US. For many companies that are following common standards, such as PCI DSS, ISO 27001, or CIS Critical Security Controls, the coming legal requirements should not be too much of a stretch. Keep in mind that these laws are taking standard IT security ideas and now making them mandatory.

And there will be fines! The Wyden bill, for example, specifies civil penalties of up to 4% of total revenue.

If you’re starting from scratch or want to revisit your existing programs, here are three areas worth adding to your IT New Year resolutions list:

  • Data classification of file systems – You can’t protect what you don’t know you have. Data classification is an essential part of any data security program, and the standards mentioned above have data classification requirements, usually under the broader heading of asset identification. For file systems, this means scanning folders and files and searching for the kinds of data the laws define as personal. This can’t be done by hand at any scale: you’ll need automated software that efficiently indexes the file system and pattern-matches on the relevant PII.
  • Risk Assessments – Once you’ve indexed and classified the data, the next step is to determine what’s at risk. With file data, we’re interested in who owns a resource, who is accessing it, and most importantly who should be accessing it. We know from many years’ worth of hacking incidents that once attackers are in and have stolen the credentials of ordinary users, those accounts too often have more than enough file privileges to reach and exfiltrate sensitive data. The goal of a data-oriented risk assessment is to find these overly permissioned folders and then remediate by restricting access to the users who actually need it. Data-focused risk assessments are far better at identifying the root cause of incident risk: credit card or customer information sitting in folders with “Everyone” permission.
  • Incident Response – While the current legislation may not have a “72-hour reporting” rule, it’s still important to have your ducks in a row. You should have a response program in place that can quickly identify potentially abnormal activity and notify IT in a timely way. Integrated security software that can classify data, identify permissions, and log all file activity is in a far better position to tell IT when there truly is unusual activity associated with an intrusion.
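The three items above fit together as one pipeline: inventory the sensitive data, check who can reach it, then watch how it is actually being accessed. The following Python script is an added example (it is not Varonis code and not drawn from the bill) that walks a small share, pattern-matches US Social Security numbers and Luhn-valid payment card numbers, flags classified files that sit in folders readable by everyone (the POSIX “other” read bit stands in for a Windows “Everyone” ACL entry), and then runs a simple bulk-read detection over file-activity log lines. The PII patterns, the sample share built in a temporary directory, the log format and the alert threshold are all assumptions made for the example.

```python
"""Classify a file share for PII, flag PII in folders readable by everyone,
and alert on bulk reads of the classified files. Added example, not Varonis
code; the PII patterns (US SSNs, Luhn-valid card numbers), the sample share
built in a temp directory and the file-activity log lines are constructed."""
import os, re, shutil, stat, tempfile
from collections import defaultdict
from datetime import datetime

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits with optional single space/dash separators, ending on a digit
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(digits):
    """Luhn checksum: drops digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_text(text):
    """Return {'ssn': n, 'card': n} for the PII types actually found in text."""
    cards = [c for c in (re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text))
             if luhn_ok(c)]
    counts = {"ssn": len(SSN_RE.findall(text)), "card": len(cards)}
    return {kind: n for kind, n in counts.items() if n}

def world_readable(path):
    """POSIX 'other' read bit, the closest analogue of a Windows 'Everyone' ACL
    entry (assumption: the share lives on a POSIX file system)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def scan_tree(root):
    """Classify every file under root and note whether its folder is open."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = classify_text(fh.read())
            except OSError:
                continue  # scanner cannot read it; a real tool would log this
            if hits:
                findings.append({"path": path, "hits": hits,
                                 "open_to_everyone": world_readable(dirpath)})
    return findings

def detect_bulk_reads(log_lines, sensitive_paths, window_s=300, threshold=3):
    """Return [(user, count)] for accounts that READ at least `threshold`
    classified files inside any `window_s`-second window.
    Constructed log format: '<ISO timestamp> <user> <action> <path>'."""
    per_user = defaultdict(list)
    for line in log_lines:
        ts, user, action, path = line.split()
        if action == "READ" and path in sensitive_paths:
            per_user[user].append(datetime.fromisoformat(ts))
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over that user's reads
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, end - start + 1))
                break
    return alerts

SAMPLE_LOG = [  # constructed: alice bulk-reads, bob's reads are spread out
    "2019-01-08T09:00:01 alice READ /share/public/hr.csv",
    "2019-01-08T09:00:05 alice READ /share/finance/cards.txt",
    "2019-01-08T09:00:07 alice READ /share/public/readme.txt",
    "2019-01-08T09:00:30 alice READ /share/public/hr.csv",
    "2019-01-08T10:30:00 bob READ /share/finance/cards.txt",
    "2019-01-08T11:45:00 bob READ /share/public/hr.csv",
]

def demo():
    """Build the constructed share, scan it, replay the log; return both results."""
    root = tempfile.mkdtemp()
    finance, public = os.path.join(root, "finance"), os.path.join(root, "public")
    for d in (finance, public):
        os.makedirs(d)
    with open(os.path.join(finance, "cards.txt"), "w") as fh:  # one real card,
        fh.write("4111 1111 1111 1111\n1234-5678-9012-3456\n")  # one fails Luhn
    with open(os.path.join(public, "hr.csv"), "w") as fh:
        fh.write("name,ssn\nJ Doe,078-05-1120\n")
    os.chmod(finance, 0o700)  # restricted to the owner
    os.chmod(public, 0o755)   # readable by everyone: the exposure the text warns about
    classified = {os.path.relpath(f["path"], root): (f["hits"], f["open_to_everyone"])
                  for f in scan_tree(root)}
    shutil.rmtree(root)
    # map the temp-dir paths onto the share names used in the log lines
    alerts = detect_bulk_reads(SAMPLE_LOG, {"/share/" + rel for rel in classified})
    return classified, alerts

if __name__ == "__main__":
    print(demo())
```

Running it reports cards.txt (one card, the second number fails the Luhn check) as restricted, hr.csv (one SSN) as open to everyone, and a single alert for alice, who read three classified files within half a minute; bob’s two reads, over an hour apart, stay quiet. A real classification engine needs far more than two regular expressions and a checksum (document types, keyword context, national ID formats, OCR), and a real detector baselines each account against its own history rather than a fixed threshold, but the shape is the same: inventory first, exposure second, behaviour measured against that inventory third.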

While you’re mulling over this series and starting to revamp your own security programs in 2019, we’ll keep you posted on what’s going on in Congress.
