This article is part of the series "GDPR American-Style".
Will 2019 be the year the US gets its own GDPR-like privacy law? Since my last post in this series, privacy legislation is becoming more certain to pass. Leaders from both parties are now saying they will focus on privacy in 2019. Consider yourself warned!
I’ll continue my journey from last time into the Wyden legislation since it’s a good baseline. Sure there are other bills, but they share some common elements. I’ve already discussed Wyden’s broader definition of personally identifiable information (PII), and its data risk assessment requirements in the last post.
In this round, we’ll get into the bill’s stronger consumer rights (the right to access and correct data), and discuss the baseline security requirements that are mentioned. As before, I’ll add my predictions as to what to expect. And I’ll conclude with some ideas for getting ahead of the curve, so that when we inevitably have a new law (in one form or another), you’ll be compliant from day one.
Right to Access
It shouldn’t come as a surprise that whatever legislation is ultimately approved, it will give consumers more power over their data. This was roughly the consensus from the Senate hearings a few months back. Of course, the devil is in the details.
The Wyden bill gives consumers more control over how their data is shared — it calls for an opt-out of sharing with third parties. The legislation also allows consumers to see what personal data is held by companies, and asks for a process that lets them correct inaccurate data.
In the Wyden bill, I did not see a “right to be forgotten”. Instead there is some language about minimization, and companies are asked to assess the risk involved in how long data is kept. During the Senate hearings in September, there was obviously some resistance from the usual suspects about losing the power to keep tabs on online users forever. However, at least one executive from a major hardware manufacturer of cell phones, laptops, and pad computing devices was open to the idea (see response to question 4).
Prediction: The recent California privacy law does have a “right to erase” requirement, but with some exceptions, including this wide-open possibility: “Used solely for internal uses that are reasonably aligned with the expectations of the consumer.” My guesstimate is that the US will have a weaker form of the “right to be forgotten” with enough wiggle room to allow search-engine and social media companies to continue their business practices. I think we’ll likely see stricter language on data retention that puts limits on how long companies can keep data when there’s no longer a real business need. This option might be a more realistic way to implement data erasure, but it would force companies to keep track of metadata: when the data was collected and the reasons for collecting it.
Data Security Baseline
The current crop of Congressional legislation is focused on privacy. To no one’s surprise, strong data security ideas — restricted access, multi-factor authentication, encryption, retention limits, annual pen-testing, incident response, etc. — are not finding their way into these bills. What I’m seeing, at least in the Wyden bill, is boilerplate language for “technological and physical safeguards” to reduce overall risk.
However, these bills do leave additional rule-making to a regulatory agency — the Federal Trade Commission — and so tougher data security rules could be coming down the road.
Prediction: In the first round of privacy legislation, we’re not going to get the tougher security rules that GDPR has — for example, its Article 32 (Security of Processing) and its breach reporting Articles 33 and 34. Instead, we’ll have required risk assessments and annual reporting. For example, the Wyden legislation calls for a certified data protection report (for companies with revenues above $1 billion) to prove they are protecting the privacy and security of the data they hold. When there are enforcement actions, the company can minimize penalties by using the reports to show they’ve been doing their homework.
Data privacy and security changes are coming to the US. For many companies that are following common standards, such as PCI DSS, ISO 27001, or CIS Critical Security Controls, the coming legal requirements should not be too much of a stretch. Keep in mind that these laws are taking standard IT security ideas and now making them mandatory.
And there will be fines! The Wyden bill, for example, specifies civil penalties of up to 4% of total revenue.
If you’re starting from scratch or want to revisit your existing programs, here are three areas that are worth adding to your IT New Year resolutions list:
- Data classification of file systems – You can’t protect what you don’t know you have. Data classification is an essential part of any data security program. In fact, the aforementioned standards have data classification requirements, which typically go under the broader name of asset identification. For file systems, we’re talking about scanning folders and files and searching for the relevant data as defined by the laws. No, this can’t be done easily. You’ll need special automated software to efficiently index the file system and pattern match on the appropriate PII.
- Risk Assessments – You’ve indexed and classified the data. The next step is to determine what’s at risk. With file data, we’re interested in who owns the resource, who’s accessing it, and most importantly who should be accessing it. We know from many years’ worth of hacking incidents that once the attackers are in and steal the credentials of ordinary users, too often those users have more than enough file privileges to access and exfiltrate sensitive data. The goal of data-oriented risk assessments is to find these overly permissioned folders, and then remediate by restricting access to the appropriate users. Risk assessments that are data focused are far better at identifying the root cause of incident risk — the credit card or customer information sitting in folders with “Everyone” permission!
- Incident Response – While the current legislation may not have a “72-hour reporting” rule, it’s still important to have your ducks in a row. You should have a response program in place that can quickly identify potentially abnormal activity and notify IT in a timely way. Naturally, integrated security software that can classify data, identify permissions, and log all file activity is in a far better position to notify IT when there truly is unusual activity associated with hackers.
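To make the first two items concrete, here is an added example (not from the original post, and not any vendor’s product) that walks a directory tree, pattern-matches card numbers and SSNs in each file, and flags hits in files that are readable by everyone. The Unix “other-readable” bit stands in for a Windows “Everyone” ACL, the regexes and the Luhn check are deliberately simple, and the sample tree is constructed in a temp directory.

```python
import os
import re
import stat
import tempfile

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16-digit PAN, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN layout

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out random 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pii(text: str) -> list:
    """Return (kind, value) pairs for every PII match in text."""
    cards = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    hits = [("card", d) for d in cards if luhn_ok(d)]
    hits += [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    return hits

def world_readable(path: str) -> bool:
    """Unix stand-in for an 'Everyone' ACL: any local user can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def scan_tree(root: str) -> list:
    """Index every file under root, classify it, and flag PII that is open to everyone."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:                      # sample the first 1 MB only
                hits = find_pii(fh.read(1_000_000).decode("utf-8", "replace"))
            if hits:
                findings.append({"path": path, "kinds": sorted({k for k, _ in hits}),
                                 "count": len(hits), "open_to_everyone": world_readable(path)})
    return findings

def build_sample_tree() -> str:
    """Constructed sample: one world-readable file holding a test PAN and SSN, one clean file."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "hr"))
    payroll = os.path.join(root, "hr", "payroll.txt")
    with open(payroll, "w") as f:
        f.write("card 4111 1111 1111 1111 ssn 123-45-6789\n")
    os.chmod(payroll, 0o644)                                   # readable by 'other'
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("nothing sensitive here\n")
    return root
```

Running `scan_tree(build_sample_tree())` reports only the payroll file, with both PII kinds and `open_to_everyone` set, which is exactly the folder-level finding the risk assessment step is meant to surface.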
While you’re mulling over this series and starting to revamp your own security programs in 2019, we’ll keep you posted on what’s going on in Congress.