By Harrison Welsh, CompTIA Security+, Intraprise Health
For more than two decades, cybersecurity has been an increasing priority across industries such as finance, retail, social media, e-commerce and healthcare. This is due to a number of factors, including the escalation of threats to enterprise information security, increased connectivity with third parties, the growing number of network-enabled IoT devices, increasing human error, instances of insider threat and the enhanced sophistication of security attacks (e.g., ransomware and spear-phishing campaigns). While organizations have focused on strengthening their cybersecurity posture, protecting individual privacy rights has become an increasing challenge.
The healthcare industry has become one of the greatest targets for cybersecurity attacks. A single electronic health record (EHR) is now considered the most valuable piece of information for hackers and other malicious actors to acquire. EHRs are also commonly targeted by individuals committing fraud. You can cancel credit cards and even change your social security number if that information has been jeopardized, but medical records are different. They contain sensitive protected health information (PHI) such as cancer diagnoses and sexually transmitted diseases. Hackers can use this information to blackmail patients or sell the personal information contained in the medical record.
The importance of data privacy is often considered an afterthought compared to the importance of cybersecurity. With the creation of governmental privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), protecting individual privacy rights is now considered a MUST for all organizations, especially healthcare organizations.
What is GDPR and how does it impact my organization?
The GDPR is the toughest and most stringent privacy and security regulation in the world. It is also considered a guideline for other government bodies to create similar regulations. In May 2018, the GDPR was drafted and passed by the European Union (EU). It imposes obligations on any organization that targets or collects data related to citizens in the EU. Any organization that processes the personal data of, or offers services to, EU citizens or residents must abide by all rules specified in the GDPR.
If an organization does not interact in any way with the personal data of EU citizens, then it does not have to adhere to the GDPR's strict guidelines. However, upon successful implementation of the GDPR, the United States government knew that it also had to step up and implement legislation to protect the privacy rights of United States citizens. With that being said, the U.S. government has not been as quick to act as state governments like California's.
Why California?
Up until 2019, large organizations like Facebook or Google (headquartered in California) were not required to inform consumers of data that they had collected on them or what they did with this data. With all this data collected by organizations and a lack of regulations to provide protections or limitations, data breaches were inevitable. One popular example of a large breach impacting the privacy rights of millions involved Facebook and Cambridge Analytica.
Cambridge Analytica, a political consulting firm, harvested data from over 50 million Facebook users without obtaining consent. The data was used during the 2016 presidential election for political advertising. While this event was not technically a data breach because it did not involve a compromise of systems, this was considered a breach of individual privacy rights.
After this privacy breach, California regulators decided to take matters into their own hands. In order to help build back up consumer trust and protect privacy rights, California established the California Consumer Privacy Act (CCPA).
The CCPA allows California consumers to request all the information that an organization has collected and stored on them. Consumers can also request a full list of all third parties with which their data has been shared. Any organization that collects data from or provides services to California residents and has at least $25 million in annual revenue must comply with the CCPA. This privacy regulation went into effect on January 1, 2020. California wasn't the first state with a privacy regulation, but its regulation is more encompassing and stricter than other regulations and follows in the footsteps of the GDPR.
Other states are following in California’s footsteps to create their own privacy regulations, including Nevada and New York.
How the GDPR and the CCPA impacted U.S. state regulations
Nevada's privacy regulation, called Nevada Senate Bill 220, went into effect on October 1, 2019. This law is similar to the CCPA but with a few unique differences. Nevada's regulation does not cover all service providers and is more lenient on financial institutions. Both the CCPA and Nevada's privacy regulation require businesses to establish a process for verifying the legitimacy of a consumer opt-out request and to respond to the request within 60 days.
In May 2019, New York created a privacy bill, the New York Privacy Act, which allows NY citizens to access, correct, delete and restrict their data from being shared with third parties. This bill includes provisions and obligations for data fiduciaries and the right for citizens to file a lawsuit against companies if they are injured as a result of a violation. This regulation also incentivizes consumers to sue or otherwise pursue companies that lack compliance.
With California, Nevada, New York and various other states introducing their own privacy regulations, it seems only a matter of time until the U.S. establishes a nationwide privacy regulation similar to the GDPR.
Federal Privacy Regulation – What is to come?
In 2019, lawmakers sponsored numerous federal data privacy laws including:
- The Filter Bubble Transparency Act;
- The Social Media Privacy Protection and Consumer Rights Act of 2019;
- The Do Not Track Act;
- The Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act;
- The Balancing the Rights of Web Surfers Equally and Responsibly Act (BROWSER) Act; and
- The Protecting Personal Health Data Act.
Most notably, Senate Democrats introduced the Consumer Online Privacy Rights Act (COPRA) and Senate Republicans introduced the United States Consumer Data Privacy Act of 2019 (CDPR).
The COPRA and CDPR both span a wide range of privacy protections for U.S. consumers. Similar to the CCPA and GDPR, both of these regulations would require organizations to obtain consent from individuals prior to collecting, processing, or sharing their sensitive personal data. Both would also require organizations to:
- Provide clear and understandable privacy policies;
- Designate separate data privacy officers and data security officers;
- Conduct annual privacy risk assessments; and
- Refrain from restricting goods or services to individuals who seek to exercise their privacy rights.
Both regulations also have their own unique differences involving how "covered data" is defined and whether state regulations that provide a greater level of protection would still apply. Without a clear consensus on how to protect consumer privacy rights, both of these regulations have failed to gain bipartisan support. Although neither regulation has passed, both of these acts show that the U.S. is dedicated to establishing a nationwide data privacy regulation. The only question is … when?
What can I do about this?
Depending on the organization and its information security platform, you should be able to determine what kind of information is being collected on you. For example, try going to myaccount.google.com. By navigating to the "Data & Personalization" tab, you can see all the data that Google has been collecting on you.
Additionally, you can search for and review an organization's privacy policy, which will specify how your individual privacy rights are protected. Privacy policies are generally available to the public via a link on the organization's website.
Lastly, it is important to consistently be on the lookout for any new privacy regulations. Conducting periodic compliance reviews, either internally or externally by an independent third party, will help to determine whether new regulations have been implemented that impact your organization.
Conclusion
Since the creation and implementation of regulations such as the GDPR and the CCPA, various state governments are taking proactive steps towards protecting consumer privacy rights. With recent data and privacy breaches impacting the lives of millions, governmental bodies have taken regulatory responsibilities away from private organizations. In order to properly protect individual privacy rights, reduce privacy risk and increase public trust, it is fair to assume that a national privacy regulation is right around the corner.