CyberSound

097 - Understanding the Data Privacy Patchwork: What You Need to Know

Vancord Season 1 Episode 97

It is crucial to understand the distinction between privacy and security, as these terms are often conflated. In this episode of CyberSound, co-hosts Jason and Michael are joined by Rob McWilliams, Data Privacy Consultant at Vancord, and Bill Roberts, Data Privacy Attorney at Day Pitney LLP to discuss the different aspects of both privacy and security and provide practical tips within the evolving landscape of cybersecurity laws.
There is a need for businesses to document their privacy processes, conduct inventories of personal data, and consider the implications of emerging technologies like artificial intelligence. The team delves into the current state of privacy laws, highlighting the lack of a comprehensive federal law and the increasing complexity of state regulations.


00:02

This is CyberSound, your simplified and fundamentals-focused source for all things, cybersecurity.


Jason Pufahl  00:12

Welcome to CyberSound. I'm your host, Jason Pufahl, joined now as a regular star of the CyberSound podcast, Michael Grande, our CEO. And we've got next to me, Rob McWilliams, Data Privacy Consultant who's worked with us now for a bunch of years. So welcome, Rob.


Rob McWilliams  00:28

Thank you, Jason.


Jason Pufahl  00:29

And we've got Bill Roberts from the Law Firm of Day Pitney. Bill, thanks for joining today.


Bill Roberts  00:34

Great, thank you.


Jason Pufahl  00:36

So we're gonna, I think we're gonna have, I think, a privacy 101 discussion today, really, like what are practical privacy tips that hopefully, right, listeners can take away and say, alright, now I understand a little bit what my obligations might be and sort of a reasonable strategy on how to meet them. So I'm going to queue it up quickly with you, Bill, if you could spend, I don't know, a couple of sentences on what is privacy versus security? Because I think people often conflate the two and don't know the differences.


Bill Roberts  01:07

Yeah, certainly. And that's actually something we see a lot as attorneys, where people will sometimes say like, oh, you're a cybersecurity attorney, and therefore we need advice on what firewall to be choosing? No, you don't hire an attorney for that type of work. So I think the best way to think about data privacy is the rules and permissions that address how your data, your personal data, is used, maintained and disclosed. The security, the data security, is the safeguards and the tools and the procedures to ensure that the privacy rules are being met, to protect that data from unauthorized access, use, disclosure, modification, and so forth. So one is the principles regarding how your data may be used. And the other is the tools that are designed to ensure the privacy.


Jason Pufahl  02:16

Perfect. So, somebody knows that they have requirements or expectations to meet certain privacy laws, is that, there's no federal law for privacy. I guess my first question is, can we expect one at any point in the near term?


Bill Roberts  02:16

Yes. So just,


Rob McWilliams  02:41

Perhaps I'll just say something quickly: there are sectoral federal laws. So there is HIPAA, there is Gramm-Leach-Bliley, but they apply to particular sectors, health or finance. What we don't have in the United States is a comprehensive federal law, sort of an American GDPR, if you like. I'd be interested to know what everyone else thinks. But I personally don't see one of those on the horizon. Who knows what may happen after the elections at the end of this year? But I would be surprised if that's coming along in the near future. So what we're probably going to be left with is a lot of state laws.


Michael Grande  03:39

And one of the points, speaking, as you know, as a business owner, is the confusion amongst the sea of different, you know, sort of compliance or regulatory guidance and what applies, what doesn't apply. You know, it can feel onerous, and obviously, you attorneys, the experts, such as Bill and yourself, that's what we rely on, you know, as a small business for that guidance. You know, perhaps you can walk us through, Bill, your approach and how you pay attention to those concerns of your clients.


Bill Roberts  04:12

Yes, certainly. So first, I just want to echo what Rob said, I am not optimistic in any way that we will see a comprehensive federal law. I do think there is some growing awareness at the federal level that cybersecurity and data privacy rights are becoming burdensome, that they're becoming complex, often inconsistent, and the Biden Administration last summer did start with baby steps on a cybersecurity law, or harmonization requirements or project, that hasn't gotten a whole lot of movement yet, but I think there's at least an awareness that businesses are struggling. I completely agree with Rob. True relief in terms of a federal comprehensive law is not coming anytime soon. So don't hold out. But so when we're left with this overwhelming, and it really is overwhelming, number of state and federal and often local laws too, like we see with biometrics a lot, the most important first step is to pause and to consider two fundamental questions. First is what Rob talked about when you were chatting before this started: what types of data the company has. Are you talking about student data, talking about patient data, talking about consumer data, banking data, etc.? And then the related part of that is to understand what type of business you're in and go slowly and be careful and thoughtful about what laws you're actually subject to. So these are the kind of questions I will often go through with a new client. First is, are you licensed? Do you hold a license by the state? If yes, what type of license, because many times data privacy laws, for example, in behavioral health, or substance use and healthcare, follow from a state license. Are you a state contractor? If so, you may have flow down requirements from everyone from like the Ag to Department of Housing.
Same thing for the feds. If you're a federal contractor, you likely have some flow down requirements by virtue of your contractor status, the most famous of which is probably DOD. Then you want to think also about what type of industry you are in. Like Rob mentioned, there's a lot of federal sectoral laws. So you want to think about, are you in healthcare? Are you in education? Are you in finance? Insurance? You also want to think about kind of who you target in terms of your customer base. Do you target towards minors? Do you target towards certain populations that maybe are outside of like the traditional healthcare provider, insurer context, but you're doing a wellness app, so you may fall under the FTC's breach rules for healthcare? So there's a lot of really fundamental due diligence steps that a business wants to be doing. Because the worst thing to do is not to comply with the laws that you're subject to. The second worst thing is to comply with the laws you're not subject to; you're just wasting your time and money.


Jason Pufahl  08:11

So don't be overzealous necessarily. Right? Out of curiosity, how often do you see that though? So I feel like the conversations I have more often than not are, we don't really know what we are supposed to do and really haven't done anything. Do you run across a lot of companies that tried to essentially over-comply? Or are they just doing maybe the wrong things, but not enough things?


Bill Roberts  08:37

I would say it's more so the case by mistake, where businesses are complying with the laws they actually don't need to be, and we often see this in breaches, for example. So like a new company, and we've seen this unfortunately quite a few times, comes to Day Pitney, says we had a breach, we're being investigated by the Massachusetts Attorney General, for example. And we say, okay, start sending us some of your documents, and they send us their breach policy, and it's a HIPAA breach policy. But you're not subject to HIPAA, so that's kind of more what I'm getting at. There are times, and we do have some clients who do this, we do for privacy reasons go beyond what the law requires. But that's a business decision. Sometimes it's a marketing decision. I think more often it's the case that companies are complying with laws they don't need to be by mistake.


Rob McWilliams  09:40

I think HIPAA is a classic. I know many people just thought, well, if it's got anything to do with health, it's covered by HIPAA, and just ignored the fact that you have to be a covered entity or the business associate of a covered entity. And if you're not, you're not covered by HIPAA. I guess the bad news to that good news is that increasingly, if you collect and use health data, and you're not covered by HIPAA, now the chances are you may well be covered by something else, whether for breach or for more general privacy compliance requirements. Just one anecdotal thing about GDPR. I talked to an organization recently that said that they had sought advice about complying with GDPR. And this organization does have a requirement, in this case, to comply with GDPR, even though they are in the US. But the advice they got was, on the one extreme, oh, you don't have to comply, there's nothing at all you have to do, all the way to, there's this vast amount you have to do to comply with GDPR, it's going to overtake your organization for six months to do this. And both bits of advice were completely inaccurate. And there was, in fact, just something much more down the middle that they could do to cover everything they needed to do to protect themselves from GDPR exposures.


Bill Roberts  11:22

Yeah, that's a great point, Rob.


Rob McWilliams  11:26

There's quite a lot of misinformation out there at times.


Jason Pufahl  11:31

So thinking, you know, we have the sectoral discussion here, right. But states have adopted their own privacy laws. And can one of you speak to roughly how many states have at this point? And then I think maybe the slightly more important is, you know, are there underpinnings generally, are there things that sort of every state does? And are there ways to sort of broadly understand, perhaps comply with, some of the obligations the states put forth, in a way that's maybe straightforward or maybe easily addressable by the common business owner?


Rob McWilliams  12:11

Perhaps I could do the numbers and leave the difficult bit to Bill?


Jason Pufahl  12:16

Pretty broad at the end there, right?


Rob McWilliams  12:19

Correct me if I'm wrong, Bill, but I think right now there are five states that have laws in effect, including California, Connecticut, Virginia, Colorado, Utah, if I've got them right. There are significant states coming into effect this year, including Texas. And there's another, is it Oregon, I think is coming next year. And then in 2025, that's going to take it up to about 13 or 14 states in total, including New Jersey, but they may not be 2025. But they're the latest state that has said they're on the cusp of having a data privacy law. And I'm sure that eventually, unless we do get a federal privacy law, it's just going to become like breach, that eventually every state will have its own privacy law, which will be burdensome.


Bill Roberts  13:23

Yeah, I'm pretty sure New Jersey was number 13. So assuming the governor signs it soon, I guess thinking it'll be, I think it was 365 days. So that'd be the first quarter of 2025.


Rob McWilliams  13:40

Okay, so they are next year. Alright.


Bill Roberts  13:41

Yeah, I think, yeah. So the theme here certainly is that there's a lot of laws being passed, these state based comprehensive laws, and there are a couple of things. So we started out in the US with California CCPA, then later amended by CPRA. We also had a slightly different grouping where Virginia, Connecticut, Utah all have very similar language in there. So there is some awareness of the difficulty here. So for example, the Connecticut law tracked very, very closely, sometimes word for word, the Virginia law, which is, I think, wonderful, you know, there's no need to re-invent the wheel. But regardless of that awareness to try to have consistency, the laws are going in slightly different directions. You have one in Florida coming into effect in 2024, which doesn't even get much press because it only applies to companies with gross revenue of a billion plus or something, which is totally out of the norm for the other states, except, you know, if you're selling data there, it applies to a smaller group too. It's like the Florida Privacy Bill of Rights. So it's a bit different. You do have states like Washington State that have taken far more aggressive approaches, particularly with respect to health data, than other states have. The New Jersey law is loosely based upon the Washington act. So I think we're going to eventually have a couple of buckets where, like, Virginia, Connecticut, New Jersey and Washington are mirroring. But there is not a degree of consistency across the board where compliance with one guarantees compliance with the other; the applications requirements differ. For example, I think out of the 13, the only one that applies to nonprofits, for some reason, is Colorado, while in others an extremely wealthy nonprofit is exempt while a relatively midsize for-profit business needs to comply. So there's a little inconsistency there.
But our approach tends to be, not only because it was the first, but in part because it's the most developed and in many ways the most difficult to comply with, if a business is national in scope, we tend to start with California and then build off of that. So, you know, there's various approaches, but you may have your standard national scope privacy policy, having an addendum for California, and then another addendum we just tweaked for residents of Connecticut, Virginia, Utah, and Colorado. And then in the future, we're going to be seeing more, particularly as Rob pointed out, Texas is going to be a big one, and Oregon and Delaware. Delaware is a small state, but still, there's a lot of advantages, and we're gonna see a lot of impacts there.


Rob McWilliams  17:16

In a way, perhaps the approach in the US will become a little bit like the international approach has been, which is, internationally, you take GDPR as your base and then tweak it as necessary if you're doing a lot of business in China or Brazil or whatever. And that's mirrored in the US: we've taken California as sort of the big one and then change as necessary. It was interesting to me that I think it was Colorado that became the first state to build into its law the recognition of a universal opt-out mechanism. So people may not be familiar with this. But in some browsers, for example, you can check a box that says do not track my data. Now, I'm not saying that this is one of the universal opt-out mechanisms that will be recognized. But that's the principle, that you could say once, don't track my data, and that any business that you're connecting to with your browser picks up that signal, and then you've given your instruction that you're not to be tracked. And I think Connecticut has something to say about it, but I can't remember what it is. But so those could be coming along too, which will be, I imagine, very important for retail business particularly.


Jason Pufahl  18:50

So, maybe because I think we're coming up against time, are there two or three, hey, small business, midsize business, you must at least do this, right? Regardless of HIPAA, regardless of GLBA, right, regardless of what state, I think we all have an obligation to protect the data that we collect potentially. Are there some underpinnings or some really fundamental advice that you might want to give? In case somebody's listening and says I think I can do that, and that's a good place to start.


Bill Roberts  19:26

I'd say you want to begin a documented process. Because if you're not in a state in which you are confident that you are in full compliance, now granted being in full compliance often lasts like three weeks anymore, right, with things changing, but should something occur, should you have a breach, for example, or a lawsuit, and this is an increasing risk, we're seeing more and more lawsuits, it's sort of like the new slip and fall type of case. You want to be able to demonstrate to a jury, a judge, or like an attorney general, that you are taking privacy seriously, that you have a program in place. Yes, we may not be at 100% compliance. But we have a committee, depending on the size of your business, we have a person in charge. Building that structure, that base, I think, is really vital. Because the worst thing to do is to say, when you have a breach and they ask for your privacy program, where you're being sued, is that what privacy part?


Jason Pufahl  20:41

I've done nothing, 


Bill Roberts  20:43

You know, we've done nothing. So you really want to start building the bones of having a governance structure, even if it is just one person.


Rob McWilliams  20:52

I completely agree with that. And I think a fundamental component of it is an inventory of the personal data that you collect and use. And unless that inventory comes up with really basic processing, and particularly if it comes up with the processing of sensitive data, like health or biometrics or whatever, then you absolutely have to have that program that Bill referred to. And I think the other thing I'd throw in is, don't make promises that you don't fulfill. Because a lot of businesses have old privacy policies stuck up on their websites that say they don't do things that perhaps they do. Or they signed contracts, because they're desperate to get that first customer in, that commit them to do certain things, and then they put it in a drawer and nothing happens with it. So I think that's very important, too. And there was something else that was on my mind, but it's escaped me.


Jason Pufahl  22:02

But I think, I mean, I think that, you know, that's practical, right? You can't protect what you actually don't know you have. So you know, that inventory is certainly critical. And I think, you know, we see it all the time just in general security policy, where people have these grandiose ideas of, you know, what they're going to do from a security standpoint, but then actually don't meet any of the things they've written down, which is, you know, arguably worse. So yeah,


Rob McWilliams  22:24

It's come back to me. What I was going to say is artificial intelligence, obviously, is huge now. And if you're planning to do artificial intelligence that utilizes datasets that contain personal data, particularly sensitive personal data, then you should be getting privacy advice now. So I can't take all of our personal data and just simply paste it into ChatGPT and say, do something with this? That's unacceptable? I have a hunch it might be,


Jason Pufahl  22:54

You think maybe?


Bill Roberts  22:55

Whatever you feed it, it owns. So, and not only for personal data, it's also just one little tip to have. I know AI is probably a topic for a future session here. We could talk about that for hours with respect to privacy, but corporate data, some time. One other tip is, while privacy laws tend to focus on personal data for many valid reasons, when you're dealing with things like AI and security, don't forget about your corporate data. Your employee data is crucial, of course, but if you're a defense company, one product and your blueprints are stolen, your trade secrets are stolen. That's also again. So while those are generally not covered by the laws we're talking about here, they are often flow down requirements for state and federal contracts. And they are just important to keep your lights on.


Jason Pufahl  23:58

Yeah. And that's honestly a great point. We're talking so much about the regulatory requirements. But some of this is simply best practice, like how do you protect the data that your business actually cares about? And being mindful of that? And again, I'd say starting with an inventory is a big help. So I think I'm gonna hold you to that AI conversation because clearly there's a lot of opportunity to talk about the privacy risks there. And everybody's interested in how to use it and the algorithms and all of this, so.


Bill Roberts  24:32

Yeah, I just spent an hour yesterday during an interview talking about this very topic, so it's very, very fresh.


Jason Pufahl  24:41

We should do it sooner than later while it's top of mind. 


Rob McWilliams  24:45

Maybe you could just bring ChatGPT on as the special guest.


Bill Roberts  24:52

Yeah, just really quick, though. During the interview, I tested it, and I asked Bard if it's a cybersecurity risk. Bard said, yes, it can be a cybersecure. I asked ChatGPT that same question and it said absolutely not.


Jason Pufahl  25:08

So your answer shocked,


Michael Grande  25:10

Microsoft and Google have different perspectives. 


Bill Roberts  25:14

I'm feeling Bard is being the more honest though.


Jason Pufahl  25:16

It does seem that way. So I think some good stuff here for people to sort of take away. I appreciate boiling down some of the state regs a bit as well. I think that's a huge help. Bill, I appreciate you joining, for sure, and we will follow up with that AI conversation. I mean, that's top of mind here. I'd say I think that one will be really interesting to have. And, Rob, thank you for your perspective here. Yeah, and hopefully great. If anybody has any questions, feel free to follow up with us. You know, comment, we check comments. So we're happy to respond there. Follow us, like us, do all the things that help get this a little bit more visibility, because I think the data is great. And until next time, everybody, I appreciate you listening and have a good afternoon.


Bill Roberts  26:06

Great, thank you. 


26:09

We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn. And remember, stay vigilant, stay resilient. This has been CyberSound.