
New State Privacy Laws: Preparation for You and Your Vendors

May 27, 2020 by Aaron Kirkpatrick

With a rise in data breaches, both cybersecurity and data protection should be top of mind for every organization. Additionally, as concerns around data protection continue, privacy initiatives will be a focus and expectations and requirements will only increase. If you’re in one of the states considering legislation like the CCPA, or a subset of it, what steps should you take?

4 Steps to Help You Prepare for State Privacy Laws

1. Research proposed laws.

On January 1, 2020, the California Consumer Privacy Act went into effect, requiring companies within its scope to make significant changes to their privacy and personal information management by July 1, 2020. Organizations that fall within its provisions must not only produce a detailed map of how personal information is identified, tracked and stored within their networks, but also update both online and offline procedures to reflect CCPA compliance and respond appropriately to consumer privacy requests covered under the measure. These requests include the right to have a consumer’s personal information deleted and the right to opt out.

However, California is not the only state to consider these kinds of protective actions. Notable bills in both Washington and New York did not pass but are expected to be reintroduced in future sessions. Additionally, New Hampshire, Virginia, New Jersey, Florida, Nebraska, Illinois, Arizona, and Vermont have all drafted similar measures. Meanwhile, Maine and Nevada have passed privacy laws with very narrow applicability: Maine for Internet service providers (ISPs) and Nevada for data brokers.

Although New York’s privacy act did not pass, New York did pass the SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), which became effective March 21, 2020. This is not a privacy law: the SHIELD Act expands on data breach notification requirements and outlines recommended reasonable security practices.

2. Weigh your internal systems against the new laws.

It’s important that you understand the provisions and stay ahead of the curve. Once you have a solid handle on the requirements, take a good look at where your organization’s cyber and information security controls stand against your state’s proposed laws.

Consider the following: 

  • Is the definition of PII that your organization uses changing alongside new and proposed privacy and data security laws?
  • Have you implemented a control environment that your security and privacy professionals as well as legal advisors feel covers the industry’s expectations based on types of data held and potential threats?
  • What kind of personally identifying information are you currently storing, and where?

Tip: It’s important to consider information well beyond Social Security numbers. Many other types of data can be tied to an individual, including a simple name, email address or phone number. You’ll also want to look at IP addresses, biometric data and location data, to name just a few.

3. Lean on your community.

We’re all in this together! As a community, we should try to help one another better understand and prepare for these new laws. As long as data breaches and selling data remain an issue, privacy concerns are here to stay… and so are the laws to maintain reasonable levels of security. Vetting vendor security to ensure reasonableness is a part of this process.

4. Invest in education and training.

Alongside your community, it’s never a bad idea to commit to continued learning. Conferences and webinars are fantastic resources to help you stay up to speed with best practices and industry analysis. They are also safe environments in which to share research or connect with local privacy and security groups. You can often find resources to develop better training protocols for departments that work face-to-face with vendors every day, and to help close gaps between vendor relationships and third-party risk management efforts. And as you invest in education and training, ask yourself: are your vendors doing the same for their staff?

There’s no avoiding it — more state privacy laws are coming, so don’t let them sneak up on you. Make sure to review the recent enforcement actions and look for elements that may be present in your own practices. We can all hope for a federal privacy law to standardize citizen rights and protections, but will those rights and protections be enough for all states, or will a federal privacy law further complicate compliance?


Written by Aaron Kirkpatrick

Aaron is a Certified Information Systems Security Professional (CISSP) who has acquired a wide range of organizational, technical and compliance knowledge, applying it within data center and financial institution services sectors. He’s created and successfully led security, risk and audit programs, including SOC engagements, for data centers and a financial application company, transitioning to Internal Audit at one of the largest financial system providers. He has paired a technical degree in Network Administration and Engineering with a Bachelor’s degree in Management Information Systems. Relevant professional certifications include: Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), GIAC Certified Incident Handler (GCIH) and GIAC Critical Controls Certification (GCCC). He is a member of ISACA and (ISC)2.
