Over the years, data breaches have become more the norm than the exception, and that alone can hurt the reputation and pockets of companies. Equifax, for example, will have to pay more than $420 million to over 140 million people affected by cybercrime. What then could happen to fledgling companies, startups, and other types of small- to medium-scale businesses?
What makes the fight for data security difficult is the lack of a centralized law that promotes it. Fortunately, some states are taking steps to encourage businesses to invest in reliable cloud and hosting services.
1. California
California has one of the most stringent data security regulations in the United States today. Its new law, the California Consumer Privacy Act, gives Internet users more control and rights over their personal information. These include the right to:
- Know the kinds of personal information the website collects
- Demand the removal of these types of information from the company's database
- Access the data in a ready-to-use format
- Bring these types of information from one company to another
- Understand the reasons behind the collection of the data
- Pursue legal action against a company for non-compliance
This new law will take effect in 2020, and although it affects only California residents, it can have broad implications. For example, it leaves a lot of room for amendments. It can mean more specific and stricter regulations in the future. It can also serve as a model for other states such as New York.
2. New York
New York has also updated its list of data security measures with two new laws, including the SHIELD Act. SHIELD stands for Stop Hacks and Improve Electronic Data.
Under the act, the state expands its definition of private information to include data about Social Security numbers, account numbers, and credit card numbers. It also requires businesses that own or maintain personal information to report any access to such information even if it didn’t result in an acquisition.
This can mean that if an unauthorized employee sees these types of information, whether intentionally or unintentionally, the company might have to report the incident to the state. The two new laws will also take effect in 2020.
3. Colorado
All states have laws that compel companies that suffer a data breach to report the incident as soon as it happens. Colorado has one of the shortest periods for communicating to consumers.
Under its law passed in 2018, affected companies or businesses would have to inform their consumers about what happened within 30 days. If the incident impacts at least 500 people, they need to report the matter to the attorney general. They also need to be clear with consumers about how they plan to dispose of personal information from their database.
These regulations won’t guarantee that data breaches won’t happen. Instead, they empower consumers, especially when it comes to the collection of their data. Meanwhile, they teach businesses how to be responsible, accountable, and serious about data risk assessment, mitigation, and management.
Most of all, they highlight the reality that in this new age, data can be everything for the users, the businesses, and the cybercriminals.