It takes a minute for a regulatory mandate to hit the masses. Typically, it is only after months or even longer of “sitting in committee,” political punting, pontificating, organizational lobbying, debating, and usually lots more pontificating and punting, that a bill that may have been “sitting on Capitol Hill” (thank you, Schoolhouse Rock, you classic, you) might be signed and implemented.
However, even then, while some mandates might come out fighting “with teeth,” peppered with quite prescriptive guidelines and suggestions on policies, technologies and more, others still may be a bit wanting.
Really, there’s no sweet spot. There’s not necessarily a desirable outcome simply because conforming to these various compliance mandates can send many a CISO, CEO and CFO into having visions of a visit by – gasp – a regulator with hefty fines and more in mind.
This industry in particular has plenty of compliance mandates as it is. Ensuring conformity to them all without duplicating efforts, while also avoiding the checkbox mentality, is just one guidepost as CISOs strategize and manage resiliency and risk management plans.
Now enter the California Consumer Privacy Act (CCPA), one of the strongest state privacy laws. As we share in coverage of compliance and legislative issues this month, while CCPA took effect New Year’s Day, regulators are scheduled to only begin enforcing it come July.
Yet prior to that point, organizations doing business with California residents should be undertaking some preparation to be at the ready to meet the law’s data privacy requirements. These organizations include any that exceed one of the following three thresholds: annual gross revenues of at least $25 million; personal information collected on at least 50,000 California residents, households and/or the devices they use; or at least 50 percent of their annual revenue actually derived from selling California residents’ personal data.
Obviously, the requirements in this landmark legislation are lengthy, and it already has prompted other states like Massachusetts and New York to push for their own, more stringent regulations. The states’ efforts could be the nudge the U.S. government needs to finally form long-awaited federal privacy legislation.
Yet, whether or not a federal law is imminent – let’s again recall that classic song and cartoon about the “sad little scrap of paper” that was touted as having “a lot of patience and courage” – privacy demands by citizens everywhere are taking hold. From GDPR to now CCPA and other pre-existing data privacy laws, companies of all stripes are being forced to be much more conscientious about their use, collection and safeguarding of customer and client data. Acting as a good shepherd of this information could indeed prove a competitive differentiator for many an organization and certainly, with the right cybersecurity resiliency planning in play, might keep those unwanted, profit-impacting fines at bay.
Illena Armstrong is VP, editorial of SC Media.