The United States does not have a federal law on the books comparable to the European Union's General Data Protection Regulation, so it is up to individual states to pass their own legislation. On June 28, 2018, California led the way with the passing of the California Consumer Privacy Act of 2018.
Government data protection regulations help hold organizations accountable when consumers' private data is breached or misused, which now happens with increasing frequency. Before this decade, data breaches were comparatively rare, and many of them resulted from human error, such as the loss of a laptop, USB drive, or other media. Others were caused by insiders or by outside attackers who gained unauthorized access to computer systems.
Today, the number of data breaches has grown beyond anyone’s expectation or prediction, which has spurred some governments to pass privacy and data protection regulations.
Under the California law, businesses have a duty to "implement and maintain reasonable security procedures and practices" to protect personal data, and they face civil liability when a breach of nonencrypted or nonredacted personal information results from a violation of that duty. The statute sets statutory damages of $100 to $750 per consumer per incident, or actual damages if greater, so the exposure scales with the number of affected records. The law does not, however, spell out what counts as "reasonable security procedures and practices." One practical consequence of the wording is that encrypting personal data at rest, with keys that are not exposed in the same breach, directly narrows the data that can trigger the private right of action.
Other recent data protection regulations in Canada and in the European Union use similar wording, leaving businesses wondering what exactly they must do to become compliant. The answer is tied to the legal concept of due care: the effort an ordinarily prudent party would make to avoid harming another party. The standard is reasonableness, not perfection. In the context of cybersecurity, due care means that a business must take the protective measures a reasonable organization in its position would take for the data it holds, and must be able to show afterwards that it did so.
One of the best ways to show that your organization is meeting a reasonable standard of care for consumers' privacy and data is to adopt the specific controls spelled out in the Payment Card Industry Data Security Standard (PCI DSS). The major payment card brands came together in 2004 to create this set of security requirements for merchants and service providers that store, process, or transmit cardholder data, and the PCI Security Standards Council, formed in 2006 to maintain it, has issued several revisions to keep pace with the evolving threat landscape.
Compliance is a contractual condition imposed by the card brands and acquiring banks: organizations that fail to meet PCI DSS requirements face fines, higher processing fees, and ultimately the loss of their ability to process payment cards. The requirements include network firewalls, protection of public-facing web applications (either a web application firewall or regular application vulnerability assessments), anti-malware software, intrusion detection or prevention systems, centralized logging with daily log review, encryption of cardholder data at rest and in transit, and more.
PCI DSS organizes its requirements under six control objectives: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks and applications, and maintain an information security policy. The standard is widely credited with raising the baseline for protecting cardholder data, although a merchant's compliance status is assessed at a point in time, and many breached organizations had previously passed an assessment, so compliance is a floor rather than a guarantee.
Returning to due care and compliance with data protection regulations: if an organization wants to demonstrate that it genuinely implemented reasonable security practices and procedures, following the requirements in PCI DSS is a major step in the right direction, even if it does not process payment cards. One caveat applies: PCI DSS scopes its controls to the cardholder data environment, so an organization using it as a general due-care framework must explicitly treat the systems holding consumers' personal data as in scope, and document that decision, rather than assume the controls extend there automatically. After a breach, a business will need to show, with records of the controls it had in place, that it took reasonable measures to protect consumer privacy and data in order to avoid or reduce the civil actions that are likely to follow.