Data Privacy State Laws Series: What 2023 Means for VCDPA

CCPADocumentationGDPRPrivacy
January 31, 2023

Data Privacy State Laws Series: What 2023 Means for VCDPA

First in our 2023 data privacy laws series is the Virginia Consumer Data Protection Act (VCDPA). The VCDPA effective date was January 1st, 2023, with enforcement beginning the same day. VCDPA, sometimes referred to as just CDPA, is somewhat of a mixture of the EU’s GDPR (General Data Protection Regulation) and California’s CPRA (California Consumer Privacy Rights Act). While it shares similarities with each, it is sufficiently dissimilar as it likely will require its own compliance considerations. Much like CPRA, VCDPA will apply to any business that processes the data of over 100,000 of the state’s residents or processes the personal data of over 25,000 and derives 50% of their gross revenue from the sale of personal data.

Much like GDPR and CPRA, VCDPA introduces numerous consumer data privacy rights. These rights include the right to access personal data, the right to know personal data is being processed, the right to data portability, the right to deletion, the right to rectification, and the right to opt out of targeted advertising or the sale of personal data.

One of the most substantial differences between CPRA and VCDPA is how VCDPA treats the processing of sensitive data. While CPRA allows consumers to opt out of processing their sensitive data, VCDPA requires a data process to get opt-in consent to process a consumer’s sensitive data. Additionally, VCDPA defines sensitive data as any data that includes demographic information, geolocation data, or data from a known child. Another difference is in how VCDPA treats employee and business contact data. VCDPA does not classify employees as consumers, nor does it consider personal data processed in a business-to-business context in scope. VCDPA also has blanket exemptions for government agencies, businesses subject to HIPAA, institutions of higher education, and Gramm-Leach-Bliley subject financial institutions, while CPRA does not.

Outside of CPRA, other state laws going into effect in 2023 are modeled after VCDPA, and thus understanding VCDPA and what goes into a compliance strategy for it will go a long way in reaching compliance with the other laws. When building a compliance strategy for VCDPA, you should first map what data you store or process. Additionally, it would be helpful to conduct a readiness assessment to identify where the gaps in compliance are. Once you’ve located the gaps, you can prepare a remediation plan and develop controls to bring the business into compliance before sanctions incur.

read more
CCPADocumentationPrivacySecurity
January 19, 2023

2023 Data Privacy State Laws Overview

2022 was a big year for data privacy in the U.S., with many states passing or considering data privacy legislation and the American Data Privacy and Protection Act (ADPPA) nearly passing both chambers of Congress. Had it been successfully passed, it would have been the U.S.’s first national data privacy act, superseding the many state-level provisions. With 2022 in the rearview mirror, it’s time to look ahead to what awaits us for data privacy in 2023.  Five new laws at the state level are coming into effect this year, including CPRA that will supersede CCPA. Over the coming days, we’ll take a look at each one and review how they affect the data privacy landscape.

Many of the core tenets are shared by each state-level data privacy law coming into effect in 2023 and also should be comparable to the European Union’s General Data Protection Regulation (GDPR) in many regards. Though the language varies from statute to statute, each law requires certain consumer rights regarding data privacy to be honored by businesses and data controllers in these states. These rights include the right to access their personal data, the right to correct inaccuracies in their personal data (excluding the Utah Consumer Privacy Act), the right to delete their personal data, the right to a copy of their data, the right to opt-out of the sale of their personal data, and the right to opt-out of targeted advertising. 

Additionally, data controllers subject to these statutes will be required to provide consumers a privacy notice detailing how they handle personal data. In all of the 2023 laws, UCPA data controllers will be required to detail their data retention schedules along with their purpose for retaining such data. All of the 2023 data privacy statutes will also require data controllers to implement and maintain reasonable security controls to protect consumers personal data. Again, these will vary from statute to statute, but their inclusion will help to protect consumers’ sensitive personal data.

Our 2023 State Data Privacy Laws series will look at the requirements in each statute,  along with how each statute varies from another. The similar, familiar core to these data privacy laws should make general compliance manageable. However, there are some tedious edge cases that will only get more complicated as new data privacy laws pass across the nation. Sooner or later, there will be a need for a simplified nation-wide data privacy law like we almost saw passed in 2022. While we don’t know whether 2023 will build on what the ADPPA started, states certainly won’t wait for Congress to act on data privacy.

read more
AuditPrivacyRisk AssessmentSecurity
January 18, 2023

Why Ongoing Audits are Good for Business

If you browse cybersecurity literature long enough you’ll find the benefits a business can derive from a privacy or security audit are generally well understood and regarded, but lesser-known are the perks of ongoing audits. This is largely due to a generalized concern some businesses hold that subsequent audits may be redundant – which is a prudent question of cost-efficiency. What’s often misunderstood in this concern is that the benefits of continual audits are at the same time greater and different than those of singular audits, with the difference being seen largely in the distinction between proactive and reactive action. Let’s take a quick dive into this distinction, and discuss a few key benefits continuous audits will bring.

A simple way of highlighting the key point of utility of continual audits is by considering the audits like you might consider a medical check-up – after all, an audit essentially is a health check for your information security system, so this makes for an apples-to-apples analogue. If you’re feeling very sick you might well schedule a one-off check-up. From there a doctor will run tests, make a diagnosis, and create a treatment plan to get you back into good shape. This check-up is generally the role an isolated audit will perform, and it definitely is a step in the right direction. But it’s worth remembering that if routine re-visits aren’t made then afterward you’re liable to miss otherwise detectable signs of illness and become sick again. And although it’s true that you can schedule another appointment at that point, the fact you’re sick to begin with is damaging to the body, and the recovery process can be drawn-out, challenging, and expensive. It’s oftentimes a lot more efficient for both your health and wallet to mitigate the risk of sickness consistently by making check-ups a routine, which represents the emergent perks of continual audits. 

It’s likely you can see how this same concept applies with information security audits – the best way by far to handle incidents is to take measures to avoid them entirely, and these measures are directed by continual audits. With that in mind, let’s look at a few specifics of how exactly these ongoing audits keep your business healthier than ad hoc audits:

  • Layered Net: A single audit might not always detect all risks present – some issues only become apparent in trends between multiple audits. A continual audit process ensures that most every detectable risk present in a system is identified, not just those apparent at a single point in time.
  • Remediation Review: Following the conclusion of an audit should come the process of addressing the identified risks. A common issue with said process is that the remediation efforts are not always fully effective, leaving the organization exposed still to a risk they believe is mitigated. Subsequent audits will review remediation efforts to assess their efficacy and provide guidance on how to improve them. 
  • Currency & Compliance: More frequent audits mean less room exists in-between for organizations to unknowingly diverge from emerging regulations and best practices. This not only simplifies the maintenance of compliance by way of lending more time to react to and prepare for new requirements, but also lends a competitive edge by allowing for quick adoption of new security and privacy best practices. 
  • More Recent, More Value: Over time your organization and the risk landscape it’s exposed to changes, and thus audits lose relevance with time. This makes recency a large variable in the value an audit brings, both internally and externally. For instance, externally it’s often found that potential partners or clients only accept audits from the last year or six months, with more recency generally preferred. Internally, timely findings in developing systems are oftentimes extremely beneficial, as it’s far easier to adjust for security early in that system’s implementation than attempting to retrofit it far afterward.

Altogether, the benefits listed above are most apparent in (if not exclusive to) a continuous audit process. And these points don’t even account for the human benefits of the process, such as improving staff’s understanding of your organization’s risk posture over time or demonstrating your organization’s commitment to cybersecurity and data privacy to prospects. It’s worth remembering that security and privacy are not problems to fix, but an ongoing process of improvement – in that sense, with audits an increase in quantity often boosts the quality of the process altogether.

Is your business interested in the benefits of a new audit? Whether you’re looking to establish an audit process or conduct your first audit ever, CyberData Pros are experts in the process and can walk you through it – from scoping to a polished report. Contact us now for a free consultation and to learn more about our services.

read more