Privacy Regs Put Pressure on FIs & Finserv Organizations

The California Consumer Privacy Act requires organizations to be more transparent.

New online privacy regs impacting CUs.

Recently, the California legislature presented and ratified the California Consumer Privacy Act of 2018, which provides new rights to consumers and aims to deliver transparency over personal data use.

The law, AB 375, gives consumers the right to ask businesses for the types of personally identifiable information collected. It also requires businesses to divulge the purpose for amassing or selling information as well as the third-party entities receiving the data. The law also forbids peddling children’s personal data for those between 13 and 16 years old unless they specifically opt in, or those under 13 without a parent or guardian’s consent.

The CCPA also applies to credit unions, banks, savings and loans, credit card companies, insurance companies and other financial service companies, and allows consumers to put limits on what financial companies can do with personal financial information.

Consumers can also request data deletion and instigate civil action if they think an organization neglected to protect their PII. Damages range from $100 to $750 per consumer per incident, or based on “actual damages, whichever is greater,” AB 375 stated.

“AB 375 responds to the recent data breaches that have affected millions of people – those experienced by Target, Equifax, Cambridge Analytica, and many more,” Assemblymember Ed Chau and other co-authors of the bill said in a press release.

“Consumers have more awareness into the collection and processing of their personal data, making security a critical piece to an organization’s data privacy strategy to ensure they can control and protect access to the systems that hold personal data,” Jonas Outlaw, senior product manager at Atlanta-based Bomgar, said.

There are indications the tech industry is not going to retreat from trying to amend or tone down CCPA. The Internet Association, composed of Amazon, Facebook, Google, Uber and other big tech firms, called AB 375 a “last-minute” deal that needs modification. Amending the law is possible prior to its going into effect Jan. 1, 2020.

Parts of AB 375 are like GDPR, which addresses the export of personal data within the European Union. Many U.S. firms, including financial institutions and financial service organizations, that do business with European Union customers and citizens/residents now need to deal with the EU’s GDPR, effective May 25, 2018.

Many large companies still have a long way to go in finishing the technical aspects of the EU’s GDPR, and now California companies need to be ready for CCPA a year and a half later, Terry Ray, chief technology officer at Redwood City, Calif.-based Imperva, pointed out. “Most global organizations have already built the framework for these same requirements to meet GDPR over the last few years, so there are plenty of materials, processes and products available.”

Frederik Mennes, senior manager market and security strategy at Oakbrook Terrace, Ill.-based OneSpan, explained, “The California Consumer Privacy Act requires organizations to be more transparent about the ways they use personal data and provides consumers more control about the usage of their personal data.”

Some of the requirements outlined in CCPA should be easy to meet if IT and security teams have data security and data incident response programs already in place, Terry Ray, chief technology officer at Redwood City, Calif.-based Imperva, suggested. Ray noted, “There are plenty of organizations that have yet to fully implement either of those programs around data, and for some who have, they have likely only focused on current regulatory target data, like credit card data for PCI-DSS, healthcare data for HIPAA.”

“The precedence of the GDPR demonstrates that such regulations, regardless of whether they will increase security and privacy in practice, have made lawmakers and consumers worldwide understand that such standards can be set,” Matan Or-El, CEO and co-founder of New York City-based Panorays, said. “It is certainly likely that other states will adopt similar privacy regulations.”

Outlaw maintained that how and where organizations process this data has moved from inside the traditional IT perimeter and server rooms into hybrid and cloud environments in data centers across the globe.

“Someone said to me recently, that data used to be like gold, but now it’s more like uranium, still very valuable but also highly radioactive,” Ray said.