GDPR Spurs Counterpart Efforts in US
Well, I did wonder a few weeks ago if US citizens might start pushing for a stateside equivalent of GDPR. Though nothing has yet materialized at the federal level, it does appear that certain states have begun such action on their own. While all 50 states had enacted notification laws by March of this year, these latest initiatives go further in expanding the definition of personal information, requiring implementation of certain formal security standards, and more.
Some states, like Alabama and South Dakota, are taking their first steps: both states’ first data breach notification laws took effect within the past two months. Others, like California and Vermont, are making robust changes, particularly to how businesses must process data. Colorado and Nebraska, meanwhile, will enforce heightened requirements and oversight for third-party entities that process personal data on a company’s behalf. And Iowa, interestingly, has passed legislation intended to regulate sites, online services and other applications that are primarily used by kids.
You can read further details about each state’s new regulations here. Companies that look to comply with them ought to consider best-practice training for employees, transparency with their customers, and identifying mission-critical data and how to properly discard what isn’t truly needed. These are just a few steps, of course. Ultimately, the impetus GDPR has provided to these states is apparent.
So too, naturally, is the impetus provided by the costs of mega breaches. After all, no business or agency wants to be the next major news story. A new IBM and Ponemon report on this front states that data breaches in which 1 million to 50 million records are compromised can cost an organization from $40 million to $350 million on average. In breaking down breach costs, the study examined a variety of factors; for example, a third of the costs (nearly $118 million for breaches of 50 million records) are usually due to lost business.
Though the highest costs of data breaches still apply to healthcare organizations, this is an issue that affects every industry. And speaking of front page scandals, Facebook is still facing harsh condemnation across the board for its role in the Cambridge Analytica debacle. Today it was announced that the UK’s Information Commissioner’s Office will hit Facebook with the maximum allowable fine (half a million pounds). The social media platform has continuously been accused of poor transparency throughout this process, and the complaints and fines are not likely to abate anytime soon.
Nor will the push, at the state level and perhaps eventually the federal level, for consumers to have better control over and protection of their data.