For better or for worse, California is often the place where great (and not so great) ideas and trends originate and ultimately sweep the country, if not the world. California gave us surf music, Pet Rocks, Valley-girl culture, Google, Apple, and eBay, among other cultural phenomena.
One of California’s more recent contributions to the American landscape is its data privacy law, known as the California Consumer Protection Act (CCPA). This law, signed by then-Governor Jerry Brown in 2018, goes into full effect in 2020. When it does, almost any company that does business with consumers in California will be required to meet a list of mandates that protect consumers’ personal data and give those consumers more control over whether and how their data is collected, stored, used, and shared.
The idea for such a state law is now spreading, literally from coast to coast. The New York state legislature is currently considering a bill, called the New York Data Security Act (SHIELD), which would go even further than its California counterpart.
New York Data Security Act
Officially the Stop Hacks and Improve Electronic Data Security Handling Act, SHIELD is a comprehensive update to the state’s already existing data breach laws. It coincides with a second bill being considered, the New York Privacy Act, which goes even further toward setting privacy standards.
As currently written, the proposed New York privacy regulations would differ from CCPA in several important and far-reaching ways. For example:
– Whereas CCPA is aimed primarily at larger businesses ($25 million or more in annual revenue, or handling data of more than 50,000 California residents), New York’s proposed data security law would apply to companies of any size.
– In CCPA, enforcement is left in the hands of the state’s attorney general, who can bring action (that is, lawsuits) against companies that fail to comply. In New York, any resident would be able to sue for relief, making companies vulnerable to hundreds or perhaps thousands of lawsuits.
Of course, the New York bill is not law as of this writing, and the language could change significantly before it passes, assuming it does.
How to Prepare For a Patchwork of State Laws
Whether or not New York passes its proposed data privacy law, the message is clear: In the absence of a comprehensive federal law with real consequences for noncompliance, states are going to take matters into their own hands. The result, potentially, is a compliance officer’s worst nightmare: 50 U.S. states, plus the District of Columbia, each with a different data privacy law. It’s a legal minefield where few will want to tread. What’s a company to do?
Compliance is not just about having the ability to locate and delete a customer’s information on request—a likely requirement of most, if not all, data privacy laws. It is also the ability to determine the impact of that deletion on the business intelligence (BI) environment. For example, how will deleting a customer’s information affect your order and invoice history, and therefore revenue reporting?
And because a customer’s credit card number, for instance, can be called by different names (“CC,” “CC_No,” “credit_card,” and so on) and stored in different ways (last four digits or all of them), it becomes more difficult to gain a comprehensive understanding of your data assets and where this type of sensitive information resides.
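The discovery problem described above, as an added example that is not from the original article: a small scanner over constructed, in-memory tables that flags card-number fields both by column name and by the values themselves, so a full card number stored under an unhelpful name such as "pmt_ref" is still found. The table names, column names and sample values are all constructed; the Luhn checksum is the standard check used for payment card numbers and is assumed here as the value-level test.

```python
"""Locate credit card numbers across tables regardless of the field name used.

Added example (not from the original article). Column-name matching alone
misses fields such as "pmt_ref"; the value-level check (13-19 digits plus a
valid Luhn checksum) catches those. A last-four-digits column is reported
as a partial card field by name only, since four digits cannot be verified.
"""
import re
from dataclasses import dataclass

# Constructed sample data, not real customer records.
SAMPLE_TABLES = {
    "customers": [
        {"customer_id": 1, "email": "a@example.com", "credit_card": "4111111111111111"},
        {"customer_id": 2, "email": "b@example.com", "credit_card": "5555 5555 5555 4444"},
    ],
    "orders": [
        {"order_id": 100001, "customer_id": 1, "pmt_ref": "378282246310005", "total": 1999},
        {"order_id": 100002, "customer_id": 2, "pmt_ref": "4012-8888-8888-1881", "total": 4500},
    ],
    "payments": [
        {"payment_id": 7, "cc_last4": "1111", "cc_token": "tok_8f3a"},
        {"payment_id": 8, "cc_last4": "4444", "cc_token": "tok_91bc"},
    ],
}

# Name tokens that commonly label card-number columns (heuristic, constructed list).
CARD_TOKENS = {"cc", "pan", "creditcard", "ccnum", "ccno", "cardnumber", "cardno"}


def name_tokens(column: str) -> set:
    """Split a column name into lowercase tokens: 'CC_No' -> {'cc', 'no'}, 'creditCardNumber' -> {'credit', 'card', 'number'}."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", column)
    return set(re.split(r"[^a-z0-9]+", spaced.lower())) - {""}


def name_suggests_card(tokens: set) -> bool:
    return bool(tokens & CARD_TOKENS) or {"credit", "card"} <= tokens or (
        "card" in tokens and bool(tokens & {"no", "num", "number"}))


def name_suggests_last4(tokens: set) -> bool:
    return "last4" in tokens or "cc4" in tokens or {"last", "four"} <= tokens or {"last", "4"} <= tokens


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, fold to one digit, total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """13 to 19 digits after stripping spaces and dashes, with a valid Luhn checksum."""
    digits = re.sub(r"[\s-]", "", str(value))
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


@dataclass(frozen=True)
class Finding:
    table: str
    column: str
    kind: str    # "full_pan", "partial_pan" or "possible_pan"
    reason: str  # "name", "values" or "name+values"


def scan(tables: dict, sample_threshold: float = 0.8) -> list:
    """Report columns holding card data. Value evidence wins; name evidence alone is reported as partial/possible."""
    findings = []
    for table, rows in tables.items():
        if not rows:
            continue
        for column in rows[0]:
            values = [r[column] for r in rows if r.get(column) is not None]
            tokens = name_tokens(column)
            card_name, last4_name = name_suggests_card(tokens), name_suggests_last4(tokens)
            hits = sum(looks_like_pan(v) for v in values)
            value_hit = bool(values) and hits / len(values) >= sample_threshold
            if value_hit:
                findings.append(Finding(table, column, "full_pan", "name+values" if card_name else "values"))
            elif last4_name:
                findings.append(Finding(table, column, "partial_pan", "name"))
            elif card_name:
                findings.append(Finding(table, column, "possible_pan", "name"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TABLES):
        print(f"{f.table}.{f.column}: {f.kind} (evidence: {f.reason})")
```

In a real environment the sampled values would come from a metadata catalog or a read-only query against each store, and the name-token list would be extended with the organization's own naming conventions; the point is that the two kinds of evidence are kept separate in the report, because a name hit with no matching values (such as a tokenized card field) calls for a different follow-up than a column full of live card numbers under an innocuous name.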
The key to success in this brave new world of data privacy compliance is automation. The old, manual methods of tracking, cataloging, and controlling your data assets are no longer sufficient. Without an automated metadata management and data mapping solution, your compliance efforts will be largely hopeless.
Automated tools provide you with several advantages when it comes to SHIELD compliance:
– A visual map of your data environment, including all the places where sensitive data lives, regardless of the field names used
– The ability to conduct impact analysis and explore what happens if certain changes (such as requested deletions) are made, and take action to redesign ETL processes and reports accordingly
– The ability to show an auditor evidence of compliance, for example, that you are properly segregating sensitive data from other data
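The impact analysis named in the list above, as an added example that is not from the original article or any vendor's product: a constructed lineage graph (source table to ETL job to warehouse table to report) is walked from the asset a deletion request would touch, and every downstream asset is returned grouped by type, so the owners of affected ETL jobs and reports can be identified before rows are removed. All asset names and edges are constructed.

```python
"""Impact analysis for a data-subject deletion request over a lineage graph.

Added example (not from the original article). Edges point from a source
asset to the assets that read from it. The walk returns every downstream
asset, grouped by type, which is the starting point for deciding whether
an ETL job or report must be redesigned before the deletion is carried out.
"""
from collections import deque

# Constructed lineage: asset -> assets that consume it.
LINEAGE = {
    "crm.customers": ["etl.load_dim_customer", "etl.load_fact_orders"],
    "erp.orders": ["etl.load_fact_orders"],
    "erp.invoices": ["etl.load_fact_invoices"],
    "etl.load_dim_customer": ["dw.dim_customer"],
    "etl.load_fact_orders": ["dw.fact_orders"],
    "etl.load_fact_invoices": ["dw.fact_invoices"],
    "dw.dim_customer": ["report.customer_churn", "report.revenue_by_region"],
    "dw.fact_orders": ["report.revenue_by_region", "report.order_history"],
    "dw.fact_invoices": ["report.revenue_by_region"],
}


def asset_type(name: str) -> str:
    """In this constructed graph the asset type is the name prefix (crm, erp, etl, dw, report)."""
    return name.split(".", 1)[0]


def downstream(lineage: dict, start: str) -> list:
    """Breadth-first walk from `start`; the seen-set keeps the walk finite if the graph has cycles."""
    seen = {start}
    order = []
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for child in lineage.get(node, []):
            if child not in seen:
                seen.add(child)
                order.append(child)
                queue.append(child)
    return order


def deletion_impact(lineage: dict, asset: str) -> dict:
    """Group every downstream asset by type so each owner can assess the deletion's effect."""
    groups = {}
    for node in downstream(lineage, asset):
        groups.setdefault(asset_type(node), []).append(node)
    return {kind: sorted(names) for kind, names in sorted(groups.items())}


if __name__ == "__main__":
    for kind, names in deletion_impact(LINEAGE, "crm.customers").items():
        print(f"{kind}: {', '.join(names)}")
```

Run against the constructed graph, a deletion in the CRM customer table reaches three reports, including the revenue report, while a deletion in the invoice system reaches only the revenue report; that difference is exactly what a compliance team needs in order to decide where a hard delete is safe and where the ETL or report logic has to change first.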
The state laws that are now, or soon will be, on the books—not to mention overseas initiatives, such as Europe’s General Data Protection Regulation (GDPR)—are not going away. The time to prepare is now, by implementing automated tools to gain understanding and control of your data.