Data Privacy and Security in the US

According to Pew Research Center, 64% of American adults have experienced data theft. Yahoo, eBay, Equifax, Target, Anthem, Home Depot – it has become habitual to worry about data breaches, identity theft, and other privacy concerns. With every new headline of a data breach, it seems like consumers are losing more control over what personal information is publicly available.

At the same time, it’s nearly impossible to go through an ordinary day without sharing personal information. There are businesses out there that know where you live, how fast you drive, how many hours of sleep you got last night, if you’re on-budget for the month, what type of music you listen to, how many times you’ve tweeted this month, if you’re meeting your fitness goals, and how many children you have – just to name a few categories. With the complexity and sophistication of the current threat landscape, regulators, lawmakers, and consumers must be more alert than ever. In 2018, numerous states have added or updated data privacy and breach notification laws, including:

  • The Alabama Breach Notification Act of 2018 went into effect on June 1, 2018 to heighten consumer protections.
  • Arizona amended its breach notification law, HB 2145, to expand the definition of personal information and refine notification timelines.
  • Colorado enhanced consumer protections through amendments to HB 1128, which went into effect on September 1, 2018.
  • Ohio passed The Data Protection Act, a scalable bill that focuses on businesses’ cybersecurity programs.
  • Iowa passed HF 2354 to regulate the protection of student information when used on an online service or application.
  • Louisiana amended Act No. 382 to create a more comprehensive data privacy and breach notification law.
  • Nebraska passed LB 757, a bill requiring “reasonable security procedures and practices” to provide consumer protection.
  • Oregon amended SB 1551 to extend the scope of its breach notification rules; the amendment went into effect on June 2, 2018.
  • The South Carolina Insurance Data Security Act, which goes into effect on January 1, 2019, emphasizes the need for cybersecurity programs and incident response plans in the insurance industry.
  • South Dakota enacted its first breach notification law in SB No. 62, effective on July 1, 2018.
  • Vermont passed 764, which will regulate data brokers’ information security program and data privacy practices.
  • Virginia extended its breach notification law, HB 183, to include tax information.

The California Consumer Privacy Act of 2018 has stood out among state laws, though. Let’s discuss what this law is and why it is being perceived as the US equivalent of GDPR.

Introducing the California Consumer Privacy Act of 2018

In June, California Governor Jerry Brown signed into law AB 375, enacting The California Consumer Privacy Act of 2018 (CCPA). Despite opposition from industry leaders like Google, Verizon, Comcast, and AT&T, approximately 629,000 Californians petitioned to get the law on the ballot, and now, Californians have been granted the most comprehensive consumer privacy rights in the country. This is evidence that consumers want ownership, control, and security over their personal data.

The purpose of CCPA is to give consumers more rights related to their personal data, while also holding businesses accountable for respecting consumers’ privacy. Because of California’s reputation as a hub for technology development, this law speaks to the needs of its consumers, needs that continue to evolve with technological advancements and the resulting privacy implications surrounding the collection, use, and protection of personal information.

For-profit businesses that do business in California and that fall under any of the following categories must comply with the CCPA:

(A) Have annual gross revenues of over $25,000,000;

(B) Buy, sell, or share the personal information of 50,000+ consumers per year; or

(C) Derive 50% or more of their annual revenues from selling consumers’ personal information.

Has the GDPR Made Its Way to the US?

The European Union’s legislation, the General Data Protection Regulation (GDPR), has been a top regulatory focus of 2018, even among US companies. The first globally relevant data privacy regulation of its kind, GDPR is considered to be one of the most significant information security and privacy laws of our time. GDPR applies to any entity collecting, using, or processing personal data of any data subject in the EU, which means that the applicability of the law follows the data, wherever in the world that data resides.

California Consumer Privacy Act vs. GDPR: What Your Business Needs to Know

We do see some similarities between GDPR and CCPA, especially in their purpose and definitions. Both GDPR and CCPA are heavily focused on consumers’ desire for privacy and control over their personal information. After reviewing both laws, you’ll find regulators designed both to give consumers more rights and hold businesses accountable for respecting consumers’ privacy. You’ll also notice that the two laws’ definitions for the terms “processing” and “personal information” closely align.

Many of the best practices that organizations are using to comply with GDPR will be effective when beginning to comply with CCPA. Data mapping, documentation review, contract management – these activities will assist organizations in their compliance journeys. Additionally, CCPA may become a model for other state privacy laws or even a federal privacy law, so compliance with CCPA may give organizations an advantage for compliance with other state or federal privacy laws.

If GDPR or CCPA applies to your business, we encourage you to begin your preparation by following the data, starting the paper chase, performing thorough internal documentation review, and identifying which security standards are appropriate for your organization. Contact us today for more information on how to comply with state laws or GDPR.


Although the EU’s General Data Protection Regulation (GDPR) enforcement deadline has passed, many non-EU organizations are still questioning what they need to do to ensure compliance. Do they need a designated representative? Where does their designated representative need to be located? Is a designated representative the same thing as a Data Protection Officer? Who do they need to notify that they have a designated representative? How do they do this? In this webinar, learn as KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, and the Founder and Chair of the Board of EDPO, Jane Murphy, answer these questions and more.

The Hidden Obligation Under GDPR: Article 27

Many non-EU organizations have missed a component of GDPR compliance: appointing a designated representative within the EU. This requirement comes from Article 27 of the law, which many people refer to as the “hidden obligation” within GDPR. According to Article 27, non-EU organizations must designate a representative within the EU if they monitor or process the personal data of EU data subjects. A designated representative can only act on behalf of their client (a controller or processor subject to GDPR); it acts as a point of contact for supervisory authorities and European clients and assists controllers or processors with breach notification.

How can non-EU organizations (that must comply with GDPR) determine if they need a designated representative? First, they need to identify how much and how often they monitor or process personal data of EU data subjects. Second, they must determine if they have an establishment in the EU. This means that non-EU organizations must verify whether they have any organizational links to EU data subjects, which could include employees, clients, investors, or partners. There are several factors, gray areas, and exceptions for determining whether a non-EU organization must designate a representative, which we’ll discuss in this webinar.

About EDPO

In this webinar, we’re pleased to be joined by Jane Murphy from the European Data Protection Office (EDPO). Jane is Founder and Chair of the Board of EDPO. She is a Belgo-Canadian lawyer specialized in GDPR, corporate law, M&A, and corporate governance. She is also an independent non-executive board director of listed and non-listed companies in Belgium and in France and a member of various committees (audit, risk, legal, compliance, corporate governance and remuneration). She is Vice-President of CanCham Belux, member of the IAPP, and of the DPO Circle. She holds law degrees from Canada and Belgium, an LLM in European and International Law, a Certificate in EU Data Protection from Solvay Brussels School of Economics and Management, and completed a summer program in International Business at Harvard.

EDPO is a privately-held Belgian company located in Brussels that acts as a trusted EU-based representative for companies located outside of the EU that fall under the scope of the GDPR. EDPO provides a certificate that confirms compliance with Article 27 of the GDPR and unlimited assistance in the handling of requests from individuals and data protection authorities across the 28 Member States of the EU. EDPO’s mission is to enable non-EU companies to continue to have access to customers in the EU. Its team of experts creates value for non-EU companies by ensuring legal certainty and by protecting them against sanctions that can reach up to €20 million or 4% of global revenues, whichever is greater.

For more information on selecting a designated representative for non-EU organizations or to find out how your organization can begin your journey toward GDPR compliance, watch the full webinar. To learn more about the GDPR services we offer, contact us today.

Vendor compliance management is the process by which organizations understand and control the risks associated with working with vendors, third parties, or business partners. If your organization utilizes vendors to conduct part of your business process – whether that be billing, customer service, data processing, etc. – the risks associated with that partnership could ultimately put you out of business.

An effective risk management strategy includes a strategic process for assessing and monitoring vendor compliance. Some vendors go to great lengths to secure their services and processes, but others may leave you with consequences to pay. Vendors need to prove what they are doing to reduce risk to you and your customers. You’re putting a great deal of control into vendors’ hands, so managing vendor risk must be an integral part of any business.

What happens if your operations depend on the availability of your vendor’s services, but their service has an outage? If your vendor goes out of business, how does your organization continue to operate? If your organization shares cardholder data with a vendor and that vendor has a breach, what are the consequences to your organization? These are the types of scenarios your organization must consider when selecting vendors and effectively managing vendor risk.

Working with vendors puts your organization at risk for data breaches or security incidents, often leaving you to deal with operational, financial, and reputational damages. By having an effective vendor compliance management program, you will be able to identify, mitigate, and better control vendor risk and improve the security of your organization. Not to mention, for many industries, validation of a vendor’s security practices is not optional. For example, for HIPAA, PCI DSS, NY CRR 500, and SOC 2 compliance, organizations must have some form of vendor compliance management program in place and functioning.

As businesses increasingly look to outsource various components of their organizations, it’s more crucial than ever to have a strong vendor compliance management program. Ready to get started on yours?

Independent Audit Verifies NCS’ Internal Controls and Processes

Van Nuys, CA – National Commercial Services (NCS), a subrogation and commercial collection agency, today announced that it has completed its SOC 1 Type II audit. This attestation verifies that NCS has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA firm, performed the audit and appropriate testing of NCS’ controls that may affect its clients’ financial statements. SOC 1 Type II is a report on the controls at a service organization, established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. The SOC 1 Type II audit report includes NCS’ description of controls as well as the detailed testing of its controls over a minimum six-month period.

“NCS is committed to providing our clients with the most secure, while efficient, collection and subrogation services nationally. Completing the SSAE 18/SOC 1 Type II Audit is part of the regulatory framework recommended to provide secure services to both our clients and the public. NCS will continue to renew our SOC certification on an annual basis to verify that we stay abreast of industry and standard improvements,” said Natalie Mansour, Vice President and Chief Operating Officer of NCS.

“Many of NCS’ clients rely on them to protect consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, NCS has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by NCS.”

About NCS

National Commercial Services (NCS) is a California Certified Corporation located in Los Angeles County. With 22 years of experience in the fields of Subrogation and Commercial Collections, NCS is a Premier Sponsor of the National Association of Subrogation Professionals and is licensed and bonded in every mandated state. NCS is dedicated to compliance with Federal and State Specific Fair Debt Collection, TCPA, PCI, and all best-practice protocols.

What is a SOC 1 Audit?

The SOC 1 audit is based on an attestation standard developed by the American Institute of Certified Public Accountants (AICPA) to be used in the auditing of third-party service organizations whose services are relevant to their clients’ internal control over financial reporting.

A SOC 1 Type I report is an attestation of controls at a service organization at a specific point in time. It reports on the description of controls provided by management of the service organization and tests that the controls are suitably designed. A SOC 1 Type II report is an attestation of controls at a service organization over a specified period of time. It reports on the description of controls provided by management of the service organization and attests that the controls are suitably designed, implemented, and operating effectively.

What are SOC Controls?

SOC controls are a service organization’s internal controls that are tested during an audit from the System and Organization Controls (SOC) suite, which was developed by the AICPA.

These controls are integral to internal compliance, security, and privacy, and in turn inform many critical business and governance decisions.

SOC 1 Compliance Checklist

Are you looking to begin your SOC 1 compliance journey? Are you in need of guidance to get started? Do you want to know what your auditors will be looking for? This exclusive SOC 1 compliance checklist outlines the specifics on each system component that will be evaluated by your auditor during your SOC 1 audit, including:

  • Does your organization have a defined organizational structure?
  • Has your organization designated authorized employees to develop and implement policies and procedures?
  • What is your organization’s background screening procedure?
  • Does your organization have established workforce conduct standards?
  • Do clients and employees understand their role in using your system or service?
  • Are system changes effectively communicated to the appropriate personnel in a timely manner?
  • Has your organization performed a formal risk assessment?
    • Has your organization identified potential threats to the system?
    • Has your organization analyzed the significance of the risks associated with each threat?
    • What are your organization’s mitigation strategies for those risks?
  • Does your organization perform regular vendor management assessments?
  • Has your organization developed policies and procedures that address all controls?
  • Does your organization perform an annual policy and procedure review?
  • Does your organization have physical and logical access controls in place?