Recently, a client told me that he did not have any personal information on his systems, so he wasn’t subject to privacy laws. At that point, I knew he was in trouble.
The problem is that there is no single definition of personal information. The concept varies widely depending on what you do and where you do it. However, the idea that U.S. organizations, unlike European ones, are exempt from privacy laws is simply wrong. Every U.S. organization is subject to some sort of privacy law. Every U.S. organization handles information that, in some situations, may require it to contact the authorities. Every U.S. organization should have a process to deal with these regulations.
The source of the misinformation
Let’s start with what I assume is the source of the misinformation. Many U.S. organizations have heard of the EU’s GDPR (General Data Protection Regulation), which came into force in 2018. The Regulation, which superseded the 1995 Data Protection Directive, sets out strict guidelines for processing the personal information of EU residents.
One of the great things about the GDPR is that it is exceptionally well written and very consistent. The Regulation’s definition of personal data – “any information relating to an identified or identifiable natural person” – has been widely copied. For example, the CCPA (California Consumer Privacy Act) defines ‘personal information’ as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Laws similar to the GDPR have now been adopted by more than 25 countries. Meanwhile, in the U.S., Virginia recently enacted a state privacy law similar to the CCPA, and five other states – Minnesota, New York, North Dakota, Oklahoma, and Washington – are considering doing the same. Since these all use near-identical definitions of personal information, you might expect the concept to be reasonably simple. It isn’t; there’s more.
For example, Article 9 of the GDPR refers to special categories of personal data. This includes delicate personal information like racial or ethnic origin, religious beliefs, genetic data, biometric data, and data concerning a person’s health, sex life, or sexual orientation. The GDPR prohibits any processing of this data unless one of ten exceptions applies.
The alphabet soup of U.S. privacy laws
In the U.S., laws concerning sensitive information relating to health have been around for more than 20 years. HIPAA (the Health Insurance Portability and Accountability Act) defines PHI (protected health information) as health information that is created or received by or on behalf of the health care component of a covered entity, and places extensive restrictions on the use and disclosure of PHI and its electronic counterpart, ePHI.
Laws concerning biometric information – physical characteristics, voice prints, handwriting samples, photographs, fingerprints, and just about anything else relating to the human body – are also becoming more common. The best known is the Illinois BIPA (Biometric Information Privacy Act), although other states have recently enacted similar statutes or are considering them.
The new CPRA (California Privacy Rights Act) includes a provision for a category of personal information that it calls “sensitive information.” This includes health information, biometric information, and many of the categories listed in Article 9 of the GDPR. It also includes other information often referred to as sensitive information in other statutes, including social security numbers, driver’s license numbers, state identification card or passport numbers, login information, financial accounts, debit or credit card numbers, and any security or access codes, passwords, or credentials allowing access to an online account.
Each state’s breach-reporting statute has its own specifications as to who reports what information to which body. In general, the statutes usually require an organization that processes this type of sensitive information to report any data breach to a governmental agency, often the state’s attorney general.
Protecting personal information
Information, including personal information, is no longer ancillary to your business. It is your business. If you do not protect it and fail to comply with cybersecurity and privacy laws, you will lose customers, partners, and business, and may even be subject to regulatory prosecution or civil lawsuits.
At IT Governance USA, we are cybersecurity and data protection experts. From providing advice to offering support implementing security frameworks, we can help you protect your organization from noncompliance with the various data privacy laws. We can help you protect the personal information your company holds.
Free PDF download: Cybersecurity 101 – A guide for SMBs
Cybersecurity requires careful coordination of people, processes, systems, networks, and technology. However, many SMBs (small and medium-sized businesses) don’t know where to begin, and are at a disadvantage due to a lack of expertise and resources.
Download ‘Cybersecurity 101 – A guide for SMBs’ to find out how to get started with the basics of cybersecurity while keeping costs to a minimum.