Truvantis Blog

Three steps to Cyber Security Programs for CPRA, HIPAA, GDPR, PIPEDA, CCPA.

Written by Matthew Corwin | Oct 18, 2021 4:00:00 PM

Many new data privacy laws are emerging. Businesses must continually prove privacy compliance. Review current data privacy laws and get advice on how to build a multi-compliance Security & Privacy program.

In today's data economy, businesses collect and use gigantic amounts of consumer data. Intentionally or not, personal data is used in surprising ways, such as targeting ads or adjusting interest rates. More companies are profiting from Personally Identifiable Information (PII) data which often gets passed between countless third parties, each enabling possibilities for privacy compromise.

Many new consumer privacy laws have emerged over the last few years. Most states have consumer privacy legislation, with California, Colorado, Virginia, and New York having the most active and comprehensive laws thus far. Given the growing privacy concerns by voters and legislators, changes in state privacy laws will likely continue to evolve rapidly.

According to Matthew Corwin, attorney and privacy consultant, "Businesses are often concerned with proving privacy compliance, often as a contractual requirement."

Here is an overview of some of the more prevalent consumer data privacy regulations which may apply to your organization and, more importantly, advice on how to build a multi-compliance Security & Privacy program.

U.S. State Laws

California Privacy Rights Act (CPRA)

In the fall of 2020, ~55% of California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which expanded the California Consumer Privacy Act (CCPA). The complete law becomes operative January 1, 2023, with a couple of critical changes arriving in 2022 that covered organizations need to prepare for. Notably, when CPRA goes into full effect on January 1, 2023, it will apply to all data collected as of January 1, 2022.

CPRA Highlights:

  • Terminates the existing CCPA employer-employee exemption.
  • Consumers should have the tools necessary to limit the marketing use of their PI.
  • Increases fines for misuse of children's data.
  • Expands breach liability to the disclosure of account login information.
  • Specifies the length of time a company may retain a consumer's information.
  • Requires companies using third-party vendors to mandate contractually that those third parties apply the same level of privacy protection to data shared with them as the first party.
  • Deletion expansion: upon a consumer's request to delete, organizations must be able to tell the third-party organizations they have shared PI with to delete that information as well.
  • Chain of custody: data transferees must offer the same levels of privacy protection.
  • Establishes the California Privacy Protection Agency (CPPA), which will be empowered to fine transgressors, hold hearings and clarify privacy guidelines effective July 1, 2023.
  • Expands the Private Right of Action provision in the case of PI security breaches.
  • Requires annual cybersecurity audits and risk assessments for high-risk data processors.

CCPA vs. GDPR

Effectively, the CPRA brings the CCPA up to par with GDPR and beyond, for example through the consumers' private-right-of-action provision. To maintain compliance, organizations should conduct a privacy risk assessment that considers both new and existing requirements, then use the results to draft or update security controls, privacy policies, protocols, procedures, and training accordingly.

CPRA / CCPA Compliance Checklist

  • Transparent privacy notifications
    • Businesses should inform consumers how, what, and why they collect PI and how consumers can exercise their CPRA rights.
  • Purpose limitation and data minimization
    • Only collect and process the information necessary for the clearly stated business purposes.
  • Method for servicing legitimate consumer requests
    • Consumers should have the ability to exercise their rights without undue burden.
  • Security and privacy by design
  • Obligations regarding vendors and third-party processor agreements
    • Chain of custody: vendors and service providers must offer the same levels of privacy protection. Update vendor agreements and service contracts accordingly.
  • Automated decision-making requirements
    • Businesses must publish meaningful information and opt-out rights on the use of automated decision-making technology used for profiling, including information on the logic involved as well as the probable outcome for the user.
  • Privacy risk assessments, gap analysis, and remediation
    • Businesses must maintain annual audits based on suitable standards.
  • Employee training
    • Train all employees so they understand their roles and responsibilities.

California Financial Information Privacy Act (CFIPA)

CFIPA governs financial institutions' ability to use and share consumers' "nonpublic personal information," also called Personally Identifiable Financial Information (PIFI). PIFI is any personal information collected as part of a transaction between a consumer and the financial institution.

Illinois Biometric Information Privacy Act (BIPA)

BIPA is interesting as one of the first laws defining protected biometric information. It limits how biometric data can be collected or used and requires consumer consent and use notices. It also enables consumers to sue for infractions.

Virginia Consumer Data Protection Act

Passed on March 2, 2021, the VCDPA defines personal data similarly to California's CPRA. According to experts, the law has somewhat broader exceptions for uses of data from which consumers cannot opt out.

Similar to other states' laws, the VCDPA applies to companies that:

  • Control or process the personal data of 100,000 or more consumers, OR
  • Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information.

Colorado Privacy Act (ColoPA)

In June 2020, Colorado passed ColoPA, which:

  • Specifies how systems must fulfill duties regarding consumers' assertion of their rights.
  • Requires organizations to conduct a data protection assessment for each of their processing activities.

The state attorney general or district attorneys may enforce it.

Canadian Privacy Laws

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in a commercial activity. 

Organizations covered by PIPEDA must generally obtain an individual's consent when collecting, using, or disclosing that individual's personal information. People have the right to access the personal data held by an organization. They also have the right to challenge its accuracy. 

Organizations must use personal data only for stated purposes. If an organization is going to use it for another purpose, it must obtain consent again. Appropriate safeguards must protect personal information. 

PIPEDA Compliance 

Businesses must follow the 10 fair information principles to protect personal information, set out in Schedule 1 of PIPEDA. 

The principles are: 

  1. Accountability 
  2. Identifying Purposes 
  3. Consent 
  4. Limiting Collection 
  5. Limiting Use, Disclosure, and Retention 
  6. Accuracy 
  7. Safeguards 
  8. Openness 
  9. Individual Access 
  10. Challenging Compliance 
    • A consumer's ability to challenge an organization's compliance with privacy and security rules 

HIPAA Certification 

The industry-specific HIPAA Privacy Rule applies to healthcare providers and their business associates. HIPAA addresses the use and disclosure of sensitive protected health information (PHI). The goal is to give healthcare consumers knowledge of and control over their sensitive data while still allowing the data flows necessary to support patient care.

The Department of Health and Human Services (HHS) enforces HIPAA.

What is HIPAA Certification? 

Since 2003, covered entities have had to comply with the HIPAA Privacy Rule. There is no HIPAA certification that an organization can achieve. The HHS Office for Civil Rights (OCR) has resolved 98% of cases through corrective actions.

Covered organizations must perform annual audit reviews to show how policies and procedures meet the security and privacy requirements. 

What is PII in healthcare? 

In healthcare, the term Personally Identifiable Information (PII) used in other laws is replaced with Protected Health Information (PHI). While both acronyms are pronounced 'pie,' PHI is specific to HIPAA regulations in the healthcare continuum.

Protected Health Information (PHI) includes:

  • A person's past, present or future health conditions 
  • Specifics of health care to the individual 
  • Related patient payment information 

Similar terms for protected personal information, all pronounced 'pie':

  • PII – Personally Identifiable Information 
  • PHI – Protected Health Information 
  • PI – Protected Information 

Is IP Address PII? 

An IP address must be considered a Unique Personal Identifier when it can be used to uniquely identify a consumer.  

Unique Personal Identifier 

Persistent identifiers which can be linked to a consumer over time and across services:

  • A device identifier like a MAC address or a device serial number or digital signature 
  • IP address 
  • Cookies, beacons, pixel tags, mobile ad identifiers or similar technologies 
  • Unique customer numbers, unique pseudonym or alias 
  • Telephone number or other probabilistic identifiers 

What is not PII? 

  • Data that cannot be used to recognize a person's identity 
  • Anonymized or de-identified information  
  • Personal information that is intentionally made public by the person identified is generally not 'protected.'  

What is a Privacy Policy? 

Notice of the privacy policy is a hard requirement in CPRA and other regulations. An online privacy policy is a legal statement describing what information is collected, why personal data is collected, how the organization uses the information, and where or with whom it will be shared, and it allows consumers to opt out of data sharing.

A privacy policy internal to an organization is part of the employee training regimen on the proper collection, use, and storage of sensitive company information and the protection of consumer information.

What is a Data Retention Policy? 

A data retention policy describes how data should be stored and for how long. It details why an organization retains specific data and the established protocols for destroying data in order to meet business needs and contractual and legal obligations.

How a Privacy Consultant Saves You Time and Money 

Most organizations do not have the internal bandwidth or expertise to develop and manage privacy operations independently. A good consultant can save time and streamline the process by tailoring the privacy scope to fit your organization.   

Truvantis has the experience to examine privacy policies, protocols, and procedures the same way regulators and class action attorneys do. Our experienced and accredited team has the competence and expertise to drive effective privacy management in your organization.

We have helped hundreds of organizations address the challenges of conveying complex privacy concepts with clear policies, procedures, training, and outward-facing documentation. 

Why choose Truvantis? World-class competence, expertise, and experience. 

We have the expertise to examine from both a technical and legal compliance lens and manage any projects required to fill any gaps. Our team is good at what they do, but they are also recognized leaders in the industry. 

We do everything. 

Unlike so-called boxed solutions, which only give you checklists, templates, basic instructions, and video training and then leave you with the work, Truvantis can also do the hard work for you and simplify the nuances of interpreting regulations and assessing the effectiveness of privacy controls.

The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. We can help build a robust central privacy program capable of supporting the entire matrix of international, federal and rapidly changing state laws and regulations affecting your business. 

Truvantis Three Steps to an Effective Privacy Program 

We help your organization take an organized and prioritized approach to your privacy program. 

  1. Privacy Workshop
    • Understand your privacy goals
    • Define and scope your privacy management system
    • Build executive and departmental stakeholder awareness  
  2. Privacy Risk Assessment 
    • Conduct and analyze privacy risk information across policies, people, and processes 
    • Formal Privacy Gap Report and Recommendations 
    • Prioritized Remediation Roadmap 
  3. Implementation
    • We work with your vendors, third-party service providers, and stakeholders from the IT, IG, compliance, security, legal, and discovery departments. We do everything for you, from training, risk assessment, data-flow mapping, document preparation, and technology integration to guiding compliance audits.

Ready to move forward? 

Contact Truvantis for more information and to start your pre-audit consultation.