When it comes to valuable assets, data is the new oil. That phrase was coined by the British mathematician and entrepreneur Clive Humby in 2006 — and the years since have only proven how true this is. Given the value of data, and its sensitivity when it comes to the personal information of users around the world, it’s no surprise that data protection has become an increasingly hot topic.
Over the past couple of decades, the regulatory landscape around data has become busier and more complex. Some data-protection rules, such as the Payment Card Industry Data Security Standard (PCI DSS), which is an industry standard rather than a law, have been around for well over a decade. Others, like Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), are now approaching half a decade since they were first adopted.
But new laws continue to be introduced. In early 2021, Virginia's governor, Ralph Northam, signed a new state data protection act into law: the Virginia Consumer Data Protection Act (CDPA). Virginia became the second state to pass such a law after California, and the first on the East Coast of the United States. The new rules come into effect on January 1, 2023, so companies have until then to change whatever parts of the way they conduct business are affected by the legislation.
New Laws Enter The Arena
The CDPA is similar in some ways to both GDPR and CCPA in that it is intended to protect the privacy of individuals. Under the law, consumers in Virginia have the right to access, correct, and delete the personal data a company holds about them, and to obtain a copy of it. They can also opt out of particular data-processing activities, and businesses must obtain explicit consent before collecting or processing any sensitive data.
Violations of the new rules carry potential fines of up to $7,500 per violation, which adds up quickly when the data of many users is not properly safeguarded. (Some of the biggest data breaches in history have exposed well over 100 million user records.)
CDPA applies to any business or individual that controls or processes the personal data of at least 100,000 Virginia residents in a calendar year, or that controls or processes the data of at least 25,000 residents and derives more than 50% of gross revenue from selling personal data. Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable person.
The Importance Of Data Protection
This kind of data regulation is much needed, and increasingly demanded by voters. But it is not straightforward. Legislation can be complex, and it is more complicated still when different laws impose different compliance requirements. Broadly speaking, all of them seek to protect users' personal data from misuse, but the way they do so differs. All of the laws mentioned above differ from one another, which means that compliance with CDPA does not necessarily mean compliance with CCPA or GDPR. Some of the differences are as simple as which jurisdiction a law applies to; others are broader questions of scope, thresholds, and how key terms such as personal data and sale are defined.
Things are likely to become even more complex. At least eighteen other states currently have privacy bills at various stages of discussion, and more will no doubt follow. Short of GDPR-style rules, which were intended to unify privacy law across Europe, the US will soon have a patchwork of different state laws, each requiring its own compliance measures. Even if unified rules were established, international compliance would remain complex.
Businesses must keep on top of these different rules; ignorance of a law is not a defense for failing to comply with it. Fortunately, the tools to help protect data already exist.
The Right Tools For The Job
Data discovery and classification tools help businesses keep tabs on the location, volume, and context of the data they store, both on-premises and in the cloud. Database activity monitoring tools watch relational databases and other data stores and generate alerts in real time when there is a potential policy violation.
Beyond this, companies should take steps to safeguard their data so as to avoid breaches in the first place. Database firewalls can block attacks such as SQL injection and flag potentially vulnerable queries, although they are a backstop rather than a substitute for parameterized queries in the application itself. Data masking and encryption obfuscate private data so that it is not readable even if it is somehow exfiltrated; masking suits non-production copies and displays, while encryption only helps if the keys are stored and managed separately from the data. In addition, behavioral analytics can show how data is accessed, used, and moved around within an organization, which makes unusual access patterns stand out.
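To make the SQL injection and data masking points concrete, here is an added example (not code from the original article or from any vendor tool it describes). It builds an in-memory SQLite table from constructed, fictional customer records, shows a lookup that splices user input into the query text next to its parameterized counterpart, and then masks the email and phone columns before a row is displayed or exported. The table, column names, and the masking rules are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample records (fictional); they exist only to drive the example.
SAMPLE_CUSTOMERS = [
    ("Alice Example", "alice@example.com", "804-555-0101", "VA"),
    ("Bob Sample", "bob@example.net", "757-555-0102", "VA"),
    ("Carol Test", "carol@example.org", "415-555-0103", "CA"),
]


def build_demo_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT, state TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email, phone, state) VALUES (?, ?, ?, ?)",
        SAMPLE_CUSTOMERS,
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable: the caller's input is spliced into the SQL text.

    An input such as  ' OR '1'='1  becomes part of the WHERE clause, so the
    query matches every row instead of one customer.
    """
    sql = f"SELECT name, email, phone FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name, email, phone FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def mask_email(email):
    """Keep the first character of the local part and the domain: a***@example.com."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        return "***"
    return local[0] + "***@" + domain


def mask_phone(phone):
    """Keep only the last four digits so a support agent can confirm a number."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 4:
        return "***"
    return "***-***-" + digits[-4:]


def mask_record(row):
    """Apply the masking rules to a (name, email, phone) row before display/export."""
    name, email, phone = row
    return (name, mask_email(email), mask_phone(phone))


if __name__ == "__main__":
    conn = build_demo_db()
    payload = "' OR '1'='1"
    print(len(lookup_unsafe(conn, payload)), "rows returned via injection")
    print(len(lookup_safe(conn, payload)), "rows returned with a bound parameter")
    for row in lookup_safe(conn, "alice@example.com"):
        print(mask_record(row))
```

The injected payload dumps all three rows from the vulnerable lookup and zero rows from the parameterized one, which is exactly the difference a database firewall tries to detect after the fact. The masking functions are deliberately one-way: the masked output cannot be reversed into the original value, which is what makes it safe for logs, support screens, and non-production databases.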
Data protection is not a question a business can bury its head in the sand about. It is a critically important area, and one that will only become more so over time. Failure to protect user data can result in reputational damage, heavy fines, and more. Putting the right measures in place is essential, and it is better done now than after the regulatory landscape has become even more complex than it already is.