Friday, May 31, 2019

Musings of a Privacy Professional

My random hopes, fears, thoughts, predictions, advice, and personal observations on GDPR, CCPA, NSA, and other privacy and data security matters:

  • Despite the intense lobbying efforts of tech companies and others, Congress — fearful of the California Consumer Privacy Protection Act (CCPA), which becomes effective January 1, 2020 — will not pass a new comprehensive federal privacy and data security law this year.
  • Plaintiffs’ lawyers will start gearing up for the class action lawsuits they hope to bring under the CCPA. Lawyers who have already benefited enormously from the Telephone Consumer Protection Act (TCPA) private right of action for noncompliant text messages and robocalls will likely add this new lucrative specialty to their practices.
  • Regarding the General Data Protection Regulation (GDPR), fatigue has set in and, except for one large fine against Google, we have seen limited enforcement actions by the Europeans. Expect to see more actions against companies who have failed to comply with GDPR requirements regarding transparency, data breach, cross-border data transfer, and data access requests. It is never too late to consider a GDPR compliance review.
  • Likely due to the potential of large fines and a new GDPR requirement that regulators be notified within 72 hours of a data breach, EU data protection authorities received over 59,000 notifications within the first eight months since the GDPR became effective last May. How many of these data breach notices involved the unauthorized access and use of personal data that may have caused harm to individuals? How many notices were given simply to avoid potential fines arising from failure to comply with the new GDPR legal mandate to notify? How often do American businesses similarly notify a state attorney general’s office to comply with state breach notification laws? Do these notifications help promote data security?
  • As we get closer to January 2020, I will start getting more and more calls from clients asking about the CCPA, whether it applies to them, and if so what they must do to comply. This is déjà vu of the weeks leading up to May 25, 2018, when the GDPR took effect, and the frantic calls from clients concerned about GDPR compliance. Do you have processes in place to respond to requests from California residents (and possibly EU residents) regarding access to and information about their data? Do not wait until December 31 to consider a CCPA compliance review.
  • People will continue to respond to phishing efforts to obtain personal information and security credentials that compromise data privacy and security. It is not enough to invest in firewalls and other security safeguards. Do not forget the human element. Train and educate your employees on data security.
  • People will continue to respond to emails that appear to come from the CFO requesting that electronic payments be made with new routing information and instructions provided in the email. Before authorizing such payment, pick up the phone and confirm with the CFO (or other responsible person to whom the money is owed) that the new payment instructions are legitimate. Much easier than trying to recover funds diverted to Shanghai! Train and educate.
  • Small and medium-sized businesses will remain unprepared for data breaches that may come in the form of ransomware, inadvertent disclosures by employees or contractors, or unauthorized access. Be prepared and, at a minimum, have a written incident response plan so you at least have a process and team in place when the incident occurs. Your customers will increasingly request a copy of your plan along with a copy of your written information security program or WISP.
  • You cannot lose what you do not have. Data minimization is key to any privacy and data security compliance program. I am amazed at how much personal data on customers and others (including social security numbers) is maintained and stored by businesses even though it is of no benefit and no longer needed. Storing such unnecessary data is a recipe for disaster in the event of a notifiable data breach.
  • Last month I was at the National Security Agency (NSA) in Fort Meade, Maryland, to hear my son speak about recent (but much belated) legal proceedings in Germany against a Nazi guard who was at Stutthof concentration camp, where my grandmother Mina was murdered in the gas chamber. I thought of Edward Snowden as we passed a large prism-shaped building and I read the tagline above us as we entered this military complex: Mission First – Security Always.
  • According to cybersecurity experts, hackers are allegedly now using the EternalBlue tool — initially created by the NSA for government surveillance — to spread malware and ransomware worldwide, and are already hitting cities in the USA, such as Baltimore, where aging digital infrastructure is vulnerable to such attacks. Expect to see more such cyber attacks whereby frozen computers and shutdown email accounts disrupt government and other services.
  • Finally, amid concerns about the collection and sharing of personal data by Facebook, Google, and others, and our perceived loss of privacy, consider the plight of the Uighurs and other Muslim minorities in Xinjiang, China, where government surveillance is used to identify and segregate people in indoctrination camps. Will this government-sanctioned surveillance expand beyond Xinjiang? Is this the harbinger of things to come? I hope not.
