How California and Virginia Privacy Laws Will Affect Companies Across the U.S.

[Music]

Jill Malandrino: Welcome to NASDAQ Trade Talks. I'm Jill Malandrino, Global Market Reporter at NASDAQ. Cyber Security Awareness Month, which takes place in October and is in its 19th year, is a way for enterprise and communities to come together to learn the best way to protect themselves from cyber security breaches. It also empowers everyone to protect their personal data from digital forms of crime. Sarah Hutchins, partner lead with cyber security and data privacy at Parker Poe, joins me to discuss how California and Virginia's privacy laws will affect companies across the United States. It's great to have you with us, Sarah. Welcome to MarketSite.

Sarah Hutchins: Thank you so much, Jill.

Jill Malandrino: What are the key themes that businesses need to know about the new data privacy laws that are going into effect?

Sarah Hutchins: So there's a number of data privacy laws, like you said, that are coming into play in 2023. California and Virginia kick off January 1, and they're soon going to be followed by Colorado, Connecticut and Utah. And at their core these laws are really going to deepen the regulations but also the penalties for businesses that operate across the United States, even those that don't necessarily make data part of their core business. So there's a lot of commonality in these laws, and one of the big things is really data knowledge. So the regulators want companies to be really thoughtful about what they're collecting, but they also want the consumer to have knowledge about what they're giving, how it's going to be used, how it's going to be stored and ultimately how it's going to be destroyed. With that there's a lot of efforts the company needs to go through, like data assessments, really knowing where their data is so that they can respond to some of the requirements and the regulations, which might require kind of data mapping, really seeing where they store a person's data and who they give it to. And with that, businesses are likely going to want to minimize the data that they collect to reduce the burden.

Another key theme is individual rights. So some of these laws that already existed kind of established the idea that a consumer actually has a property right in their data, but that's a real shift from where the U.S. has been in past decades. So these laws deepen that and kind of codify it, and they also expand who we think of as far as individuals having these rights. It's not just consumers anymore, it's employees as well.

And finally, these laws really emphasize that the cost of non-compliance is huge. So gone are the days that a business could kind of slide by and hope that they got under the radar. There's more regulators looking at this. The fallout from a security incident is much more common, and since we're in budgeting season for a lot of your listeners, this is the time to put in that line item to deal with cyber security in the budget.

Jill Malandrino: It sounds like we're starting to catch up with GDPR and our counterparts in the EU, but if I understand it correctly, the state laws have implications far beyond the California and Virginia borders. So what types of businesses will these laws apply to?

Sarah Hutchins: So really, um, the California law and the Virginia law and the other ones that are coming afterwards are focused on businesses that operate in that state, not just businesses that have a physical presence in that state. So, um, you know, e-commerce and things like that has really widened the network for where businesses are operating. Now there are volume thresholds, if you will, for, um, who's going to be roped in. It's not going to be every single mom and pop. There's going to be businesses that get roped in because they collect a massive amount of personal information on individuals in the state of Virginia, for example, a hundred thousand. There's going to be businesses that come in to regulation because they make a profit, make revenue, off of a portion of the sale of the personal information they collect. But with California you could also be roped in just by being of a certain size, gross revenue of 25 million, and doing business in that state. If you have information on California residents, you may need to comply, and what that compliance means is that you're going to really need to focus on your outward-facing documents about what you say you do with a consumer's data: how do you store it, how do you collect it, who do you share it with. And if you sell it, you also, in many of these regulations, are going to need to offer opt-out rights, giving the consumer, in some cases the employee, the ability to say, no, I don't want you to do that with my data, I don't want you to sell it or engage in targeted advertising.

You're also going to see a lot of regulation that's going to enhance the security that companies need to apply to the data that they store, not just how they keep it in-house, but many businesses rely on other vendors to operate and use their data, customer relations platform, through software contract. In those instances these statutes are really going to detail the type of security regulations that a company needs to enforce on those they give the data to. At their core these laws are really focused on minimizing what a company collects to the legitimate business needs of the company. It needs to be adequate, it needs to be reasonable and relevant to what the business is actually going to be doing.

Jill Malandrino: Yeah. How is this different than what's already on the books in California, for example the California Consumer Privacy Act?

Sarah Hutchins: Right, so the US sort of kicked off its comprehensive privacy and security statutes through the CCPA, and that really, as you mentioned before, kind of was akin to some of the regulations that already existed in Europe, like GDPR. What the California Privacy Rights Act, which comes into play on January 1, does is really enhance the protections that exist for consumers and potentially employees and deepen some of the requirements. Uh, some of the things that the act does that didn't exist before: one key one is that it establishes a privacy agency that's fully focused on enforcing this act. No longer is it just the AG's office, who's really focused on so many different things that the state of California needs. There's going to be regulators that are solely focused on business compliance with this regulation.

Again, we spoke about individual rights before. These existed under CCPA, like the right to delete and the right to inquire about the type of data that a company may have on a California resident, but there's so many more expansions under CPRA. There's the right to get information about how long data is retained for. Importantly, there's the right to correct information, which may cause a lot of back and forth with companies, and they'll really have to have a process in place to comply. I mentioned before the contractual restrictions that a company may need to have with those that they give the data to. Those are massively enhanced under CPRA in order to really kind of set forth that a company can go in and audit their vendors and make sure that they're keeping the security promises that they say.

Jill Malandrino: You know, it's interesting. I remember when asset managers had to start complying with GDPR, and it was such an urgent process that they had to take a number of years ago. What are the most urgent steps that companies must take to remain compliant once these laws go into effect?

Sarah Hutchins: Right, and there's, um, this is going to apply to so many more companies now with states like Virginia and Connecticut and Colorado, so really the, uh, the scope of the application has enhanced all of this. So companies really need to have a moment to get to know their data. They need to assemble a team that's going to be thinking about what do we actually have, what do we collect and why, and that team should not just be IT. This is an opportunity for marketing, for HR, for the C-suite to come together and think through the data that they have.

The next thing that the companies really need to do is assess their own unique risk, really prioritize what they have and try to get in compliance. You made the point that it was really difficult when GDPR rolled out to get in compliance, and still is for many companies. This is not an overnight success opportunity. Companies should work with legal counsel to prioritize what's the biggest risk that they're facing: is it their outward privacy policy, is it their lack of a written information security program that some of these laws require, is it that they have no contractual protections on the data that they're sharing with others, and sort of prioritize and develop a road map that companies can adhere to, to sort of make immediate steps to start getting in compliance with these laws, because it's going to be the first time that some of these companies have really even thought about it.

And the final thing that I would say is a key focus area is, now and always, be prepared for a security incident. While these laws don't necessarily materially change a company's obligations with respect to a data breach and a notice to the affected parties, I can tell you that nothing shines a spotlight on your practices like a security incident. So if you're already dealing with the difficulty of business loss, interruption, and dealing with your consumers and your customers and your vendors, you also don't want to have a regulator coming in and asking questions. You want to be in a defensible position and able to provide those policies and practices that the regulators want to see, so that they're blaming the bad actor who broke into your systems and not the company itself.

Jill Malandrino: And Sarah, in the last minute here, what do you think the overarching message is that these laws are sending to companies when it comes to consumer data?

Sarah Hutchins: Well, I really think they're saying more is to come. This is just the beginning. We're going to see many more states having similar statutes in place to continue to rope in more and more businesses into protecting individuals' data and recognizing data rights. The risk is there from the regulators, with the fines and the compliance that will be required, but it's also there with the litigants, the you and me. If our information is subject to a security incident, we are more empowered to pursue those rights because we see those rights embodied in these statutes. And it's again that defensible position of, if you get ahead of it now, have your written information security program in place and your plan to address privacy and security issues, you'll be in a much better position if the inevitable happens.

Jill Malandrino: All right, Sarah, we appreciate the insight. Thanks for joining us on Trade Talks. And thanks for joining me. I'm Jill Malandrino, Global Markets Reporter at NASDAQ.
Info
Channel: Nasdaq
Views: 317
Keywords: nasdaq, stock market, stocks, finance, financial, trading, trader, stock
Id: I-U1x6B8gEg
Length: 10min 48sec (648 seconds)
Published: Wed Oct 12 2022