Building a Privacy Program that Works Across Jurisdictions

Privacy and security were historically two separate disciplines. However, over the years, the two have grown closer together. Moreover, as the landscape of privacy regulations continues to evolve, the most recent comprehensive privacy laws close that gap even more. With this convergence, there's an opportunity to blend what is known as best security practices and incorporate them into best privacy practices. 

Five states, CA, VA, CO, UT and CT, have mandated privacy laws, and roughly half of U.S. states have cybersecurity laws requiring covered organizations to maintain "reasonable" security practices. Given today's ceaseless barrage of cyber-threats and the increases in legislation, organizations are concerned about both data breach and the threat of litigation.  

Jurisdiction 

'Jurisdiction' becomes interesting and complex in the context of internet commerce, consumer data and rapidly changing U.S. privacy laws. According to iapp.org, jurisdiction is "the authority of a court to hear a particular case. Courts must have jurisdiction over the parties to the dispute (personal jurisdiction) and the type of dispute (subject matter jurisdiction). The term is also used to denote the geographical area or subject matter to which such authority applies." 

CPRA on Jurisdiction 

In general, CPRA, including the private right of action, applies to potential plaintiffs who are California residents that suffer harm in the state and to defendant organizations "doing business in the state of California" and qualify under at least one of the following criteria: 

• Have gross revenue of $25M+ 
• Buy, receive, sell or share "personal data" of 50M+ CA consumers 
• Derive 50%+ of revenue from selling consumer data

Since the CPRA has a somewhat vague definition of "do business in the State of California," courts will likely refer to relevant case law to provide guidance. Cases where an organization is registered in the state and/or maintains a physical presence in CA, are relatively simple in terms of 'jurisdiction.' Determining jurisdiction may likely be more complex in cases where organizations are based outside CA. For large organizations operating across the country, it may be challenging to determine which state jurisdiction(s) they are subject to. This issue is aggravated in class-action lawsuits involving plaintiffs from across the country.  

A Three-pronged Approach to a Unified Problem 

There are many upcoming legal changes in U.S. privacy laws. As they evolve, these laws converge with regulations and guidance of standard security practices. As a result, you can use security practices to make privacy programs more resilient to frequent changes in the law.  

Using a three-pronged approach of risk assessments, policy and control frameworks, and security testing, you can derive reasonable and actionable steps to maintaining single security, privacy and compliance program that works across international, state and industry-specific jurisdictions. 

1. Formal Risk Assessment 
   We live in a budget-constrained world, so picking which battles to fight and when to walk away is crucial. Running any organization involves risk. The practical goal is to balance budget with risk tolerance to achieve business objectives. A formal risk assessment, including data flow mapping, helps you understand your risk profile and prioritize projects based on their value to the business. In addition, you likely need a risk assessment for compliance. PCI DSS, SOC2, ISO 27001, NIST, HIPAA and other standards consider a risk assessment a crucial part of a robust security program. A proper risk assessment is a fundamental building block for any company's information security posture.
2. Policy and Controls Frameworks
   Security and privacy professionals are fortunate to have a rich tapestry of standards that exemplify different perspectives and approaches to managing security and privacy risk. Therefore, it's essential to select the proper framework or blend of frameworks and carefully customize the program specific to your organization. You can achieve Information security by complying with an adequate set of security policies, standards and procedures. Of course, there is no such thing as 100% secure, but if you comply with an appropriate set of security policies, standards and practices, your organization is actively managing its risk.
3. Security Testing
   The unique value of a penetration test and what distinguishes it from a vulnerability assessment is the application of human cunning. A properly conducted pen test finds corners of risk that your adversaries can see. Penetration testing uses creative, blended attacks like real-world adversaries to find weaknesses in tested systems. By simulating real-world attack scenarios, pen testing is invaluable for locating and assessing system configuration issues, hardware and software flaws, and deficiencies in countermeasures. 

Truvantis Information Privacy Program 

While privacy law specifics across jurisdictions are in flux, experts advise organizations to prepare ahead of time for a smooth transition and minimal disruption. If you are wondering where you stand regarding privacy and what you need to comply with emerging laws, consulting a Truvantis expert is an excellent place to start.  

The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. In addition, we can help build a solid central privacy program capable of supporting the entire matrix of international, federal, and rapidly changing state laws and regulations to which businesses may be subjected. 

Ready to move forward? Contact Truvantis for more information and to start your pre-audit consultation.  

Truvantis is a cybersecurity, privacy and compliance consulting organization. We specialize in helping our clients by implementing, operating, auditing and testing information security programs that work – balancing budget with organizational risk appetite.