State data privacy laws, regulations changing CISO priorities

Companies and their CISOs are facing a growing number laws governing cybersecurity, data protection and privacy -- most notably the California Consumer Privacy Act that goes into effect in 2020. Many other states have also enacted or proposed new or updated legislation targeting these areas as well, and more regulations are certainly on their way, said Scott Giordano, an attorney serving as vice president data protection at the data security software company Spirion.

In this Q&A, Giordano discusses these new state data privacy laws and how they will influence companies' data management processes. According to Giordano, CISOs will need to work closely with their organization's legal teams and expand their job scope if they want to comply with the myriad requirements put forth by the slew of existing and anticipated state data privacy laws.

Editor's note: This interview has been edited for clarity and length.

What's top of mind in the privacy field right now?

Scott Giordano: The individual states are taking a lead on addressing privacy and security concerns for U.S. consumers. It started in earnest last year, with about a dozen states passing laws. These data protection laws incorporate both security and privacy; they consider data protection and privacy as one. The Europeans also take the view of data privacy and security as one. It goes way back, with the Data Protection Directive of 1995. It required the European Union members to create their own national standards for privacy based on a set of principles. That was in effect until the General Data Protection Regulation, (which was passed in 2016 and took effect in 2018,) replaced it.

You have said that you like what's happening in this space in Ohio. Why is that?

Scott Giordano

Giordano: What's interesting in Ohio is the data protection act doesn't require you to do anything, but instead it gives you incentives. It says if you adhere to any standards, like HIPAA [the Health Insurance Portability and Accountability Act of 1996], and can prove adherence, and you do get a breach, you get [a safe harbor]. It's called an affirmative defense. It says if you aim high and you can prove it, you won't be punished in civil court. I love that because they're using a carrot, not a stick. And a stick hasn't worked so far.

Why hasn't the stick worked?

Giordano: CISOs are always starved for money. They'd love to implement the ISO/IEC 27000 family of standards, but they're typically not going to get the money to do that. To have legal come to them and say, 'We want this affirmative defense, we'll lobby the CFO to do this, and now there's incentive, and money and need,' that changes everything.

What do CIOs and CISOs need to know about the California Consumer Privacy Act?

Giordano: The biggest takeaway is they need to become best buddies with the general counsel or the [assistant general counsel] responsible for privacy because this act incorporates both privacy and data protection. For example, the act gives consumer the right to not have their data sold to a third party. Consumers can direct companies not to sell their data -- that's not even in GDPR. So, suppose a consumer sends an email to customer service at company X and says, 'Don't sell my data to a third party.' What's next? What do you do? Is that an information security issue? I don't think so. It's a compliance issue; it's a legal matter. But the CISO is going to be stuck with [handling] that task, but we can't ask CISOs to be lawyers -- that's why [organizations] have legal departments. Together, CISOs and legal have to figure out how to make this work.

I don't think companies appreciate just how broad the definition of personal data has become.

They need to determine what happens when a consumer makes a demand and they need to determine if a demand is legitimate. [For example,] what if a consumer asks a broker-dealer to delete their data, but the law states the broker-dealer has to keep the data for seven years? There are exceptions to consumer requests for deleting data. CISOs and legal need to determine what they are going to be asked by consumers, what they're capable of doing, and where the data is. And it's not just because of California's law; other state laws are coming up, too.

Texas, for example, has not one but two regulations winding their way through. Unless CISOs are incorporating legal into this, they're going to be left adrift. They can't do this by themselves. They're beginning to be asked to make legal determinations, and that's not something they can do. They're beginning to be asked to make risk assessments. Legal and security are now joined at the hip. There's no avoiding it.

What strategies should CISOs consider to keep their organizations as secure as they can, while also protecting privacy?

Giordano: All these statutes are going to require a large audit of your capabilities: What are you doing now for security and privacy? What personal data do you have? I don't think companies appreciate just how broad the definition of personal data has become. The [proposed] New York law turns almost everything into personal data. Even inferences of personal data are personal data. Say I have your GPS location and I tracked it over a week or so, I can infer a lot about you: where you work, where you like to go for fun. It's remarkable how little information you need to infer things about people. Companies don't appreciate this enough. They just don't understand how far privacy has come in a very short time.

Where are CISOs most vulnerable when it comes to meeting the requirements of these state privacy laws and other new regulations?

Giordano: They're most vulnerable when they're dealing directly with consumer demands. They're used to protecting their organizations. I don't know if consumers are yet calling these companies, but once they're apprised of what their rights are, you can bet they will call. In the EU, they were calling -- or worse, complaining to -- authorities.

And besides money, I think the next one is just getting the attention of senior management, the CEO and the board and to get them to understand how important this is. They don't have an equal seat at the table yet. I'm hoping these laws will change that dynamic.

What steps should they be taking to better meet the regulations?

Giordano: Identifying personal data is its own discipline and a discipline that's underappreciated, but it's going to be a discipline that has to be cultivated in an organization. You want to be able to be very precise and that's going to take some work. Once you're good at it, you have to determine how to police it and ensure you're meeting the requirements of the laws for you and, in some cases, those third parties who are also required to meet these regulations.

Collectively, all these state statutes are going to force us to look at what personal data is and whether what we're doing with it is legitimate. The attitude in the U.S. has been to collect everything. That has been turned on its head.