Yesterday, I had a great podcast with two guests. They were both on at the same time, and to be honest, this is the first time where I have actually moderated a podcast. It was really a lot of fun. The topic yesterday was that of the CCPA, which is the recent data privacy law that was just recently passed in California.
In this podcast, I had the same guest from before in which we talked about the GDPR, as well as a high-powered attorney who specializes in laws surrounding data privacy, especially as it relates to the CCPA.
The first part of the show was dedicated to what the CCPA is all about, and all of its legal ramifications. From there, it segwayed into what it means to the standpoint of businesses of all sizes that hit the criterion for being CCPA compliant.
We also talked about what the CCPA means for the average American citizen, and what he or she should do in case they believe their Personal Identifiable Information (PII) has been compromised in any way.
Heck, we even talked about what the legal steps are in order to file a lawsuit against in the case that an individual believes that they have been breached, and to what sort of qualifications that they should look for in a good data privacy attorney. The second part of the show then went into the security aspects of the CCCPA.
Interestingly enough, the CCPA is very vague in how a particular business entity should implement good security practices, or “Cyber Hygiene” in order to ensure that are up to the compliance standards of the law. I thought this to be very odd, given just how detailed the CCPA stipulates noncompliance, and the associated fines and penalties that go with it.
The guest who handled this part of the show said it all comes down to having not only a fortified barrier of defense, but also making sure that the source code you use to create and deploy your applications are secure themselves, especially when it comes down to using third party APIs. Only a good penetration test can reveal any weaknesses or holes, as well as ascertaining the corrective actions to be taken.
Of course, this penetration testing has to be done on a regular basis in order to ensure that your business is up to snuff with everything. Finally, one of the last questions that I asked both guests was that given the dynamics of the Cyber Threat Landscape, and the plethora of data privacy laws that are expected to abound this decade, if it would be even worth it have a separate, federal department something like the “Department of Cybersecurity” to handle all of this stuff.
They both said that this possibly could happen, but it probably won’t actually transpire for some time to come, unless of course, there is some cataclysmic Cyber event that takes place here in the United States. This is how the Department of Homeland Security (DHS) was created, in quick response to 9/11. So, it is by no coincidence, that some of the news headlines this week have actually been around this very same theme.
The latest headline to come out was just actually a couple of days ago. Apparently, the bill as introduced by U.S. Kirsten Gillibrand, would create a separate entity under the Data Protection Act (DPA), if this bill were to be actually passed. Some of the macro goals of this proposed entity would include the following:
*Enforce data privacy laws:
*Have the means to carry out the enforcement procedures – which includes civil and even criminal penalties, and even stiffer fines/penalties than what is being imposed currently by the CCPA;
*Stimulate and promote further data privacy ideas to both the public and the private sectors;
*The creation of a list of best standards and practices that all businesses can use in making sure that they are following a uniform guideline when it comes to hardening and protecting the databases that store the PII;
*The establishment of a set of specific guidelines as to what kind of PII businesses can share amongst one another or other third parties (assuming of course they have the explicit consent of the individual I question).
The DPA would also have three, specific core missions which are as follows:
*Americans would have control over their own data:
By this, you and I will have the ability to question a company without fear of retaliation if we believe that our PII has been violated by any means. In this manner, we could hypothetically, file an investigative request with the DPA, and from there, then they would take the appropriate legal actions into looking into this matter further, and see what is really going on.
*Ensuring that everybody has equal access:
This part would make use of what are known as “Privacy Enhancing Technologies”, or “PETs” in order to help create that list of best standards and practices for businesses across all industries. Also, this component would ensure that all American citizens have the fundamental right to question where and how there PII is being stored, by making use of the mechanisms as afforded by the DPA. This is, for purposes of illustration, very similar to our Constitutional right to have an attorney in any legal proceedings that we might ever face.
*Preparing for the future:
One of the points raised in the podcast is that the Cyber laws that are currently in place as well as the proposed bills simply cannot keep up with the constantly changing Cyber Threat Landscape. In this regard, this is where the DPA would then step in. For example, this entity would keep both the Congress and the Senate updated with the latest threats in this particular landscape, as well as any other privacy or Cyber technology issues that could very well crop up whenever. Also, the DPA would represent the United States at international conferences when it comes to Cybersecurity and data privacy, and even have signing power to make any proposed international treaties into actual, enforceable laws.
More detail about this bill can be seen here at this link:
My Thoughts On This
Honestly, I think having a something like this is a great idea. But in my opinion, it should fall under as a subset of a newly “Department of Cybersecurity”. So yes, I am giving my affirmations that something like this is needed and should be implemented sometime this year. Look, the Cyber Threat Landscape will never cease to exist, and nor will the Cyberattacker. There will be newer and much more sophisticated that will keep coming out, which will almost be impossible to keep up with.
Also, the technologies that are being used are also advancing a fairly rapid clip, especially in those areas when it comes to Artificial Intelligence (AI) and Machine Learning (ML). In other words, there is a lot of disparate gaps out there, and we need another agency that can synthesize all of this together and provide a common repository of knowledge that all businesses and even individuals can access.
Plus, this proposed new department would have full and complete enforcement powers, and even have their own law enforcement staff, such as having another version of the Secret Service or FBI. In this regard, this new enforcement arm would even work with these teams in order to apprehend and bring to justice suspected Cyberattackers.
As the CCPA has been passed, there are also other states in the Union that are working on crafting their own set of related laws and enforcing them. Heck, there is even talk of having a separate Cybersecurity coordinator for each state. In the end, there will be nothing but chaos as every state will be doing things in their own ways. Thus, that is why we further need a separate Department of Cybersecurity in order to harmonize and gel all of this together.
But there is fear that if this department were to be actually created, it would just lead to more bureaucracy in an already overlayered institution. That is why both the Federal Government and the American private sector are needed to work hand in hand together in order to make sure that things happen quickly and efficiently (if that is even possible???)
Also, this new Department of Cybersecurity would clearly spell out what the fines and penalties are for non-compliance, which is actually still quite vague in the CCPA. Finally, believe it or not, the United States is the only country in the free world that does not even have in the remotest sense a central agency that deals with Cybersecurity at a national level – all of the other democratic countries do.
It’s about time finally that we have one in place and ready to go.