US cybersecurity and data privacy laws are, to put it lightly, a mess.
Years of piecemeal legislation, Supreme Court decisions, and government surveillance crises, along with repeated corporate failures to protect user data, have created a legal landscape that is, for the American public and American businesses, confusing, complicated, and downright annoying.
Businesses are expected to comply with data privacy laws based on the data's type. For instance, there's a law protecting health and medical information, another law protecting information belonging to children, and another law protecting video rental records. (Seriously, there is.) Confusingly, though, some of those laws only apply to certain types of businesses, rather than just certain types of data.
Law enforcement agencies and the intelligence community, on the other hand, are expected to comply with a different framework that sometimes separates data based on "content" and "non-content." For instance, there's a law protecting phone call conversations, but another law protects the actual numbers dialed on the keypad.
And even when data appears similar, its protections may differ. GPS location data might, for example, receive a different protection if it is held with a cell phone provider versus whether it was willfully uploaded through an online location "check-in" service or through a fitness app that lets users share jogging routes.
Congress could streamline this disjointed network by passing comprehensive federal data privacy legislation; however, questions remain about regulatory enforcement and whether states' individual data privacy laws will be either respected or steamrolled in the process.
To better understand the current field, Malwarebytes is launching a limited blog series about data privacy and cybersecurity laws in the United States. We will cover business compliance, sectoral legislation, government surveillance, and upcoming federal legislation.
Below is our first blog in the series. It explores data privacy compliance in the United States today from the perspective of a startup.
Every year, countless individuals travel to Silicon Valley to join the 21st century Gold Rush, staking claims not along the coastline, but up and down Sand Hill Road, where striking it rich means bringing in some serious venture capital financing.
But before any fledgling startup can become the next Facebook, Uber, Google, or Airbnb, it must comply with a wide, sometimes-dizzying array of data privacy laws.
Luckily, there are data privacy lawyers to help.
We spoke with D. Reed Freeman Jr., the cybersecurity and privacy practice co-chair at the Washington, D.C.-based law firm Wilmer Cutler Pickering Hale and Dorr about what a hypothetical, data-collecting startup would need to become compliant with current US data privacy laws. What does its roadmap look like?
Our hypothetical startup—let's call it Spuri.us—is based in San Francisco and focused entirely on a US market. The company developed an app that collects users' data to improve the app's performance and, potentially, deliver targeted ads in the future.
This is not an exhaustive list of every data privacy law that a company must consider for data privacy compliance in the US. Instead, it is a snapshot, providing information and answers to potentially some of the most common questions today.
To kick off data privacy compliance on the right foot, Freeman said the startup needs to write and post a clear and truthful privacy policy online, as defined in the 2004 California Online Privacy Protection Act.
The law requires businesses and commercial website operators that collect personally identifiable information to post a clear, easily-accessible privacy policy online. These privacy policies must detail the types of information collected from users, the types of information that may be shared with third parties, the effective date of the privacy policy, and the process—if any—for a user to review and request changes to their collected information.
Privacy policies must also include information about how a company responds to "Do Not Track" requests, which are web browser settings meant to prevent a user from being tracked online. The efficacy of these settings is debated, and Apple recently decommissioned the feature in its Safari browser.
Freeman said companies don't need to worry about honoring "Do Not Track" requests as much as they should worry about complying with the law.
"It's okay to say 'We don't,'" Freeman said, "but you have to say something."
The law covers more than what to say in a privacy policy. It also covers how prominently a company must display it. According to the law, privacy policies must be "conspicuously posted" on a website.
More than 10 years ago, Google tried to test that interpretation and later backed down. Following a 2007 New York Times report that revealed that the company's privacy policy was at least two clicks away from the home page, multiple privacy rights organizations sent a letter to then-CEO Eric Schmidt, urging the company to more proactively comply.
"Google's reluctance to post a link to its privacy policy on its homepage is alarming," said the letter, which was signed by the American Civil Liberties Union, the Center for Digital Democracy, and the Electronic Frontier Foundation. "We urge you to comply with the California Online Privacy Protection Act and the widespread practice for commercial web sites as soon as possible."
The letter worked. Today, users can click the "Privacy" link on the search giant's home page.
Spuri.us, like any nimble Silicon Valley startup, is ready to pivot. At one point in its growth, it considered becoming a health tracking and fitness app, meaning it would collect users' heart rates, sleep regimens, water intake, exercise routines, and even their GPS location for selected jogging and cycling routes. Spuri.us also once considered pivoting into mobile gaming, developing an app that isn't made for children, but could still be downloaded onto children's devices and played by kids.
Spuri.us' founder is familiar with at least two federal data privacy laws—the Health Insurance Portability and Accountability Act (HIPAA), which regulates medical information, and the Children's Online Privacy Protection Act (COPPA), which regulates information belonging to children.
Spuri.us' founder wants to know: If her company starts collecting health-related information, will it need to comply with HIPAA?
Not so, Freeman said.
"HIPAA, the way it's laid out, doesn't cover all medical information," Freeman said. "That is a common misunderstanding."
Instead, Freeman said, HIPAA only applies to three types of businesses: health care providers (like doctors, clinics, dentists, and pharmacies), health plans (like health insurance companies and HMOs), and health care clearinghouses (like billing services that process nonstandard health care information).
Without fitting any of those descriptions, Spuri.us doesn't have to worry about HIPAA compliance.
As for complying with COPPA, Freeman called the law "complicated" and "very hard to comply with." Attached to a massive omnibus bill at the close of the 1998 legislative session, COPPA is a law that "nobody knew was there until it passed," Freeman said.
That said, COPPA's scope is easy to understand.
"Some things are simple," Freeman said. "You are regulated by Congress and obliged to comply with its byzantine requirements if your website is either directed to children under the age of 13, or you have actual knowledge that you're collecting information from children under the age of 13."
That begs the question: What is a website directed to children? According to Freeman, the Federal Trade Commission created a rule that helps answer that question.
"Things like animations on the site, language that looks like it's geared towards children, a variety of factors that are intuitive are taken into account," Freeman said.
Other factors include a website's subject matter, its music, the age of its models, the display of "child-oriented activities," and the presence of any child celebrities.
Because Spuri.us is not making a child-targeted app, and it does not knowingly collect information from children under the age of 13, it does not have to comply with COPPA.
No concern about data privacy compliance is complete without bringing up the European Union's General Data Protection Regulation (GDPR). Passed in 2016 and having taken effect last year, GDPR regulates how companies collect, store, use, and share EU citizens' personal information online. On the day GDPR took effect, countless Americans received email after email about updated privacy policies, often from companies that were founded in the United States.
Spuri.us' founder is worried. She might have EU users but she isn't certain. Do those users force her to become GDPR compliant?
"That's a common misperception," Freeman said. He said one section of GDPR explains this topic, which he called "extraterritorial application." Or, to put it a little more clearly, Freeman said: "If you're a US company, when does GDPR reach out and grab you?"
GDPR affects companies around the world depending on three factors. First, whether the company is established within the EU, either through employees, offices, or equipment. Second, whether the company directly markets or communicates to EU residents. Third, whether the company monitors the behavior of EU residents.
"Number three is what trips people up," Freeman said. He said that US websites and apps—including those operated by companies without a physical EU presence—must still comply with GDPR if they specifically track users' behavior that takes place in the EU.
"If you have an analytics service or network, or pixels on your website, or you drop cookies on EU residents' machines that tracks their behavior," that could all count as monitoring the behavior of EU residents, Freeman said.
Because those services are rather common, Freeman said many companies have already found a solution. Rather than dismantling an entire analytics operation, companies can instead capture the IP addresses of users visiting their websites. The companies then perform a reverse geolocation lookup. If the companies find any IP addresses associated with an EU location, they screen out the users behind those addresses to prevent online tracking.
Asked whether this setup has been proven to protect against GDPR regulators, Freeman instead said that these steps showcase an understanding and a concern for the law. That concern, he said, should hold up against scrutiny.
"If you're a startup and an EU regulator initiates an investigation, and you show you've done everything you can to avoid tracking—that you get it, you know the law—my hope would be that most reasonable regulators would not take a Draconian action against you," Freeman said. "You've done the best you can to avoid the thing that is regulated, which is the track."
Spuri.us has a clearly-posted privacy policy. It knows about HIPAA and COPPA and it has a plan for GDPR. Everything is going well… until it isn't.
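The IP-screening approach Freeman describes above, written out as an added example (this is not code from the article, from Malwarebytes, or from Freeman's firm). The geolocation table is a constructed stand-in for a real GeoIP database, the addresses come from documentation ranges, and the gate fails closed: an address it cannot parse or place is treated as possibly EU, so no tracking is loaded.

```python
import ipaddress
from typing import Optional

# EU member states as ISO 3166-1 alpha-2 codes. Constructed for this example;
# whether to add EEA states or the UK is a policy decision made elsewhere.
EU_COUNTRIES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
})

# Constructed stand-in geolocation table (prefix -> country). These are the
# RFC 5737 / RFC 3849 documentation ranges, labelled arbitrarily so the
# example runs offline; a real deployment queries a GeoIP database instead.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("2001:db8:1::/48"): "FR",
}


def lookup_country(ip: str) -> Optional[str]:
    """Return the country code for ip, or None if it is unparseable or unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    # Longest-prefix match: check more specific networks before broader ones.
    for net in sorted(GEO_TABLE, key=lambda n: n.prefixlen, reverse=True):
        if addr.version == net.version and addr in net:
            return GEO_TABLE[net]
    return None


def tracking_allowed(ip: str) -> bool:
    """Decide whether analytics pixels and tracking cookies may be served.

    Unknown or malformed addresses are refused (fail closed) rather than
    assumed to be outside the EU.
    """
    country = lookup_country(ip)
    if country is None:
        return False
    return country not in EU_COUNTRIES
```

Note that the client address seen by the server is only as trustworthy as the proxy or load balancer in front of it, so the lookup should use the address the edge layer has already validated rather than a raw forwarded header.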
Spuri.us suffers a data breach.
Depending on which data was taken from Spuri.us and who it referred to, the startup will need to comply with the many requirements laid out in California's data breach notification law. There are rules on when the law is triggered, what counts as a breach, who to notify, and what to tell them.
The law protects Californians' "personal information," which it defines as a combination of information. For instance, a first and last name plus a Social Security number count as personal information. So do a first initial and last name plus a driver's license number, or a first and last name plus any past medical insurance claims, or medical diagnoses. A Californian's username and associated password also qualify as "personal information," according to the law.
The law also defines a breach as any "unauthorized acquisition" of personal information data. So, a rogue threat actor accessing a database? Not a breach. That same threat actor downloading the information from the database? Breach.
In California, once a company discovers a data breach, it next has to notify the affected individuals. These notifications must include details on which type of personal information was taken, a description of the breach, contact information for the company, and, if the company was actually the source of the breach, an offer for free identity theft prevention services for at least one year.
The law is particularly strict on these notifications to customers and individuals impacted. There are rules on font size and requirements for which subheadings to include in every notice: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "More Information."
After Spuri.us sends out its bevy of notices, it could still have a lot more to do.
As of April 2018, every single US state has its own data breach notification law. These laws, which can sometimes overlap, still include important differences, Freeman said.
"Some states require you to notify affected consumers. Some require you to notify the state's Attorney General," Freeman said. "Some require you to notify credit bureaus."
For example, Florida's law requires that, if more than 1,000 residents are affected, the company must notify all nationwide consumer reporting agencies. Utah's law, on the other hand, only requires notifications if, after an investigation, the company finds that identity theft or fraud occurred, or likely occurred. And Iowa has one of the few state laws that protects both electronic and paper records.
Of all the data compliance headaches, this one might be the most time-consuming for Spuri.us.
In the meantime, Freeman said, taking a proactive approach—like posting the accurate and truthful privacy policy and being upfront and honest with users about business practices—will put the startup at a clear advantage.
"If they start out knowing those things on the privacy side and just in the USA," Freeman said, "that's a great start that puts them ahead of a lot of other startups."
Stay tuned for our second blog in the series, which will cover the current fight for comprehensive data privacy legislation in the United States.
The post The not-so-definitive guide to cybersecurity and data privacy laws appeared first on Malwarebytes Labs.