Advertising Privacy to Consumers

On October 13, 2022, The Wall Street Journal had a full one page ad about consumer privacy rights.  My first impression was of wonder.  But then realized it was a vendor of privacy solutions, much like us.  Regardless of the reason for the ad, the importance of it is that it focused on educating consumers that they have a right to privacy and a right to exercise it. 

The right to private action is one of the largest risks businesses will have to face once these laws are enforced.  California and Virginia and California being the first law that gives consumers the right to private action, 2023 will be an interesting year to see where the topic of privacy and security affects businesses due to consumer pressures and expectations.

Laws and Acts Effective Dates

In 2021 and 2022 several laws were passed specific to consumer privacy.  Although all 50 states have data breach reporting requirements, only 5 have comprehensive privacy laws, however at least 22 states have pending consumer privacy laws.

Start with Fundamentals

Ignorance is no longer acceptable. Regulators and your customers no longer will accept it as a reason for not doing anything to protect the data you collect from your customers and employees.  Although it may seem daunting to need to develop another program, a security and privacy program is a requirement to do business now. 

Just like learning a new sport, developing a security and privacy program starts with the fundamentals.  Over time with better practices and testing will you get better.  No one can expect to be a professional level player out the gate.  

Small to medium size businesses are collecting data, so the fundamentals for a privacy and security program starts with:

1. Be aware of your vulnerable “entry points”, your website and your firewall.
2. Develop some of your core policies, such as a Privacy, Incident Response, Disaster Recovery, and Personal Information Management Policies.
3. Train your employees and contractors about your policies and make sure they are aware of potential threats that may cause data loss, ie: phishing.

Although a comprehensive program requires more, the goal is to get started and build on your program as your organization grows.  Maturity is a key to an affective program and ensuring that the policies and practices that are instituted in the company are reviewed and modified to take into consideration the current operations is critical and shows maturity.

A privacy and security program can be manageable and doesn’t have to break the bank.  Start off small and make a plan, implementing best practices.  Since the threat ecosystem is constantly changing, businesses need to rely on tools to help make this program development and maintenance feasible.  uRISQ provides that tool set:

1. Threat Scanning – automatic monthly scanning of your website and firewall
2. Privacy Assessment – Policy and plan templates
3. Data Breach Support – the first step in your Incident Response Plan
4. Data Subject Access Request – Compliance with regulated access request requirements
5. Vendor Management – mitigating your risk of third party data loss