Even though data privacy initiatives are already being mulled in Congress, the passage of a comprehensive data privacy bill similar to the EU’s GDPR is no sure thing. Not only does the United States risk losing leadership in data privacy and security to the EU if no credible protections are introduced, but the entire industry will be hampered if American companies have to contend with a different data privacy law in each state.

Yaki Faitelson explains the problem in this article from Forbes:

Even if a U.S. law is not enacted in the next year or two, it’s clear that state governments are willing to step in to fill the gap. How do U.S. companies manage what is an inevitable sea change in U.S. privacy and security laws? Even taking a conservative view of a future U.S. privacy law, there are three primary IT-related issues that will have to be addressed.

First, as the California Consumer Privacy Act already introduced, personal data will encompass not only standard identifiers — name, address, phone number, driver’s license — but also internet-era handles, such as IP addresses, URLs and geo-location information, as well as anything that can help identify an individual. The first step in protecting and controlling access to data is to find it, but by no means is this an easy problem to solve. Think of all the variations on basic account numbers, let alone more complex internet-era patterns. Developing algorithms to match these patterns will require more than an ad-hoc solution.

Second, this new wave of U.S. privacy laws will require companies to process consumer subject access requests (SARs), which will involve either updating or deleting personal information. To help zoom into specific parts of relevant files, highly granular indexes will have to be built, similar to what search engines use in the background to find text within HTML pages. Then, the files will have to be quarantined and ultimately processed to modify or remove the subject’s personal data.

Finally, a core level of data security will be required — “safeguards to protect against unauthorized access” is the standard language used in these laws. At a minimum, companies will have to perform risk assessments to establish what data is vulnerable — due to overly broad access permissions, for example — and plan to remediate vulnerabilities.
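The first two points above, discovery of internet-era identifiers and a granular index for subject access requests, can be illustrated with a small Python scanner. This is an added example, not code from the Forbes article; the pattern set, the validators and the two sample documents are all constructed here to show why a bare regex is not enough (a version string looks like an IP address) and why hits must be normalized (one phone number written three ways).

```python
import re
from collections import defaultdict

# Constructed sample documents standing in for files on a corporate share.
SAMPLE_DOCS = {
    "ticket-1.txt": "Customer Jane Roe (jane.roe@example.com) called from (415) 555-0123 "
                    "about login failures from 203.0.113.42.",
    "notes.txt": "Build 10.4.999.1 failed; contact 415-555-0123 or 415.555.0123. "
                 "Site at 37.7749, -122.4194.",
}

def _ipv4(v):
    # Reject candidates with an octet outside 0..255 (e.g. "10.4.999.1").
    return v if all(0 <= int(o) <= 255 for o in v.split(".")) else None

def _geo(v):
    lat, lon = (float(p) for p in v.split(","))
    return f"{lat},{lon}" if -90 <= lat <= 90 and -180 <= lon <= 180 else None

# kind -> (candidate regex, validator/normalizer returning None to drop a hit)
PATTERNS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda v: v.lower()),
    "ipv4": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), _ipv4),
    "us_phone": (re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]\d{4}\b"),
                 lambda v: "+1" + re.sub(r"\D", "", v)),   # canonical E.164 form
    "geo": (re.compile(r"-?\b\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}\b"), _geo),
}

def scan(text):
    """Return (kind, raw, normalized, offset) for every validated hit, by offset."""
    hits = []
    for kind, (rx, norm) in PATTERNS.items():
        for m in rx.finditer(text):
            n = norm(m.group(0))
            if n is not None:
                hits.append((kind, m.group(0), n, m.start()))
    return sorted(hits, key=lambda h: h[3])

def build_index(docs):
    """Map normalized value -> [(doc, kind, offset)], so one SAR lookup finds
    every spelling of a subject's identifier and exactly where it sits in each file."""
    index = defaultdict(list)
    for doc, text in docs.items():
        for kind, _raw, norm, off in scan(text):
            index[norm].append((doc, kind, off))
    return dict(index)

if __name__ == "__main__":
    for value, places in build_index(SAMPLE_DOCS).items():
        print(value, "->", places)
```

The offsets recorded in the index are what the quarantine-and-redact step in the second point would consume, rather than rescanning whole files per request.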