Close this search box.
Update of State Data Security Laws

EP 116: Update of State Data Security Laws

Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.

Sign Up Now!

About this episode

October 11, 2022

Did you know there’s an avalanche of state and federal privacy laws and regulations that are either being actively debated or have been passed and will soon take effect starting in January 2023? Let’s find out which ones matter most with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle Virtual Chief information Security Officer at Cyber Risk Opportunities and Jake Bernstein partner at the law firm of K&L Gates, visit them at and

Kip Boyle: Jake, hey, man. What are we going to talk about? This is episode 116 of the Cyber Risk Management Podcast.

Jake Bernstein: Hey, Kip. Today, we're going to talk about the avalanche of state and federal privacy laws and regulations that are either being actively debated or have been passed and will soon take effect starting January, 2023. So, it's well past time for a regulatory update, so let's do it.

Kip Boyle: Okay. All right. Yeah, it's something we all have to track, so we're grateful that you are here to help us to do that. So let's see. And now, I'm wondering how many new or changing laws and regulations could there possibly be since we last discussed this topic?

Jake Bernstein: Well, I have to say, I don't remember exactly the last time we did an episode on this, but I feel like it's been quite a while. If we find out before the end of the episode, we'll let people know. Otherwise, we'll put a link in the show notes.

Kip Boyle: Yeah, definitely do that.

Jake Bernstein: But let's start out with the biggest deal that probably will ultimately fizzle out and be a big nothing burger. And yes, I look for opportunities to say that. It's not really a phrase I use, but I've heard it and I think it's funny. And unfortunately, I'm speaking of the American Data Privacy and Protection Act. It has passed out of its committee in the House of Representatives slated to be discussed by the full House and maybe the Senate, though it's got some serious headwinds.

Kip Boyle: Okay. But that's a big deal, right? Because this is going to standardize at the federal level, right? And people have been asking about that. And so I don't know if this is what everybody's going to call it, but we'll call it the ADPPA. Why not?

Jake Bernstein: Yep.

Kip Boyle: Right?

Jake Bernstein: That's what people call it.

Kip Boyle: It's going to be a lot better than saying it in full every single time I want to talk about it.

Jake Bernstein: Yep.

Kip Boyle: All right. So, at this point, if I learned anything from Schoolhouse Rock!

Jake Bernstein: Schoolhouse Rock!

Kip Boyle: It's not a law. It's just a bill.

Jake Bernstein: It is just a bill. That's correct. And the ADPPA is an exciting bill. In fact, it's the first bipartisan/bicameral, meaning that it has at least some support in both the House and the Senate comprehensive privacy bill to be seriously considered in over 20 years. And Kip, when I say comprehensive, I really mean it. The ADPPA, again, in my opinion, is stronger than the CCPA and the CPRA. And honestly, it could be considered in the same league as the GDPR, the European General Data Protection Regulation.

Kip Boyle: Okay. That's a big deal. That is a huge, huge deal because when you roll back the clock to 1999, when a predecessor to GDPR was-

Jake Bernstein: '95, actually.

Kip Boyle: Yes. Yeah. Well, that's what I'm saying. Prior to 1999 at least, so go back to '95, the difference in the approach to privacy between Europe and America couldn't have been more different. It was almost the polar mirror opposite. And now, in 2022, we're talking about potentially flipping the script in America to align with Europe. Am I seeing this correctly?

Jake Bernstein: Yeah, I think you are. And I think it really is as big a deal as we're making it out to be. And I think I've thought a lot about this. You'll have to indulge the philosopher in me for a moment here.

Kip Boyle: That's why you became an attorney. Isn't it?

Jake Bernstein: It is, yeah, pretty much. I used to be what I would call a privacy unconcerned. That's a phrase that some people have used to discuss the various camps of people who think about or the way people think about privacy. In other words, I was like, "I have nothing to hide. I don't care."

Kip Boyle: As in your personal privacy rights?

Jake Bernstein: Yeah, yeah, yeah.

Kip Boyle: You were on board with Scott McNealy who infamously said, "Privacy's dead. Get over it."

Jake Bernstein: Yeah. Yes, I would say that was true. All of that, for me, began to really change with the Cambridge Analytica scandal of, at that point, Facebook. And I would say that in the years since, I've really, really changed my tune. And let me tell you why is that the... And I apologize for the impending doom and gloom, but I strongly believe that we have created unintentionally, of course, I mean, no one did this on purpose. But we have created a scenario whereby there is so much data collected that we have handed. I mean, we've created a national security crisis. I mean, we've handed so much intelligence in the CIA term of intelligence to our nation state enemies for free. They just have it. And they didn't have to do anything.

Kip Boyle: Right.

Jake Bernstein: It's just there. We did it to ourselves. But not only that, we have created a situation where we don't even realize how manipulated and affected we are by the data that is collected on us. And I was struck, we're recording this amusingly after we recorded episode 117, which will air in the future. That's the fun of recording podcast in the past to be aired in the future. But what happened yesterday on the date of recording was on September 8th, 2022, the FTC held its public forum on commercial surveillance and lax data security practices as part of its Magnuson-Moss rulemaking that it has been making a lot of noise about. And this is a big deal. And let me tell you why, is that, first of all, even though it was a five and a half hour webcast, it wasn't just for fun.

I actually even told the associates I work with to pay attention to this because under the Magnuson-Moss Act that is... I'm not going to get into the details of Mag-Moss rulemaking versus Administrative Procedure Act rulemaking, even though I know everybody wants to hear it. The thing about that event was that it's building a record. It is part of the public record. And here's why this is so important. Everything said in that event, oh boy, was it a lot, is now part of what's going to be called the administrative record for what the FTC is going to use to make rules. And if you go back, it's going to be, I mean, by definition, it's public record. It will be available. It was all recorded. It will be made available. Each people, anybody involved in cyber and privacy, probably should go back and listen to part of it, if not the whole thing, including you, Kip.

Kip Boyle: Okay.

Jake Bernstein: And because it really tells different stories that we don't always hear. For example, did you know that Black women are not shown advertisements for certain jobs. And they just never get the opportunity because the algorithms have decided that based on all the data that gets collected, that demographic just doesn't get to see those advertisements. These are things I didn't really know. And why would we necessarily, unless we are steeped in the advocacy component of privacy. And so the American Data Privacy and Protection Act, is it going to solve all of these issues? No, not necessarily, but it was a start. And we need something like it, because even if we're skeptical of some of the claims of the advocates about discrimination, although I do think all of it is very real.

Here's a piece that we should not be skeptical about, which is there are countries that are more than happy to gather data, use that data to train AI algorithms that can make manipulation even more effective. And if anybody listening thinks that our elections and everything about our society hasn't been affected by these practices over the last half decade, I'd be surprised. I bet you everyone is fully on board with what I'm saying. And the only way that we can protect ourselves is privacy. We probably need to stop collecting so much data. And part of me can't believe I'm saying that, because five years ago, I would've never ever come even close to thinking that, let alone saying it on a podcast.

But if you think about the threats, how much damage can be done to a society when your children don't even realize they're being advertised to and manipulated via an early, early component. And real quick kind of horrifying example that one of the panelists gave was of a younger girl whose age was not given, but she had written to a large social media company and asked them if they would please delete her algorithm because she wanted to stop seeing content that triggered her eating disorder. And of course, she got no response. This is already way deeper than I would've expected this episode to go because when I was preparing for it, this event hadn't happened. But you can see that this event is a big deal. And the testimony given is really critical to understand the ways that people are affected. And so...

Kip Boyle: It's not only that, right? I want to add just another dimension to this before we continue in the episode. But another thing about privacy is that... Take YouTube, for example. Every time I go onto YouTube, it just offers me the same stuff I've always been watching.

Jake Bernstein: Oh, yes.

Kip Boyle: Which I don't like.

Jake Bernstein: No, that's a really, really important point.

Kip Boyle: I like variety. I want to be shown new things. That's just who I am. I don't want to watch the same garbage over and over and over again. If I watch a video on how French fries are made in a factory, I don't want my entire page of videos to be how this is made in a factory and how that's made in a factory. And would you like to know how potatoes are grown? And it's like, "No, stop." That's a silly example.

Jake Bernstein: But it's just not.

Kip Boyle: Because I'm just talking. Well, okay, but the reason why I'm bringing it up is because I want to build on it. If I am a political extremist and I watch extreme content, then the algorithm's just going to keep serving me. That extreme content's going to put me in this echo chamber where my very ability to discern what is true and what is not true, it comes into question.

Jake Bernstein: No, that's exactly it. And you're really hitting on probably the end game of what concerns me most, which is we look at... People look at political extremists and think, how can they think that? How can they possibly believe any of that? And the problem is that they have been shown nothing but statements that they agree with. They think that they are the only sane one. Right?

Kip Boyle: Right.

Jake Bernstein: And it's a major... This is the kind of thing that can... I mean, this can result in... This is life or death, not just of a society, but of individual people and...

Kip Boyle: American Democracy, right?

Jake Bernstein: And American Democracy. It really is true. So, I look at ADPPA because that's, remember that's where this conversation started. And look, I recently co-wrote an article with my partner, and here's my shout out to longtime listener, Whitney McCollum.

Kip Boyle: Hi, Whitney.

Jake Bernstein: You've now been mentioned on the Cyber Risk Management Podcast. Come, be a guest. We'd love to have you.

Kip Boyle: Yeah. Whitney, come, guest.

Jake Bernstein: And it was published in the Puget Sound Business Journal discussing how the ADPPA is good for everyone or would be good for everyone. And I mean, both consumers and business regardless of their size. And one of the reasons is simply consistency. The ADPPA would mostly, with some exceptions, preempt state law and smooth over that unworkable patchwork of state rules and regulations that is currently causing so much problems. And I don't know, Kip. What do you think? Would you rather have one law to deal with?

Kip Boyle: Yeah, I would. And I think the case in point is when you and I were working a potential data breach last year, about 18 months ago now, I remember we were talking to the owners of the company and they didn't understand data breach rules and so forth. And I remember we were essentially saying, "Well, without a detailed analysis of your business records to know exactly where everybody in that you've been serving lives, we can't really tell you what you need to do yet because there's 50 different rules, one for every state, and it's going to take some time to figure it out." So just a practical example of how a simplified federal rule would be much better.

Jake Bernstein: It's so unnecessary. Do we really need 50... And let's say it's not 50. Realistically, let's say it's 20 different. But do we even need 20 different sets of rules for how to notify people if a breach occurs? We don't.

Kip Boyle: Right. Yeah. Yes. And so I think that practical example, I hope, makes the point that I believe it would be preferable to have a single set of rules to follow on the topic. And not only that, but if you factor in some of the things that we just soapboxed on, I don't want there to be a haven in the United States where you have a small number of states that will not regulate this and try to push back the dominance of algorithms in our life.

Jake Bernstein: Yeah, that's right.

Kip Boyle: I want a uniform regulatory set of rules that's going to protect everybody all at once.

Jake Bernstein: Yep. No, I think that's right. That's very much true. So, hey, I don't want to spend too much time talking about the ADPPA, because right now, as we record this, it doesn't look like it's going to make it even to the full House for a hearing.

Kip Boyle: What? I thought you said it was bicameral support.

Jake Bernstein: Well, it is, except that... Let's not discuss that because then this will become a political complaint podcast.

Kip Boyle: Okay,

Jake Bernstein: I don't want to do that. So let's think about what's... But before we leave the ADPPA, I do want to hit on one thing, which is...

Kip Boyle: Okay.

Jake Bernstein: This is the Cyber Risk Management Podcast, not the Privacy Risk Management Podcast, but the ADPPA says a lot on cybersecurity. And in fact, it would formalize requirements for cyber risk management, which I mean, how could we not love that on the Cyber Risk Management Podcast? It would create a series of certification requirements that are reminiscent of Sarbanes-Oxley only cybersecurity instead of company accounting. And most importantly, it really does have a broad enforcement set of rules by both federal and state authorities and a private cause of action. So there you go. And Kip, why don't you tell us... Give us the list. What are the seven specific risk management requirements in the ADPPA?

Kip Boyle: Yeah. And remember everybody, just because the ADPPA may not pass today on this session, it's establishing inertia.

Jake Bernstein: It is.

Kip Boyle: And some form of it will probably pass in the future. So this is great. So if this one should happen to pass, here are the seven items. The first one is you have to assess your vulnerabilities, which is great. The second one is you need to take preventive and corrective action based on what you find. There's a obligation to evaluate your preventive and corrective action to...

Jake Bernstein: Over time.

Kip Boyle: Yep, over time. And I'm just listing them, right? We can kind of unpack them a little bit too, if you want. The fourth item is you have to consider information retention and disposal. The fifth item is you have to do training. The sixth is a designation requirement. And the seventh is incident response. So what's-

Jake Bernstein: Since I wrote, since I was poorly preparing you for that designation requirement, let me just say that that's designation of basically someone to own the cybersecurity.

Kip Boyle: Okay. I would've guessed that.

Jake Bernstein: Yeah, that's what that means.

Kip Boyle: Now I want to make a comment about the relationship between cybersecurity and privacy, which you're going to hear this again in episode 117. So just take this as a form of... What do they call that in a novel when you foreshadowing? Foreshadowing. There we go.

Jake Bernstein: Signposting foreshadowing? Yeah, foreshadowing.

Kip Boyle: Yeah. Yeah. Chekhov's gun. So here's the thing. I don't personally like the convergence that's happening. I know, Jake, you've accepted it. I will probably accept it, the convergence between cybersecurity and privacy. But I will acknowledge that you can't really achieve full privacy without cybersecurity. So I love the fact that this is codified in ADPPA, but I want to point out that there's something in here about the information. You'll notice, and I think if I'm seeing this correctly, none of these seven things really talk about what data to collect, because I don't think that's a cybersecurity responsibility. Those are business rules that need to be made. In other words, the business has to decide what data it's going to collect, and then it's kind of the cybersecurity program's job to protect it once it's collected. But we don't really have a voice in what to collect, how much of it to collect, when to start, when to stop. So, to me, that's a hard partition between the two disciplines.

Jake Bernstein: It is. And one of the things that we... I've done a presentation on this, is what is cybersecurity versus what is privacy? It might even be worth its own episode at some point, but privacy is much more about what you do with data and how you use it as opposed to how it's protected.

Kip Boyle: That's right.

Jake Bernstein: Stuff like that, right?

Kip Boyle: Yeah.

Jake Bernstein: Totally different.

Kip Boyle: Absolutely. And by the way, did we talk about... I don't think we've reasserted why it is that the Europeans have such a different perspective on...

Jake Bernstein: It has been a while. I'm sure I've said it before, but I'll say it again. And here's the phrase that I think gets most people. It certainly always quiets a room when I bring this up, which is just imagine what Hitler would do with Facebook, right?

Kip Boyle: Right.

Jake Bernstein: Because that is the history that we're dealing with here, is that the European Union, as it formed in the aftermath, the devastation of World War II looked around and saw that Nazi Germany was the first user of big data. And they used it for not nice things.

Kip Boyle: Right.

Jake Bernstein: It's bad. The Holocaust was caused by the abuse of big data.

Kip Boyle: Well, it was enabled, absolutely, enabled by.

Jake Bernstein: Enabled by, right.

Kip Boyle: And then after World War II, the East German state secret police maintained detailed files on its citizens to the point where they wasn't even computerized. They just had index cards and giant catalogs of all this information they were collecting on all the citizens and the abuses that led to, and let's face it, Putin has been weaponizing Facebook against us in the 2016 elections. And so we're already seeing political abuses of privacy in this country. So that's why the Europeans are so sensitized to it because it's been life and death for them. And now, we are starting to experience. I don't think life and death yet, per se, for...

Jake Bernstein: It's close.

Kip Boyle: ... citizens, but it's-

Jake Bernstein: Actually-

Kip Boyle: ... life or death of democracy.

Jake Bernstein: January 6th, I mean, again, I'm not going to make this a political podcast. I don't think it's particularly controversial to say that January 6th was enabled by data collection and abuse.

Kip Boyle: And algorithms, yeah.

Jake Bernstein: And algorithms.

Kip Boyle: Yeah, I think that's fair.

Jake Bernstein: I think that's a fair. I mean, I'm going to say it's fair.

Kip Boyle: Okay. All right. All right. All right.

Jake Bernstein: Okay, so that's the ADPPA. One of the last thing about that, that I want to bring up, is that there's a common concern, and I'm going to just going to go a completely different direction than where we've been, is that how does a small business deal with regulations that are meant for big business and the ADPPA to its credit. And I hope that whatever version of it eventually gets passed someday retains this, but it understood that and did create... It put different sets of requirements, not fundamentally different, but different enough to calm the fears, that, "What do you mean my small business is going to be expected to do the same thing as Microsoft?" Right? The law isn't going to expect that. It doesn't expect that of you now.

Kip Boyle: It's per se unreasonable if they did. Right?

Jake Bernstein: I would agree with that per se. Good use of that. Yes. Okay. All right, Kip, what do you want to discuss next?

Kip Boyle: Okay. What do you think about what's going on in California?

Jake Bernstein: Okay, fair. Except I want to save California for the end because it has the most to talk about.

Kip Boyle: Oh. Oh, okay. All right. So you don't want to talk about California yet?

Jake Bernstein: No.

Kip Boyle: You asked me what I wanted, what you want.

Jake Bernstein: I just realized that I reversed the script again. This is what happens when we go off script, but... So let me hit on a few highlights from 2021 in the first three quarters of 2022. And I'll start with the...

Kip Boyle: Okay, so just general highlights of different...

Jake Bernstein: General highlights of laws and changes and regulation and cybersecurity. And I don't think we've ever mentioned this on the podcast, but it's great. In January, 2021, so almost two years ago, Congress enacted an amendment to HIPAA and HITECH and what it did... Oh, 42 USC (a) section 17941 for those who want to Google it. What it did is create a not quite safe harbor that kind of basically gives the enforcer of HIPAA, which is, in case you didn't know, the Office of Civil Rights within the Department of Health and Human Services. Strange place for it, but that's where it's always been. And what this amendment does is it allows OCR to say, if you have implemented and are using "recognize security practices," this is a defined term, you know how I love my defined terms, then essentially, we'll take it easy on you if you have a health data breach. I mean, that's obviously not the wording on the statute, but it is the concept of the statute.

And what I love about this is that it defines recognized security practices as basically, and again, not a direct quote, anything that NIST says and anything that C-I-S-A or CISA says, that's being a little bit flippant. But essentially what it's doing is codifying, as a "recognized security practices," all the stuff we love, the NIST cybersecurity framework, the Special Publication 800 series, the various tools and warnings put out by the cybersecurity and infrastructure security agency, CISA. So pretty awesome, like a new trend of this.

Kip Boyle: Real quick question. What if I follow this Essential Eight, which is an emerging thing from Australia, which I think really moves the needle? But what if NIST and CISA never says anything about Essential Eight does? What would your interpretation be?

Jake Bernstein: My interpretation, because it's actually pretty straightforward, is that wouldn't count as it stands right now.

Kip Boyle: Oh, that's not good. I don't want to unpack that. We can unpack that later. Yeah, I just thought it would be interesting.

Jake Bernstein: Now, remember, the thing is, though, if you could find any NIST or CISA document that even suggests that something like the Essential Eight is useful, then you basically bring it under...

Kip Boyle: You're golden.

Jake Bernstein: ... recognized security practices, then you're golden.

Kip Boyle: Yeah. Okay. Got it. Got it. Okay.

Jake Bernstein: All right.

Kip Boyle: Fascinating.

Jake Bernstein: Back in 2021, there was also the adoption of national privacy laws by Brazil, South Africa, and China. We also saw the passage of comprehensive privacy legislation in Colorado, Virginia, and of course, the California Privacy Rights Act update to the CCPA. And then last but not least, we had, in December of 2021, to soon go live. In December of this year, we have the FTC update its safeguards rule under Gramm-Leach-Bliley. So we've discussed that before. There's a whole episode on that. We'll put it in the show notes. So, yeah, that's some stuff. Kip, why don't you tell us about what NIST has been up to because they've been busy, busy, busy?

Kip Boyle: Yeah, they have been. And in fact, I was very appreciative that you recently watched a livestream that they did on their efforts to produce a version two of NIST cybersecurity framework, but that hasn't happened yet. But what has happened is-

Jake Bernstein: Lots of breaking news, Kip, is that I forwarded you this morning of recording a link to the full recording of the journey to CSF 2.0 workshop, which is now publicly available.

Kip Boyle: Well, okay. Breaking news yet again. Let's not make this a habit because we're not news-

Jake Bernstein: Just to be clear, we are not a news podcast. You cannot be a news podcast when you record six weeks in advance.

Kip Boyle: Or nine or whatever we happen to be.

Jake Bernstein: Yes. What you get though is a consistent release schedule, right, Kip? Yeah.

Kip Boyle: Which everybody loves plus evergreen topics. So, you go back and listen to so-called old episodes, but they will actually smell just as fresh as the day we baked them. All right.

Jake Bernstein: Or reasonably proximity of fresh.

Kip Boyle: Yeah. Well, okay. But anyway, what NIST has been up to in 2022? Well, here's the big thing. The Biden administration issued an executive order and...

Jake Bernstein: Which we talked about in a previous episode.

Kip Boyle: Yep. NIST, one of the things it did is it published a big update to Special Publication 800-61, which is related to cybersecurity supply chain risk management, which is excellent. We absolutely need help with that. Think about Kaseya and a whole Laundry, your list of other supply chain exploits, including going back to 2017, NotPetya was actually a supply chain exploit. The NIST has done a large report on ransomware risk management. They've published some industry profiles for the NIST cybersecurity framework. And they've actually translated the framework into seven or more languages, which is great, because here's the thing, in the past, especially in Europe, there was a kind of tilt against adopting a lot of US standards for a lot of things. And I wasn't sure-

Jake Bernstein: It's changing and I love it.

Kip Boyle: Yeah. I wasn't sure what the international adoption rate would be for CSF, but yeah, it's doing really, really well. And I would just say there's a whole cauldron of bubbling activity over at NIST. They've updated so many other documents. And it's fun to see and satisfying to see that much effort going on there.

Jake Bernstein: It really is. It really is. I think it's great. And as you mentioned, there is this journey to CSF 2.0. I think it's going to be great. And this was an interesting point at the CSF 2.0 kind of public webinar hearing thing, is that none of what NIST does is law per se, and they want it that way. They don't want to be in the business of writing regulations, which I think is great, which is important, but-

Kip Boyle: Messy and difficult.

Jake Bernstein: It absolutely matters because it does evolve the professional standard of care. And that is what goes into defining reasonableness for courts. So even though it's not law, it kind of also isn't not law. And I don't even know how many negatives I just said, but still, it matters. It matters a great deal even if you're not in HIPAA, HITECH, and you've got the whole recognized security practices deal. And then real quick too, I think we actually did a podcast about the SEC's actions back in early 2022, but I just wanted to mention those because I think those are important rulemakings that are part of the kind of story of the regulatory update that we're seeing right now this year. But let's go ahead.

I realize looking at the time, this is going to be one of those 45-minutes podcast episodes for sure, but I want to wrap this up by talking about California and the CPRA, and so I'm going to do it again. I didn't even know, but a slight breaking news, even though it's not breaking anymore by the time you listen to this, but the California AGO in August of this year, 2022, did finally issue the first ever fine under CCPA. It was against Sephora, which is yes, the cosmetics company. And it's a big deal because one of the weaknesses of the CCPA, in my opinion, has really been the lack of enforcement activity. Remember that there is a private right of action, but it's only for data breaches. And that means that all of the California privacy rights, like the right to be forgotten and the right to access and the requirements about non-discrimination and just everything that's not a data breach can only be enforced by the California AGO. And it took two and a half years. Now, I give some...

Kip Boyle: Leeway?

Jake Bernstein: Leeway just because of the pandemic really distracted all of us from doing stuff like this. But the California Privacy Protection Agency, the CPPA, is about to take over enforcement in January from the AGO. So it's not like this enforcement's going to slow down. But what's great is essentially the fine was about failure to listen or, I should say, respect, do not track signals using the general privacy control. And we're not going to go into too much detail on that, but essentially it's going to be a big deal on industry, how they deal with that. So, yeah, the last gasp I think of CCPA is going to be that, and then soon we will be in the CPRA era.

Kip Boyle: And then do we have time to make a comment about CPRA and how that affect cyber risk management?

Jake Bernstein: Yeah, I think we do. I don't think a ton has changed in the CPRA with respect to cybersecurity, but I just mentioned it a second ago. The biggest change is simply the creation and funding of the California Privacy Protection Agency. There are a number of tweaks and changes to the privacy components. Not a great deal about cybersecurity. I think this is a missed opportunity for California. It's one of the weaknesses in my mind of the CPRA simply because, as we were talking about, cyber risk management is showing up more and more around the world and in these laws. And California law just hasn't quite gotten there yet, which is a frustration. So that's where that comes into play. But it's happening elsewhere. We already talked about the ADPPA. It turns out that New York DFS, years ago, we talked about the DFS cybersecurity rule, which was one of the first cybersecurity rules that basically borrowed heavily from the cybersecurity framework. They're working on an update to that rule, which will incorporate even more cyber risk management requirements, which is great.

Kip Boyle: Yeah, well, that just kind of actually accelerates this idea of converging cybersecurity and privacy. I just hope it doesn't go too far because I think there is some hard barriers there.

Jake Bernstein: I don't think it will. And it's always be obvious. I still think that privacy and cybersecurity are going to remain different departments in most companies so that it shouldn't be too worried. I do want to mention before we wrap up finally for real, that there are a bunch of other states that we should at least mention. So, you've got the Consumer Data Privacy Act in Virginia. For those keeping track of all the acronyms, that's the CDPA to go along with the CCPA, the CPRA, and the CPPA. I'm just having fun now.

Kip Boyle: You are.

Jake Bernstein: The Virginia Consumer Data Privacy Act will have or has an effective date of January 1st, 2023 as well. They do have a safeguard rule that involves certain contractual requirements. They require data protection assessments. It's another one where the state ag has the exclusive authority to enforce. So that's interesting. You've got the Colorado Consumer Privacy Act. This is just the CPA, which will always be the Consumer Protection Act to me.

Kip Boyle: Oh, the folly of acronyms.

Jake Bernstein: But you know what, it's a good thing. They didn't call it the Colorado Consumer Privacy Act, Kip, because that would be another CCPA.

Kip Boyle: It's crap.

Jake Bernstein: Yeah, that's true. And similar, at this point, all of these laws are converging a bit because what happens is one state right's one, other state legislators are like, "Oh, I'm going to take that."

Kip Boyle: Well, there's probably a model law out there that they're all looking at too, right?

Jake Bernstein: That's right. That's correct. And so that one has an effective date of July 1st, 2023.

Kip Boyle: Yeah. It's kind of making the case for the federal laws.

Jake Bernstein: Oh, it is. It is.

Kip Boyle: "Hey, here comes all the state stuff, ADPPA, get your butt in here."

Jake Bernstein: Now, we have what is probably not the final name and act concerning personal data privacy and online monitoring from Connecticut, also with an effective date of July 1st, 2023. This one is probably the strongest after CPRA. It's got, again, data protection assessment requirements. It's got enforcement activities built in. It's got the requirement for data controllers to actually use reasonable administrative, technical, and physical measures to protect inaudible.

Kip Boyle: Data controllers, that's right out of GDPR, isn't it?

Jake Bernstein: That is GDPR. I think I've gone on record before, but I'm just going to say it again. Controller and processor are the only two words that we need. They are the best description and labels for these concepts. I wish that we would just use them anyway. Neither here nor there. So the Connecticut law does actually have a requirement to protect the confidentiality, integrity, and availability of personal data. So that's great. That is a cybersecurity component. And then last but not least is the Utah Consumer Privacy Act. Another CPA with an effective date of December 31st, 2023. And it's probably, not to offend anyone, but it's probably the weakest. It's just not quite as strong as the others. Kip, that's a lot. We don't even know what's going to end up happening in all the states this coming year. I expect that this is going to be... We probably could do this episode once a year for the next several years.

Kip Boyle: Well, then we'd be a legal podcast. And I don't think that's really what we set up.

Jake Bernstein: No, no, no. Just one time a year. Because there's going to...

Kip Boyle: Okay, maybe one time.

Jake Bernstein: My point is that there's going to be so much... I think we're kind of hitting the hockey stick, right? Part of the growth curve of privacy laws.

Kip Boyle: Yeah, to me, that's really the takeaway from the episode today. We've shared so many data points, but if you plot those data points, you get the hockey stick. And I think that's really what we're trying to say is.

Jake Bernstein: It is.

Kip Boyle: Everything is trending to federal legislation on privacy, and it will probably resemble GDPR and it's going to flip the tables over for a lot of people in America.

Jake Bernstein: It's coming. That's the bottom line.

Kip Boyle: I think that's true for all the reasons we talked about in the beginning of the episode and probably more. And I think it's a good thing. I'm skeptical of regulation. I'm cautious about regulation. I think we need this though. I mean, if that was a political statement for you, for you or anybody else, okay, but that's my professional judgment on the matter, so I'm glad we got a chance to talk about it.

Jake Bernstein: Yeah, me too. So let's go ahead and wrap it up.

Kip Boyle: Well then, let's wrap up this episode of the Cyber Risk Management Podcast. And today, there is an avalanche of new impending laws and regulations around cybersecurity and privacy in the US. We took a look at them. And what did we see? Well, we're trending in a certain direction here. I won't repeat myself. You know where we're going, so I'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at Thanks for tuning in. See you next time.

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.