EPISODE 150
Privacy Laws Driving Demand for Cybersecurity


About this episode

January 30, 2024

Twelve US states now have major privacy laws, up from only five last year. How is that driving demand for cybersecurity? Let’s find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So, Kip, what are we going to talk about today in, wait for it, episode 150 of the Cyber Risk Management Podcast?

Kip Boyle: We did it. So I-

Jake Bernstein: We did it.

Kip Boyle: I was a little premature when I got so happy on episode 149, but now you can't get mad at me.

Jake Bernstein: No, it's a big deal. I don't know the statistics, but 150 episodes seems like a lot.

Kip Boyle: It is a lot. And especially because we only release every other week.

Jake Bernstein: It's true.

Kip Boyle: So it's not like 150 issues... Yeah, episodes of a weekly or God help us a daily.

Jake Bernstein: That's true. I mean, it's twice a month, right? Well it's roughly twice a month. We did this math. There's 52 weeks in a year.

Kip Boyle: Yeah, it's about 26 episodes a year.

Jake Bernstein: 26 episodes a year.

Kip Boyle: So do the math. That's like five years, right?

Jake Bernstein: It is. All right. So what are we going to talk about today in this episode, 150?

Kip Boyle: All right. Once I get over my elation at episode 150, what we're going to talk about is the incredible proliferation of state comprehensive privacy laws in just the past year. Just in 2023. And we're also going to touch on some important updates involving state level rulemaking. If you don't know what rulemaking is, we'll explain that too. Rulemaking is important. And look, sometimes I kid and I say, "Well, this is the legal episode or the privacy episode." And if you don't want to talk lawyer, tune out now, but don't, because this is actually very important for all of you in the audience. Even if you're not an attorney or you're not a privacy professional, keep listening. Right, Jake?

Jake Bernstein: I couldn't agree more, Kip. I mean, this stuff is absolutely critical and I do want to give a disclaimer right at the outset that there's no possible way that we're going to be able to get into detail on everything that's happened this year. Our goal is to help the audience gain awareness of what's going on, what happened this past year and what's likely to happen over the next few years. And for today, to narrow the scope a bit, we're only discussing state level privacy laws and regulations. We've very recent-

Kip Boyle: So in the United States?

Jake Bernstein: In the United States, yes. We've recently discussed some federal rules. We talked about the new SEC rules in a relatively recent podcast episode. I know we've talked about FTC activity. We've talked about DOJ activity in other episodes, but this episode is pure state law.

Kip Boyle: All right. So there's only 50 of those little things running around. Where do we start?

Jake Bernstein: Yeah. So let's start with a quick review of where things stood on January 1st, 2023.

Kip Boyle: All right.

Jake Bernstein: So on that day... First of all, there were four laws that started to take effect and those laws had been passed in 2021 and 2022. And I say took effect. Again, details we're not going into that. Some of these took effect that day. Some of them took effect later on in 2023. My point here is that we had certain laws that existed as of that day, and those are the California Privacy Rights Act, which was a significant update to the CCPA, the Virginia Consumer Data Privacy Act, the Colorado Privacy Act, and Connecticut's privacy bill, which as far as I know doesn't have a catchy name, which is probably for the best because given the name of the state, it would be just another acronym with a bunch of C's, P's and A's. We can't get away from it. It's ridiculous.

Keep in mind that Utah's privacy law was also passed. It also existed as a passed law as of January 1st, 2023, but it will have taken effect quite recently by the time you listen to this episode, on December 31st, 2023.

Kip Boyle: Okay. So that means there were already five state laws existing at the beginning of 2023. Now, before we move into new states because I think that's where we're going and new laws. Did anything important happen with respect to just these ones that came on in 2023? Is there anything that we need to say about them first?

Jake Bernstein: Why, Kip, thank you for asking. Yes, both California and Colorado engaged in a lot of "rulemaking".

Kip Boyle: Okay. So this is the part of the episode where we get to pay off on the promise I made at the top of the episode, which is rulemaking. What in the world is rulemaking? It can't possibly be as simple as it sounds, right?

Jake Bernstein: Oh, Kip, you know me so well. So rulemaking one word is a formal legal process whereby administrative agencies write rules, hold public hearings, take in and process public feedback, and ultimately publish a final set of rules that we will generally call regulations. And there are several different types of rulemaking throughout the country, both at the state and federal level. Again, details. We're not worried about that right now. But not all follow a model that has been standardized by or based on the Federal Administrative Procedures Act, and then the many, many state versions of it. So there's a federal administrative Procedures Act, sometimes just called the APA, and then many states have essentially copied it.

Kip Boyle: So it's like having a model rule that everybody-

Jake Bernstein: Yeah, exactly. And there's no need to get into detail about how it all works. I'll just put it this way. There is an entire law school class called administrative law. Yes, I took it. Yes, the book is thick.

Kip Boyle: And you liked it.

Jake Bernstein: I actually did like it, particularly since I started my career working for an agency. And in fact, within the first two years of my career, I was rulemaking personally following the procedure.

Kip Boyle: And that's a pretty big deal for somebody fresh out of law school. Right?

Jake Bernstein: It was, yes. It was fun. So we're not going to get into detail about how it all works, but what's important is that a final published regulation, more or less has the same force of law as a statute that's been passed by a state legislature or Congress. And I would say that for the most part, our audience shouldn't bother worrying about the legalistic differences between statutory law and agency developed regulations. Just follow them both and talk to your lawyers. There are differences. There are different ways to challenge them.

Agency action can be challenged in a different way than somebody trying to enforce a state law. But let's just keep it simple. Follow the regulations. You might as well think of them as having the force of law and there's a big process before they come out. And that process is supposed to protect us from, I guess ourselves.

Kip Boyle: All right. From the tyranny of rulemaking. All right, so thank you for giving us permission to not unpack those legalistic differences. I appreciate that. It means we actually have a chance of finishing what we really started here. Okay. So California and Colorado, you said that they engaged in a lot of rulemaking in 2023 with respect to their privacy laws. Okay. Is that a big deal?

Jake Bernstein: It's a huge deal, Kip. So in California, the California Privacy Protection Agency, which by the way we knew it was coming, but it came into being this year... Or sorry, in 2023. And their job is to enforce the California Consumer Privacy Act and to make rules about the CCPA. And so they've already held multiple public meetings, oftentimes the first Friday of the month, and each time they tend to roll out pages and pages and pages of stuff.

A lot of the time it's called draft proposed rules, or you'll see proposed draft rulemaking. And they're a funny thing. They aren't yet the official proposed rules. They're just drafts, but they're highly likely to become officially proposed rules. The public is going to talk about them. So we pay attention to them even though they're not yet rules. In fact, just this year-

Kip Boyle: They're rules in training.

Jake Bernstein: They're rules in progress. The CPPA has published, again, draft proposed rules involving cybersecurity audits, risk assessments, and a whole set of rules about automated decision-making restrictions. All of these were discussed as recently as the CPPA's December 8th, 2023 meeting. Now, we don't have time to dive into details here, but the topics alone I think are fascinating. The titles are fascinating. And the thing about rules, Kip, is that they can sometimes dramatically expand the scope of a regulatory agency's purview. And I think that's what we're going to see here with the CPPA as a good example.

There's nothing clearly stated in the CCPA or its amendment, the CPRA about cybersecurity audits or risk assessments. Not specifically. But that's where the CPPA is going. And I think 2024 is going to be an absolutely wild ride. There's even some aspects of other rules that were... I didn't mention them because they were actually written in 2022. They were supposed to take effect in 2023, but there was a lawsuit filed by the California Chamber of Commerce and they won.

So some of these rules got pushed out to... They won't be effective until March 2024, which is coming right up. And those rules are hypertechnical. They're about something called the, we'll kind of hit on this a bit later, but it's something called the general privacy control and preference signal based opt-out. If that sounds more techie, more security-focused, that's because it is, and the people listening need to pay attention.

Kip Boyle: So this is why I said in the beginning of the podcast, you might think that this is an episode for lawyers and privacy people only. Hopefully you understand why I said that.

Jake Bernstein: Okay. And by the way, the cybersecurity audits that's going to come to you, our audience. Those are going to fall on your laps.

Kip Boyle: Right. And is it also true that if we're going to see a bunch of rulemaking in California, I mean, that's going to really... Whatever those rules are, once they're approved, isn't that going to influence what other states do?

Jake Bernstein: Absolutely. Not only will it influence what other states do with their own rules, it'll just naturally influence everything because California is so big.

Kip Boyle: Right. And they tend to be leaders in these areas. And other people just like, "Okay, we'll just follow them because they've already done the hard lifting and the hard figuring out." But let's talk about Colorado. Right? Because you said that they're also doing a bunch of rulemaking in '23, right?

Jake Bernstein: That's right.

Kip Boyle: Okay. So look, I'm going to put a link in the show notes for that so that we don't have to grind through it here on the episode. But if you live in Colorado or if you're going to be subject to that law, you should probably go check that out, right?

Jake Bernstein: Yeah. And that link you're going to put is... It's a link to another episode of a different podcast that my firm does called Gateway to Privacy. And it is an entire episode only about the Colorado Privacy Act regulations. And the summary is that we basically go through the 50 pages or so of rules that Colorado wrote to augment its law. So have fun with that one.

Kip Boyle: So wait a minute. The other podcast is called The Gateway to Privacy like the K&L Gates way? Like that?

Jake Bernstein: Yeah, I admit that was all me actually. And they approved it, believe it or not.

Kip Boyle: Well done. Actually I think that's kind of clever.

Jake Bernstein: Okay.

Kip Boyle: That's what I thought. I thought it was clever.

Kip Boyle: Well, and I figured it out. You didn't even tell me.

Jake Bernstein: I didn't tell you, no. And so something to remember on this point. Just because your company isn't based in any particular state with one of these laws, it does not at all mean that you and your company aren't going to be subject to these requirements. You've got to ask your in-house attorneys for help if you aren't sure. But if you think about it, we just had a great episode. I'm hoping it's an instant classic about digital trust. And the thing about the ARPANET, which became the internet is that it doesn't care about state borders, oddly enough. So you're doing stuff, you're impacting citizens in every state more likely than not. That's going to ultimately-

Kip Boyle: You read my mind.

Jake Bernstein: Ultimately, that will determine whether you have to deal with these laws.

Kip Boyle: Yeah. I'm a small business owner. Cyber Risk Opportunities is not a big company and this makes me nervous, like, "Oh my gosh, how am I possibly going to comply with all these different jurisdictions?" It can cause my head to spin.

Jake Bernstein: And fortunately, Kip, I can tell you right now that you really don't have to worry too much. All of the state laws as written have a threshold of applicability and it's a numbers game. So for California, we've talked about this in the past, but for California, the simplest one is 25 million. If your revenue is less than 25 million, then you don't have to worry about the CCPA.

Kip Boyle: Ah, fascinating. I'm glad you reiterated that.

Jake Bernstein: And then for some reason it's hard to say why, but California is the only state currently that is using a revenue figure. The other states use a different measurement, and that is that on an annual basis you need to process, and that's broad, the personal information of 100,000 citizens for most of the states. Delaware is less because a hundred thousand people is like a sixth of that state's population, but it's still a big number.

So these laws as currently set up are quite different than GDPR. GDPR doesn't care how big you are at all. Instead it just applies. Whereas the state laws, you don't have to be a big business to hit a hundred thousand, particularly if you're advertising online and gathering IP addresses because that's enough. That counts, that counts. So bottom line, ask your in-house attorneys for help if you aren't sure if a law applies to you.

Kip Boyle: Okay. All right. So there's a lot of rulemaking activity. I think that's interesting of course. But let's go back to something that we said at the beginning of the episode. So at the start of 2023, there were five states with major privacy laws. And now you're saying here at the end of 2023, now we're talking about 12 or 13. So we've got a net new, I don't know, seven or eight states with new laws just in 2023. Right? That's a massive expansion. Am I hearing you right?

Jake Bernstein: Kip, you are hearing me right. It is more than double. And you know what? I'm just going to not hide the ball here. We're not going to bury the lede. Here's the quick list for those who don't like waiting. This is just alphabetical order. I could order these many different ways. This is via the alphabet.

Kip Boyle: Okay.

Jake Bernstein: Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, and sort of Washington. And that sort of Washington is why I say 12 or 13.

Kip Boyle: Okay. And I know you're going to want me to put another link in the show notes, which I'm happy to do, which is going to kind of expand on this list.

Jake Bernstein: Yeah. So the IAPP, which is the International Association of Privacy Professionals, put together this great comprehensive privacy law tracking chart. We will put a link in the show notes. It is super valuable. If you haven't clicked to the link, Kip, or anyone else listening, you should do so. It's quite interesting. It's really useful.

Kip Boyle: And we promise it's not a phishing attack.

Jake Bernstein: It is not a phishing attack.

Kip Boyle: Okay. Now so many questions. Let's just start with state of Washington. That's where we live. So right away in that list, since it was the last one and so familiar to me, are you saying we're half regulated? What are you saying here?

Jake Bernstein: What am I saying here? It's a good question. So as you might know, having lived here for quite a while, we have been trying to pass the Washington Privacy Act for five years now, and we haven't done it. And no, we didn't do it. What we did pass, however, in Washington State is something called My Health, My Data Act. And as you might guess, it involves health related consumer data. And get this, it's one of the strongest privacy bills to get passed in 2023 despite it being much more narrowly focused than the others.

It has, which is rare, a private right of action, which that's code for, there will be class action lawsuits, strict consent requirements and other notice provisions that apply to the processing of consumer health information. And I have a really easy way to think about this. This is a HIPAA gap filler law. What do I mean by that?

Kip Boyle: What's the gap?

Jake Bernstein: People have a broadly mistaken concept that HIPAA, which is the Health Insurance Portability and Accountability Act, applies to everything that relates to health. Most people think that PHI stands for private health information. I have news. It does not. One, the acronym actually stands for protected health information. And only covered entities generate PHI. And covered entities is a relatively small group of essentially your healthcare providers. That's pretty obvious. Insurance and health plans. And certain parts of the government that work with Medicare and Medicaid is essentially what HIPAA covers.

What that means though, particularly in this age of smartwatches and AI, AI-based therapy applications, there is a lot of health related data that we put out there that is not regulated under HIPAA. It's not considered protected health information.

Kip Boyle: So it's out of scope for that.

Jake Bernstein: It's out of scope. So a HIPAA gap filler law... By the way, the CCPA is also now a gap filler law, a HIPAA gap filler law that was part of the California Privacy Rights Act amendments. That's what this law is. It will protect the data that is health related but not subject to HIPAA.

Kip Boyle: Wow. Okay. So I'm sensing a full episode.

Jake Bernstein: It probably would be a good idea because have you heard of BIPA Kip? Have we ever talked about BIPA?

Kip Boyle: I don't remember that. It makes me think of spaghetti and Italian restaurants. I don't know why.

Jake Bernstein: Well, kind of. BIPA is the... Although not really at all. The only reason I said that is that BIPA is the Illinois Biometric Information Privacy Act. Chicago is in Illinois. There's lots of pasta places and pizza places. Okay, bad. That was just terrible. We'll move on.

Kip Boyle: We'll get a BIPA. I don't know.

Jake Bernstein: But the bottom line there is that BIPA is famous for having a private right of action. And there are many, many, many, many class actions that get filed over alleged BIPA violations. People are saying that My Health, My Data is the next BIPA. And that's going to be really interesting because if your business, and I mean in the broadest sense touches on health or medical related issues, you should be aware of My Health, My Data. So

Kip Boyle: Good thing I've got a sneeze button. I'm going to use it again.

Jake Bernstein: I think I need a sneeze button or a cough.

Kip Boyle: There we go. All right. I'm glad I didn't blow anybody's ears out. That was a big one.

Jake Bernstein: I think you just hit it again.

Kip Boyle: There's something else about that list. [inaudible] sneeze that time. Of those new states, there's a lot of red states in there or am I

Jake Bernstein: Isn't that interesting?

Kip Boyle: ... tripping?

Jake Bernstein: No, you're not. Indeed there are. And I think that's because privacy is one of the few truly bipartisan issues that holds a prominent place in the public consciousness right now. And what's even more interesting or impressive, or I don't know, whatever adjective you want to include here, is that these privacy laws aren't necessarily all that "business friendly" as you might've expected in a different age. But let's get one thing out of the way first. None of these new laws, the seven, now we're not taught, we're done with My Health, My Data, that's the exception.

None of the rest have a private right of action, which means none of them will be immediately useful to class action lawyers. Now I say that, I'm sure someone will prove me wrong because just because a law doesn't have a private right of action doesn't mean a class action lawyer won't file a lawsuit alleging a violation of the law using some other theory.

It was a big policy decision to not include a private right of action. It happens to be the most significant point of disagreement that has kept the Washington Privacy Act from getting through our own legislature. And it's a really big deal because it means that there won't be enforcement by private parties.

Kip Boyle: Fascinating. Okay. No time to unpack that. So I think the takeaway though is that it's really up to the state attorney general to enforce them, right?

Jake Bernstein: It is. That's right.

Kip Boyle: Okay. So what do you think that means for the level of impact that these laws are really going to have?

Jake Bernstein: It's a good question. It's a major source of uncertainty. I mean, I don't mean to delve into Europe, but the GDPR some have said that it's kind of a paper tiger only because it's been in effect now fully since May 25th, 2018. And there's only been about 3 billion euros or so worth of fines under the GDPR, which is less than the single $5 billion civil penalty that Meta paid based off its violation of an FTC order. That was a couple of years ago that that settlement came out.

Kip Boyle: Fascinating. Would we have predicted that five years ago? I don't think so.

Jake Bernstein: I don't think so either. So the issue here is just looking around, the CCPA has been around the longest, right? It's been enforceable since 2020, but the California Attorney General didn't do all that much with it. Now, to be fair, the law took effect and then three months later, the pandemic shut everything down. So I'm going to largely give the California Attorney General's office a free pass here. They were distracted as were we all from something like privacy law enforcement.

I think we have to assume that the laws now will be enforced at least enough to remain a credible risk in the eyes of business people who focus on risk. I think what we should do now with the remainder of our time, is to give a pretty darn quick overview of these laws, which let me tell you is made a lot easier by the fact that they are all very similar.

Kip Boyle: Okay. So a bunch of students copying off of each other's papers then, I guess, huh?

Jake Bernstein: Very much so.

Kip Boyle: Okay. So I was hoping, also wondering if we were going to get to actually looking at these state laws. So let me start. Now we've got a handy chart, right? This is the one you mentioned from the IAPP and it's not private, right? This chart? It's a publicly available thing?

Jake Bernstein: It's publicly available, yup.

Kip Boyle: Okay, that's great. So the first thing that I noticed is that these laws are really about two very broad categories. So there's consumer rights and business obligations. Now, consumer rights, we've talked a lot about that. And that's actually embedded in the name of a lot of these laws. And of course it's what you expect when things are based on GDPR, right? So you've got things like the right to access, the right to correct records, the right to delete records.

There are rights to opt out of certain types of processing, rights to obtain your data in a portable format, rights related to the processing of sensitive personal information and the use of automated decision-making. But of course, what makes this challenging for businesses and people in our audience is that we have to somehow operationalize all of these rights, which is what I think about all the time is how do I operationalize policies and regulations and laws.

So we have to do that otherwise, when a consumer makes a request to exercise one or more of these rights, we're not going to be ready. And that is going to open us up to criticism and possibly sanction, right?

Jake Bernstein: Absolutely. I couldn't have said it better myself. It really is. And the amount of questions out there about this type of stuff is really... Every single one of those rights, even if they sound kind of obvious, there's nuances to them. For example, the right to delete. A lot of my clients come at me, or what I tend to say... At this point, I just bring it up first to preempt the question, but, Kip, a relational database, most information that is stored these days is going to be in some kind of database, right?

Kip Boyle: Sure.

Jake Bernstein: What happens if you just delete a record completely?

Kip Boyle: Well, a couple things, but one thing that does not happen is you don't get a complete deletion. In most cases, you still have backup records and synchronized records in other places, right?

Jake Bernstein: Yup. And depending on the type of database you have, you might've just crashed it because databases aren't necessarily meant to just straight up delete records. So the question arises, well, how can we delete something if deleting it would crash our system? And the simple answer there is, "Well, you overwrite it with zeros and ones or something, some random string," which works. But then of course you have to ask, "Well, why do we have to do that? Do we always have to do that?"

And the answer is, of course not. Because let's say that you're running a system that is anti-fraud, do you really want to delete all the data that fraudsters have put in there that you've detected them with? Probably not.

Kip Boyle: No. Those are the rules.

Jake Bernstein: Those are the rules. You can quickly see how complicated this gets.

Kip Boyle: Yeah.

Jake Bernstein: Now, I will say that as a practical matter, I have not seen most of the exercise of these rights become a major burden, at least under the California law. But that's anecdotal purely. And even as I say it, I can think of exceptions. But here's what does not depend on exceptions. The amount of burden that you're going to face based on these laws depends entirely on the structure of your business.

So if you're a business like CRO that processes just a handful of people's data, then you can basically keep it on manual. You can take requests on a case by case basis as they come in. You can go into your system and you can manually overwrite, delete, export, all that kind of stuff. It's not going to kill you.

Even if you got one request a week and it takes you an hour to do it, that's still 52 hours of work that you're going to have to get done that didn't exist beforehand. And by the way, that might be optimistic. It might be that one of these requests takes two or three hours, now you're starting to actually hurt a little bit. Now you're talking 150 extra hours that somebody is going to have to deal with. But let's say you're a consumer focused business, and let's say that you're processing the data of hundreds, thousands, tens of thousands of people on a daily basis.

Kip Boyle: Right.

Jake Bernstein: Right? If you get even a sliver of a percent of these on a regular basis-

Kip Boyle: Overwhelming.

Jake Bernstein: ... you will quickly be overwhelmed just with the administrative burden that comes from these. Under California, for example. And this is true for most of the 12 states we're talking about, there's a deadline to respond. And if you don't meet the deadline, you're not in compliance with that law. So you need to really think hard about these consumer rights, which of course leads me to the business obligation side of the equation that you mentioned, Kip.

Kip Boyle: Right.

Jake Bernstein: So first, the corollary of giving people these rights is that the business is going to be obligated to respond to them. But what else is in there? Some states require opt-in mechanisms before data can be processed. That's going to be a huge operational headache. All of them have notice and transparency requirements, which largely comes down to publishing a privacy notice.

Kip Boyle: All right. Well, it's deceptively simple sounding. I think you're going to tell me it's not as simple as that.

Jake Bernstein: It's not. And I think you know why actually.

Kip Boyle: Well, there's just the devil is in the details, I guess.

Jake Bernstein: It is.

Kip Boyle: There's a lot to do.

Jake Bernstein: There's a lot to do. But it's specifically talking about the Identify function of the Cybersecurity Framework. Kip, how do you protect something if you don't know you have an asset?

Kip Boyle: Oh yeah, absolutely. Right? So you've got to have some sort of an inventory... It's got to be accurate, it's got to be complete, otherwise you can overlook things. And a big part of what we're talking about here is not overlooking things because when you overlook things, it can lead to sanction and so forth. So you don't want that to happen. So yeah, I mean, this is going to get crazy quickly. Transparency requirements means you got to know.

Jake Bernstein: Yes. If you think about the notice and transparency requirement, what does that mean? How do you operationalize notice and transparency requirements?

Kip Boyle: Yeah. Well, so let me ask you this. Have people started figuring this out yet?

Jake Bernstein: Yeah. Many of them have. There's different mechanisms. There's data maps, there's tons of different software options that will categorize your cookies, that will attempt to manually... Or I'm sorry, automatically or perhaps I should say automagically, crawl your own databases and your systems to figure out what data you have.

Kip Boyle: So it's not easy. It's not easy, but there are some tools and some approaches that could be adapted, right?

Jake Bernstein: Absolutely. And so much of this goes back to digital trust. Transparency is a key component of digital trust. And that's really what this is about. So you have all of this, right? All of these challenges. But then you add on obligations to conduct risk assessments and document them. You have this somewhat vague prohibition on discrimination, which itself can be complex to figure out. You might think, "Oh no." But taking out the potential political component to what discrimination means, this is much more complex than that. Well, that's a very complex subject.

Kip Boyle: Okay. I'll take your word for it.

Jake Bernstein: This is talking about automated discrimination, things that you might not even realize. Good example is if you've trained an AI, for example, to scan resumes, you have to be able to show that it isn't discriminating against a protected class, which it may have trained itself to do. Even though you might read that and be like, "Oh, we're good on that because we don't discriminate." Almost every business is going to say, "We don't discriminate. We're equal opportunity employer."

I'm sure that you are, but that does not mean you're done examining your business practices for the type of discrimination that is illegal under the privacy laws. And then on top of all of that, you still have to abide by the purpose limitations on processing that you've already allegedly given people notice about. And I can tell, Kip, just from your own body language and tone that complying with these laws is a lot of effort. And the effort required spans the organization. You have to involve legal, obviously, but also marketing and sales and IT, of course, database management, cybersecurity, leadership. These privacy laws-

Kip Boyle: It's a team sport.

Jake Bernstein: It's just as much a team sport as cybersecurity. That's exactly what I was going to say next is that cybersecurity is an essential component of privacy. So even if you're thinking this whole time, "I'm a cybersecurity professional, these privacy laws are somebody else's problem." Not so. We often have said, Kip, that there is not necessarily... Nowhere really is there a straight-up law that says thou shalt have reasonable cybersecurity. Right?

The closest we get is the FTC's enforcement using its unfairness prong of the FTC Act to hold companies accountable for such bad cybersecurity that it becomes unfair to consumers. These privacy laws though, some even say it explicitly, they do arguably create affirmative requirements to have cybersecurity of some kind. They don't require perfect cybersecurity. I think we've said a number of times that that's impossible, but they absolutely do require good security. And there's also a big focus on certain specific web technologies.

Kip Boyle: So I think that was a hint to me and the audience that you're going to bring up the general privacy control, aren't you?

Jake Bernstein: I am, but only briefly because I don't want to have two 45-minute long episodes in a row.

Kip Boyle: Back to back, yeah.

Jake Bernstein: Back to back. So the GPC is just one way to deal with the recent requirement that you'll find in... It is in the CCPA, but it's also in many of the other state laws and the regulations to use something called... The phrasing varies, but it's about preference signal opting out. And what does that mean? Well, it's a way to say that people need to be able to protect their privacy and exercise their rights without jumping through a ton of hoops. And one of the ways needs to be this technologically powered quick and easy method. And the way to think about it is it's a plugin for a browser. Maybe someday it'll just be a setting in a browser.

It is different from the do not track functionality that many browsers have had for years now. Something that's very funny is if you go and read a bunch of privacy notices, you will quickly find that many, if not most of them say, "We don't actually respect the do-not-track function of your browser." Because it hasn't been a legal requirement. Preference signal based opt-out is a little different than "do not track".

You can Google the general privacy control. You'll find the dot-org website. You can find all the specifications for it, and you can find all the different browser plugins that will make it work. And then you'll even find websites out there that will put up a little popup that says, "General privacy control indicated and respected." This is one of those things where it's like, if you're listening to this podcast, you're going to get questions about this stuff.

Kip Boyle: That's true.

Jake Bernstein: And what you need to know is you don't need to be an expert in it. But having heard about it is going to be helpful. I promise you that. So we can discuss the GPC at some point in a later episode. But for now, Kip, please wrap us up before another half dozen states pass more laws.

Kip Boyle: Okay, I will. But if they do, I just like, we'll tackle them as a group as we did this time. I think that makes a lot of sense. Otherwise, that's all we would talk about episode after episode. So let's wrap up this episode of the Cyber Risk Management Podcast. What did we do today? Well, we discussed the incredible fecundity. Jake, really? That's the word you gave me.

Jake Bernstein: Yeah, I did it. I did it. I did it. I'm so sorry. I normally don't interrupt here, but, yes, I really, really hoped that you would read that as I wrote it because I thought it was hilarious.

Kip Boyle: The incredible fecundity. Okay, the word of the day, everybody. Go figure out what that means of comprehensive state privacy laws and regulations. There will soon be 12 states with major privacy laws to comply with and more are going to come. I mean, that's really the other big thing that we said. 2024 looks like it's going to be yet another fascinating year for cybersecurity and privacy, and that's why we'll see you next time.

Jake Bernstein: We'll see you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.