
In the United States, California has traditionally dominated the privacy conversation. That is changing. Organizations doing business in Virginia, Colorado, Utah and Connecticut must now learn and comply with new regulations of their own.

Adding a new dimension to the cost of data breaches, the explosion of regulations coming into force in 2023 can inflict real costs on non-compliant businesses. Read on to learn about existing and upcoming legislation and how you can protect your business and your users with simple but effective changes, such as stronger password policies.

2023: The year of data privacy laws

Privacy legislation has changed slowly, but in 2023 almost all of the five regulations below come into effect, making it a huge year for state data privacy laws. Start implementing the necessary changes today to avoid problems later.

  • California Privacy Rights Act (CPRA): An amendment to the California Consumer Privacy Act (CCPA), which was passed in 2018. The CPRA was passed on January 1, 2023, and was scheduled to go into effect July 1, 2023. In a last-minute decision, the California Superior Court delayed implementation until March 29, 2024 at the earliest. The CCPA remains in full force.
  • Virginia Consumer Data Protection Act (VCDPA): The second state privacy law, passed in March 2021 and effective January 1, 2023.
  • Connecticut Data Privacy Act (CTDPA): Adopted in May 2022, this legislation only recently came into force, on July 1, 2023.
  • Colorado Privacy Act (CPA): Similar to Connecticut, it went into effect on July 1, 2023. But it’s not until January 1, 2024 that the requirement for a universal opt-out mechanism comes into effect.
  • Utah Consumer Privacy Act (UCPA): Bringing up the rear, this finally goes into effect on December 31, 2023. While not the last of these state privacy laws to be passed, the UCPA’s implementation date is the last of them all.

What does regulation expect from organizations?

All laws focus on protecting consumer information collected and used by organizations. However, understanding the different privacy laws is difficult for businesses in the states above. It’s even harder for multi-state companies.

Each regulation provides the right to access, delete and opt out of data collection and storage. Almost all offer a right to rectify existing information, with the exception of the UCPA. Most laws do not allow opt-out of processing of sensitive data, with definitions of sensitive data varying from state to state.

Fortunately, all regulations generally provide a cure period of at least 30 days to correct errors.

Where the regulations differ is in which organizations they apply to. Most apply to large companies or to organizations that handle large volumes of consumer data. Consult the list below to see which data privacy laws apply to your organization.

  • California (CCPA and CPRA): Gross revenue of $25 million or more and processing data from at least 100,000 consumers, or deriving at least 50% of gross revenue from sharing or selling data.
  • Virginia (VCDPA): Companies processing data from at least 100,000 consumers, or from at least 25,000 consumers while deriving at least 50% of their gross revenue from sales of data.
  • Connecticut (CTDPA): Companies processing the data of at least 25,000 consumers and deriving at least 50% of gross revenue from the sale of data, or processing the data of at least 100,000 consumers, excluding purely payment-related transactions.
  • Colorado (CPA): Companies that process the data of at least 100,000 consumers, or of at least 25,000 consumers while deriving revenue or receiving a discount from the sale of personal data.
  • Utah (UCPA): Companies with $25 million in annual gross revenue that process data from at least 100,000 consumers, or that process data from at least 25,000 consumers and derive at least 50% of gross revenue from sales of data.

Consequences of a breach

Beyond reputational damage, every privacy law carries a real monetary cost for non-compliance. While the amounts are not all the same, penalties per violation range from $5,000 in Connecticut to $20,000 in Colorado. Most states set civil penalties at $7,500, with minor differences.

There are more than a few recent examples of compromises that began with phishing. They include the Activision breach at the end of 2022 and the Norton LifeLock compromise in early January, in which an employee’s previously compromised account was used to log into Norton customer accounts, resulting in data loss.

If your computer systems are hacked due to compromised user credentials and user data is stolen, the penalties can quickly add up, especially for large companies spanning multiple states.

Building a strong defense can mitigate both the reputational and the real-dollar costs of a breach. Most attackers are looking for low-hanging fruit such as easy-to-guess passwords or previously leaked credentials.

Naturally, companies may wonder how best to protect their customers through compliance, themselves from fines, and their reputation from bad press. A proactive company focuses on protecting its data.

One of the best ways to protect yourself is to enforce a strong password policy, require multi-factor authentication, and block compromised passwords.

Password security protects your business and your customers

Compromised passwords can lead to infrastructure vulnerabilities and loss of customer data, which may violate various state data protection regulations. Depending on the circumstances, non-compliance means potential liability and high costs under each of those state data protection laws.

A two-pronged approach to securing your organization’s passwords goes a long way to preventing security breaches.

First, audit the existing passwords used within your organization. Specops Password Auditor is a free download that scans your Active Directory for password vulnerabilities, including over 940 million compromised passwords.


Then secure future password changes and comply with the latest legislation with a tool like Specops Password Policy with Breached Password Protection.

Specops Password Policy extends the functionality of Group Policy and has an easy-to-use interface that helps organizations enforce a stronger password policy, meet compliance standards, and block over 3 billion known compromised passwords.


By blocking compromised passwords, you can protect your organization from potential data breaches and significant fines under recently passed data privacy legislation.

With the number of data privacy laws growing, protecting your organization has never been more important.

Sponsored and written by Specops Software
