Understanding Data Privacy Regulation in the US and how SOAR can Help


Whereas the Global Data Protection Regulation (GDPR) is in effect throughout the European Union, data privacy regulation in the US varies state by state. However, this could change with the Consumer Data Privacy and Security Act (CDPSA) of 2020, currently working its way through legislation. In the meantime, the California Consumer Privacy Act (CCPA) leads the nation in privacy regulation.

The similarities between GDPR and CCPA are the shared objectives around right to access, right to be forgotten, and right to opt-out. CCPA differs in that it requires websites to have a privacy notice. On the other hand, GDPR facilitates the right to correct inaccurate data and requires explicit consent. Both share similar objectives around breach notifications but maintain nuances around timing, reporting authorities, and timing for required notifications to data subjects.

CCPA continues to set the bar domestically, but even this regulation is subject to updates or a completely revamped framework. We are likely to see this in the coming years, as the California Privacy Rights Act (CPRA) has made the state’s November 2020 ballot. In addition, about 15 or so state and federal laws are currently progressing through the system. The bottom line is that change and expansion of data privacy is occurring at an accelerated rate.

What’s more, the US also includes data privacy regulations that are geared either towards a specific industry, such as HIPAA or GLBA, or towards a specific subset of the population, as seen in the Children’s Online Privacy Protection Rule (COPPA). Organizations that navigate these complex webs of data privacy regulations successfully do so as a collaborative effort across GRC, legal, IoT and cybersecurity groups. This collective effort also facilitates a cultural and mindset shift in the business.

Data privacy can no longer be an afterthought when roadmapping business operations and technology shifts.

Similar to GDPR, the US is beginning to recognize the inherent challenges around fragmented regulations issued and enforced by individual states. This is where the previously mentioned CDPSA comes into play. It not only looks to address this challenge through centralized, federally enforced regulation, but it also provides thresholds according to three company dynamics. A small company is defined by CDPSA as having fewer than 500 employees, less than $50 million in average gross receipts over 3 years, and no threshold for data records processed.

This is slightly different from GDPR and holds similarities with CCPA around explicitly defined thresholds according to revenue, employee count, and operations of a business. The US aims to strike a balance between the cost of compliance and the benefits of protecting consumer data. If history has any part in this course, the US legislation will likely cater to commerce. If only we had a crystal ball to determine whether the US legislation would supersede state data protection laws. And can federal legislation meet and exceed the bar set by CCPA? For now, we can still build up our data privacy programs based on the leading best practices.

The Challenge

Most, if not all, organizations large and small are struggling to keep up with these changing data privacy regulations across the country and around the world.

The effort it takes to establish and maintain data privacy compliance within an organization should not fall on one individual or team; it should be a collective effort across the organization to discuss the challenges and understand the course of action. The keys to getting off the ground are to understand your data throughout its lifecycle, system classification for those environments that interact with the data, what third parties are involved, and documentation. Yes, the good old policies and procedures. Although you may love the thought of policies and procedures, we’ll save that for another day. Just know that lacking a documented understanding of your data and systems is a quick way to raise concern with auditors or governing agencies.

When mapping the data lifecycle, be sure to consider all possible ingress and egress avenues, along with any automated processing. This can be an especially challenging aspect if you contract out marketing or employ email distributions and campaigns. Consider the Right to be Forgotten in this instance, and whether your organization can fulfill a request from an EU citizen who wants all personal data deleted, including emails. Suddenly the secondary or outsourced business processes, such as automated email campaigns, become a little more risky for non-compliance.

The SOAR Solution

As data privacy regulations continue to challenge organizations, there is hope, and there are strategies to align technologies, people and compliance adherence with a security orchestration, automation and response (SOAR) solution. By integrating a SOAR platform into the applicable systems, companies are able to synchronize and use data throughout the security operations center (SOC), IT, compliance and other processes.

SOCs and IT departments already have a lot on their plates. Adding compliance responsibilities could spread their already precious time and attention too thin. This is where automation can help.

SOAR can help any organization leverage its existing people, processes and technology, which is helpful when you are required to add new compliance functions to any team. Since certain elements of compliance require human intervention, like validating a data subject’s identity, a SOAR solution can automatically execute designated workflow processes and notify personnel when a manual task is needed. Even better, the SOAR process eliminates the need for the human to do any extraneous tasks by handling everything other than the manual evaluation and decision. Once the human decision is determined and the appropriate action indicated, the SOAR automation and orchestration kicks in to complete the rest of the process.

Leveraging what we know from the aforementioned compliance resources along with automated workflow, teams can quickly respond to data subject requests while maintaining the organization’s critical security posture. Organizations that leverage the automation of their SOAR solution can avoid placing an undue burden on their SOC and IT teams by building workflows that handle most, if not all, of these processes without the need for human actions.

Interested in learning more?

If you’re reading this, your organization is likely overwhelmed with a daily influx of alerts from an evolving threat landscape and is daunted by regulatory and compliance processes and procedures. Swimlane can help! Watch this on-demand webinar to learn how SOAR can help automate your compliance reporting.


Webinar: Streamlining Incident Response and Reporting Requirements in Compliance

As SOC teams continue to mitigate and adapt to cyberthreats, one thing remains constant—incident response will continue to require documentation and reporting. One such common compliance requirement in the energy industry is North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), which is a set of requirements designed to secure the assets necessary for operating and stabilizing North America’s bulk electric system. In this webinar replay, Bob Swanson, Compliance Research Consultant, and Jay Spann, SOAR Evangelist, discuss how SOAR can streamline and support compliance reporting and audit package creation. Watch now!
