Where Digital Transformation and Data Breach Notification Laws Intersect
The U.S. recently hit a milestone in privacy and security regulation. In March, both Alabama and South Dakota enacted new breach notification laws. Alabama's took effect on May 1 and South Dakota's takes effect on July 1. All 50 states, plus Puerto Rico, Guam, the U.S. Virgin Islands, and the District of Columbia, now have some form of data breach notification law in place.
In addition, according to the National Conference of State Legislatures, another 29 states have strengthened, or are working to strengthen, their existing data breach laws. Each of these laws differs somewhat in its requirements and definitions, but they share a common core, summarized nicely in an article by Jackson Lewis PC:
"Common provisions among the breach notification laws include:
- Notification to affected state residents without unreasonable delay;
- Notification to certain agencies including state attorneys general and/or consumer reporting agencies under certain circumstances;
- Notification exceptions for good-faith access by an employee, encryption of the data, and determinations of low risk of harm;
- Specific requirements for the content of the notification; and
- Civil penalties enforced by the state's attorney general."
On top of the state regulations, there has also been some movement at the national level toward a federal notification law. In November 2017, spurred by the massive Equifax data breach, three Senators introduced legislation for a federal data breach notification standard. That proposal is still in committee, but the recent news of Cambridge Analytica's use of Facebook data once again has legislators talking about more regulation of security and data privacy.
And of course there is HIPAA/HITECH, which shows no signs of going away. While the HHS Office for Civil Rights (OCR) has said that no major changes to the regulation are likely in 2018, it has also indicated that HIPAA enforcement is not going to slow down this year.
Then there is the big data privacy regulation across the pond, the European Union's GDPR (General Data Protection Regulation), which affects any US company that handles the personal data of people in the EU. All of these regulations govern how sensitive data must be protected. Encrypting sensitive data is not always required, but it is strongly encouraged, and most of the state laws treat properly encrypted data as exempt from notification, provided the encryption key was not compromised along with the data. Encryption therefore limits the consequences when your data is breached, from both a regulatory and a reputational perspective. And being breached increasingly looks like a matter of when, not if. The need to protect sensitive data is not going away.
So, what does data breach notification have to do with digital transformation?
Many organizations have been, and still are, digitally transforming business processes and workflows to reduce costs, gain efficiencies, and improve the customer experience. Because many of these processes and workflows handle data covered by one or more of these regulations, security and compliance must be designed into the transformed workflow rather than bolted on afterward.
Take a customer portal for a financial services organization as an example. We have all used these: a place online where you can view your account. Organizations are transforming these portals by integrating them with the customer contact center, giving the organization a 360-degree view of the customer relationship. As part of this, some portals are starting to offer inbound communication, where the customer can send messages or even upload files to a customer service representative (CSR) or account manager. These messages and files can easily, and often do, contain sensitive and personal information that is regulated and must be protected. Once the portal accepts them, every system that stores, transmits, or displays them, from the upload path to the contact center tools, is in scope for that protection.
This is just one example, in one industry, of digital transformation meeting privacy and security regulation. There are many others; patient/provider contact centers and insurance member services centers also come to mind. We'd love to hear about yours.