Recent Regulations that CIOs should know about

Are you breaking the law?

This is a question that gives leadership at any company shivers. Unlike in the pre-Internet era, companies now not only have to comply with laws of their home jurisdictions but also have to take into account jurisdictions where their users reside.

And in the age of cloud where there are no national boundaries this presents several complications.

In this post we will take a look at three regulations around user data which can impact how you do business.

1) The US Cyber Security Information Act-

CISA became a law late last month, and it has turned out to be controversial.

On the face of it, CISA makes sense. It gives a platform for companies to share intelligence about threats with Federal agencies like FBI and NSA so that a better threat response can be formulated.

But the devil is in the details.

The companies who share data with federal agencies like FBI and NSA will be provided immunity from liability for violating user privacy and sharing private information like financial and health records. This law has been criticized by its opponents like Electronic Frontier Foundation and companies like Facebook and Google for enabling surveillance.

The law also makes it possible for US courts to pursue foreign nationals even if the crime was committed outside US territorial jurisdiction. As the Guardian says

But the amended law would make it a crime punishable by US prison time not merely to clone the credit card or steal the Netflix password of an American citizen, but to take unauthorized information from any American company, no matter where it happens.

In other words, if a French national hacks a Spanish national’s MasterCard, she could be subject to 10 years in US prison under laws changed by the bill.

If you are a CIO you now have access to a mechanism for sharing data over threat intelligence. But in the event of strong pushback from privacy groups and tech companies you might risk losing business as privacy conscious clients and users might take their business elsewhere.

2) The EU General Data Protection Regulation

On the flip side the EU has passed the most stringent data privacy regulation ever. Called the General Data Protection Regulation it is applicable to any entity which offers goods or services to residents in the EU (this means that if you offer payment options in Euros or have a website in an European language, or ship to European countries you are liable).

Some of the provisions are:

• If you collect any information from the user you must inform them how you intend to use the information. Unless the user doesn’t explicitly consent you cannot use their data for any purpose.
• Data cannot be stored indefinitely and must be erased after a specific period.
• Users might be told clearly who holds or controls their data, and also be informed about the rules and safeguards put in place to handle the data.
• Users may modify their data any time they want, or withdraw consent to their data being used at any point of time. Upon withdrawal of consent, the data should be destroyed.
• When a business uses a data processor (e.g. cloud service) to collect or store user data the processor must implement all measures necessary to comply with data security, and also maintain complete records of the types of processing activities.
• In the event of a data breach users must be informed within 72 hours.

The EU gives a window of 2 years for companies to comply with the regulation, and specifies hefty fines for non-compliance (2% of annual worldwide sales or 1 million Euros, whichever is higher).

This regulation will have a major impact on businesses that operate in the EU.

According to an Ovum report on data privacy laws:

• Two-thirds of respondents say that their EU business strategy will change.
• Some companies will abandon the European market.
• More than 50% expect to be fined for violation of the law.

With the trend in EU data laws showing an increasingly stringent trend companies will have to get started with compliance if they want to meet the window.

3) FTC guidelines on Big Data and predictive analytics

Big data and associated technologies like predictive analytics let companies know their customers and users more intimately than ever before.

1. This might result in discrimination and economic disparity. Some companies might target vulnerable populations with higher prices and pursue unethical behavior: Gartner says that improper use of Big Data will cause 50% of business ethics violations by 2018.

In a recent report titled Big Data: A tool for Inclusion or Exclusion the FTC warns companies against:

• Violating Fair Credit Reporting Act, the FTC act, and Equal Credit Opportunity Act by starving vulnerable populations of credit or flooding them with harmful loans using algorithmic discrimination.
• Digital redlining by denying a particular community of financial services based on insights derived from data analytics.
• Infringing upon civil rights by refusing to provide vital services.

There is therefore a need for companies to not go overboard with Big Data analytics, and make sure that they are not violating relevant laws.

The impact of upcoming regulations

The regulatory landscape is confusing and fluid, with complications multiplying in the event that you do business internationally. Being forewarned is being forearmed, and the sooner companies start putting internal processes to comply with these regulations the lower will be risk of non-compliance.