The data privacy landscape is continually changing and notoriously difficult to navigate. Organizations who successfully comply with data privacy regulations earn the trust of customers, increasing long-term business prospects. Companies who fail to comply not only risk the trust of their customers, but can face legal penalties, regulatory fines, and significant reputational damage. This paper focuses on prominent data privacy regulations in the United States and globally, including Illinois’ BIPA, California’s CCPA and CPRA, the EU’s GDPR, and Singapore’s PDPA, and how SessionGuardian can help organizations comply with each of the regulations.
SessionGuardian is a privacy-first security solution that protects an organization’s sensitive data assets. The solution is built on the following pillars:
Although current data privacy laws differ significantly between local and global regions, there is a shared focus on guiding best practices and meeting regulatory compliance requirements. Beyond setting requirements for how organizations handle and process data, the social importance of data privacy laws has continued to grow rapidly, with users becoming more vocal about their desire for data privacy. According to the annual Cisco Data Privacy Report, 36% of individuals surveyed globally who felt they had no ability to protect their data and privacy from an organization stated that they did not trust companies to follow their security policies. Additionally, 79% responded that they were willing to take action to protect their data and privacy (Cisco, 2021).
Ultimate responsibility falls on the organization to ensure its data handling practices are not only compliant, but satisfactory to users. The impact of breaching a user base’s trust regarding data privacy is compounded by the legal penalties imposed by regulations, and such breaches additionally create openings for data to be leaked, sold, or exploited by an attacker. These openings can lead to financial and reputational damage for an organization. The total cost of a data breach continues to rise, with a 19% increase from 2021-2022 to an average of $4.5 million for breaches in which malicious parties misused a valid user’s credentials, and a 16% increase to an average of $4.91 million for data leaks due to phishing (IBM, 2022).
Within the United States, many states have their own defined data privacy laws governing how organizations must store, access, use, process, or otherwise handle a user’s data. Globally, numerous robust regulations guide large-scale data privacy compliance. Prominent guiding bodies included in this analysis are Illinois’ Biometric Information Protection Act (BIPA), the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR), and Singapore’s Personal Data Protection Act (PDPA).
BIPA

As the first American law targeted directly at biometrics and the surrounding data privacy (Hartzog, 2020), the Illinois Biometric Information Protection Act quickly established itself as a law intended to hold organizations responsible for data privacy violations. It is worth noting that while BIPA was created to target biometric security, the definition of biometrics varies from state to state and country to country. It is therefore important to ensure that security tools comply with as many definitions as possible, given that businesses often interact with users across state lines and in other countries. As defined by BIPA, information labeled as biometric, and therefore subject to this regulation, includes “… any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual” (ILGA, n.d.). Under this definition, biometric authentication services such as those currently used to authenticate users for physical and remote access to secured systems are held accountable. Under BIPA, applicable organizations must meet baseline security and process requirements: implement and maintain reasonably strong security practices, have a written and publicly available policy on the retention and deletion of biometric data, follow requirements on how user data is stored, used, processed, and collected, and obtain written permission allowing the collection and use of user data (Hartzog, 2020; ILGA, n.d.).
These BIPA requirements pose a challenge when attempting to ensure that vendors and applications maintain an organization’s compliance, often requiring a security-first mindset when building out applications to ensure widespread compliance. In one of the most prevalent BIPA-related legal cases, Rosenbach v. Six Flags Entertainment, the theme park was sued by a mother whose child was enrolled in a fingerprint authentication system at the park without written or explicit consent (Hartzog, 2020). While this case was initially not supported by the Illinois Appellate Court, the Illinois Supreme Court issued an opinion supporting Rosenbach, resulting in a decision that Six Flags had violated BIPA (Hartzog, 2020; Harvard, 2019). The case affirmed Illinois’ intent to ensure that biometric data and similar data privacy concerns are addressed for user protection. Modern security authentication tools that use biometric solutions must comply with laws such as BIPA if the organization is accountable to the region, providing security at the cost of additional regulatory scrutiny and end-user unease.
While Illinois’ BIPA was the first American biometric privacy-focused law, California’s Consumer Privacy Act (CCPA) has stood out as a model of data privacy that other states and regions consider for implementation. Focused not primarily on biometrics but on overall user data privacy, CCPA was implemented rapidly and under unusual circumstances. In 2018, a real estate developer displeased with the state of data privacy in California managed to place an initiative on the ballot and used this position to pressure California into creating the CCPA, offering to withdraw the initiative if California would create data privacy regulation (Goldman, 2020). The pressure that resulted in CCPA reminded users of systems everywhere that, should they be displeased with the state of data privacy available to them, they are able to bring about change.
CCPA empowered users with six data privacy rights:
These regulations continue to protect users with increased data privacy, and organizations that fall under the criteria set forth by CCPA are required to comply, which includes those that capture, store, process, or transfer user data. While CCPA gained attention as one of the major movements in the United States towards user data privacy, it is also notable for being regularly compared to GDPR as a potential stepping stone for the United States to follow similar data privacy regulations nationwide (Barrett, 2019; Kucera, 2021).
Beginning in January 2023, the California Privacy Rights Act (CPRA) will be implemented to strengthen and expand existing and new privacy regulations (CPRA, 2022). Primarily, the CPRA changes for 2023 increase potential penalties against businesses that are required to adhere to CCPA regulations and violate a compliance requirement, while redefining the scope of which companies are required to comply and providing clarification on additional CCPA aspects (CPRA, 2022). The CPRA is being implemented because California identified that the number of individuals and parties exercising their CCPA protection rights was higher than anticipated, prompting California to add further requirements to help protect consumers (CPRA, 2022). Although CCPA has been compared to GDPR as an entry point for the United States towards an overall data privacy regulation, it is noted that CPRA “aligns more closely with the GDPR” (CPRA, 2022) by implementing stricter compliance requirements. Additionally, a major change of CPRA from the initial CCPA requirements is that the protection of data privacy has been extended to employees of an organization. The resulting action for organizations is that any software, application, or internal process used by employees must be CCPA- and CPRA-compliant to ensure no data privacy violations involving internal employees or customers.
GDPR

BIPA and CCPA are two state-level regulations that are helping push data privacy laws forward within the United States. Looking at data privacy outside of the US, however, the European Union’s General Data Protection Regulation (GDPR) stands out as one of the most respected globally. While each organization’s relationship with the GDPR can and will be different, in general, if an organization interacts with data of EU citizens or has business offerings in the regions where GDPR applies, the organization can be held accountable to GDPR requirements (GDPR, 2022). Although there are numerous complex aspects to GDPR regulations, there are key takeaways that any organization leveraging technology for data that interfaces with the EU should be aware of. GDPR places great emphasis on a ‘privacy-first’ approach: systems collect only what is absolutely needed (data collection minimization), apply reasonable security to protect user data, gather proper consent from users, and maintain a user’s right to privacy (GDPR, 2022). Additionally, GDPR requires organizations to allow users to opt out of data collection, request copies of their data, and request corrections or deletions of their data, and requires organizations to notify users if their data was breached. Compliance with GDPR is critical, as the fees and penalties involved in an infraction are severe, with a “max of €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages” (GDPR, 2022). Based on this, organizations requiring compliance with GDPR must ensure that their systems and applications comply as well, in order not to violate regulatory requirements.
PDPA

Designed in 2012 and officially implemented in 2014 (Chik, 2013), the PDPA is to Singapore as the GDPR is to the EU. Providing robust protection and privacy for applicable data, the PDPA places great emphasis on avoiding unnecessary collection of individuals’ data by businesses and on requiring consent to share or disclose user data (Chik, 2013). In this, the PDPA is similar to the GDPR requirements of data collection minimization and the various consent requirements for collection and for disclosure to third parties. The PDPA served two major functions for Singapore: it established a person’s right to data privacy, and it was a major step towards building a trusting relationship between citizens of Singapore, regulations, and compliant organizations (Wong, 2017).
The wide scope of the PDPA requires most individuals and businesses to comply with its requirements, except for individual use of one’s own data, use of data by an employee for their work, public agencies, and organizations granted an exemption (Wong, 2017). Similar to GDPR, the PDPA imposes many obligations on applicable organizations that set reasonable and fair requirements for data privacy. These include notification of data usage and collection, a requirement for the accuracy of data, not retaining data longer than necessary, and a reasonable level of security and effort to protect user data (Wong, 2017).
As seen in the response to BIPA and CCPA, as well as the protection and scope of GDPR and PDPA, users are regularly seeking more privacy options, at a level capable of forcing change in the form of legal and regulatory requirements. In order to win users’ trust in the modern age of technology, with interconnected data collection between applications for ‘personalized experiences’ and user activity tracking across websites, organizations need to take steps above and beyond simply meeting the bare minimum requirements of data privacy laws. In the context of remote work, data collection on users can be problematic, as remote workers using personal devices can have data they did not consent to share recorded and obtained by an organization. Additionally, using remote biometric authentication tools to grant users access to sensitive systems for remote work can lead to trust issues in which employees or other users of a system refuse work opportunities over data privacy concerns. As 79% of users surveyed by Cisco (2021) identified that they are willing to take action to gain more data privacy, the current business processes of organizations and the partners that supply their technological solutions need to be analyzed to ensure not only that minimum compliance is met, but that trust is built with users.

In the modern remote workforce, users are more concerned than ever about monitoring tools and biometric data collected by employers for authentication and work productivity tracking. These concerns can be enough to deter remote workers from working with organizations that impose data privacy infringements as a condition of employment. Trust issues can also manifest as reduced work productivity, increased costs for an organization to monitor and replace workforce turnover, and the creation of detractors, as distrusting users may recommend that others not associate with the organization.
With this analysis of the current state of data privacy regulation within the United States, the EU’s GDPR, and Singapore’s PDPA, it is clear that as technology use increases in parallel with the amount of data being created and collected, users are demanding more privacy and security. At this crossroads of organizations wanting remote workforces to be further secured by authentication tools and users wanting their data privacy to increase, few solutions are currently poised to deliver both. For success in this endeavor, solutions must be implemented with a privacy-first mentality and, as GDPR requirements recommend, have data protection by design (GDPR, 2022). SessionGuardian strictly adheres to a privacy-first design approach, treating the user’s privacy as an equally important variable in the security equation. To ensure widespread compliance with the leading data privacy regulations such as BIPA and CCPA, including the CPRA enhancements, GDPR, and PDPA, the development focus has always been to design the product suite against the strictest regulations available. Data collection and storage minimization is enforced for our user data, with the only information collected at the end of a secure session being text-based security logs that record the major security events reflecting system operation during the secure session. SessionGuardian’s continuous authentication uses pattern detection facial recognition in compliance with biometric data privacy laws, as the information leveraged from the user is a standard photograph, and the system is built to accept images companies already use, such as security badge pictures and HR system headshots. To consistently deliver a user-first approach, SessionGuardian’s pattern detection facial authentication:
CONCLUSION

Data privacy currently poses two primary threats to organizations: 1) damages due to violations or data breaches, and 2) damage to the trust of users of the system. As users have shown their desire to take action for change through recent surveys (Cisco, 2021) and through the creation of CCPA (Goldman, 2020), the combined power of groups displeased with data privacy issues is certainly enough to create change. Organizations implementing solutions for remote work authentication in the current technology economy must examine the systems they use and their data processes to ensure they are taking all possible steps to advance data privacy while maintaining their critical business operations. Choosing solutions that support robust security authentication without overstepping data privacy can be a complex challenge, one that is alleviated by leveraging solutions created with a privacy-first design, resulting in tools that are compliant from the start because data privacy was intended from their creation.