All eyes are once again on data privacy and security as Equifax was this week ordered to pay up to $700 million in penalties for its mammoth 2017 breach, which exposed the records of 147 million people.
Many have noted that Equifax's censure comes not only from federal regulatory bodies such as the Federal Trade Commission and the Consumer Financial Protection Bureau, but also from 50 states that led the proceedings against the credit bureau.
This is reflective of the current state of data privacy regulations in the U.S. With the California Consumer Privacy Act (CCPA) being the most notable of data privacy regulations, CPI talks to channel players outside California to get their take on what the near future holds for data privacy, regulation and the channel.
One thing is pretty clear: MSPs outside California are certainly keen to see further data privacy regulations. Khaled Farhang, founder and CEO at Washington, D.C.-based MSP eGuard Tech Consulting Services, says he's surprised that there aren't already stricter regulations surrounding the data security of clients.
"Right now I think there should be a huge requirement for MSPs to protect themselves, protect the data and the client better. Nobody's really regulating this at all. It's all up to the MSP and you hear more and more about MSPs being breached," he said.
"Because, let's face it, that's an easy way to target 50, 100 or 200 SMBs. So while I don't know what regulation they will put in place, I really hope they put something in place. I think it's better to have some minimum requirement, if nothing else, that all MSPs must adhere to. It's just better for the industry as a whole."
Assuming data privacy regulations do appear at the state level, questions may arise as to how prepared a state is to administer (and police) such strict regulatory requirements. Commentators note that implementing data privacy regulations can be laborious and tortuous, as well as simply expensive. Further, once such regulations have been implemented, policing them is another cost burden that states would have to shoulder.
"This sort of in-depth audit and review process places great financial and administrative burden on the individual governmental entities involved at the state and local level," Shawn Rodriguez, VP of SLED at WWT, told CPI in an interview.
"Ultimately, it is a necessity to commit significant financial resources as well as human capital to such an endeavor in order to implement, administer and enforce these types of legislation at the required level. Those funding needs are either altogether unavailable or are simply not met. This leaves state and local governments open to areas of significant risk," he pointed out.
Furthermore, state legislatures have a "strong track record" of proclaiming the importance of security but not actually doing anything about it, Rodriguez said.
"[They talk] a big game about security and proclaiming it as a priority, then do little to nothing to get the appropriate level of funding to do it," the VP added.
Alongside the financial resources, those legislating data security will need the relevant technical expertise to review breaches of the regulation as and when they occur, Joshua Gembala, enhanced security services manager at Lansing, MI-based ASK, points out.
Complaints have to be reviewed and a determination made as to whether a breach has actually occurred, which is not always a simple black-and-white conversation, especially if any forthcoming regulation is highly nuanced.
Alongside this, states enforcing regulations would need the legal standing to be able to force the offending organization to comply should a breach be determined to have occurred. "You need attorneys and you need technical resources," Gembala noted.
Commentators also say that any state issuing data privacy regulation or similar will need to be sure they have their own ducks in a row before casting oversight over their constituents.
"I'd be really curious to see how many of these legislatures that run websites have their own [data security] in order before their own laws go into effect," Gembala said.
Rodriguez agrees, adding that any regulation at the state level needs to reflect what the government itself claims as its position on such matters.
"With any consumer legislation like this that has a security or privacy lens to it, I immediately pose the question: does it align with what the government prescribes as their own priorities? If such proposed legislation on the state and local level is contradictory to how the government is holding itself accountable, that can raise questions of inconsistency," he said.
A further question for MSPs outside California is how different states might implement similar data privacy regulations. Will they be administered in the same way? Will regulations have similar compliance requirements? Will penalties be the same or similar? Rodriguez describes this as the biggest challenge after the issue of financial backing, noting that there needs to be "alignment of priorities among state, local and federal entities".
One way for this to be avoided is, of course, a federal regulation that would take precedence over any and all state regulations. Gembala points out that if there were a federal regulation, channel players would have a single piece of legislation to work toward, without having to check each state for requirements that apply to the customers they have there.
"With a federal regulation everyone would have a target. We wouldn't have to necessarily keep having to defer to these individual state reporting requirements, which vary wildly. The problem is also that the new regulations that some states are proposing, like Hawaii, Minnesota and New York, are incredibly strong and very focused on consumer privacy. And then there are other states, like Illinois, Louisiana and Nevada, that basically just cherry-picked two or three of the items from the other privacy bills," said Gembala.
However, commentators aren't expecting to see federal regulations any time soon. Farhang thinks regulation will evolve at the state level, citing the federal government's slow response to the Equifax breach as a clear lack of desire on the part of the federal government to ramp up its data security policing.
"The federal government didn't really do much about it. They just made [Equifax] comply more and do more testing - the low-hanging fruit changes. But the states stepped in and said 'OK, we're going to take state-level action since the federal didn't do anything'. I think that opened up the road to the states doing more with those kinds of requirements and compliance than the federal government did," he said.
Another reason we're unlikely to see federal regulation soon is timing, Gembala notes.
"I assume that nothing is probably very likely right now -- I can't imagine they would move on anything before the next election," he said.
MSPs will have to work out how they are going to comply with the various regulations that are starting to come out of the states. And unless they serve customers in their own state only, they will have to manage the compliance requirements of the data privacy regulations coming out of whichever states they have customers in. It may sound simple, but it requires a considerable amount of attention.
"There are effects from all these data privacy laws we're encountering," Gembala told CPI. "We actually have in the last few years become much more heavily reliant on attorneys because of this. If we have a customer that believes they may have had a breach, we're very reliant on attorneys to help us identify what their liabilities would be and what their breach notification requirements would be, because it's different in every state."