Data is consistently described as the most valuable asset a company has these days. It makes sense then that regulation exists to protect our data and ensure it is secure. But does it? Sort of. There is no single federal data protection regulation in the US. There are industry-specific data protection regulations, such as HIPAA in the healthcare sector and the Gramm-Leach-Bliley Act in the financial sector, but an all-encompassing federal data protection law doesn't exist, and it's unknown whether it will any time soon.
This leaves the States to come up with their own regulations, which many have. New York, for example, has had regulations in place since 2017 mandating all regulated entities have a cybersecurity program and cybersecurity governance processes. Massachusetts, meanwhile, has regulations that require any entity that holds, transmits or collects personal information on residents to have a written data security plan.
But it is California that has got the channel, and the wider public, talking with the California Consumer Protection Act (CCPA), due for implementation on January 1, 2020. The new regulation, which is still having amendments discussed in the State Senate, is being compared to the EU's highly comprehensive General Data Protection Regulation (GDPR) as it is the closest the US currently has to the EU's leading data protection regulation.
There are, obviously, differences. For one, the CCPA only applies to businesses that meet one of the following thresholds: over $25 million in annual revenue; dealing with the personal information of more than 50,000 people; or deriving 50 percent or more of annual revenue from selling personal data.
But the similarities are enough that those who are familiar with the GDPR are looking at the CCPA as a "pre-cursor" to a stricter, GDPR-like regulation for California and beyond. As such, MSPs in California are watching the CCPA closely to see how it evolves and what they will finally be faced with come January 1, 2020.
In terms of how much the CCPA is set to impact MSPs in California, at the moment it seems it's far from the top of their list of priorities. This is partly because of the thresholds for having to comply with CCPA, but also because the regulation is largely focused on consumer data. Rob Schenk, partner at San Francisco, CA-based Intivix, told CPI that many of the California-based MSPs he has spoken with are aware of the regulation, but haven't made it a huge focus yet. "That might change soon," he noted.
For Eric Schlissel, CEO at Los Angeles, CA-based MSP GeekTek IT Services, while the regulation hasn't made much of an impact to date, GeekTek is likely to start auditing clients that store customer data using what the firm can glean from the law in its current form, but also the EU's GDPR "as a gut check to ensure we're covering all of our bases".
Of note, however, it's likely that until the CCPA becomes further developed to encompass elements of data security such as data encryption, its impact on MSPs and the channel more broadly will be minimal.
"At the moment, it's too limited," Scott E. Palmquist, CEO at Calabasas, CA-based MSP CST, told CPI in an interview. "When we bring it up [to customers], they basically just say, ‘Well, isn't it just a policy update?' and then ‘Don't we just have to have an email address people can email if they want to be removed?'. And that's pretty much it. Once it gets to a second step about data having to be encrypted, documented and not openly copied from servers to work stations and stuff like that, that's when the opportunity presents itself."
He expects a development such as this to naturally follow the CCPA in California, but added that it's likely "years away".
Still, there is opportunity to be found with the CCPA. In the same way that HIPAA offers opportunity for MSPs to build and offer compliance expertise, so too will the CCPA.
Schlissel points out that clients who store the relevant data and meet the regulatory thresholds for the new law will need to become compliant and then will need to be able to manage (and pass) ongoing spot checks.
"It's the responsibility of a good technology services firm to partner with its clients to stay on top of this and fully above board," he said, adding that the law will likely evolve, offering further opportunity for MSPs.
The broader compliance and security elements of the CCPA will also provide opportunity for Californian MSPs, according to Schenk. He points out that the CCPA is "a good opportunity" for MSPs to get into compliance and security work, which can potentially offer new revenue streams for channel players.
And the conversation goes deeper than that. As AI-related technologies start to divert work away from professionals like lawyers and accountants, these businesses may find potential opportunity in the data privacy compliance sector as it grows, according to Schenk. This brings with it plenty of opportunity for MSPs that can provide not just services for such players, but the option to partner on compliance projects and utilize the cybersecurity skills they have already honed over the last few years, especially given how "tight and expensive" the cybersecurity labor market has become.
As goes California, so goes the nation
As the January 1, 2020 CCPA implementation date looms, Californian commentators agree that the CCPA is just the beginning of data privacy laws that the US will face. Awareness of data privacy has seen a massive spike in recent years, thanks to a seemingly never-ending round of high-profile breaches such as the Equifax breach of March 2018, which saw over 2.5 million customers affected. Given this, it's simply a matter of time before other states, and possibly the federal government, follow in California's footsteps and start working on similar, if not stricter, regulations, commentators say.
"In my humble opinion, as goes California, so goes the nation," Schlissel said.
"How this plays out will be dependent on the outcome of the 2020 election. There are a significant number of candidates who already have consumer protections written into their platforms, and others will follow suit as congressional hearings continue on data management by the biggest players in the space. As awareness builds of this issue, consumer sentiment will evolve and today's loose sharing of private data will be reined in. On what scale and what timeline will greatly depend on who is in office, in addition to constituents raising their voices to their elected officials."
He adds that while bread-and-butter issues like healthcare, interest rates and immigration are what take the headlines, "we may be a few data breaches away from [data privacy and security] coming to the forefront of the national conversation".
Schenk agrees, saying that a GDPR-like law is only a matter of time in the US and is likely to get consolidated federally into a department like the IRS. He expects a law or tax code that could become a new level of federal compliance. However, like Palmquist, he says, "This will likely take years to complete".
"As soon as more and more companies start getting compromised with major losses, I'd see pressure placed on the government to do something about it," he added.
And it would be a welcome addition as far as channel players are concerned. Palmquist told CPI that not only is such a law much needed, but also that the US has some catching up to do when it comes to data privacy laws.
"I welcome a regulation like this. Data needs to be protected and you can't rely on the individual companies to make that decision of how it's protected. I think you have to have basic standards to protect it and it's much needed. I actually think we're way behind," he said.
Join us next week when we'll be talking to commentators outside California to get their take on how the CCPA will affect them and the country as a whole.