What to Know About the Changing Regulatory Landscape of Data Security
CHICAGO — The regulatory landscape of data security is changing and, as a session at the 2018 Conexxus Annual Conference warned, what you don’t know may hurt you.
In the European Union (EU), the General Data Protection Regulation (GDPR) will go into effect May 25. Simon Stocks, chairman of the International Forecourt Standards Forum, explained that while this regulation is going into effect in the EU, it will apply to the personal data of EU residents and citizens who may find themselves stateside and patronizing U.S. convenience store and fuel locations.
Personal data, as defined in the GDPR, is any information relating to an individual, including info about their private, professional or public life. It can be anything from a name to a home address, a photo, an email address, bank details, posts on social media, medical information or a computer IP address, according to Stocks.
In this changing regulatory landscape, fines are increasing. To avoid them, organizations need to create a "defensible position" to be able to prove that efforts are being made, processes are in place, and risk assessments are being done.
At the Conexxus event, Stocks listed eight core principles of data security, as well as one bonus principle. Personal data must be:
Processed fairly and lawfully
Processed for legitimate purposes only
Adequate, relevant and not excessive
Accurate and up-to-date
Kept only as long as necessary
Processed in accordance with the rights of data subjects
Not transferred to a country outside the European Economic Area without adequate protection
Bonus: Able to change if told that the data is wrong.
Stocks believes it will be only a matter of time before the GDPR comes to America.
In the meantime, he said retailers must learn whether they are holding data on EU citizens and if there may be direct GDPR implications on their business.
He also reminded retailers that: they should identify why they are holding data and if there is a justifiable reason; they should delete or dispose of data once it is no longer needed (other than for legislative reasons); individuals must opt in to have their data held and communications sent; and a patron has the right to be forgotten.
Data Security on Capitol Hill
Also weighing in on the regulatory landscape at the Conexxus event was Paige Anderson, director of government relations for NACS, the Association for Convenience & Fuel Retailing. Part of Anderson’s role is to protect the convenience store retailer from Capitol Hill, where she has learned Congress is behind the curve when it comes to matters relating to data security and cybersecurity.
On the front lines, Anderson has observed Congress taking a piecemeal approach rather than a holistic approach to solving problems related to data and cybersecurity. She has seen the government be slow and reactive, thinking short term rather than long term.
Part of the problem, as Anderson sees it, is that those in Congress are always thinking about their next election. Other problems are turf wars between government agencies and an administration slow to assign people to take the lead on certain issues.
While there are moments of activity on security in Congress, they are generally followed up by more moments of silence, according to Anderson, who said that "one never knows what member is going to want to pick the ball up and do something."
Among the aspects of retail technology that are currently proving of interest to Congress are artificial intelligence (AI) and autonomous vehicles.
To the surprise of many, not even Facebook's recent security scandal has really lit the fire for movement on data security breach prevention within the government. More attention has been paid to how consumers are notified after a data breach.
Anderson explained that part of the reason movement has been slow is that NACS and other retailer communities want a solution that addresses the whole issue of security and how the information flows — but Congress has been reluctant to take that on.
NACS maintains that there should be two basic elements of regulation:
That the breached entity should be responsible for notifying consumers; and
There should be no carveouts; everyone should have skin in the game.
Proposed regulations to date have all had carveouts, including for financial services institutions. If instituted, this would have meant that Equifax wouldn't have been responsible for notifying people of its data breach — and the same for Facebook and Yahoo following their respective data breaches.
On the bright side, the National Institute of Standards and Technology has put together a blueprint regarding cybersecurity. This blueprint, which Anderson said is not receiving the attention it should, offers companies an education on how to think of risk mitigation vs. compliance when it comes to data and cybersecurity. The Federal Reserve is also looking at mobile payments and how systems are made more secure.
Since 2018 is an election year, Anderson believes it is unlikely any action on data and cybersecurity regulation in the U.S. will happen soon. Additionally, she noted that the idea of creating a cybersecurity organization under the Homeland Security Committee has been shut down for the time being by the intelligence community.
So, what will it take for changes to be made?
Consumers, according to Anderson. If the general public becomes outraged enough and lets their members of Congress know, then the ball might get rolling in earnest.
The 2018 Conexxus Annual Conference took place April 30-May 3 at the Loews Chicago O'Hare hotel.