AS OF AUGUST, 12 states had passed comprehensive consumer privacy laws and several others were considering similar legislation. Despite similarities, each law has different requirements, creating challenges for companies operating in multiple states. This is an opportunity for MSPs to help clients stay compliant with regulations. Unlike the Eurozone, where the General Data Privacy Regulation (GDPR) covers 27 countries, the United States lacks a uniform approach to consumer privacy rights. Instead, states such as California, Virginia, Colorado, and Connecticut have enacted their own laws.
Utah’s Consumer Privacy Act (UCPA) goes into effect in December. Next year, laws go into effect in Florida, Montana, and Iowa. Comprehensive consumer privacy laws generally apply to all types of personal data across all industries, giving consumers the right to access, correct, and delete that data.
These laws, say compliance experts, are different from the more-focused, industry-specific laws that SMBs have dealt with in the past. “These many new state laws, with many more looming on the horizon, will impact SMBs in many ways,” says Rebecca Herold, CEO of services provider Privacy & Security Brainiacs. They will require businesses to update their security and privacy policies, perform more extensive logging of personal data, and establish procedures to give individuals access to their own data.
Furthermore, instead of allowing users to opt out of having their data shared, businesses will have to ask them to opt in. With privacy laws in place, organizations can use personal data for their own purposes but not share it without authorization. “SMBs need to understand what laws affect them, post all required notices on their website, and implement cybersecurity tools and services to protect data,” says Mike Semel, CEO of Semel Consulting and a former MSP.
MSP Impact
Usually, anything that affects SMBs also touches MSPs by extension. When it comes to data privacy laws, providers must quickly pull any personal data they are holding about individuals upon request, says Herold.
Regulatory differences between states complicate things, requiring MSPs operating in multiple jurisdictions to meet more than one set of requirements. “I’ve had to do this for many years and it’s not easy,” says Semel.
Help is available through reports and legal analysis papers from privacy law firms, says Herold. She also recommends the Conference of State Legislatures website, which provides news and resources about privacy and security developments. Herold’s own business provides quarterly updates and advice to clients.
She says that helping clients comply with privacy regulations involves privacy management practices such as data governance, documentation of policies and procedures, risk management, and training employees who handle private data. Then there’s the technical side, which involves tools for identity verification, data inventory, and network security controls such as anti-malware, IPS/IDS, logging, data backup, and endpoint security.
Even though the growing tapestry of state privacy laws creates complexity for MSPs, providers that deliver compliance services stand to profit. “I rebranded my MSP business as a compliance specialist and was able to double or triple the profits we made from many customers,” says Semel.
Compliance is an ongoing endeavor because things change quickly, he warns. “You can be healthy today and sick tomorrow. You should be using a specialized governance, risk, and compliance (GRC) platform in addition to your RMM and PSA to help clients manage their multiple compliance requirements.” Herold says that as more privacy laws go on the books across the country, businesses will turn to MSPs for help. MSPs can sell them compliance services at a fraction of the price of hiring a compliance officer. To offer these packages, MSPs can partner with companies like Herold’s organization “to ensure they are providing their clients with accurate advice and governance products.”
PEDRO PEREIRA is a New Hampshire-based freelance writer who has covered the IT channel for two decades.