iG Journal 2020 Issue 1


INFORMATION PROTECTION SERVICES

Like most information protection service providers, the association has historically focused its attention on the major data protection regulations: those that have represented a major shift in the requirements and liabilities of customers. Coincidentally, as the list below shows, these major regulatory shifts happened not long after the founding of both NAID and PRISM International.

1995 – European Data Protection Directive
1996 – The Health Insurance Portability and Accountability Act (HIPAA)
1999 – The Financial Services Modernization Act a.k.a. The Gramm-Leach-Bliley Act (GLBA)
1999-2010 – U.S. State-Level Data Destruction Requirements
2000 – Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
2003-10 – U.S. State-Level Data Breach Notification
2005 – Final Disposal Rule/Fair and Accurate Credit Transaction Act (FACTA)
2009 – Health Information for Technical and Clinical Health Act (HITECH)
2018 – European Data Protection Regulation (GDPR)
2020 – California Consumer Privacy Act (CCPA)

It is worth noting that the list above contains two references to data protection regulations that took place at the state level, largely because they swept the nation so quickly that the effect was essentially nationwide.

Of course, it was (and is) perfectly appropriate for members and their association to focus on these new laws. They affect the largest number of customers, they usually introduce new and more aggressive requirements, they undoubtedly receive the most attention from the media, and, finally and most significantly in the long run, each new regulation puts pressure on the rest of the world to respond. Furthermore, focusing on these major pieces of legislation required fewer resources while at the same time delivering the most bang for the buck.

Wisconsin passed the first state-level data destruction requirement in 1999, after which more than 30 states followed suit. California passed data breach notification in 2003, after which all U.S. states and territories enacted it, as did HIPAA/HITECH, Europe’s GDPR, Canada’s PIPEDA, and Australia’s Privacy Act, among others. Most recently, when the GDPR introduced Data Subject Rights as the centerpiece of its new protection, it began what is unfolding as a global trend to do the same (e.g., the California Consumer Privacy Act).

iG Journal 2020 Issue 1 by i-SIGMA - Issuu