What Governments Can Do to Strengthen Data Privacy Protections
State and local governments across the U.S. can use this law to assess their data privacy practices and implement measures and systems to prepare for similar legislation. Additionally, these kinds of early laws tend to lead the way for federal laws and mandates.
Governments, as well as schools, hospitals and other entities, regularly share personally identifiable information with vendors, contractors and other companies. This requires a clear understanding of what data is passed out, as well as where and how.
Governments and these entities will then also be responsible for notifying these companies that data privacy is a priority. These organizations should be reaching out to all of their vendors to ensure they are prepared for these changes.
Internally, state and local governments should strengthen their authentication and authorization practices. Just as important as passing legislation to protect citizen data, governments should be sure that best practices are applied to citizen data within their own organizations.
Governments should have an accurate database of accounts, especially privileged accounts, and audit it regularly to ensure that old accounts are removed and that the level of access given is the minimum government employees need to do their work. By limiting privileged accounts and access levels, government organizations can significantly decrease the risk of bad actors accessing data and putting citizen information at risk.
Moving forward, many states may consider their own data privacy and protection acts. When drafting future acts, there are a few considerations they should keep in mind.
Future laws can be strengthened with a clear, strong definition of personal data to cut down on potential loopholes and court cases. Representatives should also make their laws opt-in laws, meaning that all consumers would have initial protection and can then choose whether to share that data with individual businesses on a case-by-case basis. Finally, future laws should expand to cover financial institutions, businesses governed by HIPAA, nonprofit organizations, higher education institutions and state and local governments.
Virginia’s CDPA is an important first step. State and local governments and other organizations not currently covered by privacy requirements should take steps now to ensure reliable data protection and privacy practices are in place and that their citizens’ data is properly handled.