At the Mesa Convention Center Friday, information security analyst Samantha Kitts walked a crowded room of CactusCon attendees through the nuances and complexities of the various data privacy regulations in the United States and abroad.
CactusCon, which began in 2012, is the largest annual gathering of hackers and security experts in Arizona. Attendees can see speakers who give talks on new exploits found in software or meet with industry groups who may be looking to hire new employees.
Lawmakers tried to expand the state’s data privacy laws in 2019, but were unsuccessful. House Speaker Rusty Bowers, R-Mesa, attempted to create new rules and regulations on how companies use biometric data, and it is expected similar legislation will be introduced when lawmakers return to work in January.
Bowers sought to ban companies from using biometric data, such as fingerprints or facial recognition, for commercial purposes.
A ruling in August by the 9th Circuit Court of Appeals, which allowed a lawsuit against Facebook under Illinois's biometric privacy law to proceed, revived interest in biometric data laws.
Despite all the renewed interest in biometrics, Kitts said that lawmakers should focus their efforts elsewhere if they want to institute real changes in the realm of privacy. In her estimation, it all comes down to issues with one of Arizona’s current data privacy laws.
Lawmakers in 2018 changed state law to define what constitutes a data breach and what a company has to do when a data breach occurs.
“I hate this law, just because it’s really difficult to read,” Kitts said.
The biggest problem with Arizona's law is that it doesn't define "personal identifying information" clearly, she said. Additionally, she said that if lawmakers really wanted to create protections for biometric data, they could do so under the existing statute by defining photographs, fingerprints and similar information as personal identifying information.
Doing so would help people like herself and others who are now finding themselves in a tangled thicket of differing laws.
Both California and Colorado recently passed data privacy laws that companies must comply with. Even a company based in Arizona will have to comply with California's new data privacy law if users of its service are located in California.
Some of those new requirements include offering consumers multiple ways to contact a company about its privacy policies, disclosing to users how their data is transmitted, and mandatory security training for all staff.
The European Union has also adopted a sweeping data privacy and protection measure, a unified policy for all member states called the General Data Protection Regulation, or GDPR for short. It took effect in 2018.
Kitts thinks the US could do something similar, and said a single national standard may be the best bet to spare consumers and companies alike the headaches of a patchwork of regulations.
Kitts’s biggest piece of advice to lawmakers as they head into the new session in January: Listen to professionals and experts – and younger generations.
“Talk to the young people who are not jaded yet,” Kitts said.