Consumer data privacy regulation at the federal level: An opportunity for MSPs?

Published on April 15, 2020

After Jerry Brown signed the California Consumer Privacy Act (CCPA) paperwork in June 2018, shock waves reverberated throughout Silicon Valley. Lobbyists at the Information Technology Industry Council, a Google-backed think tank, quickly went to work drafting proposals for a federal law that would supersede the stringent California bill.

Twelve states subsequently followed California’s lead and passed similar legislation, causing some of the largest tech companies, including Google, Facebook, Apple, Intel, and Microsoft, to clamor for federally-mandated consumer data privacy regulation. Although 15 bills have been proposed in the last year alone, as of September 2019, none have yet to pass. However, it’s only a matter of time before a federal data privacy bill passes. Businesses need to be prepared to make drastic changes to their data gathering and privacy processes, and determine if outside help is needed.

Looking to the future: a law on the horizon
The bills that have been proposed and turned down to-date have common threads running through them, so we can accurately deduce what a future federal data privacy law might look like. Below are the common themes that have appeared in the bills that were proposed but did not pass.

It will give citizens control of their data or the ability to opt out
Consumers want access to and control over their own data. The Data Broker Accountability and Transparency Act was put together in the wake of the Cambridge Analytica uproar, and it directly targeted data brokers – companies that collect consumer data and sell it to third parties. Additionally, this bill would allow US citizens to remove their data from corporate servers.

Another bill, the Consumer Data Protection Act (CDPA) called for the creation of a national “do not track” registry.

It will keep large corporations in check
The American Data Dissemination Act was introduced by Marco Rubio in January 2019 as another opportunity to supplant the current patchwork of state laws. In an effort to keep large, incumbent companies from dominating the space, Rubio’s bill called for the FTC to create exemptions for smaller companies. Creating more opportunity among competition should ultimately benefit consumers.

It will create severe punishments for data breaches
Aside from calling for the creation of a “do not track” registry, the CDPA also proposed data breach fines as high as four percent of offending businesses’ annual revenue, as well as 10 to 20 years of jail time for negligent executives. The bill also proposed hiring 175 more FTC employees to monitor the sale of private data.

The Corporate Executive Accountability Act, issued in April 2019 by Elizabeth Warren, would affect companies with over $1 billion in annual revenue. Like the CDPA, the bill calls for jail time for senior executives; however, the threshold for incarceration is quite high. According to the proposed bill, senior execs are only liable if a data breach is the result of illegal activity, and prosecutors must prove that these executives were negligent.

Companies need to be prepared for consumers to have more control over their data; they should expect more balanced competition, and to be held accountable if consumer data is left unsecured.

An opportunity for managed service providers
If the United States enacts a federal data privacy law, this change will provide an opportunity for managed service providers (MSPs). As we’ve already seen in Europe, many MSPs have taken advantage of the GDPR, opting to position themselves as experts in data privacy compliance. These MSPs essentially offer consultancy services, which can include providing clients with data protection officers (DPOs), technicians, and internal auditors. By encrypting data, patching software, and providing auditor checklists, these MSPs help businesses address their GDPR compliance issues.

When MSPs provide their clients with external DPOs, it helps to prevent business conflicts of interest from arising; for example, if a business were to have a sys admin or someone else doing double duty as a DPO, he or she might not want to change their everyday activities—even if it were required for compliance. Hence, it can be more beneficial for a business to use a DPO provided by an MSP than to use an employee from inside their own organization. However, it’s important to keep in mind that paying an MSP for DPOaaS (data protection officer as a service) doesn’t provide businesses with immunity from data breach fines.

Who is liable?
MSPs can open themselves up to fines, lawsuits, and reputational damage should a breach happen while they’re hosting a client’s data. However, if an MSP is solely providing their client with software or tips, the responsibility then likely lies with that client. Answers to questions around liability continue to be vague, with the industry paying attention to new precedents as they are set.

Ultimately, we are going to see a shift in two directions: 1.) companies using third-party advisors; 2.) companies owning and taking on liability. Companies and advisors will both be highly dependent on technology solutions to provide the necessary transparency and data security to keep up with future federal regulations. In addition, the solutions relied upon will need the right mix of intelligence and automation to course correct individuals and companies in the moment in response to regulatory changes. Picking the right technology vendor that can keep up with the rapid change ahead will be key.

Companies must start determining their technology stack, as well as their strategy for complying with the impending changes that federal regulation poses, including whether or not to utilize an MSP that specializes in data protection. While there will be a certain level of risk for MSPs, there clearly is a lucrative opportunity ahead for those who are willing to fill this gap. The question is whether utilizing MSPs’ services will become companies’ preferred strategy for dealing with the federal regulations that are on the horizon.

Disclosure: This article was originally published in SC Magazine

Leave a comment

Your email address will not be published. Required fields are marked *

four × 4 =


As the world moves away from manual, labor-intensive processes, companies are increasingly relying on artificial intelligence to streamline operations. From forecast engines and conversational assistants to anomaly detection and behavior analysis, AI capabilities have been progressing in leaps and bounds in the last few years.
Digital transformation can be a complex process requiring various stakeholders—leadership, partners, and employees—to be on the same page while ensuring the transformation enhances business value. However, despite its growing popularity, many businesses are still unsure what exactly digital transformation entails. Dive in for our take on everything DX.
As the world of cyberthreats becomes increasingly sophisticated, organizations need to develop a multi-pronged defense strategy that includes various layers of protection spread across networks, hardware, programs, and data. The people, processes, and technology in an organization need to come together in order to create an infallible security program.
A platform for industry experts and thought leaders to share their expertise on how technology is sharing various aspect of their industry.
As we move into an era of information explosion, mounting concerns regarding data privacy have given rise to groundbreaking regulations. Adhering to privacy regulations, such as the GDPR and the CCPA, not only ensures compliance, but can also help an organization develop solid data security policies and prevent breaches.