Privacy and security


Protecting data from loss or breach continues to be a high priority, as is compliance with recent and emerging privacy and security regulations. We work with you to identify compliance requirements, identify and protect PII, build dashboards and monitoring tools for compliance, create policies, and ensure that data is protected and business obligations are met.

Our Privacy and Security Services Include:

  • US federal, state and international privacy and data breach/security compliance requirements, including compliance programs for GDPR, CCPA, PIPEDA, HIPAA, and the Brazilian LGPD.
  • Data inventory, mapping and flows.
  • Privacy impact and risk assessments.
  • Security assessments.
  • Guidance on data protection, minimization and de-identification.
  • Breach notification and incident response programs.
  • Vendor risk assessments.
  • Privacy program documentation, policies, and procedures.
  • Compliance dashboards and actionable work plans.
  • Training.

Privacy News


California Consumer Privacy Act

CCPA went into effect 1/1/2020 with an anticipated enforcement date of 6/30/2020.

Draft rulemaking has been issued by the AG.

Washington Privacy Act

Once again, Washington has failed to pass the Washington Privacy Act.

The legislature did pass Engrossed Substitute SB 6280, which regulates the use of facial recognition.

NY S5575B

Signed by the Governor on July 25th, 2019, effective October 25th, 2019.

Some key points:

  • Expands the definition of PII overall and includes biometric information.
  • Expands unauthorized access to include access by persons without authorization who have viewed information.
  • Requires that a written determination of harm be performed for all incidents and retained for a minimum of 5 years. The AG must be notified within 10 days of a determination of no harm if more than 500 NY residents are affected.

Expands and defines requirements for “reasonable security measures”, aligning them with the ISO 27001 standard, to include:

  • designation of one or more employees responsible for the security program,
  • staff training,
  • security assessments of network and system design and data storage,
  • assessment of service providers' privacy and security standards and practices, and inclusion of privacy and security requirements in contractual agreements with providers,
  • regular testing of systems and vulnerabilities,
  • disposal of information within a reasonable time after it has met its business purpose/retention requirement.

Areas to Watch


US State Security / Breach Notification Requirements

Stricter requirements for breach notification and security continue to be passed by US state legislatures. Trends in passed and proposed regulations include:

  • An expanded definition of what is considered sensitive data / PII.
  • Deadlines for reporting breaches to affected individuals and to state AGs.
  • Increased information required in breach notifications.
  • Required credit monitoring or notification.

Other Areas

  • New York Senate Bill S5642 (Privacy Act)
  • FTC guidance on security requirements (expected this fall)
  • US federal, state and city proposed legislation on the privacy and security of biometric data and the use of facial recognition technology
  • State requirements for data broker registration and disclosure of data practices
  • State ISP data protection, sharing/selling, and privacy requirements
  • NIST draft privacy framework (open for comment)
  • Thailand Data Protection Act (goes into effect May 27th, 2020)
  • Turkey: updated requirements for data processing and retention from the Data Protection Authority
  • Canada: trans-border restrictions and notification requirements on PII
  • China: proposed Privacy Protection Act (open for comment until June 28th, 2019)

Contact Us

For information on how Haystack can help you meet your IG, privacy and compliance needs, contact us at:

253 631-1509