Privacy and security


Protecting data from loss or breach continues to be high priority as is compliance with recent and emerging privacy and security regulations.  We work with you to identify compliance requirements, identify and protect PII, build dashboards and monitoring tools for compliance, create policies, and ensure data is protected and business obligations are met. 

Our Privacy and Security Services Include:

  • US Federal, state and international privacy and data breach/security compliance requirements including compliance programs for GDPR, CCPA, PIPEDA, HIPAA, and the Brazilian LGPD.
  • Data inventory, mapping and flows.
  • Privacy impact and risk assessments.

  • Security assessments.
  • Guidance on data protection, minimization and de-identification.

  • Breach notification and incident response programs.

  • Vendor risk assessments.
  • Privacy program documentation, policies, and procedures.

  • Compliance dashboards and actionable work plans.
  • Training.

Privacy News


California Consumer Privacy Act

CCPA goes into effect 1/1/2020 with an anticipated enforcement date of 6/30/2020.  

2019 CCPA amendments signed by the Governor 10/11/2019:

  • AB-1202  Requires data brokers to register with the Attorney General (AG), and additionally requires the AG to create a publicly available registry of data brokers on its website.  Violations are enforced by the AG.
  • AB-25  Exempts data collected and used solely for employment purposes from most CCPA provisions until 1/1/2021 providing it is collected / used only for the following purposes:  as a job applicant, employee of, owner of, director of, officer of, medical staff member of, or contractor of the business; the PI collected is emergency contact information of such individuals, and, the PI is necessary to be retained for the administration of benefits. Notices for data collection to employees are still required to be in place on 1/1/2020.
  • AB-1564  Requires that 2 or more methods are made available to consumers to submit requests for information including a toll free number and prominent posting and form if the company has a website.  An email address may be substituted for a toll free number to those businesses that operate exclusively on-line and have a direct relationship with a consumer.
  • AB-1355 Exempts for one year (1/1/2021) consumer information collected in connection with business-to-business communications and transactions from CCPA provisions. 

Draft Rule Making issued from the AG.  Comments due by December 6th 2019.

Nevada SB 220

Nevada amendment goes into effect 10/1/2019.  Under the new law, covered operators must provide consumers with the right to opt-out of the “sale” of their personal information by website operators. Notice must be provided by a designated email, toll-free phone, or website address to submit opt-out requests for selling information. Operators will have 60 days to respond to “verified requests” to opt-out.

NY S5575B

Signed by the Governor July 25th 2019, effective October 25th 2019.  

Some key points::


  •  Expands the definition of PII overall and includes biometric information. 
  • ·Expands unauthorized access to include access by persons without authorization that have viewed information. 
  • ·Requires a written determination of harm be performed for all incidents and retained for a minimum of 5 years. The AG must be notified within 10 days from determination of no harm if more than 500 NY residents are affected.


Expands and defines requirements for “reasonable security measures” aligning them with the ISO 27001 standards to include: 

  • designation of one or more employees responsible for security program, 
  • staff training, 
  • security assessments of network and system design and data storage,
  • assessment of service providers for privacy and security standards and practices and requires inclusion of privacy and security requirements in contractual agreements with providers. 
  • regular tests of systems and vulnerabilities, 
  • disposal of information within a reasonable time after it has met its business purpose/retention requirement.

Areas to Watch


US State Security / Breach Notification Requirements

Stricter requirements for breach notification and security continue to be passed by US State Legislatures.  Trends in passed and proposed regulations include:

  • An expanded definition of what is considered sensitive data /  PII.
  • Time to report breaches to affected individuals and to State AG's.
  • Increased information required in breach notifications.
  • Required credit monitoring or notification.

Other Areas

  • New York Senate Bill S5642 Privacy Act
  • FTC guidance for security requirements (expected this fall)
  • US federal, state and city proposed legislation on the privacy and security of biometric data and use of facial recognition technology
  • State requirements for broker registration and disclosure of data practices
  • State ISP data protection, sharing/selling, and privacy requirements
  • NIST draft privacy framework (open for comment)
  • Thailand Data Protection Act (goes into effect May 27th 2020)
  • Turkey updates on requirements for data processing and retention from the Data Protection Authority
  • Canada trans-border restrictions and notification requirements on PII
  • China proposed Privacy Protection Act (open for comment until June 28th 2019) 

Contact Us

For information on how Haystack can help you meet your IG / Privacy and compliance needs contact us at:

253 631-1509