Privacy and security


Protecting data from loss or breach continues to be a high priority, as is compliance with recent and emerging privacy and security regulations. We work with you to identify compliance requirements, identify and protect PII, build dashboards and monitoring tools for compliance, create policies, and ensure data is protected and business obligations are met.

Our Privacy and Security Services Include:

  • US Federal, state and international privacy and data breach/security compliance requirements including compliance programs for GDPR, CCPA, PIPEDA, HIPAA, and the Brazilian LGPD.
  • Data inventory, mapping and flows.
  • Privacy impact and risk assessments.
  • Security assessments.
  • Guidance on data protection, minimization and de-identification.
  • Breach notification and incident response programs.
  • Vendor risk assessments.
  • Privacy program documentation, policies, and procedures.
  • Compliance dashboards and actionable work plans.
  • Training.

Privacy News



CCPA goes into effect 1/1/2020 with an anticipated enforcement date of 6/30/2020. The California AG has announced that guidance for compliance with CCPA requirements will be issued in the fall of 2019. There are several amendments to CCPA working their way through the CA legislature, some of which will impose additional requirements.

Proposed amendments:

  • AB-1202  Would require data brokers to register with the Attorney General (AG), and would additionally require the AG to create a publicly available registry of data brokers on its website.
  • AB-25  Exempts data collected and used solely for employment purposes.
  • AB-1281  Requires clear and conspicuous posting of notices at all entrances if facial recognition is used.
  • AB-873  Removes information that identifies a household from the definition of PII.
  • AB-1564  Requires that 2 or more methods are made available to consumers to submit requests for information including prominent posting and form if the company has a website.
  • AB-981  Exempts insurance institutions and agents that are subject to the Insurance Information and Privacy Act.
  • AB-1035  Requires breach notifications in the most expedient time possible but no more than 45 days.

Nevada SB 220

Nevada amendment goes into effect 10/1/2019.  Under the new law, covered operators must provide consumers with the right to opt-out of the “sale” of their personal information by website operators. Notice must be provided by a designated email, toll-free phone, or website address to submit opt-out requests for selling information. Operators will have 60 days to respond to “verified requests” to opt-out.

NY S5575B

Signed by the Governor July 25th 2019, effective October 25th 2019.  

Some key points:

  • Expands the definition of PII overall and includes biometric information.
  • Expands unauthorized access to include access by persons without authorization that have viewed information.
  • Requires a written determination of harm be performed for all incidents and retained for a minimum of 5 years. The AG must be notified within 10 days from determination of no harm if more than 500 NY residents are affected.


Expands and defines requirements for “reasonable security measures” aligning them with the ISO 27001 standards to include: 

  • designation of one or more employees responsible for security program, 
  • staff training, 
  • security assessments of network and system design and data storage,
  • assessment of service providers for privacy and security standards and practices and requires inclusion of privacy and security requirements in contractual agreements with providers,
  • regular tests of systems and vulnerabilities, 
  • disposal of information within a reasonable time after it has met its business purpose/retention requirement.

Areas to Watch


US State Security / Breach Notification Requirements

Stricter requirements for breach notification and security continue to be passed by US State Legislatures.  Trends in passed and proposed regulations include:

  • An expanded definition of what is considered sensitive data /  PII.
  • Time to report breaches to affected individuals and to State AGs.
  • Increased information required in breach notifications.
  • Required credit monitoring or notification.

Other Areas

  • New York Senate Bill S5642 Privacy Act
  • FTC guidance for security requirements (expected this fall)
  • US federal, state and city proposed legislation on the privacy and security of biometric data and use of facial recognition technology
  • State requirements for broker registration and disclosure of data practices
  • State ISP data protection, sharing/selling, and privacy requirements
  • NIST draft privacy framework (open for comment)
  • Thailand Data Protection Act (goes into effect May 27th 2020)
  • Turkey updates on requirements for data processing and retention from the Data Protection Authority
  • Canada trans-border restrictions and notification requirements on PII
  • China proposed Privacy Protection Act (open for comment until June 28th 2019) 

Contact Us

For information on how Haystack can help you meet your IG / Privacy and compliance needs contact us at:

253 631-1509