Ask the MSPmentor: Cyxtera’s Tina Gravel on Privacy Laws, Protecting Personal Data
Sensitive data is everywhere. With attacks becoming more frequent and intricate, and organizations becoming more mobile, the need for advanced data privacy and security solutions has reached – nay – surpassed critical.
Regulators in France recently cited GDPR in fining Google $57 million, and the U.K.’s Information Commissioner’s Office is seeking a $230 million fine against British Airways and a $124 million fine against Marriott. Facebook is setting aside $3 billion to cover the costs of a privacy investigation launched by U.S. regulators.
Taking into consideration some of the new guidelines, standards and compliance laws, either already in place or soon to be put into effect, what are the implications for organizations, and what can you do to protect yourself and your customers’ data?
Channel Futures and the MSP 501 initiative recently launched a new program, the 501er Community. This community is designed to engage MSPs in a dialogue about best practices stemming from the MSP 501 data, as well as provide networking events and educational opportunities.
As part of this program, we have engaged more than a dozen industry leaders as MSPmentors. These influencers include analysts, channel chiefs and renowned consultants. In this series, we present questions posed in the 501er Community discussion group and ask our Mentors to provide detailed answers.
In this “Ask the MSPmentor” Q&A, we get thought leadership from Tina Gravel, global senior vice president of channels at IT infrastructure provider Cyxtera.
501er Community: We got called into a prospect who had a ransomware attack take them down a few weeks back. Of course, the current provider didn’t have a solid continuity plan in place. After conversation, it came out that the attack had launched through the current provider’s system (likely one of the recent attacks utilizing an unsecured RMM platform). This is a small shop, a one-man band. What’s the opinion on some sort of regulation coming down as a result of rampant issues like this, forcing some sort of best practices — aka CFR45-type regulation? Likely? Not likely?
Tina Gravel: There are privacy laws in place, such as the California Consumer Protection Act (CCPA) that just went into effect, to protect personal data much like the General Data Protection Regulation (GDPR), which was created to protect the privacy of individuals within the European Union.
Do these types of laws work? I think they do, to a point. Will legislation encourage firms to be more careful of how they store, transmit and access personal information? Yes, we have seen how CFR 45 Part 164 Subpart D (more commonly known as HIPAA law) has done that for manual processes in hospitals and physician offices. Thankfully, no longer do you hear, “Paging Mr. Jones for his bunion surgery!”
But, as with any law, the devil is in the details. Will there be whole groups that do not qualify for the regulations? Here are some of the provisions for the California law, per the Proskauer privacy law blog:
The (CCPA) Act will apply to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information. The Act also draws in corporate affiliates of such businesses that share their branding. That means that not-for-profits, small companies, and/or those that do not traffic in large amounts of personal information, and do not share a brand with an affiliate who is covered by the Act, will not have to comply with the Act.
Many firms will not be required to comply. My other concern is that …