Between a distinguished career as a U.S. Navy officer and various roles at IT and cybersecurity firms, Glen Day became the Los Angeles County Department of Health Services’ first chief privacy officer in 2002—a role tasked with overseeing HIPAA compliance for over a million medical patients.
At the time, governments and businesses alike were only beginning to understand the importance of privacy in a budding technological world, where data still straddled both analog and digital realms. Two decades later, the evolution of data storage and the cloud has turned companies into data hoarders. As a result, security breaches have become more sophisticated, and privacy compliance—from the European Union’s General Data Protection Regulation rules to California’s “right to be forgotten” law—has only increased.
“When you see companies dealing with these new ransomware attacks, it is a clear indicator that they've lost control of their data,” Day told dot.LA.
In 2018, Day founded NVISIONx, a Santa Monica-based cybersecurity startup that unveiled a $4.6 million seed funding round on Thursday. Boston-based Companyon Ventures led the round and was joined by investors Morgan Stanley Next Level Fund, SixThirty Ventures, Gutbrain Ventures, PBJ Capital and CreativeCo Capital.
NVISIONx’s “data risk intelligence” platform manages data storage and protection for enterprise clients, with the goal of helping them avoid cybersecurity breaches that could lead to regulatory fines or the loss of intellectual property. The startup has already garnered a handful of major corporate clients—most notably Meta Platforms, the company formerly known as Facebook, as well as San Diego-based fleet management software provider Platform Science.
NVISIONx’s platform examines every piece of data in a company’s repository, and takes stock of what is outdated and what is valuable and needs to be protected. The program then assesses who owns the valuable data, looks at what protocols are in place to protect it, and makes sure those protections are in line with federal, state and international compliance regulations.
Day said he was inspired by his work at accounting giant Ernst and Young. There, he oversaw cybersecurity and intellectual property protections for companies like Nike, Qualcomm and Monster Energy, which would often have large databases filled with consumer information and unpatented intellectual property. Some companies would struggle to sift through large volumes of data to protect individuals’ privacy, which could then open them up to large fines if a security breach was discovered. Others had pieces of intellectual property or research and development data scattered across unprotected data containers, leaving them vulnerable to data leaks.
By getting rid of outdated or unnecessary data, Day said, companies can save millions of dollars on the security engineers and data storage costs often required to babysit large volumes of information. “When you purge the junk, not only does it reduce your compliance scope and reduce your attack surface—it also will save you millions on a recurring basis,” he said.
The seed funding will go toward marketing costs, expanding NVISIONx’s technical offerings and integrations, and growing its sales team to garner more clients, Day added.
The Federal Trade Commission ordered TikTok, Snap, YouTube, Amazon and Twitter, along with four other social media and streaming sites, to turn over information about how they collect and use information about users.
The far-reaching probe is aimed at exposing the algorithms and other tools that have fueled the technology companies' growth and helped them penetrate so deeply into the American psyche.
"Policymakers and the public are in the dark about what social media and video streaming services do to capture and sell users' data and attention. It is alarming that we still know so little about companies that know so much about us," three Federal Trade Commissioners said in a joint statement.
Discord, Facebook, Reddit and WhatsApp were also named in the order.
In launching the probe, the three said it "will lift the hood on the social media and video streaming firms." These social media companies, they argue, turned from a force to connect people to one that is monetizing Americans' private lives for their own financial gain.
The orders were issued under a provision of the Federal Trade Commission Act, Section 6(b), that gives the commission authority to conduct wide-ranging studies that don't have "a specific law enforcement purpose."
The companies have 45 days to respond.
Neither TikTok, which is based in Los Angeles and owned by China-based ByteDance, nor Santa Monica-based Snap responded to a request for comment.
The orders come as big tech companies are under increasing scrutiny from policymakers.
The FTC slapped Facebook with an antitrust lawsuit last month that accused the social media giant of gobbling up rivals like Instagram to weaken competition. And in October, the Department of Justice brought a civil case against Google, accusing the tech giant of having an illegal monopoly on search functionality and its associated advertising.
"We have reached a point of maturity or sophistication and usage where it's time for the government to ask questions about what information is being collected and how it's being used," said Karen North, a former official at the White House Office of Science and Technology Policy during the Clinton administration. "Knowing there is so much information that's been collected, the question becomes how is it being used to manipulate people and is there the kind of transparency demanded by regulation of traditional media."
- The passage of California's Prop 24 will hit the data-broker industry hard and create a new state regulatory agency.
- The new law adds stringent legal requirements to how businesses collect and share consumer data.
- The new law is similar to Europe's GDPR law, which could give California businesses a leg up in dealing with European citizens' data.
The implications of California's new consumer data privacy law will ripple through the Golden State and potentially the nation, striking a large blow to the estimated $200-billion data broker industry and heralding a new industry that tracks down shared data and enforces its deletion, experts say.
Proposition 24 was overwhelmingly approved by voters Tuesday, just four months after state businesses were legally required to follow new consumer data privacy standards passed by the Legislature in 2018. The new California law, now the nation's strictest consumer data privacy law, adds even more stringent legal requirements to how businesses collect and share consumer data, ups penalties and potential liability, and sets up a new $10-million-per-year state agency to implement and enforce it.
More Compliance, and a New Industry to Track Down Data
"The companies are fatigued," said Jim Koenig, partner and co-chair for Fenwick & West LLP's privacy and cybersecurity practice. "Now there's another ballot initiative they have to prepare for as well [and] it's costing more money, more time and more staff focus."
Koenig said the new changes, especially in the nation's largest economy, create a "de facto baseline" on privacy for businesses nationwide because they "can't easily segregate out California customers from the rest of the customers in your program."
That means some companies may have to pick and choose what to comply with, depending on how much risk they are willing to take on, Koenig said.
In an interview with dot.LA Wednesday, San Francisco real-estate developer Alastair Mactaggart, who sponsored the new law, said he felt compelled because the Legislature could always be swayed by businesses that had already tried to gut massive portions of the 2018 law.
"Had this not passed, CCPA [the 2018 law] would have been unrecognizable in five years, for the worse," Mactaggart said. "Your and my expectations of what privacy [is] will change, the Legislature is in the right place for that. But there should also be something to counteract the trillions of dollars on the other side."
With that in mind, the new law includes a type of one-way ratchet that lets it be amended by a simple majority of the Legislature like any other law, as long as the amendments don't harm consumer privacy. Mactaggart's approach diverged from that of the sponsors of the newly passed gig worker measure Prop. 22. Part of that law requires a 7/8th majority in order to change its provisions.
"With all due respect, that's sort of saying I'm going to take my toys, go home, and my vision of the world is perfect," Mactaggart said. "We need something that moves with the times, and goes with the times."
Mactaggart said the new privacy agency's annual budget of $10 million should enable it to hire roughly 50 people, which is double the size of the state Attorney General's privacy enforcement staff and 25% more staff than what the Federal Trade Commission has for the entire country. The new law also removes a provision granting exclusive enforcement of the consumer privacy law to the state AG's office, enabling not just the new agency but also all 58 county district attorneys and major city attorneys to prosecute businesses in violation, Mactaggart said.
Because the law now holds companies responsible for ensuring that data they have shared with third parties or vendors is properly deleted upon request, experts say a new industry of companies will likely sprout up to help track down where data has gone. That's especially crucial with an estimated 5,000 data brokers worldwide, which can make tracking data down especially difficult.
These data brokers are largely unregulated and sell people's personal information for billions of dollars a year. They include large companies like the credit bureaus — Experian, Equifax and TransUnion — and other smaller firms that aggregate personal information from both public and private sources to sell to other companies for advertising, employment, financial and research purposes.
"A dedicated privacy authority is a game changer," said Gabriela Zanfir-Fortuna, senior counsel for global privacy at The Future of Privacy Forum, a Washington, D.C.-based think tank. "This is something that exists in most of all of the other countries that have comprehensive privacy laws and this is something that currently doesn't exist in the U.S. [There's] the FTC but the FTC has a very broad mandate, in antitrust, consumer protection and then it's also privacy focused."
A Leg Up for California Businesses on International Data?
Experts say the new law is very, very close to the European privacy standard known as GDPR, or the General Data Protection Regulation, touted by privacy experts as a gold standard. And that matters because it gives California a potential leg up in being deemed adequate under EU law to deal with European citizen data flows.
"California businesses are going to enjoy a tremendous advantage over businesses in other states, because the European regulators are going to be more permissive to businesses in a state with a rights-based framework and an agency to enforce it," said Chris Hoofnagle, faculty director of the Berkeley Center for Law & Technology.
Mactaggart believes that this advantage will lead businesses to want to locate servers in California and, ultimately, spur other U.S. states to move toward their own privacy law adoptions. He said he's had initial conversations with European experts who told him California's new law should pass muster in allowing state companies to deal with European data.
Of course, the U.S. and European Union would first need to work out concerns over the U.S. national security apparatus that came to light after the Edward Snowden revelations. In July, the European Court of Justice invalidated a U.S.-EU agreement on trans-Atlantic data flows over concerns about how the U.S. national security apparatus deals with European citizen data, and what independent oversight and recourse citizens have. That has left U.S. and E.U. businesses in a sort of legal limbo.
ACLU Opposition And American Appetite For Privacy
Prop. 24 was notable in that many of the organizations that opposed it, like the ACLU, did so because they wanted it to be even stronger.
Jacob Snow, a technology and civil liberties attorney for the ACLU of Northern California, said in a statement Wednesday the new law has "deep flaws" but "sends a clear message from California voters to the California legislature that they expect and demand action to protect their privacy and safeguard their fundamental privacy rights."
Snow said in a statement that it's time for the California Legislature to build on the new law to prohibit companies from charging more for privacy and impose substantial consequences on businesses that break its rules.
All the experts said it was likely that the new California law would put some fire under lawmakers in D.C. to take enacting a new privacy law more seriously.
On Tuesday, Michigan voters overwhelmingly approved — by nearly 89% — a state constitutional amendment that requires a search warrant to access any electronic communications, significantly upping the legal standard necessary to "probable cause." Meanwhile, Washington state lawmakers have again tabled discussion on a new Privacy Act for the third consecutive session, Zanfir-Fortuna said.
"There seems to be this appetite for more data privacy for Americans, especially when they are asked directly to vote on it," Zanfir-Fortuna said.
Many of the details of how California's Prop. 24 will work have yet to be determined. The new privacy agency will be stood up next year and the law won't go into effect until 2023. For many companies, the early rush to abide by the 2018 rule known as CCPA was frustrated by continual changes as it was finalized.
"There will be a wait-and-see [period]. Companies are going to want to know where to land the plane before they take off on their compliance efforts," Koenig said.
Mactaggart had one message for weary businesses: "If you've taken steps to comply with CCPA it's not like you have to throw it all out, that work is all necessary to comply with CPRA. Now you just need to do more."
How does Prop. 24 impact your business? Are you worried? Excited? Hit me up. My DMs are open on Twitter @latams. You can also email me at tami(at)dot.la, or ask for my contact on Signal, for more secure and private communications.