Credit card numbers, medical records and bank account details — these types of personal information are routinely compromised, so much so that news of data breaches isn’t new anymore. They occur at nearly every type of organization, from email providers and major retailers to banks and government agencies.
The magnitude of these breaches leaves organizations accountable for more than simply improving data protections. The public and regulators expect full disclosure, and they expect it soon after an enterprise becomes aware of an incident. Three new privacy rules will put their ability to do so to the test:
- The European Union (EU) General Data Protection Regulation (GDPR): Authorities must be alerted within 72 hours of a breach and, unless the data was sufficiently protected, organizations must inform individuals.
- China cybersecurity law: Both users and the authorities must be notified promptly of data breaches or loss of personal data.
- New York state cybersecurity law: Authorities must also be notified within 72 hours of any data breach, but New York specifies those that impact a regulatory government agency or have a reasonable likelihood of materially harming the organization.
“ In addition to faster notifications, the new laws require organizations to provide data breach response plans”
Keeping up with the ever-shifting landscape of data privacy regulation is always a challenge, but in 2018, this promises to be especially difficult. This is compounded by the fact that few organizations have measures in place to comply with all three new regulations. To get ready, they should focus their efforts on the three areas below.
In addition to faster notifications, the new laws require organizations to provide data breach response plans. The EU and China mandate that notifications include details on steps taken to address the compromised information. New York state law, which is specific to the financial services industry, requires organizations to have a written response plan from the outset.
- Test data breach response plans. It’s important to do so at least once a year. It’s the only way to know if they work. Conduct large-scale drills that include all key participants, as well as smaller, quarterly tests with just the top privacy executive and the chief information security officer. The latter will speed up reaction times.
- Know the answer to critical questions. Who are the backup personnel should point people be unavailable? Are there adequate resources? Also key is knowing whether or not the means to execute the response plan exist and are fully functional, such as printing notifications or staffing a hotline.
Learn more: Legal and Compliance Leaders Role in Data Protection
Managing third-party risk is a significant challenge for organizations. The risk is spread throughout an enterprise; the average organization works with 5,000 different vendors. That makes it exceedingly difficult to ascertain ownership of data. Vendors were responsible for nearly half of the data breaches in 2015, therefore, organizations must be able to identify and understand potential vulnerabilities.
- Foster interdepartmental collaboration. Collaboration provides a clearer, more holistic view of an organization’s vendors, which pose the greatest risk and their organizational purpose. For example, those in procurement should work with their peers in privacy to create a matrix that identifies high-risk suppliers.
- Embed privacy risk into the vetting process. Include smaller vendors, which are sometimes overlooked. They can be high risk, as they spend less time and money on cybersecurity and employee training. Legal and compliance may also need to update vendor contracts and make sure new ones reflect the requirements of the new privacy laws.
Governance is a crucial component of all three new regulations. Each requires organizations to appoint a person or team of people who will be held accountable for the change in rules.
- Data protection officer (DPO). Under the GDPR, certain organizations must, in most cases, hire or appoint a DPO. The EU strongly recommends that all organizations appoint either a DPO or chief privacy officer, even if they are not required to do so. The role ensures that information across the enterprise is collected, used and disposed of properly.
- Chief information security officer (CISO). New York mandates that firms under its rule appoint a CISO. China has a similar mandate, as it requires organizations to set up “specialized security management bodies and persons responsible for security management.”