It’s a tough and unforgiving world out there. In this era of compliance, with regulations like Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX) and Payment Card Industry Data Security Standard (PCI/DSS), companies and organizations need to be careful about how they acquire, store and share or release data, especially as it pertains to identity, financial or medical activities and results. This requires extraordinary attention to the means and mechanisms used to collect such data, but also to the ways in which such data might be stolen, lost or damaged.
In legal terms, due diligence entails taking reasonable steps to satisfy a legal or regulatory requirement, especially in buying or selling items of value. Clearly confidential, proprietary, private or sensitive data falls under the heading of items of value. That means that the law and regulations require those who hold, or are responsible for, such information to take reasonable steps to protect and preserve data. They must also take any of a number of mandated steps to ensure that such data remains safe from unwanted or unauthorized access or disclosure, as well as damage or loss.
Where Risk Management Comes Into Play
Risk management is a formal business discipline that relies on the forecasting and evaluation of financial risks, along with identification and (where economically feasible or warranted) implementation of procedures to avoid or minimize their impact.
For data privacy and protection, this means formulating a picture of the kinds of losses that could occur if data were to be stolen, lost or damaged, including applicable fines and penalties, as well as out-and-out financial losses, opportunity, remediation and other costs associated with repairing the breach and making all affected parties whole in its wake.
From a risk management perspective, the penalties that can result from unwanted or unauthorized disclosure of personal information – up to 20,000 Euros per person affected, according to GDPR – make it imperative to perform due diligence in protecting such data. At such cost, incurring lesser costs to put the most stringent and effective controls and protections in place make absolute financial sense.
Likewise, the risks from losses of such potential magnitude (a medium-sized company with 100,000 European customers could be liable for up to 20 billion Euros in GDPR-related penalties if that entire customer base were to become available to unauthorized third parties) also argue that companies should obtain data protection insurance as well.
Interestingly enough, the conditions that attach to obtaining data protection insurance also require holders to perform due diligence to make sure that their data is properly acquired, housed, transmitted and shared under tightly controlled conditions. Such insurance invariably includes regular security audits, penetration testing (including both technical and social engineering attacks) and ongoing remediation and repair commitments.
The incentives to practice due diligence and perform risk management to ensure data privacy and protection have always been there. But with the introduction of GDPR on May 25, 2018, the stakes have definitely gone up. Prudent companies would do well to review their current security practices, processes and procedures, and to redouble their efforts to make sure they comply with all applicable laws and regulations. Anything less is just asking for trouble and losses!
What Can (and Should) Organizations and Security Professionals Do?
The first step to staving off potential risks and exposures always starts with an assessment of the current situation. And, in fact, there are plenty of GDPR assessment checklists and tools available. A recent CSO Magazine article lists no less than 14, in fact.
Once security or privacy professionals get a handle on their current status vis-à-vis GDPR and other compliance regimes, it’s time to start the entry process into the regulatory life cycle:
- Prioritization and planning
- Implementation of a response
- Integration of related tools, technologies, audits, processes and procedures to integrate compliance into normal operations
The first steps toward achieving compliance are usually big ones and may require substantial time and effort. But after that, it’s just a matter of sticking to a regular routine to maintain compliance, meet reporting requirements and keep up with changes to governing regulations and day-to-day tools and operations.
Get the skills needed to protect your organization with the CompTIA Cybersecurity Career Pathway.
