Navigating the Legal and Regulatory Landscape

As companies around the world adapt to comply with the EU’s General Data Protection Regulation (GDPR), legislators in the United States are under pressure from constituents to pass even more consumer privacy protection. That pressure increases with every major data privacy breach and has reached a point where the heads of major social media organizations were recently called to testify before the Senate Select Committee on Intelligence.

As of March 2018, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted breach notification laws — and recently, . Congress recently passed the Cloud Act, which allows governments to pursue the data of U.S. companies stored and serviced outside of the United States. And in the past year, five federal breach bills have been proposed (so far unsuccessfully) in the U.S. Senate.

The states have made it clear that they are serious. We’re seeing litigation and class actions against companies for failure to comply with privacy regimes — particularly where a breach has not been disclosed timely or a has been called into question. Uber, for example, recently agreed to pay $148 million to settle lawsuits brought by attorneys general in 50 states and the District of Columbia stemming from a 2016 breach and an executive decision to pay $100,000 “ransom” to hackers instead of reporting it to regulators and consumers in a timely manner, as required by law.

Government lawsuits and regulatory actions are often doubly harmful to the bottom line as costly fines and settlements can cause stock prices to fall, sparking a second round of lawsuits as shareholders seek redress.

The path to compliance isn’t always clear, and that adds to the confusion. For example, it can be difficult to harmonize security regulations, such as a mandate to purge consumer records on request, with legal precedent requiring records retention. That’s likely to get worse before it gets better, as new breaches prompt regulatory actions that will lead to additional guidance that hasn’t been written yet.

With so many regulatory variables yet to be solved for when it comes to data security and privacy, we recommend a strategy that balances security practices against data protection requirements. That means asking the right questions now, adopting the right privacy and security frameworks and taking proactive measures to align data privacy and security risks with risk appetite so that the organization will be ready for any surprises.

Board members should prepare by asking:

  • What should we protect?
  • Why should we protect it?
  • How does it fit into our architecture?

They should also ask: Why are we collecting this data? How long do we keep it? And why are we keeping it?

Companies must make sure they understand the laws — how they apply to them and their systems. In this, the company attorneys are natural allies. Whenever possible, requirements should be implemented in ways that improve, rather than complicate processes. There should be a reasonable strategy with appropriate controls to prioritize and address legal obligations, and a program or team tasked with staying abreast of new and emerging regulations. Finally, organizations should identify the data security risks that are outside of their acceptable risk range and add controls as needed.

Data security and privacy compliance is a top concern for most companies, and will remain so for the foreseeable future. Our Technology practice released a series of webinars to discuss recent developments in that space, starting with a focus on the evolving legal and regulatory landscape. You can register to listen to the webinar replay, and follow future discussions by subscribing to this blog.

Diana Candela

Associate Director
Technology Consulting – Security and Privacy

Jeffrey Sanchez

Managing Director
Security and Privacy

Joel Wuesthoff

Managing Director
Legal Consulting

Subscribe to Topics

Many often overlook the potential impact—both positive and negative—a #TechnModernization project can have on operational #resilience. #ProtivitiTech's Kim Bozzella shares her thoughts with #Forbes Technology Council. https://ow.ly/1FLA50TYIaE

Establishing a scalable #AI #governance framework is crucial for balancing innovation with #risk and #compliance. Dive into our latest ebook, co-authored with #OneTrust, to explore key steps and technologies that will elevate your AI governance strategy. https://ow.ly/QqKy50TVUx3

News reports implied that China has managed to break "military grade" encryption using quantum computers. But the truth is more complicated than that. Protiviti's #quantum expert Konstantinos Karagiannis explains it all to #VISIONbyProtiviti. https://ow.ly/Zb9z50TWNuh

The #IIoT can help organizations collect and analyze data to optimize operations and maximize resources. #ProtivitiTech's Kim Bozzella details how IIoT can yield benefits for businesses and the people they serve with #Forbes #Technology Council. https://ow.ly/V5I250TVLAj

Protiviti has earned the AWS DevOps Competency, which complements our existing Migration and Security Competencies. These competencies reflect Protiviti's ability to deliver comprehensive AWS system integration services. https://ow.ly/Baj550TWR9I

#AWSDevOps #AWSCloud #AWS

Load More