Understand New Privacy Laws: Guidance for Organizations

January 23, 2024 | By IANS Research

As part of Data Privacy Week, IANS Faculty offer tips and insights focused on data integrity, to ensure that policies are in place that manage, control and protect both personal and organizational data. In this feature, Rebecca Herold discusses common privacy challenges and the challenges created by new data protection legislation, and provides best practices to make the compliance process more efficient and effective.

Q&A with IANS Faculty member, Rebecca Herold

Rebecca Herold is Founder, Owner, and CEO of Rebecca Herold, LLC aka The Privacy Professor®, an information security, privacy, IT, and compliance services firm. She also co-founded Privacy Security Brainiacs, a SaaS platform, in early 2020 with her oldest son, Noah. Rebecca also serves as a Distinguished Ponemon Institute Fellow and as an Advisory Board Member for multiple technology businesses and startups. Additionally, Rebecca serves as an expert witness for diverse cases, is an advisor on multiple high school and college/university curriculum and program boards, and hosts a VoiceAmerica radio show called “Data Security & Privacy with the Privacy Professor.”

For the past few decades, organizations have been struggling with how to better protect personal and sensitive data while trying to comply with the growing number of legal requirements for using and managing it. New security and privacy laws and regulations continue to be added across the globe, in addition to the revamping of old ones, making the task all the more difficult.


What’s the current state of most orgs’ data protection programs and how are the new privacy laws affecting them?

Rebecca: Most organizations are lagging behind in meeting all the compliance requirements of new legislation. US organizations, and organizations in other countries, in non-regulated industries often aren’t aware of all their other compliance obligations created throughout the past decade, such as those of the US states and territories, that are applicable to all types of organizations handling their residents’ personal data.

For organizations that are B2B businesses, most of the small-to-medium-sized organizations simply don’t know (or, as hundreds of them have told me, don’t believe) that they need to follow the data protection legal requirements of the clients who are entrusting them with access to personal data. For example, throughout twenty years of helping hundreds of healthcare covered entities (CEs) and many more of their business associates (BAs), a majority of the BAs have told me at first meetings that they don’t have to comply with HIPAA. A significant portion of the others tell me they don’t have to comply with any part of HIPAA except for the technical requirements. It is similar within other regulated and non-regulated industries. This is slowly improving, but often not until after one of their clients cancels their contract because of their non-compliance, or following a breach within the contracted organization.

For organizations in regulated industries, particularly financial and healthcare, the larger organizations have been trying to keep up with all the new regulations while also complying with the long-standing regulations. Most of them struggle to find the experienced staff they have told me they would like to hire (to drastically reduce position training and have people able to “hit the ground running”) to fulfill all the requirements, after synthesizing all the requirements down to the most stringent necessary across all their legal obligations.

The small-to-medium-sized businesses also struggle. I still find many who indicate that they are doing some of the requirements and think that will be enough to show effort if they ever get audited. However, beyond that being an incorrect belief, it also leaves them vulnerable to mistakes, insider threats, and outside threats that will exploit their business ecosystem’s vulnerabilities, and at great risk of security incidents and privacy breaches.


Why should organizations work now to build best practices for data protection?

Rebecca: Establishing best practices around data protection has multiple benefits for organizations. Some of the most valuable include:

  • Not only will organizations be supporting a wide range of compliance requirements, but they will also be mitigating the risks within their environment.
  • As a result of mitigating their risks, they will be preventing privacy breaches and security incidents.
  • Any clients, customers, regulators or auditors will consider these actions to be good security and privacy due diligence practices.
  • These practices can be used to support better cybersecurity insurance rates from a wide range of insurers.
  • Such practices strengthen the organization’s defense in any lawsuit accusing it of not following expected security and privacy standard practices.
  • These actions, particularly education activities and awareness tools, will improve personnel behavior by increasing the understanding of all the personnel involved in performing actions to implement and support the core practices. This ultimately helps to prevent mistakes that cause security incidents and privacy breaches, along with increasing awareness of security or privacy problems that need to be investigated.
  • The practices also, through documentation, established responsibilities, and education, increase the capacity for holding personnel accountable for their actions.



Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
