This is the first in a series of three blog posts by Katabat’s Chief Information Security Officer, Arthur Haigh, examining the international data security regulatory environment. To read the other posts in this series, click here and here.
Do the words “data breach” make you flinch? Not unusual, these days. If you’re having nightmares about breaches, though, you might not just be one of the millions of victims of America’s most recent high-profile cybercrime. You might, like me, be CISO or CSO at a business with a reputation built around successfully protecting customers’ data.
When you oversee information security at a business, the success or failure of your initiatives depends on a complex, multi-layered approach. Every decision made by any one of your employees and vendors can be critical, from security guards neglecting to report a malfunctioning camera at a data center to a manager falling for a phishing scam.
But it’s much bigger than that. Factors outside your company—decisions made by government agencies and even supranational organizations like the European Union—have immense impact on data privacy and security outcomes. The United States has been reluctant to implement national regulations on data privacy and security outside of specific sectors (like HIPAA in medicine). In the wake of the latest high profile breach that compromised the personally identifiable information (PII) of an estimated 143 million people in North America, though, lawmakers are undoubtedly going to consider the examples of Australia and the EU, which is in the process of rolling out the 2016 General Data Protection Regulation (GDPR). Like the earlier EU data protection rules, which date back to 1995, the GDPR gives the force of law to central practices of data privacy: store only necessary data, keep it secure, and destroy it when it does not need to be stored any more. Businesses can incur stiff fines for poor security practices. Customers also gain more rights over their data privacy.
The law of unintended consequences suggests that even well-planned regulations can have harmful side effects. For example, the letter of the law can mandate obsolete practices, or a maze of regulations can burden small businesses that don’t have robust compliance teams. If the United States moves in a similar regulatory direction as Europe and Australia, though, that could be a positive for organizations with a worldwide presence, since the regulatory hurdles would be more similar across markets.
Many businesses have dealt with regulation by outsourcing some data protection and compliance functions to companies with a track record of data security excellence. At Katabat, we provide software-as-a-service (SaaS) solutions that help companies gain and maintain greater control of their data assets. It’s much easier to develop intelligent security strategies when you know exactly what data you have to protect, from the moment it is generated to the end of the record retention lifecycle. We pride ourselves on our impeccable record of protecting our clients’ data, and our PCI DSS 3.2 Level 1 certification speaks to that. It’s a never-ending process to keep ahead of the curve on regulatory compliance and threat prevention. In my next posts, I’ll outline what I think the data protection conversation in America could gain from looking to Europe and Australia.
Reach out to me at email@example.com for more information about how Katabat can help your enterprise enhance its compliance.