[BreachExchange] Data Privacy Has Become a Bigger Blip on the CCO Radar

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 6 19:13:47 EST 2018


Data privacy laws have evolved dramatically, with an increase in
enforcement of updated regional and US state-specific laws. The financial
and reputational impact of data privacy now feels very new to many legal,
IT and compliance teams. Understanding the nuances of these privacy laws
is increasingly complicated. Adopt a strategy through which you view your
data across all geographic locations where you do business, store data or
utilize vendors.

Developing and monitoring data management practices is key to any privacy
compliance program. Know how and where you are storing data, whether it is
moving across borders, and if data localization regulations apply. Consider
how your privacy practices will be replicated and managed in all countries.
The protection systems you are building will not always be sufficient
across all jurisdictions and can actually increase data vulnerability.


Data breaches aren’t just a US phenomenon. Although we have been seeing
breaches at a higher volume and scale in the US, this is a global concern.
The key is to plan, prepare and then plan some more.

What You Need to Know:

» Policy & Procedure Resilience: Know how your policies and procedures will
perform in a data breach. Are they comprehensive enough to combat the
complexity of modern attacks and human errors? Test your policies and
employee knowledge.

» Cross-Jurisdictional Breach: Breaches that affect a variety of data sets
and/or regions make prevention and containment exceptionally difficult.
Understand where your data is, regardless of location, and the unique
regulations that apply so you can respond quickly.

» Crisis Communications Plan: In the event of compromised data, you should
inform your employees, the public, and shareholders in a thoughtful and
accurate way. Data privacy is about building trust, so having an effective
crisis communication plan will help your organization be responsive and
transparent in an effort to preserve the trust of your people.


Vendors can often be a serious concern for data privacy, with potential
loss or vulnerability of your organization's data. Companies of all sizes
are being targeted by cyber attacks as a way to infiltrate connected third
parties and work their way up the supply chain.

What You Need to Know:

» Vendor Privacy: Ensure privacy is part of every vendor agreement. Embed
privacy protocols into vendor management programs instead of developing and
implementing a separate privacy program altogether.

» Audit & Notification Rights: With vendors, you don’t always know when a
risk arises, so the opportunity for prevention and containment is reduced.
Require vendors to notify you of any breach, or suspected risk, associated
with the data they have or access. Retain the right to audit the data
practices of each vendor to ensure they meet your privacy standards.

» Indemnification: Your vendor agreements should ensure that your third
party indemnifies you appropriately for losses.