Security compliance protects assets, builds trust
Data security is more important than ever, and, especially in light of recent high-profile breaches, companies need to take data security compliance seriously.
March 24, 2014 at 08:00 PM
Think about the last time you flew. Chances are, you didn't give a lot of thought to the engine of the plane. Yet, if that engine had malfunctioned, if something had gone wrong, then you certainly would have known about it. The engine is the hidden core of the plane, and it requires constant maintenance, updates and oversight. When you step foot on that giant steel tube, you put your trust in the airline and the pilot. If something goes wrong, you'll likely be in serious trouble.
Everything that is true about an airplane engine is true about data security, at least according to Scott Taylor, vice president and chief privacy officer at Hewlett-Packard. He fully understands that data security is more important than ever, and, especially in light of recent high-profile breaches, companies need to take data security compliance seriously.
Guarding the castle
One reason for the increased importance of data security is the nature of our connected world. With the advent of the “Internet of things,” more and more devices are connected to networks and infrastructure, which allows for more potential points of entry for hackers. Taylor imagines a castle. “If the castle has one door, you have one thing to protect,” he explains. “If it has 50 doors, you have multiplied the potential for vulnerability, especially when those gates are guarded by different people.”
In addition to the growing number of access points that hackers can exploit, there is also an increasing number of unscrupulous individuals, ready to take advantage of vulnerabilities.
“This is a growing concern for all companies,” says Chris Salsberry, senior director at Huron Consulting. “Due to a more global presence in business sectors, companies deal with competitors and corporate threats, new actors, aggressive actors and nation states trying to steal proprietary data.” This has resulted in a rise in global incidents of cyber-related threats. And in response to those threats, companies need to take action.
A series of recent, high-profile data breaches has shaken the confidence of consumers, and when consumers get concerned, the government tends to step in. Highly publicized breaches led to regulation in California, which now requires companies to notify affected individuals when there has been a data breach. This, according to Taylor, led to major improvements across sectors.
Here and abroad
Unfortunately, while the California laws might be strong, there are no clear, consistent federal regulations to govern data security across sectors. While 48 states have data breach laws, and many of these laws have followed California's lead, the federal laws that exist are primarily sectoral, such as those that regulate the healthcare or payment card industries.
There have been attempts to create a federal omnibus law in the past, such as in 2007 with Barton and Stearns and 2011 with Kerry and McCain, but neither effort proved fruitful. Of course, large companies have more than just the United States to worry about. Now, with global communications, cloud computing and data storage, international businesses must gauge their data security compliance programs against frameworks from around the world.
Take Europe, for instance. While the continent may seem unified, Taylor explains that this is not necessarily the case. “Germany is different from France and Spain and Italy, etc. Each law is anchored to a directive, but there are individual interpretations,” he says.
In this respect Europe resembles the United States: there are many different standards to navigate. Other regions add still more, with Latin American countries tending to emulate European standards and Asian countries creating new standards all the time.
While the variety of standards may be daunting, Salsberry points out a few simple steps that businesses can take to at least ensure they are on the right path, starting with scrutinizing the international companies they do business with.
“What is the overall relationship with that entity? Look at it from a cyber intelligence perspective,” he recommends. “Take the regional perspective from around the globe, combine it with an understanding of the profile of that company, its cyber posture, the infrastructure of the company.” Ensuring that the company is using proper protocols and cyber chains will give you peace of mind that you are not giving guardianship of one of your castle doors to the wrong soldiers.
Dealing with the inevitable
As companies become more dependent on cloud and distributed environments, they are opening doors to vulnerability, and therefore the challenges of data security will only increase. This will lead to jurisdictional questions, cautions Taylor, as assigning responsibility for data that rests in the cloud is not always as clear-cut as it seems.
And, while the U.S. struggles with its patchwork of state and sectoral regulations, it's likely that companies are dealing with a matter of “when” rather than “if.” In that case, Taylor cautions general counsel to be prepared. This includes thinking through all aspects of a data breach, up to and including crisis planning and processes. He recommends getting the chief privacy officer involved, because, even though security and privacy are not the same thing, “Without security, you cannot protect privacy. Privacy is about the collection and appropriate use of data, while security is about ensuring the right people have access and the wrong people don't.”
In addition to the CPO and GC, Salsberry recommends that the cybersecurity team maintain open lines of communication with the chief information officer and the chief financial officer as well.
“You need a comprehensive plan that includes a process to deal with the breach, a process to make sure there is a constant need for improvement in that plan, one that is driven by all the players involved at different levels. Corporate buy-in is key in making that happen.”
The future
Without a doubt, breaches will continue, whether through skilled attackers, innocent accidents or insufficient controls. However, Taylor has seen the California regulation lead to improvements, with fines, actions levied by regulators and incentives for better control.
Taylor also sees the role that social responsibility will play in data security, as nations start to realize their laws are lagging and that accountability is called for. He sees more companies leveraging CPOs, as privacy will no longer be considered a part-time duty. With the challenges posed by Big Data combined with an increased focus on governance, companies need to develop comprehensive programs whether or not there are tight federal regulations. Taylor suspects such programs will be rooted in social responsibility initiatives.
While there are more and more gates to each castle, perhaps the solution is not to hire more guards, but rather to empower the residents of the castle to work together to protect it from attacks. Then, when data security breaches are handled at the edges, the core of the castle—its secret engine—can continue working as planned, keeping customer trust as secure as its data.