Security compliance protects assets, builds trust
Data security is more important than ever, and, especially in light of recent high-profile breaches, companies need to take data security compliance seriously.
March 24, 2014 at 08:00 PM
13 minute read
Think about the last time you flew. Chances are, you didn't give a lot of thought to the engine of the plane. Yet, if that engine had malfunctioned, if something had gone wrong, then you certainly would have known about it. The engine is the hidden core of the plane, and it requires constant maintenance, updates and oversight. When you set foot on that giant steel tube, you put your trust in the airline and the pilot. If something goes wrong, you'll likely be in serious trouble.
Everything that is true about an airplane engine is true about data security, at least according to Scott Taylor, vice president and chief privacy officer at Hewlett-Packard. He fully understands that data security is more important than ever, and, especially in light of recent high-profile breaches, companies need to take data security compliance seriously.
Guarding the castle
One reason for the increased importance of data security is the nature of our connected world. With the advent of the “Internet of things,” more and more devices are connected to networks and infrastructure, which allows for more potential points of entry for hackers. Taylor imagines a castle. “If the castle has one door, you have one thing to protect,” he explains. “If it has 50 doors, you have multiplied the potential for vulnerability, especially when those gates are guarded by different people.”
In addition to the growing number of access points that hackers can exploit, there is also an increasing number of unscrupulous individuals, ready to take advantage of vulnerabilities.
“This is a growing concern for all companies,” says Chris Salsberry, senior director at Huron Consulting. “Due to a more global presence in business sectors, companies deal with competitors and corporate threats, new actors, aggressive actors and nation states trying to steal proprietary data.” This has resulted in a rise in global incidents of cyber-related threats. And in response to those threats, companies need to take action.
A series of recent, high-profile data breaches has certainly shaken the confidence of consumers, and when consumers get concerned, the government tends to step in. Highly publicized breaches have led to regulation in California, which now requires that companies provide notifications when there has been a data breach. This, according to Taylor, led to major improvements across sectors.
Here and abroad
Unfortunately, while the California laws might be strong, there are no clear, consistent federal regulations to govern data security across sectors. While 48 states have data breach laws, and many of these laws have followed California's lead, the federal laws that exist are primarily sectoral, such as those that regulate the healthcare or payment card industries.
There have been attempts to create a federal omnibus law in the past, such as in 2007 with Barton and Stearns and 2011 with Kerry and McCain, but neither effort proved fruitful. Of course, large companies have more than just the United States to worry about. Now, with global communications, cloud computing and data storage, international businesses must gauge their data security compliance programs against frameworks from around the world.
Take Europe, for instance. While the continent may seem unified, Taylor explains that this is not necessarily the case. “Germany is different from France and Spain and Italy, etc. Each law is anchored to a directive, but there are individual interpretations,” he says.
In that respect Europe resembles the United States: there are many different standards to navigate. There are also a number of other international standards, with Latin American countries tending to emulate European standards and Asian countries creating new standards all the time.
While the variety of standards may be daunting, Salsberry points out that there are a few simple tips that businesses can keep in mind to at least ensure that they are on the right path, starting with considering the international companies that they do business with.
“What is the overall relationship with that entity? Look at it from a cyber intelligence perspective,” he recommends. “Take the regional perspective from around the globe, combine it with an understanding of the profile of that company, its cyber posture, the infrastructure of the company.” Ensuring that the company is using proper protocols and cyber chains will give you peace of mind that you are not giving guardianship of one of your castle doors to the wrong soldiers.
Dealing with the inevitable
As companies become more dependent on cloud and distributed environments, they are opening doors to vulnerability, and therefore the challenges of data security will only increase. This will lead to jurisdictional questions, cautions Taylor, as assigning responsibility for data that rests in the cloud is not always as clear-cut as it seems.
And, while the U.S. struggles with its patchwork of state and sectoral regulations, it's likely that companies are dealing with a matter of “when” rather than “if.” In that case, Taylor cautions general counsel to be prepared. This includes thinking through all aspects of a data breach, up to and including crisis planning and processes. He recommends getting the chief privacy officer involved, because, even though security and privacy are not the same thing, “Without security, you cannot protect privacy. Privacy is about the collection and appropriate use of data, while security is about ensuring the right people have access and the wrong people don't.”
In addition to the CPO and GC, Salsberry recommends the cybersecurity team include open lines of communication to the chief information officer and the chief financial officer as well.
“You need a comprehensive plan that includes a process to deal with the breach, a process to make sure there is a constant need for improvement in that plan, one that is driven by all the players involved at different levels. Corporate buy-in is key in making that happen.”
The future
Without a doubt, breaches will continue, whether through determined attackers, innocent accidents or insufficient controls. However, Taylor has seen the California regulation lead to improvements, with fines, actions levied by regulators and incentives for better control.
Taylor also sees the role that social responsibility will play in data security, as nations start to realize their laws are lagging and that accountability is called for. He sees more companies leveraging CPOs, as privacy will no longer be considered a part-time duty. With the challenges posed by Big Data combined with an increased focus on governance, companies need to develop comprehensive programs whether or not there are tight federal regulations. Taylor suspects such programs will be rooted in social responsibility initiatives.
While there are more and more gates to each castle, perhaps the solution is not to hire more guards, but rather to empower the residents of the castle to work together to protect it from attacks. Then, when data security breaches are handled at the edges, the core of the castle—its secret engine—can continue working as planned, keeping customer trust as secure as its data.