Cybersecurity and Data Privacy
June 20, 2023
Navigating today’s increasingly privacy-conscious environment can be challenging for organizations. If you’re an international corporation doing business in Europe, you must comply with the General Data Protection Regulation (GDPR). In the absence of a national US privacy law, organizations must comply with a plethora of state laws, led by the California Consumer Privacy Act (CCPA).
Maria D’Avanzo, Chief Compliance Officer at Traliant, lawyer and former Chief Ethics and Compliance Officer, recently sat down with Tom Fox on the FCPA Compliance Report podcast to discuss privacy challenges in the US and beyond and steps organizations can take to protect personal and sensitive data. Here are excerpts from that conversation.
Maria: You must assess what laws apply to your organization, given your geography, the type of data you collect, how it’s used and whom you share it with. You need to determine which privacy laws are applicable, which is the most restrictive and then create a privacy program that rises to that level. Seven states have enacted privacy laws, including California, Colorado, Connecticut, Indiana, Iowa, Utah and Virginia. There are some similarities in those laws, but enough differences to make it a compliance challenge.
Companies should also focus on data mapping to know where their data is. They should be purging data they no longer need for legitimate business purposes to eliminate the risk of misuse or a leak of sensitive information that could harm customers or employees. Additionally, they should ensure employees, as well as vendors they do business with, understand and are following the company’s privacy program and policies.
Tom: Cybersecurity breaches are ubiquitous. What do Department of Justice regulators and the Securities and Exchange Commission say about reporting incidents when consumer or employee data has been compromised?
Maria: Typically, there is a disclosure requirement for incidents when there is a risk of significant harm to a data subject. If circumstances don’t rise to that level from a legal perspective, you may not have to disclose it. But you should consider what might happen if customers find out from another source that a leak occurred, and how that might negatively affect your relationship with them, your reputation and your brand. Disclosing to customers or employees what happened, what the company is doing about it, the impact and remediation efforts may be the preferred thing to do.
Tom: Should organizations have an internal response plan if a data incident occurs?
Maria: Yes. Most companies will already have a crisis management plan, but cybersecurity incidents are so different that they need to also formulate an incident response plan with input from a company’s Chief Operating, Chief Privacy and Chief Information Security officers.
Companies should also have a response committee that includes General Counsel and marketing team leaders to help manage the message. If the severity of the incident requires a company to communicate externally, your Chief Compliance Officer and outside counsel should be part of the committee, and you’ll certainly want to notify your CEO and determine whether you’re going to notify board members or the audit committee.
Focusing on prevention should be at the top of any data privacy program. Cybersecurity incidents are happening around the world, and it may only be a matter of time until you’re facing one. Ongoing data privacy and security training for employees is essential to safeguarding your company and the personal data of consumers and employees. Training raises workforce awareness of how to identify and avoid phishing and other cybersecurity threats, and how to report breaches if they occur.
Free Traliant Data Privacy Webinar, June 22 at 2 pm ET
Join Maria D’Avanzo for a free webinar entitled “Creating a Privacy Program: Steps Legal, Compliance & HR Pros Can Take to Effectively Manage Consumer & Employee Information” on Thursday, June 22 at 2 pm ET, 11 am PT. Learn valuable tips for creating a culture of privacy and insights on strengthening internal procedures and policies for the types of personal data companies collect, the purposes for which it is used and the legal and regulatory frameworks that apply.
- Data use and analytics
- Consumer data
- Employee data
- Stakeholder sentiment
- Legal drivers – GDPR/US privacy laws
- Penalties for non-compliance
- Impact of artificial intelligence on privacy
The webinar also addresses how to create a privacy culture:
- Why the “standard” approach doesn’t work
- Steps to take before building a program
- Fundamental elements of a privacy program
- Preventing, detecting and reporting data incidents