On August 24, 2022, California’s attorney general announced a settlement of $1.2 million with Sephora, as a result of California Consumer Privacy Act (CCPA) violations. Search the Internet for the term “Facebook privacy lawsuits” and see how many results are returned. Not only is the number of results surprising, but the amount of money required to settle fines and lawsuits is also astonishing. Of course, it wouldn’t be fair to leave out the General Data Protection Regulation (GDPR), which as of October 2022 has levied 1280 fines for a total of €2,077,447,541.
While the data may not be surprising to some, the trends cannot be ignored. The number of privacy-related fines, settlements and violations continues to rise, as well as the number of national and global privacy laws and regulations that companies are required to comply with. The trends clearly demonstrate that while not a new concept, privacy continues to gain traction.
Understanding data privacy laws
As privacy continues to garner increased attention both domestically and globally, it’s important that enterprise security leaders maintain awareness of the ever-changing privacy landscape. What that effort looks like and how much time and attention need to be devoted to privacy depends largely on the size of the company, the products and services it offers, as well as where the company engages in business.
Obtaining a comprehensive understanding of all applicable privacy laws is a daunting endeavor. The list of country- or state-specific requirements continues to grow. More likely than not, most companies will need to comply with multiple privacy laws and regulations.
Although GDPR is considered by many to be the gold standard for data privacy regulation, GDPR is not the only international privacy regulation that companies may need to be aware of. The Brazilian General Data Protection Law (LGPD) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are two other examples of international privacy laws.
And while the United States does not have a single comprehensive federal privacy law, multiple U.S. states have established their own. According to the International Association of Privacy Professionals (IAPP), in 2022, 29 states considered privacy bills versus just two in 1998. The patchwork of U.S. state privacy laws continues to grow.
Enterprise data privacy best practices
It probably goes without saying, but enterprise security leaders need to ensure they have a clear understanding of their company’s privacy strategy. A company cannot achieve privacy without security, and the security function cannot comply with applicable privacy laws and regulations unless it has a clear understanding of what is required and expected. Security and privacy cannot operate under a siloed approach.
Enterprise security leaders within larger companies or corporations may have the benefit of relying on their in-house legal/privacy function to interpret the vast amounts of legal jargon contained in the ever-increasing number of privacy laws and regulations. Smaller companies, however, may need to rely on outside counsel with privacy expertise to ensure their enterprise security strategy meets the requirements outlined in the privacy laws and regulations they may be subject to.
Ongoing collaboration between security and privacy functions is critical. Enterprise security leaders need to ensure they maintain a current understanding of their company’s privacy risk landscape. While annual collaboration meetings between security and privacy teams may have been sufficient in the past, monthly or quarterly check-ins are more appropriate given today’s ever-changing privacy risk landscape.
As noted previously, the size of a company, the types of services offered as well as the number of geographic locations where services are offered should be considered when determining how often interaction between a company’s security function and privacy function should occur.
In addition to working with privacy leaders to ensure proper safeguards are in place to prevent incidents and protect personal and sensitive data, enterprise security leaders should also ensure a company’s privacy function is fully integrated into their security incident response process.
Data privacy should be included in the review of incident response plans, policies and procedures to ensure response activities sufficiently align with and meet requirements outlined in applicable privacy laws and regulations. During the handling of an incident, the security function should ensure the privacy team is made aware of the incident and is regularly updated to ensure reporting requirements are met and legal ramifications are considered.
Incident response and handling exercises that include the privacy function should also be performed annually. Exercises involving simulated incidents can be very useful for preparing staff for incident handling and ensuring both the security and privacy functions are aligned and effective communication channels have been established. A well-exercised response function should be established before a real-world incident is encountered.
Enterprise security leaders also need to ensure that security activities and controls are designed to meet the security requirements outlined in all applicable privacy laws and regulations, and that those controls are formally inventoried and assessed. With the rise in regulation and legislation, it’s important to reconcile control activities back to the plethora of privacy requirements to ensure all bases are covered. The performance of periodic assessments to determine the design and operating effectiveness of security controls is also critical to ensuring a company’s security strategy meets the company’s privacy needs.
In conclusion, today’s enterprise security leader needs to ensure they have a comprehensive understanding of the ever-changing privacy risk landscape and continually assess their security posture to ensure all applicable privacy laws and regulations have been considered. A company’s legal/privacy function should help to alleviate the burden, and both security and privacy teams should ensure regular and ongoing collaboration is maintained to ensure regulation is understood; corresponding controls are designed and implemented appropriately; and assessments and exercises are performed to validate the effectiveness of the strategy.