Meeting Compliance Requirements of Data Privacy Regulations Is Becoming a Growing Concern for the Legal Community (In A Good Way)
CSPi has been hosting and attending so many great cyber-security events recently. For example, we recently partnered with Cisco to lead three successful security seminars, exhibited at SecureWorld Boston, and co-hosted a great security happy hour event with Netanium.
We are also holding a new webinar with Fortinet focused on “Tackling Data Privacy Regulations Head On” by using auto-breach identification and notification. Register now.
As we meet people, one interesting trend has emerged. Data privacy compliance, as well as overall security compliance, has now caught the full attention of in-house counsel, legal departments, and lawyers, to the point where they now represent a sizable portion of attendees at many conferences.
Until now, security conferences, seminars, and events have usually been dominated by people with “InfoSec,” “DevOps” (both trying to achieve enterprise-wide security, or the even more elusive Secure DevOps), “IT,” or “network security” in their job titles.
But in recent events, the numbers of lawyers and other legally-minded employees have surged. In fact, we often spend a lot of time after the event talking with them about specific legal or security compliance concerns, preparing for GDPR, and the best ways to protect their company in the event of a data breach by:
- Securing their most critical data
- Quickly identifying and verifying breaches
- Mitigating the damage (and financial impact), including complying with data privacy regulations and thus avoiding compliance fines altogether.
More questions than answers
Yet at the same time, it makes perfect sense. Even with GDPR drawing closer, many companies don’t have the information they need, and there is a lot of confusion about:
- What is required for full compliance,
- Which companies are required to adhere to the GDPR regulations, and even,
- How much is at risk if they’re found to be in noncompliance.
At first, many attendees simply thought that GDPR would not apply to them, only because their company doesn’t have an actual presence or conduct any business in any countries within the European Union.
However, this is not the case, and attendees have been shocked to hear that if a U.S. company that merely holds EU citizen data on its servers is breached and doesn’t comply with the stringent 72-hour notification requirement, it could be assessed fines amounting to 4% of revenue or 20 million Euros (whichever is higher). In addition, EU citizens can file class-action lawsuits against the U.S. organization, requiring it to defend itself in up to 26 different European countries.
Additionally, many U.S. states have already rolled out their own versions of these security compliance regulations and policies (29 thus far, with more coming). Yet the details often conflict or are complex. For example, Florida has a 30-day notification requirement, and if that is not met, a fine of $10K a day will be assessed until the exact details are put forth.
Set against this backdrop, maybe I should not have been surprised that so many legal employees have been gathering as much security and compliance information as possible, even though they may not be the typical security show attendee.
If you need more information on GDPR and what you can do to make sure you’re in compliance with its regulations, watch our on-demand webinar, “Are You Prepared for Global Data Privacy?” today.
To learn more about security compliance, contact us below or check out our security products resources for more information.