Another day of enlightening and informative talks occurred on Day 2 of the CISO Exchange East 2019 conference. Today’s agenda included a panel discussing how security leaders can navigate the regulations and requirements associated with data privacy.
Critical Cyber Leadership Priorities And Issues From 2020 To 2025
The day started off with a peer-to-peer session of CISOs and security leaders discussing pain points and priorities faced today in their organization. While we are unable to share the details of that discussion, the dialogue mirrors the key findings from our mid-year 2019 market report on CISO challenges, priorities, and cyber dollar allocations heading into 2020. If you have not had a chance to read the report or listen to enterprise CISOs discuss the importance of the report’s findings on the webinar broadcast, please follow these links.
See Related: Webinar - 6 Key Findings From The Cyber Security Hub’s Mid-Year 2019 CISO Priorities Market Report
Embracing the Privacy Imperative – Navigating Regulations and Requirements
There is a global movement afoot to establish data privacy legislation. The launch of GDPR in the European Union (EU) during 2018 is the largest example to date. California’s CCPA law will be enforced starting in 2020. Several states and multiple federal bills are also under consideration. It is highly unlikely that any two of the proposals contain compatible language. Security leaders at CISO Exchange East in Washington D.C. noted that the situation will likely get worse before it gets better.
Organizations React Differently To GDPR And Impending Data Privacy Legislation
For retailer JCPenney, GDPR was an opportunity to assess the risk to the business. Ultimately, JCPenney made the decision to halt international sales when GDPR was enacted. With all the moving parts of state and federal privacy legislation, the company is focusing on the intent of the regulation - getting a better grip on the data, tracing it, and deleting it where necessary - rather than attempting to be perfect or getting hung up on details that might change.
From a federal government perspective, there are existing regulations to comply with that are significantly different from the states’ efforts. National Highway Traffic Safety Administration CISO Michele Thomas said that Executive Orders and Congressional laws are the agency’s domain. NHTSA works with other agencies on recalls, safety, and data on cars. The agency is a big consumer of data, which can make it difficult to follow all the different rules and regulations related to business, personal, and private data.
See Related: California’s New Data Privacy Law Rivals EU’s GDPR
Reconciling Data Retention Vs. The Right To Be Forgotten
Moderator Nnake Nweke, the Chief Risk Officer for the United States Agency for Global Media, asked the panelists how their organizations reconcile the need for data retention with the right to be forgotten. A lot of attention has been given to privacy law compliance, yet there are several clauses under which data needed for customer complaints or legal regulation must be retained by the organization even if the customer has opted out. Panelists noted that there are 6 clauses that provide for data types to be excluded. However, companies must focus on the issues of importance to their business and their customers rather than on the gray areas.
The federal government, on the other hand, has specific regulations for agency data retention. For example, an agency memo signed digitally with a smart card must be retained for more than 20 years. Retention is a challenge because the capability to store and recall the information has to be planned for. It is plausible that the methods for data storage will change before data that is retained starting today expires under current regulations.
The experience of these CISOs suggests that the handling of PII has to change with time. Data has an associated cost – updating notices, encrypting it, tracing it, and deleting it. This is the new definition of the price of doing business. Going forward, and as the enterprise business model dictates, decisions will be made not to keep data because of this associated cost.
Moderator Nweke chimed in when an audience member asked what should be expected from Congress if there is little understanding of the security and privacy issues. He noted that all 50 states have privacy laws today and that there are several bills in development, but they cover different subject matter. Once the desired outcomes of federal legislation are understood, the US is likely to follow the model of a state rather than what Europe has done with GDPR.
If you're interested in joining the next event, request an invitation to the CISO Exchange.