What the Past Tells Us About the Future of Privacy in the United States

Author: Meghan Maneval, CISM, CRISC
Date Published: 6 November 2023

In today’s digital era, privacy is more important than ever before. Because information can be replicated, exfiltrated or deleted in a matter of seconds, consumers and organizations alike need controls in place to prevent, detect, respond to and remediate data breaches.

These steps are becoming increasingly complicated as more and more states enact their own unique data privacy regulations. As a result, organizations must have the compliance and risk practices in place to track new and changing legislation, and many are left wondering how they can keep up. There is a practical answer to this problem, centered on one idea: adopting a risk-first approach to privacy. A risk-first approach lets an organization identify its highest privacy risk and direct its controls there first, reducing exposure to threats while remaining compliant as regulations change.

Even though the volume of new and changing regulations coupled with more sophisticated threat actors can be intimidating, there is a lot that can be predicted about the future of privacy, compliance and taking a risk-first approach simply by looking at the past.

From Then to Now

Although data privacy seems like a modern problem, US privacy protections date back to the US Constitution. Under the Fourth Amendment, the people have the right to be secure in their persons, houses, papers and effects against unreasonable searches and seizures.1 Since then, various court cases have upheld privacy, giving citizens more protections, especially as technology has advanced. Privacy rights have been established in statute through the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the National Do Not Call Registry and, importantly, the E-Government Act. This act, passed by the US Congress in 2002, was intended to modernize government IT resources and improve online access to government services. With it, and with the US Office of Management and Budget (OMB) guidance that implemented its privacy provisions, the fundamental pillars of privacy evident in past legislation were formalized into clear guidelines.2 These guidelines consist of:

  • Appointing a designated individual—A data privacy officer is accountable for privacy compliance and for the protection of personal data.
  • Conducting privacy impact assessments—A privacy impact assessment (PIA) evaluates how organizational processes collect, access, process, store and transmit personally identifiable information (PII), and what risk that handling creates.
  • Creating formal privacy management processes—These include mechanisms to prevent, detect and correct data breaches and should cover administrative, technical and physical controls, such as documented policies, data encryption and badge access systems.

Since these pillars of privacy were established, not much has changed at the foundational level. Even as lawmakers in different states enact unique privacy laws and regulations to protect their constituents and deter bad actors from stealing personal information, these pillars remain the basis of how organizations approach privacy and security.

The Steps Ahead

It is essential for security professionals to keep state and federal regulations in mind and follow them to ensure compliance. It is equally important that they keep updating their organizations’ standards for privacy, security and risk mitigation. To do so, organizations should focus on four steps: reducing risk, finding the greatest impact, automating core processes and building a scalable program that remains compliant as requirements change.

Step 1: Reducing Risk
Often, organizations are so focused on the unique and specific language of each state’s privacy requirements that they do not recognize how much these laws overlap. This can cause security executives to miss key ways to reduce risk. For example, organizations can use software to cross-reference privacy frameworks and map their overlapping requirements to a single common control set. This enables an organization to reuse the evidence from one control assessment to demonstrate risk reduction and compliance across multiple frameworks at once, and it exposes the requirements that no existing control covers.

Step 2: Finding the Greatest Impact
Although the pillars of privacy are more than 20 years old, organizations should still reference them when identifying risk. Thinking about risk in the context of these pillars enables organizations to ask themselves a key question: What is the risk associated with not maintaining an appointed data privacy officer, conducting privacy impact assessments or implementing sufficient safeguards to protect data? Taking this risk-first approach enables organizations to identify existing control gaps and create solutions that will have the greatest impact on risk reduction.

Step 3: Automating Core Processes
By automatically collecting evidence from the systems that generate it, such as hosting providers, HR information systems and software development tools, organizations can remove the manual work of gathering this information while increasing the accuracy and frequency of their assessments. Evidence that is pulled on a schedule, rather than requested once a year, also shows when a control has drifted or its evidence has gone stale. Automation lets these processes scale quickly, so organizations can consistently stay current with changes to risk or regulations.
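The common-control crosswalk in Step 1 and the evidence freshness that automated collection in Step 3 is meant to deliver can be modelled directly. The following is an added example, not code from the article or from any GRC product. It assumes two constructed state privacy laws (“StateA” and “StateB”), a constructed set of common controls, and evidence records whose names, source systems and collection dates are hypothetical; in practice the evidence records would be produced by the automated collectors the text describes.

```python
"""Common-control crosswalk with evidence reuse and a freshness check.

Added example (not from the article). All frameworks, controls, evidence
names, sources and dates below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Requirement:
    framework: str   # hypothetical privacy law the clause belongs to
    ref: str         # clause identifier within that framework
    text: str


@dataclass(frozen=True)
class Evidence:
    name: str
    source: str      # hypothetical system the artifact was collected from
    collected_on: date


@dataclass
class CommonControl:
    cid: str
    description: str
    satisfies: tuple                 # Requirement objects this control maps to
    evidence: list = field(default_factory=list)


def assess(controls, requirements, as_of, max_age_days=90):
    """Classify every requirement by the evidence behind its common controls.

    Returns {framework: {"met": [...], "stale": [...], "no_evidence": [...],
    "unmapped": [...]}}. A requirement is "met" when some mapped control has
    evidence collected within max_age_days of as_of, "stale" when all of its
    evidence is older than that, "no_evidence" when a control claims it but
    nothing has been collected, and "unmapped" when no control claims it.
    """
    cutoff = as_of - timedelta(days=max_age_days)
    claimed_by = {}  # Requirement -> list of controls that map to it
    for ctrl in controls:
        for req in ctrl.satisfies:
            claimed_by.setdefault(req, []).append(ctrl)

    result = {}
    for req in requirements:
        bucket = result.setdefault(
            req.framework, {"met": [], "stale": [], "no_evidence": [], "unmapped": []})
        ctrls = claimed_by.get(req, [])
        evidence = [ev for c in ctrls for ev in c.evidence]
        if not ctrls:
            bucket["unmapped"].append(req.ref)
        elif not evidence:
            bucket["no_evidence"].append(req.ref)
        elif any(ev.collected_on >= cutoff for ev in evidence):
            bucket["met"].append(req.ref)
        else:
            bucket["stale"].append(req.ref)
    return result


def evidence_reuse(controls):
    """Count how many requirements each evidence artifact satisfies.

    A count above 1 is the reuse the common-control model is meant to deliver:
    one collected artifact demonstrates compliance across several frameworks.
    """
    counts = {}
    for ctrl in controls:
        for ev in ctrl.evidence:
            counts[ev.name] = counts.get(ev.name, 0) + len(ctrl.satisfies)
    return counts


# Constructed sample data: two hypothetical state laws with overlapping clauses.
REQS = [
    Requirement("StateA", "A-1", "Designate an individual responsible for privacy"),
    Requirement("StateA", "A-2", "Assess the privacy impact of new processing"),
    Requirement("StateA", "A-3", "Encrypt personal information at rest"),
    Requirement("StateB", "B-1", "Appoint a privacy officer"),
    Requirement("StateB", "B-2", "Encrypt personal information at rest"),
    Requirement("StateB", "B-3", "Maintain a breach notification procedure"),
]
_R = {r.ref: r for r in REQS}

# Constructed common controls; evidence sources and dates are hypothetical.
CONTROLS = [
    CommonControl("CC-01", "Privacy officer appointed", (_R["A-1"], _R["B-1"]),
                  [Evidence("appointment-memo", "HRIS export", date(2023, 9, 1))]),
    CommonControl("CC-02", "PIA performed for new processing", (_R["A-2"],),
                  [Evidence("pia-report-2022", "PIA tracker", date(2022, 12, 1))]),
    CommonControl("CC-03", "Data stores encrypted at rest", (_R["A-3"], _R["B-2"]),
                  [Evidence("storage-encryption-export", "hosting provider API",
                            date(2023, 10, 15))]),
]
AS_OF = date(2023, 11, 6)


def example_assessment():
    """Run the crosswalk over the constructed data as of AS_OF."""
    return assess(CONTROLS, REQS, as_of=AS_OF)


if __name__ == "__main__":
    for framework, status in example_assessment().items():
        print(framework, status)
    print(evidence_reuse(CONTROLS))
```

Run as-is, the assessment shows that one encryption export satisfies a clause in each framework, that the 2022 PIA report is older than the 90-day window and so no longer demonstrates the control, and that StateB’s breach notification clause has no common control mapped to it at all, which is exactly the kind of gap Step 2 is meant to surface.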

Step 4: Creating a Scalable Program
Because the pillars of privacy sit at the core of each state’s updated laws, a program built on them does not have to be redesigned each time a statute changes; automation lets those changes be implemented consistently long into the future. Because updates can be applied quickly, risk reduction programs can be rolled out across the entire organization. With an easily scalable privacy program, organizations can better communicate the risk and the outcomes of remediation efforts, maintaining compliance and mitigating risk along the way.

Conclusion

Even though organizations are changing alongside privacy rules and regulations, the core principles of privacy remain the same. By understanding privacy’s past, organizations can become better equipped for the privacy needs of the future. Taking a risk-first approach to data and privacy is imperative to an organization’s overall security and compliance. Through a scalable and automated risk management program, organizations can stay on top of whatever may come their way.

Endnotes

1 US Constitution Annotated, “Fourth Amendment”
2 Bolten, J. B.; “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002,” Memorandum M-03-22, US Office of Management and Budget, 26 September 2003

Meghan Maneval

Is the vice president of product strategy and evangelism at RiskOptics. After more than 15 years managing security, audit, and governance, risk and compliance (GRC) programs in highly regulated industries, Maneval joined RiskOptics in 2022 to help drive product innovation and empower the GRC community to achieve their objectives. She is a passionate security and risk evangelist; a champion of diversity, inclusion and belonging; and a home-renovation enthusiast specializing in process improvement and program iteration. Meghan enjoys giving back to the security and risk community through blogs, whitepapers, webinars, conference presentations and podcasts.
