Cyber and Privacy Regulation Convergence: Tips to Pave a Path Forward
With individual models for analysis, consumer thresholds, and overlapping jurisdictional applications, the key to managing compliance with emerging Cyber regulation may lie within the Privacy playbook.
We’ve prepared this industry trend report to encourage conversation around converging regulations and how organizations can start paving the path forward.
Read the industry trend report to learn more about the convergence and the following four topics.
1. The State of Cyber Notification Rules
Cyber regulation is maturing more quickly than privacy laws have over the past three decades. Emerging notification obligations will have a significant impact on organizational compliance.
Given how quickly cyber regulation is moving, organizations that leverage privacy lessons will be well-prepared for the developing convergence between cyber incident and privacy incident reporting frameworks.
Here’s what experts in the field are saying about Cyber notification and risk of harm:
“Oftentimes it comes down to if you notify the consumer, can you help them? Is there something that they should know about? Or if you tell them, they could maybe protect themselves, or maybe take action to better themselves. Is it important that they have that information? And if the answer to that is yes, you’re going to want to notify.
There are different types of things that might happen that you might already be in the practice of notifying consumers and regulators about. What’s important is that you identify those processes and then bring them together with that compliance requirement. So, you’re documenting it and you are establishing it as your playbook to be compliant with these new laws.” – Chief Privacy Officer, Fortune 500 Financial Services Company
2. The Difference Between “Risk of Harm” and Materiality
Materiality is to Cyber regulation what “Risk of Harm” analysis is to Privacy, meaning it’s very complicated and nuanced on a state-by-state level. Access the report to explore scenarios showing which analysis applies when.
3. Changes in Organizational Design and Reporting
When we look at organizational response and the convergence of cyber and privacy, the key piece, regardless of organizational structure, is that you have a team working seamlessly together in order to best protect the interests of the organization and your customers.
Businesses are reconsidering where Privacy sits within the organization. Some argue that the Privacy leader needs to be close to the data in an Enterprise Data Office, while others feel Privacy should work directly with Compliance.
What we do know is that it’s starting to shift.
“What we found at the time, and I think it’s still true now, is that the vast majority sit in either Compliance or Risk Management. However, there’s the beginning of a little bit of a shift.” – Chief Privacy Officer, Fortune 500 Financial Services Company
To prepare your organization for what lies ahead, it’s best to set a course for improvement today using real-time reporting.
“We are beginning to see some really good technology out in the field that can help organizations of every size take all of the reporting incidents and have that information come together in a dashboard to make sure that anyone who’s a key stakeholder is able to access it in a very timely manner. I think having that capability is critical.” – Chief Privacy Officer, Fortune 500 Retail Pharmacy
4. How to Start Preparing Your Organization for Cyber and Privacy Regulatory Convergence
We believe holistic privacy incident management is the best way to mitigate risk, build trust, and accelerate efficiency. Organizations that have a repeatable and defensible process in place for risk-assessing privacy and cyber incidents will be ready for future notification obligations.
Download the industry trend report to learn how your organization can begin paving the path forward.