Last week I hit the road, finding myself in discussions around the state of privacy in a couple of contexts. At the Annual HCCA Compliance Institute in Boston, I found myself deep in discussions with privacy professionals who are in the thick of sorting through regulatory complexities and bear the weight of their organization’s pursuit of privacy excellence. In another setting, I was able to sit down with students at the University of Maine School of Law to tackle the very practical approaches to privacy, taking what is discussed in the classroom and discussing tangible ways privacy best practices can be operationalized in the field.
These conversations with privacy professionals across the spectrum of experience are invigorating, and represent two distinct and crucial voices in privacy. There’s the old guard of privacy, who have been thick in the trenches of understanding emerging regulations and making sense of changing privacy requirements - who else remembers when HHS issued the Final Rule? Then there are the new voices, coming of age in a time when privacy programs are more established and foundations have been laid for incremental process improvements. Together, these voices in privacy have ample resource, energy, and knowledge to make a mark in how we all remain good stewards of information.
Here are some of the news articles and research that we’re talking about at RADAR this week:
- If you need something to keep you up at night, this report from Carlton Fields Class Action Survey might just be it. Included in the findings, based on interviews with general counsel at Fortune 1000 companies in the U.S., is this heart-palpitating headline: the next wave of class action lawsuits will result from massive data breaches.
- Does it seem like data breaches have been in the news more frequently recently? This week we saw the admission of Facebook that Oculus headsets have been leaking messages hidden inside “tens of thousands” of motion controllers. Over 20,000 patients of an Ohio health recovery services network have been notified of a data breach caused by a three month-long network breach. And the Department of Digital, Culture, Media and Sport (DCMS), the UK government department responsible for implementing GDPR, may have a breach in violation of the regulation.
- This week, North Carolina state representatives introduced a bill overhauling the state’s Identity Theft Protection Act. If passed, this bill would increase the stringency of breach notification requirements in the state, including among other changes a shortened 30-day breach notification timeline and expanded definition of personal information (both these changes align with regulatory trends we’ve identified in changing U.S. state regulations)
- There has been a call for privacy professionals to take the annual IAPP TrustArc survey detailing how privacy tools are acquired and deployed. This is one of my favorite research publications from last year, which gave us insights into who has budget for privacy programs - for example, in Incident Response, 69% of respondents said privacy had input into the decision-making, even more so than the IT team, despite only 28 % of privacy teams actually having budget authority. If you have ten minutes and are interested in helping organizations better understand the evolving needs of privacy teams, take the survey!
If you’d like to share what privacy and data breach news is currently on your radar, we would love to hear from you at firstname.lastname@example.org.