It’s been a busy week, as always, for privacy professionals around the globe. Below are a few topics the RADAR team is following in the news and discussing around the watercooler.
Globally, regulators are cracking down on privacy violations: Singapore’s data privacy watchdog recently announced a new expedited decision process to accelerate investigations, and enforcement actions, against certain companies that breach the Singapore Personal Data Protection Act.
For those preparing for the CCPA: a recent report from Comparitech found that California has had more data breaches, and more personal records exposed, than any other U.S. state over the past decade. The same report estimates that data breaches over that decade have caused more than $1.6 trillion in damages.
Changing U.S. state data breach notification laws: last Friday, Texas Governor Greg Abbott signed into law new privacy legislation that strengthens the state’s data breach notification requirements. Several of the changes reflect trends the RADAR regulatory team has identified across U.S. privacy legislation: a specified notification timeline, required notification to the state Attorney General, and prescribed content for notification letters.
A real-life example of the consequences of a poorly managed data breach: a company having to file for Chapter 11 because the costs associated with the breach were “beyond the ability of the debtor to bear.”
Data breaches affect people from all walks of life: recent victims include 645,000 recipients of state welfare and children’s services programs and the residents of nearly 60 senior living communities. With data breaches becoming increasingly common, are consumers starting to experience notification fatigue?
Finally, I’ll end with a quote from a keynote presentation at the 2019 Infosecurity Europe conference this month. Steve Wright, GDPR & CISO Advisor at the Bank of England, hit the nail on the head when it comes to the core of incident response best practice:
"My approach to this has been to build what I call a defensible position. So almost take the assumption that you've been breached, and it doesn't matter what regulation you fall under, you're going to be asked to justify some of the decisions that were made, that led up to that, and the only way you can do that is by looking at your risk assessment, and understanding where your data is, what you're doing with the data. Then you're going to build up a really defensible position for when the proverbial hits the fan ... to be able to defend yourself."
If you’d like to share what privacy and data breach news is currently on your radar, we would love to hear from you at firstname.lastname@example.org.