RADAR Blog

In my career, I’ve led development teams creating both software as a service (SaaS) and installable on-premise solutions, so I am familiar with debates about the realities and myths of SaaS vs. on-premise. Whenever this debate resurfaces, I address the concerns raised as I would any operational initiative: by asking questions and challenging assumptions.

Measuring the efficacy of your privacy program is one way to ensure you have a baseline for improvement, as well as a means to test and prove that your continuous efforts to improve security and privacy at your organization are having their intended impacts. Establishing benchmarking metrics is also important to lend continuity to a process that can sometimes resemble a fire drill. In the midst of an unauthorized disclosure of protected, private data, your team will be moving fast and engaged in a flurry of activity in order to properly document and risk assess an incident to determine regulatory and contractual notification obligations, if any, in order to meet notification deadlines and prove compliance.

Privacy and security teams are often painted as adversaries in compliance. While it's true that privacy, security, and risk professionals often come from different backgrounds and interests, they are united in their shared pursuit of compliance and events like the IAPP Privacy. Security. Risk. 2017 illustrate the way these fields are converging. 

Privacy professionals across the globe all have the same date circled in their day planners in May of 2018. The EU General Data Protection Regulation (GDPR) enforcement deadline is fast approaching, and the risk of noncompliance are very real: failure to meet the 72 hour notification timeline could result in fines up to €20M or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Many questions about complying with the GDPR yet remain, including how to best approach the regulation, interpret the law, then plan, implement and manage a strong compliance program.

If anyone ever doubted the importance of data security incident response, the Equifax breach should put those doubts to rest. On top of the widespread concern about a breach affecting 143 million consumer records, there are all the hard questions about why it took Equifax more than six weeks to make the breach public. Since the announcement, the Senate Finance Committee, the Justice Department, the Federal Trade Commission, the Securities and Exchange Commission, and multiple state attorneys general have launched investigations into the breach; over 50 class action suits have been filed; three executives, including CEO Richard Smith, have been retired; the stock value has dropped over 30%; and many experts predict the breach will result in new regulatory reporting standards for the financial industry.

Performing a multi-factor risk assessment to determine whether an incident involving PII and/or PHI requires notification to regulatory bodies isn’t just a good practice for privacy programs–it’s a requirement for documenting and demonstrating compliance with data breach laws. Due to the misconception that any incident involving sensitive, regulated data is automatically a notifiable breach, it is critical that every incident undergo a compliant multi-factor risk assessment to establish your burden of proof – particularly when deciding not to notify because you were able to properly mitigate the risk as permitted by law.

The clock is ticking - the deadline to comply with the General Data Protection Regulation (GDPR) is now less than a year away, and having an incident response plan in place and ready to implement should be a primary item on your preparation checklist. With notification timelines of 72 hours, and fines that could reach 4% of global annual revenue, the risk of noncompliance is significant.

This article by Mahmood Sher-Jan is the third in a series of articles published with the IAPP Privacy Advisor, on the topic of establishing program metrics and benchmarking your privacy incident management program.

Around the office we operate under a concept we call “RADAR Time.” It’s a phenomenon marked by how quickly time seems to pass because we as a team are driven to produce so much in an accelerated timeframe to help ease a significant pain point for our customers. Our reward is the appreciation and love we get in return.   

This article by Skip Newberry, President of the Technology Association of Oregon, was originally published in the Portland Business Journal. 

Surprising some with its quick journey from filing to enrollment then approval by the governor – less than 30 days – a new State Insurance Department General Omnibus Bill goes into effect in Arkansas on August 1, 2017.

This article By Alex Wall, CIPP/E, CIPP/US, CIPM, was originally published in the IAPP Privacy Tracker.

PORTLAND, Ore., — June 28, 2017 – To address the rise of security and privacy incidents and associated organizational risks, penalties, and legal costs, the international  law firm of Davis Wright Tremaine and SaaS solution provider RADAR, Inc. have formed a strategic alliance. Using and recommending RADAR’s purpose-built incident response software to clients will allow Davis Wright Tremaine to significantly reduce the cost of routine legal services while providing high-value strategic data breach response services.  

This article by Mahmood Sher-Jan is the second in a series of articles published with the IAPP Privacy Advisor, on the topic of establishing program metrics and benchmarking your privacy incident management program.

Effective July 1, 2017, the state of Virginia will require employers and payroll service providers to notify the attorney general without unreasonable delay if certain employee payroll data is compromised. Specifically, notification is required after an employer or payroll service provider discovers or is notified of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer if the incident: