RadarFirst Blog

The buzz around the California Consumer Privacy Act (CCPA) is a lot, well, buzzier these days, and for good reason. The January 1, 2020, effective date is little more than a month away, and security and privacy teams want guidance on CCPA compliance requirements. Rather than spend your valuable time reviewing just what those requirements are—which most of us are all too familiar with by now—it might be helpful to look at best practices for overall compliance. After all, the CCPA isn’t the only regulatory challenge organizations face. 

Last week during the regional Health Care Compliance Association (HCCA) conference in Nashville, I was lucky enough to host a gathering of executives from privacy and compliance for a private executive dinner with Adam Greene, an influential thought leader in privacy and partner with Davis Wright Tremaine. Adam moderated a robust discussion that explored HIPAA and OCR enforcement trends, the growing divide between state consumer protection laws and Federal regulations, and speculation on what the future holds for healthcare companies in an increasingly fractured consumer protection landscape.

After much fanfare, the EU's General Data Protection Regulation (GDPR) went into effect in May of 2018. In May 2019, the European Data Protection Board (EDPB) issued its 1-year assessment of the GDPR. In the first year, over 89,000 data breaches had been logged by EEA Supervisory Authorities. 

How is it already November? Halloween is behind us, and thank goodness for that! Privacy professionals have more than enough to scare and trick us in our professional lives already–did you read my colleague Dorothy’s recent post about the rise in heart attacks following a ransomware data breach? 

If you’ve ever participated in an organized sport, you’re likely well aware of the importance of context when it comes to evaluating your performance as a player. Say, for example, I play soccer every weekend (which I do). Let’s imagine I’m arguably the best defender on my team - or even across all the recreational players involved (it’s fun to pretend). I might start feeling pretty good about myself, and how I perform on the pitch. Now imagine I’m suddenly pulled into an MLS game, playing against professionals in the field. I might be a good player on a limited bench - on weekends, playing against other amateur enthusiasts, but in a larger scale I cannot rank or make the cut.

Privacy and security incidents involving sensitive personal data are as individual as fingerprints. An incident involving misplaced paper records is vastly different from a large-scale cyber-attack affecting millions of people. Yet the organization with the paper incident and the organization with the cyber-attack are both subject to a complex web of global data breach notification laws—which could include GPDR, a mixture of U.S. federal / state regulations, and even unique demands under CCPA .

Chinese philosopher Sun Tzu once said, “Know thy enemy.” When it comes to managing risk, CISOs must know what threatens the privacy and security of their organization’s sensitive data. That means having the ability to identify and measure all the risks lurking throughout the enterprise—no easy feat.

Around the RADAR offices, we talk a lot about the work of privacy professionals and how we can continue to bring greater value to our customers. Part of these discussions include quantifying the cost of poor incident response, and the risk presented to organizations when a data breach is mishandled. 

For many of us, the new school year marks the end of summer. Back to routines and brand new notebooks and pencils. For privacy professionals, the end of summer is still business as usual since privacy incidents and data breaches don’t take a summer vacation. The work of safeguarding privacy is never really complete.

If you’re a privacy professional, Portland in August is the place to be. Earlier this month, our team had the pleasure of hosting privacy and legal professionals from domestic and global companies obligated to consumer data protection obligations at our 2nd annual RADAR User Summit.

Last week we held our annual RADAR User Summit. This event brings together a group of innovative, forward-thinking privacy professionals for three days of interactive workshops, best practice sharing, and general community building. 

Those of us in the Northern Hemisphere are well into our summer routines at this point - backyard barbeques, longer days, and warmer (or much too warm!) weather is being enjoyed by all. That’s the ideal, at least. Just as they say there’s no rest for the wicked, there is also no rest for those charged with protecting our personal data (PHI, PII, and beyond) data. It’s a 24/7 job, and it’s not going away anytime soon.

CISOs face pressure on all sides. From their tenuous position in the company org chart, they’re tasked with managing external and internal risk to their company’s sensitive data. And when a privacy or security incident does strike, often they’re the ones who take the blame. 

Legal practitioners know firsthand the challenges in remaining compliant with data breach notification laws. Beyond the high-profile phishing, formjacking, and ransomware attacks, the everyday incident – a lost laptop, a misdirected letter – typically makes up the bulk of a privacy professional’s caseload. That’s not to say the work itself is routine or everyday. Consider:

If you’re in the States, you may have spent a long holiday weekend celebrating the 4th of July with neighborhood BBQs and summer night skies lit up with fireworks. Rolling into the office Monday morning after a holiday weekend can be a hustle – catching up on what you’ve missed, getting back into the work mindset, and reading through a pile of emails in your inbox.