Live from the New York Regional Conference – You can have Security without Privacy, but you can’t have Privacy without Security

30bdf28By Stephanie Gallagher, JD

Speaker: Janet Himmelrich
Head, Client Compliance Services
CoE, BT Global Services

It’s a full house at today’s SCCE Regional Compliance & Ethics Conference in New York. People have arrived from near and far to attend the one-day meeting to learn, network, and earn their continuing education credits. The day was packed with practical and insightful information about the hottest compliance and ethics topics.

Among the hot topics presented today was a session about privacy and security presented by Janet Himmelrich. The session discussed the differences between privacy and security and provided a deep dive into privacy and security basics.

On the privacy side, one of the points that was driven home is the necessity of adequate procedures across industries. One of the most important things for an organization to have in place are privacy notices for customers. Establishing these effective notices requires training, written procedures, notification processes, management oversight, and communication. The communication element cannot be overstated. The Chief Privacy Officer should establish a privacy plan, which will lay out parameters the company will utilize when dealing with conflicting or overlapping regulations. Outlining a definition of the data that needs to be protected is also a key component. Definitions of “need to know” concepts for the types of data within the organization’s possession should also be established, as well as audit readiness.

After some discussion on the basics of security, the session moved on to discuss security and privacy safeguards. This entails the policies, processes, and tools required to maintain the privacy and confidentiality promised to the customer (in other words, you had better be using the data for the purpose that was stated when the data was collected).

To me, one of the most powerful and interesting parts of the presentation was when we dove into some cyber-security statistics, which really emphasized the importance of cyber-security from a monetary perspective. On average, the cost per stolen record adds up to about $214 in Regulatory fines and expenses for the affected organization. This doesn’t even include potential legal fees and lawsuits that might ensue.

[bctt tweet=”On average, the cost per stolen document adds up to $214 in regulatory fines and expenses @SCCE #cybersecurity” via=”no”]

So, what motivates cyber-criminals? The answer, not surprisingly, is financial gain a vast majority of the time. According to the FBI, credit cards will sell between 50 cents and $1 each, but health data, including name, DOB, policy numbers, etc. will sell for around $60 – $70 per record. This can add up to huge financial opportunities for criminals.

As the session wound down, we discussed how the risks to our organizations have shifted over the last few years. Some of the “old” risks that organizations were exposed to included identity theft, loss of business, and the possibility of regulatory fines. The mitigation strategies generally employed in those situations included reporting the breach according to regulatory requirements, setting up free credit monitoring, and establishing a good PR campaign.

Some of the “new” risks that our organizations are facing go far beyond the past precedent with emerging risks including breach victims bringing and winning lawsuits against organizations for causes of action such as negligence, and demands for ransom as we have seen with the Sony breach. Mitigation strategies for these situations are much more difficult as the potential targets have expanded and the players are much more sophisticated.

With all of this knowledge in mind, what are some ways that you can prepare your compliance team to take effective action against these risks? Janet Himmelreich’s five key takeaways include:

  1. Establish and make known a reporting structure for the organization. Make sure that everyone is aware who the privacy/security professionals are, and how they can be engaged.
  2. Be mindful of the competition. Take a look at competitors in terms of their privacy and security and examine whether they have ever been fined, had a settlement agreement, and the specifics of the circumstances surrounding the events. The FTC website can be a good jumping off point.
  3. Determine if the organization has privacy and security breach insurance. If so, then a comprehensive risk impact assessment has probably already been done. If not, then assessing the likelihood and impact of a breach is definitely something to investigate.
  4. Security is frequently part of the IT Department. Make sure your group has a good working relationship with the Security Officer and determine the amount of emphasis placed on privacy and security.
  5. Determine if your company’s strategic plan includes privacy laws, regulations and proposed laws and regulations as a key driver.