Extend Resources was privileged to host a Cybersecurity Panel Discussion at the IG3 West conference in Newport Beach, California. It featured distinguished panelists and a lively discussion on the topic, “ISO 27701: Leveraging the New Data Privacy Standard for a Competitive Advantage.”
While the big breaches make headlines, it is well known that a cyber-event is an existential threat to small and medium-sized enterprises (SMEs). According to Inc. Magazine, 60 percent of SMEs fold within six months of a cyber-attack. With SMEs becoming an increasing target for hackers – due to their perceived vulnerabilities – data privacy and cybersecurity are top of mind for every organization.
While it is challenging to summarize the breadth and depth of the discussion, it seemed there were five main takeaways.
First, there is a difference between compliance frameworks, standards, and laws. All three clearly define the policies, procedures, and processes your organization follows in terms of data privacy, information security, and a host of other areas. The difference boils down to three areas: certification, accountability, and penalties.
- Frameworks are guidelines for operational behavior. Compliance frameworks are adopted voluntarily and do not involve the use of third-party audits or certification. Organizations hold themselves accountable to a framework and typically analyze performance sporadically, such as after an adverse event. NIST and COBIT are examples of information security frameworks.
- Standards are set by a body, such as the International Organization for Standardization (ISO), to create specifications for products, services, and systems designed to ensure quality, safety, and efficiency. Also adopted voluntarily, organizations can become certified in a standard to demonstrate the quality of their program. Certification requires the development of an operational management system along with ongoing audits by a third-party registrar. ISO 27001 and 27701 are examples of information security and data privacy standards, respectively.
- Laws are sets of regulations that place specific requirements on covered entities and organizations. Compliance with these requirements is mandatory, and organizations must report on performance regularly. Fines and penalties can be levied on organizations that fail to meet compliance requirements. The General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and California Consumer Privacy Act (CCPA) are examples of data privacy laws.
Second, verifiable standards, such as the new ISO 27701 data privacy standard, help companies in a variety of ways with vendors, customers, insurers, and regulators. The strict requirements of global companies are quickly “trickling down” to vendors and others wanting to do business with this group. Customers are increasingly looking for verifiable proof of a commitment to security and privacy, and insurers are incentivizing their customers with premium discounts to adopt a robust, auditable program. Most importantly, companies adopting and maintaining such programs can see regulatory fines reduced significantly.
Third, what constitutes personally identifiable information (PII) is expanding. The lesson is that even though you may hold data that is not currently considered PII, that information may be regarded as PII in the future. In the case discussed by the panel, data related to a person’s vehicle is not generally considered PII, but when combined with public information, such as state vehicle registration records, it could personally identify an individual. The consensus? The boundary of what is considered PII will keep expanding as new cases and questions arise.
Fourth, while a bit of a sidebar, no topic elicited more passion than the spectrum of one’s “expectation of privacy.” Opinions ranged from “Putin already knows more about me than my Mom” to “I should be able to go off the grid at any time.” What became clear is this: Your customers’ opinions will also run the gamut, but ensuring the privacy of your most concerned customers is the clear goal.
Finally, the panel’s clear message was, “Start now.” Implementing an information and cybersecurity program may seem daunting, but the challenge increases as your company grows. And much like eating the proverbial elephant, tackling the problem “one bite at a time” will make things easier. On this, the panel made a few recommendations:
- Understand which standard or framework is right for you. There are many – ISO, NIST, HIPAA, SOC – and some apply to multiple compliance challenges. So, identify the target.
- Involve professionals early. Lawyers, infosec professionals, and others can help answer your questions and establish the right path for you. And they are much less expensive before an incident/breach than after.
- Use an information security management platform. There are software platforms to fit your needs and budget. Adopting an information security management system (ISMS) brings an abundance of benefits: rapid gap analysis, speed to compliance, reduced management complexity, and streamlined reporting, all of which increase your understanding, reduce the resources needed, and minimize the risk of breaches.
Thank you to my fellow panelists:
Stephen Alford, CIO & CISO, Worldwide Environmental Inc.
Antonella Commiato, CISO, Extend Resources
Renata Hoddinott, Partner, Freeman Mathis & Gary
Brooke Oppenheimer, Attorney, Axinn, Veltrop & Harkrider LLP
Shashi Tripathi, CTO, ImpediMed, Ltd.
Extend’s OnTrack® platform enables organizations to develop an effective Privacy Information Management System (PIMS) and demonstrate compliance with privacy laws to customers and stakeholders. We can help guide compliance teams in creating, deploying, and continuously improving sound compliance programs for a variety of compliance standards and regulatory requirements.
Contact Steve Henn at shenn@extendresources or 203-803-2127 for more information.