As the European Union heads toward the implementation of the General Data Protection Regulation (GDPR) on May 25, 2018, companies of all sizes are preparing to comply with one of the broadest mandates in the history of digital regulation. Many companies will find that there are still items on their to-do list even as the EU’s deadline passes. Below we provide relevant and helpful news articles and our own insights as your company races to comply.
Are you Ready?
According to a 2018 Forrester report, only 30 percent of companies said they were in “full compliance” with the regulation in Q1. Forrester also observed that several companies haven’t made GDPR a priority because they’re not based in the EU. But because GDPR’s reach extends well beyond EU borders, Forrester says, “the percentage of companies not affected by GDPR is small.”
The First Step: Data Mapping
Corporate Counsel discusses the first step of compliance: an extensive data-mapping effort covering existing customer information. The publication calls it “an exhaustive study of the data it keeps, where the information is stored, why it is kept, how it flows and how it is processed and used.” In the article’s conclusion, experts note that many companies may be well behind the GDPR deadline, but that enlisting outside help now will mitigate future exposure.
GDPR and eDiscovery and PII
GDPR presents specific challenges to e-discovery and the legaltech sector, as data privacy expert Debbie Reynolds explores in the Westlaw Journal. While GDPR is unlikely to fully stop the trend toward e-discovery federation (the aggregation, retention, and re-use of data across e-discovery matters), it will add steps and processes to the e-discovery workflow.
One key practice: the pseudonymization of personally identifiable information (PII), which will “require new technological features…in e-discovery software tools.” Reynolds points out that US-based companies accustomed to a certain standard for PII will need to look into the EU’s stricter standard, which considers how metadata and aggregate data can help identify an individual. Note that under GDPR pseudonymization is a risk-reduction measure, not an exit from the regulation: data that can be re-linked to a person using a separately held key or lookup table remains personal data (Recital 26), so the key and the mapping need their own access controls and retention rules.
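To make the pseudonymization step concrete, here is an added example (our own illustration, not code from Reynolds or from any e-discovery product) of how a review set can be pseudonymized in the way GDPR Article 4(5) describes: direct identifiers are replaced with keyed HMAC tokens so that the same person gets the same token in every document (review can still follow a thread), while the key and the token-to-value map, the “additional information” that allows re-identification, are kept apart from the pseudonymized corpus. The three e-mail records, the key, and the field names are constructed for the example; the regular expressions catch e-mail addresses and one phone-number format only, and a real tool would also have to handle names in free text and the metadata fields the article mentions.

```python
import hashlib
import hmac
import json
import re
from typing import Dict, List, Tuple

# Constructed sample records (not from any real matter): three e-mail documents
# as they might sit in an e-discovery review set, with direct identifiers in
# both the header fields and the free-text body.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"doc_id": "DOC-0001", "from": "alice@example.com", "to": "bob@example.com",
     "body": "Bob, call me at 555-0101 about the merger."},
    {"doc_id": "DOC-0002", "from": "bob@example.com", "to": "Alice@Example.com",
     "body": "Will do. Loop in carol@example.org as well."},
    {"doc_id": "DOC-0003", "from": "carol@example.org", "to": "alice@example.com",
     "body": "Thanks Bob. My number is 555-0199."},
]

# Only two identifier shapes are handled here; names in free text ("Bob")
# would need a name list or NER, which is exactly the harder problem the
# EU's broader definition of personal data pushes onto review tooling.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}-\d{4}\b")


class Pseudonymizer:
    """Replaces identifiers with keyed tokens and keeps the re-identification map apart.

    Tokens are HMAC-SHA256 over a normalised value, so one person maps to one
    token across every document, while nobody without the key can reverse or
    re-create the mapping from the pseudonymised set alone.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 16:
            raise ValueError("use a key of at least 128 bits")
        self._key = key
        # token -> original value. This is the 'additional information' that
        # GDPR Article 4(5) requires to be kept separately: store it with the
        # key, under separate access control, never next to the pseudonymised set.
        self.lookup: Dict[str, str] = {}

    def token(self, kind: str, value: str) -> str:
        # Normalise so "Alice@Example.com" and "alice@example.com" link up.
        norm = value.strip().lower() if kind == "email" else value.strip()
        mac = hmac.new(self._key, f"{kind}:{norm}".encode(), hashlib.sha256).hexdigest()
        tok = f"{kind.upper()}_{mac[:16]}"  # 64 bits is ample against collisions in one corpus
        self.lookup[tok] = norm
        return tok

    def scrub_text(self, text: str) -> str:
        text = EMAIL_RE.sub(lambda m: self.token("email", m.group(0)), text)
        text = PHONE_RE.sub(lambda m: self.token("phone", m.group(0)), text)
        return text

    def pseudonymize_record(self, rec: Dict[str, str]) -> Dict[str, str]:
        out = dict(rec)
        for field in ("from", "to"):
            out[field] = self.token("email", rec[field])
        out["body"] = self.scrub_text(rec["body"])
        return out

    def reidentify(self, tok: str) -> str:
        """Only the party holding the lookup (and the key) can do this."""
        return self.lookup[tok]


def pseudonymize_corpus(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Returns the pseudonymised records and, separately, the re-identification map."""
    p = Pseudonymizer(key)
    return [p.pseudonymize_record(r) for r in records], p.lookup


def contains_raw_identifier(records: List[Dict[str, str]]) -> bool:
    """Post-check before release: does any handled identifier shape survive?"""
    blob = json.dumps(records)
    return bool(EMAIL_RE.search(blob) or PHONE_RE.search(blob))


if __name__ == "__main__":
    pseudo, lookup = pseudonymize_corpus(SAMPLE_RECORDS, b"demo-key-0123456789abcdef")
    print(json.dumps(pseudo, indent=2))
    alice = pseudo[0]["from"]
    print("same token across documents:", [r["doc_id"] for r in pseudo if alice in r.values()])
    print("raw identifiers left:", contains_raw_identifier(pseudo))
```

The split in `pseudonymize_corpus` is the point: the review platform receives only the first return value, while the second (and the key) stays with the data controller. Changing the key yields an unrelated set of tokens, which is also how a matter-specific key stops tokens from one matter being correlated with another.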
Look to Evolver’s Legal Technology Team
Evolver already handles data for all of our client matters in full compliance with GDPR. Evolver helps with data mapping, identifying key areas that contain relevant information, and can prepare training materials to ensure data is secured and handled appropriately. We can also help build workflows for how data should be collected, processed, logged, and destroyed when required.
The Evolver Legal team can help educate your staff on how to recognize and address a Data Subject Access Request (DSAR) under the GDPR, and on setting up a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures, as Article 32(1)(d) requires.
GDPR and Cyber
On the cybersecurity front, as Evolver has recently discussed, the EU is not the only regulatory body leaning on companies to perform a top-to-bottom risk assessment of user data. The SEC has told public companies that how they disclose cyber risk will weigh on whether fines or penalties are warranted after a data breach that has a material impact on investors. Notably, the SEC fined Altaba, formerly Yahoo!, $35 million for failing to disclose a breach of Yahoo Mail user data quickly and properly. Combine penalties like these with the GDPR penalties that can follow from processing the personal data of people in the European Union, and companies have stronger motivation than ever to properly assess their exposure to cyber risk.
Infosecurity Magazine provides a guide on changes to the cybersecurity market. Among key observations is the idea that security risks “should be assessed and reported.” The magazine writes,
“Data leakage can occur at any stage in the supply chain, so it’s important to perform routine checks on all aspects of this framework including website traffic, social media interaction, email threads, and other forms of online engagement. This will identify the areas which are most vulnerable to a security breach, so the right measures can be taken to reduce the likelihood of a data penetration.
A thorough risk assessment also evaluates how efficiently the network access software is functioning to mitigate the spread of viruses, malware and other outside factors that contribute to lost or stolen data. The more informed you are of the risks, the better equipped you’ll be to avoid them.”
Evolver’s Cyber Team Can Help
Evolver’s team of FAIR-certified analysts provides a cyber risk quantification service for clients who want to translate cyber risk into dollar figures and develop mitigation strategies and appropriate security upgrades. Learn more about cyber risk quantification here. We can also help with risk assessments, threat management and intelligence, and social media monitoring.
GDPR After the Deadline
Even after the GDPR deadline comes and goes, we expect related headlines as companies continue to catch up and as the first major penalties are proposed. The near future of data privacy and disclosure will bring rapid change for organizations of all stripes. As daunting as these changes can be, a proactive strategy will help today’s business leaders emerge better able to navigate a connected world.