CNN: Hey Corporate America, Get Ready for Cybersecurity Regulation in the US
June 11, 2018
Robert Herjavec is the founder and CEO of Herjavec Group, which provides cybersecurity services to protect global enterprises from online attacks and threats. He's also an investor on ABC's "Shark Tank." The opinions expressed belong to him.
Corporate America should get ready. Cybersecurity regulations will soon be coming to the United States -- and that's actually a good thing.
A new data privacy law, known as the General Data Protection Regulation, took effect in the European Union on May 25 and impacts businesses worldwide. The law gives EU consumers more control over how their personal data is collected and used online.
I firmly believe that the US will pass similar regulations over the next two years. You might disagree -- my company's senior vice president did. So I bet him on it.
But the writing is on the wall. Facebook's Cambridge Analytica data controversy is forcing politicians on both sides of the Atlantic to take a hard look at data security laws. Over the past six months, US-based companies from retailers to tech giants have reported major data breaches.
GDPR aims to hold businesses accountable by requiring any company that holds or uses data on people inside the EU to notify regulators of a major data breach within 72 hours of its discovery.
I know what you're thinking: I'm a US-based organization -- this doesn't apply to me. Wrong.
Perhaps your company has an office in the EU and shares internal data, or you permit online purchases from customers there. Maybe you have a client based in the EU. Whatever the case, you need to be compliant.
Companies must also allow consumers to easily opt in and out of data collection. If they don't, European regulators can fine them up to 4% of their annual global sales or €20 million ($23.5 million) -- whichever is greater.
The message here is clear: Give the consumer control over their data and be transparent about any events that put the data in danger. If you don't, you'll be penalized where it hurts -- your bottom line. As a CEO, these regulations have my attention.
Data regulation, like GDPR, is a reminder to Corporate America that we need to be better.
Facebook CEO Mark Zuckerberg's testimony before Congress was an eye-opener. We should view GDPR as best in class and realize that only the pain of penalty will really open Corporate America's eyes to the importance of proactive data privacy and transparent security practices.
But we also have businesses to run.
No executive wakes up and says, "I can't wait to spend millions on security today." But it's no longer optional. In the same vein, it's also no longer an option to be an executive who hides behind the "IT problem" when it comes to cybersecurity. We know better. We have an opportunity to set a new standard for data security.
So, what can you do as a business leader to get ahead of the regulation curve? Start with making a bet with your senior vice president that further regulation is coming. You'll be glad you did.
Then review your GDPR readiness as it stands today. Are you fully compliant already? Can you demonstrate that you're working towards compliance? Have you engaged legal and cybersecurity-specific service providers to support your efforts?
To answer these questions, begin by covering the basics. Perform a network security assessment and hire someone to perform a Privacy Program and GDPR readiness assessment. These assessments offer a current state review of your data protections, practices and controls. You should expect an assessment report and action plan with recommendations on how you can address any gaps.
Next, make sure you've reviewed your team's security framework strategy and incident response plan. These plans allow you to identify clear policies and procedures to follow for all elements of data handling, information security and remediation.
Push your team to conduct regular assessments and reporting reviews -- and stick to it.
Understand the tools that will matter to your organization's compliance. For example, how are encryption tools leveraged in your environment? How are you limiting access to ensure the confidentiality and authenticity of digital data?
Do you have 24x7 visibility and anomalous event detection, which detects any activity outside of what's deemed normal in your environment? Consider investing in a Security Information and Event Management (SIEM) system and third-party managed services support in order to streamline data logging, correlation and security intelligence gathering.
Regulation isn't about striving for perfection in security. That doesn't exist. It's about continuous improvement, working towards compliance, improving detection and enhancing containment to keep our businesses up and running.
Compliance in security isn't sexy -- it's not the latest emerging threat being dashed across headlines. But it is time we wake up and pay attention. GDPR policy is real. It will impact US businesses. And inevitably, it will set a standard for the world to follow in terms of data privacy, security and transparency.
Originally posted on cnn.com