Recently, Paul Perry, practice leader for Warren Averett’s Risk and Controls division, participated in the Birmingham Business Journal’s Table of Experts on Data Privacy. The full supplement is available from the BBJ. Paul’s answers are below:
What are some of the top things small businesses should know about data privacy?
Paul Perry: No matter how much of the IT function is outsourced, the responsibility of data privacy will always be with the small business as it relates to its employees and customers. A business should do its due diligence in selecting the right vendors. While following – or adopting – nationally recognized standards and methodologies such as COBIT, NIST, etc., is important, it can get overwhelming and costly. Selecting the controls that are most relevant to the data that is held, and making sure network and application security is addressed, is more important. Security awareness training, strong passwords, constant monitoring of traffic and frequent backups are a few quick controls any organization can implement to improve data privacy practices.
Alabama recently passed a data breach notification act. What implications does that new law have for businesses?
Perry: The law requires a number of safety measures for companies to implement to help protect the organization from – or respond appropriately to – a breach. These include periodically updated risk assessments, implemented technology controls, governance over information security, periodic review of technology controls protecting data and open communication between boards, management and IT. Failure to adhere to or properly notify individuals about a breach could have steep monetary penalties. All organizations, to different degrees, will experience a breach event, and how you respond to that event is just as important as how you protect the information and data you hold.
What is GDPR (General Data Protection Regulation) and how can it affect businesses?
Perry: GDPR gives the ultimate control of personal information to EU citizens. It establishes a very strict set of standards that companies that work with or interact with EU citizens must adhere to when collecting data on users, clients, customers and employees. It also provides a means for consumers to be forgotten by having their data that is no longer being used for business purposes removed if they request. These standards will affect all companies in the U.S. that have a website that collects, stores or uses data through cookies that could potentially be seen or visited by a consumer in the EU. Companies in the U.S. need to be paying attention to the California Consumer Privacy Act of 2018, which was approved by the State Assembly and Senate. This law, which goes into effect in 2020, is the closest regulation in the U.S. to GDPR, and it could quickly spread to other states. Most regulations are established to protect the consumers and users within that respective state or country, no matter where the business that the consumers are using is domiciled.
What are some of the potential pitfalls for not complying with GDPR?
Perry: Among the pitfalls of any data protection law or regulation is a fine for noncompliance or failure to communicate a breach in a timely and appropriate manner. Noncompliance can also cause reputational damage, especially if the offense is repeated in the future or is in the news. GDPR is a landmark for U.S. businesses because the power and control over data is being given back to citizens and consumers, which requires greater costs and preparation time for businesses than in the past.
How can companies make sure they are in compliance, not only with GDPR, but also other data privacy laws?
Perry: All data privacy laws – like the ones throughout the 50 states – and regulations – like GDPR – have two common compliance themes: security measures and breach notification requirements. Protecting data and responding to events or breaches are both important goals for an organization. Many who set industry standards believe that a tenet of doing business in cyberspace is that companies should be able to demonstrate that the ability to respond to an event in a timely and appropriate way is just as important as working to protect the data in the first place. Security measures usually require some standard IT controls, such as established data protection governance, updated risk assessments, IT controls and effectiveness, and communication between IT and management/boards of directors to be in place. These measures and requirements can vary from state to state or internationally.
What types of companies or partners can help businesses address data privacy?
Perry: Organizations that specialize in the review and assessment of current practices compared to industry regulations and standards – IT consulting firms, CPA firms, etc. – can be beneficial partners for organizations. These assessments can help organizations identify on a regular basis their current gaps and risks, and how to remediate those issues with leading best practices. Collaborating with credentialed individuals who are knowledgeable concerning information systems and security can provide up-to-date guidance and best practices to an organization.
How expensive can a data breach be for businesses or employers?
Perry: The cost of a data breach or event will be both monetary and reputational. The monetary cost will always be larger than initially expected, and could include the cost for protecting the data, informing individuals of the breach, providing assistance and monitoring to those affected, and fines, should a company not have security measures in place or not report the event in a timely manner. Reports are showing an increase in total costs for cybersecurity, with more than $6 trillion by 2020 being spent to protect and respond to events. Once an event occurs, the reputational cost to an organization can be damaging if proper controls were not in place or if proper procedures were not set up to respond to the incident. Responsibility for protection and response – no matter the affected party – is vital for businesses. You can outsource processes to others, but you can never outsource the responsibility.
How can a company defend against a data breach? How important is cybersecurity?
Perry: Businesses should have a proactive and up-to-date IT environment, including governance and strategy, management of vendors and changes to the system, solid system and application controls, and data and incident management controls. These controls can follow those set forth by standard setters such as AICPA with SOC 2® Criteria, ISACA with COBIT 5 Methodology, or NIST Standards. Protecting the data and responding to breaches should have solid controls and practices in place. Employee awareness of security and technology should be regularly prioritized to make sure everyone is up to date with the latest trends, threats and protection methods.
What should businesses do when a data breach occurs? How can they reduce their liability and potential costs?
Perry: If a breach occurs, getting legal assistance and advice is a priority. These professionals can assist with the stages of discovery, response and remediation for the business. Cyber liability insurance is a growing trend for businesses, but caution should be used when establishing or maintaining a policy to make sure the security measures required by the policy are in place to help with as much protection of the data as possible. Having a solid, proactive IT environment with specific IT controls can also help mitigate any liability or threat to the business.
What are some proactive steps companies can take to reduce the threat of data breaches or violations of data privacy laws?
Perry: Along with solid information technology controls around a framework, employee awareness of threats and remediation efforts can go a long way in protecting both the organization and the employee. Constant security awareness training that is tracked and updated for new threats is a great deterrent to security breaches and potential cybersecurity events. In a recent Verizon survey on data breaches, 70 percent of all breaches and events occurred from human error in dealing with common technology avenues, including emails, internet browsing and social media. Human interaction is a weak link when it comes to security issues, and constant training on these issues helps raise awareness when dealing with data protection.
To speak to Paul Perry regarding your company’s data privacy, call 205-769-3251.