3 Regulatory Compliance Trends That Are Accelerating in 2020

A growing attack surface and the exponential growth of data have opened the floodgates for breaches, leading to increased scrutiny by regulatory agencies. It's not surprising that in recent years, regulators have doubled down with compliance mandates that are more stringent and punitive than ever before.

The European Union's General Data Protection Regulation (GDPR), for example, set a new precedent for data privacy by tightening controls and protecting a consumer's "right to be forgotten," while imposing fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, for violations.

So, what’s next on the horizon for compliance? Here are a few trends to watch.

1. States Make Data Protection a Priority

With GDPR as the new gold standard, many U.S. states are upping their game around consumer data privacy. The new California Consumer Privacy Act (CCPA), effective January 1, 2020, gives Californians the right to opt out of having their data sold to third parties, and the right to request disclosure and/or deletion of data already collected. Maine and Nevada have also passed significant data privacy laws. Massachusetts recently considered a comprehensive data privacy bill that would have created new categories of litigation against businesses that collect personal information from residents. Data privacy legislation is also a major focus for New York, Texas and Washington, and will increasingly be a top priority for other states.

2. Governments Try to Standardize IoT and Critical Infrastructure

Governments are also paying more attention to standardizing security defenses across the Internet of Things (IoT), including industrial manufacturing and critical infrastructure. The European Union's NIS Directive first laid the groundwork in 2016 by establishing incident notification requirements and risk-based security measures for operators of essential services and digital service providers (DSPs) in industries such as energy, transportation, healthcare and water supply, among others.

Since then, California's IoT Security Law, which went into effect in January 2020, has become the first in the U.S. to require manufacturers of connected devices to equip them with "reasonable security" features. The U.S. Congress has also proposed a bill, the Internet of Things Cybersecurity Improvement Act, which would require the National Institute of Standards and Technology (NIST) to develop mandatory security standards for IoT devices procured or used by federal agencies. The California law's definition of a connected device is broad, reaching consumer products from smart TVs and cameras to the devices behind virtual assistants such as Siri, Alexa, Cortana and Google Assistant, among others. The uptick in new and proposed IoT security legislation affects both industrial and consumer markets, and likely signals further scrutiny of connected devices in the near future.

3. Organizations Reimagine Security to Meet Compliance Demands

More than half of organizations currently rank data privacy as one of the top three policies affecting their business, according to a recent PwC survey. To meet growing compliance demands, many will be restructuring, and rethinking, their entire approach to security, while also shelling out almost $10 billion for privacy and security solutions and infrastructure in the process. Companies are also shifting toward a "privacy by design" model, establishing an information security management system with policies that follow recognized compliance frameworks. This includes using technologies to track evolving privacy laws and automating compliance tasks to create predictable, repeatable processes that keep auditors satisfied and minimize unwanted surprises.

As part of their ongoing digital transformation, organizations will have to factor in rapidly changing compliance rules, and will have to pivot quickly as new iterations of these laws emerge. Looking ahead, that means industries and organizations will need to adopt new, automated and integrated approaches to compliance to ensure that their customer data, and their reputation, are protected.

To learn more about the compliance landscape, check out “A Short Primer on GDPR Essentials.” 

Posted by Oliver Friedrichs

With a track record of building four successful enterprise security companies over the past two decades, Friedrichs most recently served as the Founder and CEO of Phantom. Prior to Phantom, Friedrichs founded Immunet, acquired by Sourcefire in 2010 and a key component of Cisco's acquisition of Sourcefire in 2013; it now thrives as Cisco's Advanced Malware Protection (AMP). Friedrichs co-founded SecurityFocus (Bugtraq) and led DeepSight, the world's first Internet early warning system, acquired by Symantec in 2002. He also co-founded Secure Networks and led Ballista (CyberCop), one of the industry's first vulnerability management solutions, acquired by McAfee in 1998. Friedrichs architected and developed a prototype of the first commercial penetration-testing product, SNIPER, acquired by Core Security Technologies in 2001 and further developed into CORE IMPACT. He attended the University of Manitoba and is the co-author of three security books and the recipient of 19 patents.
