A growing attack surface and the exponential rise of data has opened the floodgates for breaches, leading to increased scrutiny by regulatory agencies. It’s not surprising that in recent years, regulators have had to double down with compliance mandates that are more stringent and punitive than ever before.
The European Union’s General Data Protection Regulation (GDPR), for example, set a new precedent for data privacy by tightening controls and protecting a consumer’s “right to be forgotten,” while imposing fines of more than $20 million — or up to 4% of annual worldwide turnover — for violations.
So, what’s next on the horizon for compliance? Here are a few trends to watch.
1. States Make Data Protection a Priority
With GDPR as the new gold standard, many U.S. states are upping their game around consumer data privacy. The new California Consumer Privacy Act (CCPA), effective January 2020, empowers Californians with the right to opt out of having their data sold to third parties, and the right to request disclosure and/or deletion of data already collected. Maine and Nevada, have also passed significant data privacy laws. Massachusetts recently considered a comprehensive data privacy bill that would have created new litigation categories against businesses that collect personal information from residents. Data privacy legislation is also a major focus for New York, Texas and Washington — and will increasingly be a top priority for other states.
2. Governments Try to Standardize IoT and Critical Infrastructure
Governments are also paying more attention to standardizing security defenses across the Internet of Things (IoT), including industrial manufacturing and critical infrastructure. The European Union’s NIS directive first laid the groundwork in 2016 by establishing protocols around incident response and implementing risk-based security measures for critical infrastructure and digital service providers (DSP) in industries such as energy, transportation, healthcare and water supply, among others.
Since then, California’s IoT Security Law, which went into effect in January, became the first in the U.S. requiring all connected devices to incorporate “reasonable security” measures. The U.S. also proposed a bill, the Internet of Things Cybersecurity Improvement Act, which would require the National Institute of Standards and Technology (NIST) to create mandatory security regulations for all IoT devices used by any government agency. This legislation also applies to consumer devices that include everything from Smart TVs and cameras, to virtual assistants such as Siri, Alexa, Cortana and Google Assistant, among others. The uptick of new and proposed IoT security legislation impacts both industrial and consumer markets, and likely signals further scrutiny around connected devices in the near future.
3. Organizations Reimagine Security to Meet Compliance Demands
More than half of organizations currently rank data privacy as one of the top three policies affecting their business, according to a recent PwC survey. So to meet growing compliance demands, many will be restructuring — and rethinking — their entire approach to security, while also shelling out almost $10 billion for privacy and security solutions and infrastructure in the process. Companies are also shifting toward a “privacy by design” model, establishing an information security management system with policies following compliance frameworks. This includes using technologies to track evolving privacy laws and automating compliance tasks to create predictable, repeatable processes that can keep auditors satisfied and minimize unwanted surprises.
As part of their ongoing digital transformation, organizations will have to factor in rapidly changing compliance rules — and will have to pivot quickly as new iterations of these laws emerge. Looking ahead, that means industries and organizations will need to reimagine new, automated and integrated approaches to compliance to ensure that their customer data — and reputation — is protected.
To learn more about the compliance landscape, check out “A Short Primer on GDPR Essentials.”