5 Ways For Healthcare Providers To Build A Fortress Against Cyber Threats

December 28th, 2019 Alex Zlatin Leave a comment

The healthcare industry has yet to find a cure for cyberattacks. Housing personal health data, all kinds of providers are vulnerable targets of hackers and patient care can be put at great risk.

News of breaches in healthcare computer systems is a regular occurrence. Over 100,000 medical records were recently leaked as a result of a data breach at a Montana hospital. And research this year showed an upsurge in malware attacks on healthcare providers. Phishing messages, a means of malware delivery via email, have been found to come in the form of alerts from the US Centers for Disease Control and Prevention (CDC).

As cyberattacks become more sophisticated and widespread, the need for adequately securing computer networks at hospitals and all medical facilities has never been greater, says Alex Zlatin, CEO of Maxim Software Systems (alexzlatin.com).

“The costs of cyberattacks for healthcare providers can be enormous,” Zlatin says, “but how hackers can literally stop facilities from functioning and keep patients from getting care and medication should get everyone’s attention. “It’s all about prevention, and for many providers, being secure as possible will involve a retooling and re-thinking of how they approach cybersecurity from the human and technological standpoints.”

Zlatin provides five tips for healthcare providers to better protect against cybersecurity threats:

-Educate employees about phishing attacks. Many breaches start with human error. Employees make the mistake of responding to an email, link or website designed by hackers to access private information. “Email is a popular phishing technique,” Zlatin says. “The best ways to prevent them from doing damage are to educate your employees on what suspicious emails look like and to use strong email spam filters. Also, your software should automatically scan any links or attachments. This prevents new or unrecognizable URLs from sneaking past company safeguards.”

-Beware of ransomware. Ransomware has been a big menace to the healthcare industry, holding data for ransom, paralyzing facilities and putting patients at risk. Zlatin says the first step in dealing with ransomware is backing up your system, ideally with a cloud backup to protect data. “Failure to do backup can cause irreparable damage,” he says. “And while hackers continually find ways to infiltrate, your security software should contain the most updated anti-malware and anti-ransomware protection. When a ransomware attack occurs, the first thing employees should do is contact their IT team — not try to resolve it themselves.”

-Have a top-down security program. There can be a disconnect and gaps in cyber security procedures when a medical facility’s security staff and IT team don’t overlap. “Including cybersecurity duties at a managerial level, perhaps even as an executive position, can ensure that correct initiatives are created, launched, and enforced, and that funding for security initiatives is available,” Zlatin says. “This also helps enforce regular risk assessment, which should be part of any healthcare provider’s cybersecurity threat program.”

-Make sure vendors have protection. The Healthcare Industry Cybersecurity Task Force, which was established by the U.S. Department of Health and Human Services and the Department of Homeland Security, warned providers about areas of security vulnerability in the supply chain. “Vendors should take the proper steps to detect threats,” Zlatin says. “They include all healthcare business partners, such as insurance companies and infrastructure providers, all of whom should have good security records and be able to protect medical information. It’s especially important for organizations that outsource IT personnel from third-party vendors.”

-Update passwords often. “Using the same passwords for most platforms is a big mistake,” Zlatin says. “It increases vulnerabilities. If a criminal discovers one password used for several accounts, it leads to a disastrous theft of data. So, have employees generate new passwords periodically and not get stuck on convenience.”

“Too often, many healthcare facilities aren’t vigilant enough about defending their medical records security,” Zlatin says. “Healthcare providers face a constant threat that requires constant vigilance because they and their patients have too much to lose.”

________________________________________________________________

Alex Zlatin, author of the book Responsible Dental Ownership (alexzlatin.com), had more than 10 years of management experience before he accepted the position of CEO of dental practice management company Maxim Software Systems. He earned his MBA at Edinburgh Business School and a B.Sc. in Technology Management at HIT in Israel.

His company helps struggling dental professionals take control of their practices and reach the next level of success with responsible leadership strategies.

Archives, Global Trade Daily, Special Reports

A Cybersecurity and Artificial Intelligence Forecast for 2020

December 23rd, 2019 Saumitra Das, CTO, Blue Hexagon Leave a comment

As a cybersecurity and artificial intelligence innovator, we are often asked about our predictions for the year to come. AI, in all its flavors, is a hot technology and it is being applied in many fascinating and powerful ways. Our focus, of course, is on using deep learning to advance the standards in malware detection (and we see a lot of good happening in that regard) so we bring a unique perspective to these two areas.

And not to brag, but when the question came up last year we provided a modest forecast that turned out to be fairly accurate. Here’s a quick recap:

-We said that AI would be a key component to the delivery and management of 5G wireless services, which is in-line with what the industry is now saying about its roll-out.

-Our bet was behind the emergence of AI-as-a-Service. It’s comforting to know that Microsoft CEO Satya Nadella agrees, and sees a $77 billion market by 2025, according to Motley Fool.

-Last year we predicted the emergence of more sophisticated learning techniques, advancing the capabilities and efficacy of machine learning and deep learning algorithms, and that has been happening.

-We’ll even take credit for our prediction that AI in all its forms would see greater commercialization and consumerization, even though that one was probably self-evident in hindsight. Development and improvement in products like smart assistants, smartphones, autonomous vehicles, medical devices and more will continue apace now that AI is mainstream.

So what can we expect for 2020? We’re going to keep our forecast in the realm of cybersecurity and AI this year, looking at both the threat landscape and the emergence of innovative defenses. Here are five trends we see developing in the new year.

Cybercrime will focus on ransomware and cryptojacking

The focus of the global hacker community will shift to emphasize ransomware and cryptojacking. Ransomware has proven to be a lucrative source of income for hackers, and as associated malware and delivery techniques become more effective, that is only going to embolden them. Most hackers launch attacks from locations beyond the reach of U.S. authorities, and they collect payments in the form of cryptocurrency to minimize the risk factor of their illicit endeavors. And as cryptocurrency becomes more mainstream, we foresee a sharp increase in attacks intended to hijack computing resources to power the computations necessary to “mine” coins. What we’re seeing in Blue Hexagon Labs research is that cryptojacking attacks appear to have an inverse relationship to ransomware attacks. This is likely driven by hacker motivations; as the value of cryptocurrency increases, it may be more lucrative (and easier) to focus on cryptojacking than ransomware.

Malware-as-a-Service becomes increasingly sophisticated

Criminal hackers are innovators and entrepreneurial (even if they are evil, self-centered, and destructive innovators and entrepreneurs). As such, they are keen on minimizing cost and risk, and one way they are doing that is by productizing their tools and skills. As a result, Malware-as-a-Service hacking groups are now selling kits and automated services on dark web marketplaces. In March of this year, we wrote about Gandcrab ransomware-as-a-service. We will see these services increase in sophistication in the coming year–for example, the ability to select customizations such as the type of obfuscation or evasion techniques, and the way the malware is delivered. This will make it easier for anyone to get in on the malware game, creating a force multiplier effect that will increase the number of threats enterprises will face in the years to come.

First malware using AI-Models to evade sandboxes will be born in 2020

Malware developers already use a variety of techniques to evade sandboxes. A recent article explained that “Cerber ransomware runs 28 processes to check if it is really running in a target environment, refusing to detonate if it finds debuggers installed to detect malware, the presence of virtual machines (a basic “tell” for traditional sandboxes), or loaded modules, file paths, etc., known to be used by different traditional sandboxing vendors.”

In 2020, we believe that new malware–using AI-models to evade sandboxes–will be born. This has already been investigated in academia. Instead of using rules to determine whether the “features” and “processes” indicate the sample is in a sandbox, malware authors will instead use AI, effectively creating malware that can more accurately analyze its environment to determine if it is running in a sandbox, making it more effective at evasion. As a result of these malware author innovations and existing limitations, the sandbox will become ineffective as a means to detect unknown malware. Correspondingly, cybersecurity defenders’ adoption of AI-powered malware defenses will increase.

The rollout of 5G networks will bring new attack vectors

The infrastructure needed to roll out and manage new 5G networks requires a more complex, software-defined architecture than older communication networks. This new architecture means services will operate within a more complex environment with a broader attack surface that requires more security diligence on the part of the service providers. In addition, the advent of 5G networks will enable more endpoint devices that will require security at the network edge. Hackers, in particular, nation-state threat actors, will work hard to find and exploit weaknesses in this architecture to intercept traffic, disrupt services, and deliver payloads to endpoints and networks.

Privacy regulations drive more spending in cybersecurity

The European Union’s General Data Protection Regulation (GDPR) has inspired a number of privacy regulations, including the new California Consumer Privacy Act (CCPA). In the CCPA, California has created a combined privacy and breach disclosure law that goes into effect on January 1, 2020. The office of the California attorney general recommends NIST (800-53 or CSF) or ISO 27001 as their standards for implementation, and uses CIS Controls for security program guidance. That means an emphasis on malware detection and prevention, and with data breach violations reaching hundreds of millions of dollars in the EU and U.S., we predict CCPA and the recent history of enforcement will drive a significant increase in cybersecurity spending.

Even though the overall theme of these predictions suggests increasing threats and risks to the enterprise, we do see cause for optimism. Our experience with the application of deep learning to meet the challenges of threat detection and prevention give us hope that, as our efforts and those of other innovators continue and build momentum, we are confident that 2020 will be regarded as the year our industry finally turned the tide against hackers.

Archives, Global Trade Daily

Hackers Covet Your Identity; 5 Ways To Thwart Their Efforts To Steal It

December 21st, 2019 Chris Hoose Leave a comment

Each day people take a virtual trip through the internet to do their banking, make hotel reservations, shop for a new car, or engage in a myriad of other activities important to them.

It’s so routine that it’s easy to forget that you need to be just as careful about protecting yourself on those virtual journeys as you would on an actual one.

“Hackers are creative about dreaming up new ideas for stealing your identity, so it’s important that you stay vigilant even if you already have taken action to guard yourself and your data,” says Chris Hoose (www.choosenetworks.com), an IT consultant who works with small businesses.

Hoose says a few steps you can take to protect your identity include:

Use a password manager. One problem with passwords is that people often use simple ones that are easy to remember, but also easy to hack. A password manager provides an encrypted database where you can store unique, long, complex passwords for each of your online accounts, and access them when you need them. “With a password manager, you can have better passwords that are harder to hack, and you don’t have to memorize them,” Hoose says.

Do your online activities with a VPN. Worried that your online browsing will lead identity thieves right back to you? One solution, Hoose says, is a virtual private network (VPN), which lends you a temporary IP address and hides your true IP address from every website or email you connect with. “It also prevents the sites you visit from learning your physical location,” he says. “You just need to remember to connect to it when you want to use it.” A VPN usually costs about $40 to $50 a year, he says.

Be wary on social media. Most people check in on social media routinely to catch up on family news, connect with college buddies, or perhaps to share photos of a new puppy. Unfortunately, cyber thieves lurk in the background. “They know that social media platforms are an excellent source for personal information and information about your contacts, which makes identity theft that much easier for them,” Hoose says. To stay safe on social media, he suggests you check to see if you have already been compromised; avoid password reuse; update your security settings regularly; and limit your connections because the more you have, the more potential for a fraudulent or compromised account to send you a malicious link.

Keep tabs on your credit report. One way to make sure no one has taken on debt in your name, and damaged your credit in the process, is to request a full credit report from any of the three major agencies: Equifax, TransUnion and Experian. You can get a free copy from any of them through the site www.annualcreditreport.com. Also, it might be time to get off the mailing list for all those credit offers you receive that say you are pre-approved. “Those offers are a gold mine for identity thieves,” Hoose says. You can opt out of pre-approved credit offers by visiting www.OptOutPrescreen.com.

Be sure to install anti-virus/malware software. Your first and best line of defense against identity theft on your computer remains anti-virus software and anti-malware software, Hoose says. When choosing one, he suggests making use of the trial period most companies offer. “That way you can try them out and decide which one works best for you,” he says.

“The more people try to foil identity thieves, the more sophisticated those thieves seem to get in their methods,” Hoose says. “But by being watchful and attentive, you can stay safe and enjoy your time online.”

________________________________________________________

Chris Hoose (www.choosenetworks.com) is the president of Choose Networks, an IT consulting firm for small businesses. Hoose started the company in 2001 to give large-scale solutions and support to businesses that can’t afford their own in-house IT department. He earned a Master of Information Systems Management from Friends University.

Archives, Global Trade Daily, Software, Special Reports

Winter 2019 U.S.- China Cybersecurity Update

November 15th, 2019 Joe Whitley, Alan Enslen, Julius Bodie and Frank Xue Leave a comment

It is difficult to accurately speculate on the progress of U.S.-China trade negotiations, as media reports on the status of key policy proposals seemingly differ each day depending on the transparency and messaging agenda of the sources involved. However, what has been certain during the winter of 2019 is that major updates to U.S. and Chinese cybersecurity regulations are in the process of being implemented, and these developments stand to set key precedents for the intersection of applicable foreign investment and cybersecurity regulations in the U.S. and China.

Building on our previous two articles regarding U.S. economic espionage concerns and updated U.S. foreign investment restrictions, this article will provide an overview of notable cybersecurity legislative and investigative developments that will likely dictate the near future of critical facets of U.S.-China relations in the 21st century, including (1) the implementation of China’s revised cybersecurity legislation known as the Multi-Level Protection Scheme (“MLPS 2.0”); (2) the Committee on Foreign Investment in the United States (“CFIUS”) reported investigation into the popular social media app TikTok; and (3) the race to implement 5G infrastructure and ongoing speculation regarding Huawei’s licensing status.

1. Implementation of China’s Multi-Level Protection Scheme (MLPS 2.0)

In 2017, China implemented comprehensive cybersecurity legislation commonly referred to as China’s Cybersecurity Law (“CCL”) in efforts to consolidate authority over and standardize regulation of the internet and cyberspace. The CCL includes strict prohibitions on how companies, particularly U.S. and other foreign companies, can store data and interact online. For example, the CCL requires that network operators in China cooperate with and provide support to government agencies in support of safeguarding national security, and additional provisions have been passed in recent years under the CCL that provide broad authorizations for law enforcement agencies to inspect and monitor internet service providers and computer network data centers. Foreign companies and human rights organizations have criticized the CCL as regressive legislation that fosters state censorship and surveillance and lacks sufficient privacy protections.

Article 21 of the CCL codified China’s requirements for network operators to implement a cybersecurity “multi-level protection system” that includes mandates to implement and adopt certain technical measures and security protocols to monitor and record network activity. Article 37 imposes certain data localization requirements and requires “critical information infrastructure” operators to store personal information and important data gathered or produced within the mainland territory of China.

On December 1, 2019, MLPS 2.0 will take effect, and will impact how U.S. companies and other foreign companies can do business online and store electronic data in China. A draft of the new regulations was first released in June 2018, and the revised MLPS 2.0 incorporates three information security technology standards that in effect will broaden the Chinese government’s authority, particularly that of the Ministry of Public Security, to proactively supervise, manage, and enforce cybersecurity regulations and restrictions on companies operating in China.

The expanded monitoring and enforcement authorities that MLPS 2.0 provides the Chinese government has provoked increasing privacy concerns for foreign firms, particularly those handling sensitive data. The regulations provide stringent mandates on how foreign companies must secure their networks, utilize local sever systems, and cooperate with government authorities. As the new law enters into effect on December 1, 2019, it will be critical for U.S. companies operating in China to understand how the new laws will impact their operations. Companies that store and utilize sensitive personal data, U.S.-regulated technology or technological data, or proprietary intellectual property and trade secrets will have to ensure compliance with both U.S. and Chinese regulations governing privacy, export controls, and cybersecurity regulations.

2. CFIUS Takes on TikTok

We previously provided an overview of the updated CFIUS regulations concerning foreign investment restrictions scheduled to take effect in the U.S. in February 2020. However, that does not mean that CFIUS, the inter-agency committee tasked with the authority to review, modify and reject certain types of foreign investment that could adversely impact U.S. national security, is dormant in terms of its current investigations. In fact, on November 1, 2019, Reuters reported that CFIUS has launched a national security review of the popular social media and video-streaming app TikTok, related to the acquisition of social media app Musical.ly (since rebranded as “TikTok”) by Beijing ByteDance Technology Co. in 2017 for $1 billion. TikTok earlier this year said that approximately 60% of its 26.5 million monthly active users are located in the United States.

U.S. lawmakers first raised national security concerns related to the TikTok platform, particularly its Chinese parent company’s collection of user data and purported censorship of user content. For example, Senators Chuck Schumer and Tom Cotton sent a bi-partisan letter to the Acting Director of National Intelligence in October voicing concerns over TikTok’s data collection practices, highlighting Chinese laws that “compel Chinese companies to support and cooperate with intelligence work controlled by the Chinese Communist Party.” While it is unclear what the outcome of this particular review will be, it puts a spotlight on the types of industries and practices that CFIUS is currently scrutinizing and provides a useful case study for what types of mitigating measures we may see imposed by the Committee down the road.

The updated CFIUS regulations set to take effect in February 2020 expressly expand the jurisdiction of CFIUS to include reviews of non-controlling foreign investments in companies that store and have access to sensitive personal data of U.S. citizens. But the CFIUS review into TikTok is only the latest investigation by the Committee into burgeoning technology apps that store sensitive personal data. CFIUS has previously targeted the proposed acquisition by the Chinese Kunlun Group of the U.S. dating application “Grindr” for data privacy concerns regarding its individual users, and similarly forced the Chinese digital healthcare company iCarbonX to divest from it its investment in the U.S. healthcare startup “PatientsLikeMe.”

These recent cases ultimately show that CFIUS is increasingly focused on the protection of the sensitive personal data of U.S. citizens in emerging technological applications, particularly when Chinese investment is involved. All U.S. companies considering foreign investment will have to take heed of the current and soon-to-be updated CFIUS regulations and increase their due diligence efforts, particularly where Chinese investment is concerned.

3. 5G Supremacy: Timeline on Huawei Restrictions and Licensing Still Unclear

Finally, a critical ongoing area of U.S.-China cybersecurity relations is the debate over the role that China’s telecommunications leader Huawei will have in developing and implementing global 5G technology and data networks. Huawei was placed on the U.S. Department of Commerce “Entity List” over national security concerns in May 2019, which restricts U.S. companies from doing business with it, and a licensing regime was put into place for U.S. companies that seek to engage with Huawei and certain of its subsidiaries. While no such licenses have been issued to date, U.S. Secretary of Commerce Wilbur Ross recently indicated that at least some of the 260 license applications their office has received will be granted and issued shortly.

U.S. critics believe that allowing Huawei to take the lead on 5G and similar data network equipment will potentially give the Chinese government the ability to collect data of the users of Huawei products. However, Huawei is a global leader in 5G technology, and despite pressure from the U.S. government, countries like Germany, Hungary, and Norway have decided against banning Huawei from their 5G networks. The inherent difficulties and concerns in having the global leader in 5G technology also be closely connected to the Chinese government is an issue that every country seeking to develop 5G infrastructure will have to address, and will likely be a focal point in the U.S.-China trade war as well as in global cybersecurity relations for years to come.

If you have any questions about U.S.-China trade relations as it relates to CFIUS, cybersecurity regulatory compliance, or U.S.-imposed licensing restrictions, please contact a member of Baker Donelson’s Global Business Team below.

____________________________________________________________________
Joe D. Whitley is a shareholder at Baker Donelson and chairs the Firm’s Government Enforcement and Investigations Group. He can be reached at jwhitley@bakerdonelson.com.

Alan Enslen is a shareholder with Baker Donelson and leads the International Trade and National Security Practice and is a member of the Global Business Team. He can be reached at aenslen@bakerdonelson.com.

Julius Bodie is an associate with Baker Donelson who assists U.S. and foreign companies across multiple industries with international trade regulatory issues. He can be reached at jbodie@bakerdonelson.com.

Frank Xue is an associate with Baker Donelson who assists Chinese clients with matters in the U.S. related to foreign direct investments, mergers and acquisitions, and private equity/venture capital. He can be reached at fxue@bakerdonelson.com.

_______________________________________________________________________

1. CCL Translation: “Cyber-security Law of the People’s Republic of China,” Dezan Shira and Associates. https://www.dezshira.com/library/legal/cyber-security-law-china-8013.html.

2. CCL Article 9; see also Laney Zhang, China: New Regulation on Police Cybersecurity Supervision and Inspection Powers Issued, Library of Congress (November 13, 2018) (discussing Measures of Internet Security Supervision and Inspection by the Public Security Organs, (Sept. 15, 2018, effective Nov. 1, 2018)) https://www.loc.gov/law/foreign-news/article/china-new-regulation-on-police-cybersecurity-supervision-and-inspection-powers-issued/.

3. See, e.g., China: Abusive Cybersecurity Law Set to be Passed, Human Rights Watch (November 6, 2016) https://www.hrw.org/news/2016/11/06/china-abusive-cybersecurity-law-set-be-passed; China adopts cyber security law in face of overseas opposition, Reuters (November 6, 2016) https://www.reuters.com/article/us-china-parliament-cyber-idUSKBN132049.

4. Draft Cybersecurity Classified Protection Regulations, China Ministry of Public Security (June 27, 2018) http://www.mps.gov.cn/n2254536/n4904355/c6159136/content.html?from=timeline&isappinstalled=0.

5. See, e.g. Simone McCarthy, Will China’s revised cybersecurity rules put foreign firms at risk of losing their secrets?, South China Morning Post (October 13, 2019) https://www.scmp.com/news/china/diplomacy/article/3032649/will-chinas-revised-cybersecurity-law-put-foreign-firms-risk.

6. Greg Roumeliotis, Yingzhi Yang, Echo Wang, Alexandra Alper, Exclusive: U.S. opens national security investigation into TikTok, Reuters (November 1, 2019) https://www.reuters.com/article/us-tiktok-cfius-exclusive/exclusive-u-s-opens-national-security-investigation-into-tiktok-sources-idUSKBN1XB4IL.

7. Reuters, How TikTok, Caught in U.S. Regulatory Crossfire, Rose to Global Video Stardom, The New York Times (November 4, 2019) https://www.nytimes.com/reuters/2019/11/04/business/04reuters-tiktok-cfius-factbox.html.

8. See, e.g. Senator Marco Rubio Letter to Secretary of Treasury Steven Mnuchin https://www.rubio.senate.gov/public/_cache/files/9ba023e4-2f4b-404a-a8c0 e87ea784f440/FCEFFE1F54F3899795B4E5F1F1804630.20191009-letter-to-secretary-mnuchin-re-tiktok.pdf

9. Senators Charles E. Schumer and Tom Cotton Senate Letter (October 23, 2019) https://www.democrats.senate.gov/imo/media/doc/10232019%20TikTok%20Letter%20-%20FINAL%20PDF.pdf.

10. See, e.g., Christiana Farr and Ari Levy, The Trump administration is forcing this health start-up that took Chinese money into a fire sale, CNBC (April 4, 2019) https://www.cnbc.com/2019/04/04/cfius-forces-patientslikeme-into-fire-sale-booting-chinese-investor.html; Echo Wang, China’s Kunlun Tech agrees to U.S. demand to sell Grindr gay dating app, Reuters (May 13, 2019) https://www.reuters.com/article/us-grindr-m-a-beijingkunlun/chinas-kunlun-tech-agrees-to-u-s-demand-to-sell-grindr-gay-dating-app-idUSKCN1SJ28N.

11. Huawei Entity List and Temporary General License Frequently Asked Questions, Department of Commerce (September 18, 2019) https://www.bis.doc.gov/index.php/documents/pdfs/2447-huawei-entity-listing-faqs/file

12. Philip Heijmans and Haslinda Amin, Ross Optimistic on China Deal, Trump Wants It Signed in U.S., Bloomberg (November 3, 2019) https://www.bloomberg.com/news/articles/2019-11-03/ross-optimistic-on-china-trade-deal-says-huawei-licenses-coming?srnd=premium.

13. See, e.g., Associated Press, Hungary Says Huawei to Help Build Its 5G Wireless Network, New York Times (November 5, 2019) https://www.nytimes.com/aponline/2019/11/05/business/bc-eu-hungary-huawei.html; Chloe Taylor, Germany set to allow Huawei into 5G networks, defying pressure from the US, CNBC (October 16, 2019) https://www.cnbc.com/2019/10/16/germany-to-allow-huawei-into-5g-networks-defying-pressure-from-the-us.html.

Archives, Global Trade Daily, Special Reports

How to Survive the Coming Data Privacy Tsunami

May 25th, 2019 Kristina Podnar Leave a comment

Just as we have gotten used to the idea that the EU’s General Data Protection Regulation (GDPR) is a fact of life and have made modifications in our data collection procedures, the Brazil General Data Protection Law (LGDP), the California Consumer Privacy Act (CCPA), and waves of proposed new data privacy laws are swirling in the calm forewarning of a privacy tsunami heading our way. In the middle of such deep acronym swirls, it could be easy to be overwhelmed. However, all the privacy regulations share a number of commonalities and by addressing these now, you will be on high ground as the waves begin to pound.

The compliance life raft

While you will need to pay attention to the details of individual data regulations as they arise, whether already adopted, pending adoption, or only proposed, all the regulations share certain commonalities that you should consider addressing as part of ongoing operations.

1. Accountability and governance

At the heart of data privacy requirements is the aim to have organizations develop a plan to self-manage data in a way that respects end users. To address accountability and governance requirements in your organization, consider, have you:

-Reviewed the applicability and risk to the organization from data privacy issues, and considered alternatives, including insurance, in case you are fined?

-Mandated that data privacy become part of the policy program, including staff training, measurement, and compliance reporting?

-Clearly documented roles, responsibilities, and reporting lines to embed privacy compliance?

2. Consent and processing

A fundamental privacy regulation concept is that end users are aware when and why their data is collected, and what happens to it once it’s given. To address these requirements, ask yourself whether you have:

-Reviewed that the data being collected and used is necessary and for the benefit of completing a desired action by the user?

-Identified sensitive data and ensured it is treated as such through the use of special encryption or by validating vendor storage practices for sensitive data, etc.?

-Confirmed that user consent for data collection is clearly captured and documented, and that user data can be modified or erased?

3. Notifications and data rights

Gone are the days of legalese or simply taking data from users because we can. Data privacy regulations require transparency, user awareness, and forthright behavior by businesses. To ensure you get this right, ask yourself whether the organization has:

-Written user notices clearly so they can be easily understood—properly targeted to children where relevant—and are reflective of specific data collection and usage purposes?

-Updated the internal organization’s data privacy policy to clearly state the rights of prospects and customers regarding the collection and processing of their personal data?

-Created and tested processes to correct and delete all user data if needed?

Developed a solution to give users their data in a portable electronic format?

4. Privacy design

Organizations that treat privacy as a core design principle will always be in alignment with data privacy regulations. In my consulting experience, I see many self-disciplined organizations that have historically had good privacy practices and have little to address with each new law. To get to that state, ask whether you have:

-Created or updated the policy and associated process to embed privacy into all technology and digital projects, including those outsourced to vendors and partners?

5. Data breach notification

For many organizations, the question nowadays isn’t whether the organization will have a breach, but rather when will it happen and how will they respond. To address regulatory breach aspects, ask whether the organization has:

-Created (or reviewed and updated an existing) data breach policy and response plan to reflect detection, notification, and the actions to mitigate loss?

-Considered and obtained insurance for a possible data breach and regulatory penalties that the organization may face but not be able to handle on its own?

-Incorporated data breach terms and requirements into all vendor and third-party contracts?

6. Data localization

New data privacy regulations state where data physically must be stored, and if transferred to another country, what are the requirements for doing so. Your organization will be well positioned to meet this requirement if it can answer:

-Have we identified and updated all cross-border data flows from the country where the data is collected, and reviewed data export for on-premise and cloud solutions?

7. Children’s online privacy considerations

Data privacy regulations are concerned with end users, but are even more strict about children and their online data protection and rights. It is best to get ahead of these issues by asking whether the organization has:

-Defined what data it collects from children, whether as a business practice or through efforts like “take your child to work day”?

-Are user notifications and online privacy statements written in a way that a child could understand them, and do they state that parental consent is required?

8. Contracting and procurement

Most businesses may struggle to understand exactly what personal user data is collected via websites, mobile applications, and other digital platforms, especially through third-party software solutions and vendors. To make sure that your organization isn’t caught out, ask whether you have:

-Reviewed and ensured that all vendors, customers, and third-party agreements reflect data regulatory requirements?

-Defined procurement processes such that privacy is integrated into all products and services the organization buys, including regarding data minimization, the visibility of onward data flows, and data ownership?

The bottom line

After years of collecting as much data as we could, we are starting to realize that all of that data has an evil twin: risk. In addition, consumers have become more aware that their data is a valuable resource, and they’re asking more questions about how it’s used and who has access to it. Governments, too, are starting to pay attention. Make sure that you get ahead of the coming data privacy regulatory waves before it becomes an unimaginable problem.

KRISTINA PODNAR is a digital policy innovator. For over two decades, she has worked with some of the most high-profile companies in the world and has helped them see policies as opportunities to free the organization from uncertainty, risk, and internal chaos. Podnar’s approach brings in marketing, human resources, IT, legal, compliance, security, and procurement to create digital policies and practices that comply with regulations, unlock opportunity, strengthen the brand and liberate employees.

Podnar speaks regularly at industry conferences, contributes articles to publications, and delivers masterclasses on digital policy. Podnar is the Principal of NativeTrust Consulting, LLC. She has a BA in international studies and an MBA in international business from the Dominican University of California and is certified as both a Change Management Practitioner (APMG International) and a Project Management Professional (Project Management Institute).

The Power of Digital Policy: A practical guide to minimizing risk and maximizing opportunity for your organization is available on Amazon and through other fine booksellers. For more information, visit Kristina @ www.kpodnar.com and on LinkedIn and Twitter.