Data Security Compliance Is Getting Complex and Scary
As policymakers and plaintiffs’ lawyers take a greater interest in cybersecurity risk within businesses, the stakes keep rising for the professionals charged with protecting networks. For one thing, new laws around data privacy — first the European Union’s General Data Protection Regulation, and now the California Consumer Privacy Act, meant to be a U.S. answer to the GDPR — are affecting companies around the world. At RSA 2020, attendees, who numbered about 40,000, learned about how the GDPR and CCPA overlap and where they differ. Those violating either regulation could face steep fines.
Attendees were also admonished about their own personal liability in the event of a breach inside their organizations. It’s not unheard of for cybersecurity leaders to be fired, sued personally or even subjected to criminal penalties in the wake of a serious breach, said Aravind Swaminathan, global co-chair of the cyber, privacy and data innovation practice at Orrick, an international business law firm.
“The last place I want to visit you is a federal penitentiary,” Swaminathan said. “We are not talking about a theoretical possibility; we’re talking about a real possibility.” He said that CISOs and others at a similar corporate level “are taking a ton of risk” and need to work carefully through their potential personal exposure with their employers, with the goal of having their companies indemnify them against legal exposure to the extent possible and write them into the insurance policies that most companies maintain to protect senior executives.