A new privacy study has found that 60% of states are moving toward new data privacy laws. Despite the push, implementation at the state level is slow – but why? And what impact would these new laws have on the companies and organizations that do business in those states?
Specifically, five states have passed data privacy laws or amendments that will go into effect next year – California, Colorado, Connecticut, Utah, and Virginia. Others are making moves to do the same.
But at the same time, the survey found that less than half of the companies impacted by this legislation have completed necessary compliance actions, despite being in-process to prepare for implementation and also increasing their budgets to make that compliance a reality.
Those compliance actions include:
- Data mapping
- Performance assessments
- Establishing metrics and deadlines to track compliance
What these state data privacy requirements mean for cybersecurity
But what do these changes in state requirements have to with overall cybersecurity posture and management?
“In the commercial sector, the last year alone led to data breaches costing organizations an average of $3.86 million each,” says Eric Bernal, Customer Success Manager with Horizon3.ai. “There are greater impacts than the costs of hiring experts to investigate the breach and look into regulatory findings.”
Reputation costs goes beyond the dollar amount, Bernal notes. “Another cost to consider is your customer’s trust and the organization’s reputation. This would lead to a much greater cost to your organization’s revenue,” he says. “For this reason, it is critical that from the top down it be made a high priority to identify, classify, secure, restrict access to, and purge sensitive information.”
Bernal draws on his time as an Information Systems Security Manager with the U.S. Navy for perspective on identifying, labeling, and protecting critical information.
“The impact of losing critical information could result in losing more than just some data, but also my shipmates,” Bernal says. “The key to properly doing this was having our leadership identify what our organizations considered to be sensitive and critical information. Upon having a clear understanding, we would then make it mandatory for all team members to receive training on information classification.”
The training was held once a quarter as needed whenever changes were made to their policy.
“It’s everyone’s responsibility to know the steps needed to mitigate damages to an organization,” says Bernal. “Our biggest driver for protecting information was knowing what the impacts to our teammates and organization would be if data was lost.”
For more information on how using NodeZero to identify potential risks and vulnerabilities and better protect your organization’s data, visit horizon3.ai.
