Corporate Compliance Insights

Investment in Cybersecurity is Key to Minimizing Risk and Gaining a Competitive Edge

Putting a Price on Privacy Risk

by David Ross
May 3, 2019
in Data Privacy, Featured

With GDPR and the California Consumer Privacy Act dominating the data privacy conversation, Baker Tilly’s David Ross discusses the myriad benefits of maintaining compliance.

Recently, Google was fined $57 million by France's data protection regulator, one of the first major penalties imposed under the European Union's sweeping General Data Protection Regulation (GDPR). Google's practices ran afoul of the new privacy rules, in force since May 2018, because the company had not properly disclosed to consumers how their data would be used.

Consumers and corporations alike face unfortunate repercussions when cybersecurity precautions are not taken seriously. Gloomy statistics and stories of well-known corporations losing customer and vendor personal information to large-scale data breaches fill the news almost daily. Data breaches are occurring at an unprecedented rate, and their cost continues to rise each year: a Ponemon Institute study reports that the average cost of a data breach is up 6.4 percent since 2017, to $3.86 million.

While there is significant press surrounding the fines organizations must pay for breaches and violations, the other less apparent and often difficult-to-quantify costs can be much greater, farther reaching and longer lasting. These may include reputational damage, loss of stock value, loss of current and future customers, class action lawsuits and remediation expenses from breaches such as notification costs or credit report monitoring for affected customers.

Many of these costs can, however, be avoided. Investing time and resources to build a comprehensive privacy program can pay dividends. The more organizations prepare, the better positioned they can be to steer clear of fines, negative press and other organizational challenges.

What Your Organization Can Do Now

The costs of data privacy risks are daunting. With a proactive approach, a concerted upfront investment and the development of a strategic privacy program, organizations will be prepared to prevent data privacy incidents and ensure compliance with privacy regulations.

Regardless of industry, all organizations that process personal data should do the following:

  • Review applicable regulations. Evaluate the organization’s industry and data footprint to determine which regulations apply. Some regulations, such as the GDPR, may apply to the organization even if there is no physical presence in the EU.
  • Maintain accurate records. Document the data processing activities the organization is engaged in. In the event of a violation, any penalties you face may be lessened if you can demonstrate the steps taken toward compliance.
  • Invest strategically in a data privacy program. Prioritize data privacy activities that are easiest to implement and address areas of greatest weakness. Conduct a cost-benefit analysis to evaluate the risks the organization faces and determine the best use of resources.

New Regulations Come with Steeper Penalties

With new data privacy laws like the GDPR in force, we will see more crackdowns on offenders. Google's fine was the first against a U.S. technology leader. Before that, on July 6, 2018, AggregateIQ, a Canadian digital advertising firm, became the first organization outside the EU to receive a GDPR enforcement notice, after a tip that it was using data analytics for political campaigning without user consent.

In September 2018, Facebook reported its largest breach to date. The attack exposed the personal data of an estimated 50 million users, roughly 10 percent of whom were European citizens covered by the GDPR. While the company succeeded in reporting the breach within the GDPR's required 72-hour window, the case is now under investigation by the Irish Data Protection Commission. The investigation confirms that simply meeting the notification deadline is not enough to avoid regulatory scrutiny in the event of a breach.

The ability to demonstrate compliance efforts, together with cooperation with the supervisory authorities, will be essential to minimizing fines and penalties in the event of a breach. While Facebook is unlikely to be fined the maximum penalty of 4 percent of global annual turnover, the fine is likely to be substantial.

Recovery Costs Are Often Worse Than Fines

While the fines under today's data privacy regulations are harsher than ever before, they are not always an organization's biggest concern. After Facebook's involvement in the Cambridge Analytica scandal, the U.K.'s Information Commissioner's Office hit the company in 2018 with a £500,000 (about $660,000) fine, the maximum available under the pre-GDPR Data Protection Act 1998, which seems minuscule given the scale of the organization. The real blows, however, came later in the form of a loss of 3 million users, more than three dozen class-action lawsuits and a stock market valuation that fell by $156 billion.

The aftershock of a data breach can be a public relations (PR) nightmare, and the larger the breach, the more expensive the recovery. Once technology upgrades are added to notification expenses and corrective services (such as credit monitoring), the dollars add up quickly. In 2018, Facebook invested heavily in PR campaigns designed to reassure and educate users about data privacy, but not all organizations can afford that level of investment. For many organizations, once a customer's trust is lost, it may be too difficult or too costly to win it back.

The Unknown Costs of Data Subject Requests

Regulators are not the only ones keeping an eye on data privacy practices. In many cases the data subjects involved, better known as customers and employees, are ready to take control of their data and exercise their new rights. Under the GDPR and the California Consumer Privacy Act (CCPA), which takes effect in January 2020, data subjects have the right to know what personal information an organization holds on them, to receive that data in a usable, portable format and to request that it be deleted, and the organization must respond within a short window of time. Data subject requests are time-consuming to answer and can consume significant resources. For some organizations, the process is a nuisance; but if an organization is targeted by activist groups with a campaign designed to disrupt operations, the bombardment could derail the organization's objectives.

By developing an efficient process to handle these requests and coupling it with a sound data strategy (one that deletes data not needed to provide the requested services), organizations can decrease risk and create efficiencies that result in significant savings over time. Data the organization no longer holds cannot be breached and does not have to be located, exported or erased when a request arrives. A clear and transparent public message about how the organization collects, stores, shares and otherwise processes personal information is the first line of defense against a flood of requests. To meet the GDPR's transparency requirement, publicly available privacy notices should be designed to help data subjects feel comfortable doing business with the organization by explaining exactly how and why it processes their personal data. Establishing this level of trust can play a large role in customer relationships in the years to come and can reduce the number of requests in the short term.

The Cost of Losing to Competition

Organizations unprepared to comply with data privacy regulations may fall behind their competition. Organizations that prioritize a comprehensive data privacy program also actively evaluate their vendors' security practices and regulatory compliance. Selecting a vendor that is noncompliant with the GDPR is not only a risky move; it may itself be a violation, because the GDPR requires controllers to use only processors that provide sufficient guarantees of compliance. Vendors should take steps now to become compliant and avoid losing business to competitors who can already demonstrate compliance.

Investing In Better Training and Data Management Practices Pays Off

Most people assume data breaches are caused by hackers stealing information from outside the organization; however, according to McAfee, 43 percent of data loss originates from within. Most of these leaks are due to poor data management practices, inadequate controls, lost equipment and negligence. Incorporating data privacy best practices into employee education and training requires an investment of time and resources, but it is well worth the effort. By investing in training and awareness programs and protecting devices with full-disk encryption, multi-factor authentication and remote wipe features, organizations could cut the number of in-house leaks by as much as half.


Tags: California Consumer Privacy Act (CCPA), GDPR, Reputation Risk
David Ross

David Ross is Principal and Cybersecurity and Privacy Practices Leader at Baker Tilly Virchow Krause, LLP, where he has served since 2017. Previously, David was with Deloitte’s cyber risk practice, where he provided strategic insight, service design, business development and engagement leadership. As general manager of General Dynamics’ Commercial Cyber Services, he was not only responsible for the design of the business, but also the launch and management of the new commercial organization. As a recognized thought leader and published author, David frequently speaks on cybersecurity strategy, innovation, business strategy, building high-performing sales strategies, social media and critical problem-solving for corporations.
Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 
© 2022 Corporate Compliance Insights