Can’t We All Play in the Same Sandbox

This was the title of one of the break-out sessions I attended last month at the Northern Kentucky University Cybersecurity Symposium.  Today every organization that holds any client information has to deal with a patchwork of requirements: industry standards, regulatory rules, state and federal laws, and even the laws of other countries.  Taken together, these overlapping requirements are making compliance an unreasonable task.

How differently states are choosing to treat companies can best be illustrated by looking at two extremes, California versus Ohio.  I am proud to say that Ohio has taken the high road on this issue.  On November 2, 2018 the Ohio Data Protection Act became effective.  Ohio is the first state to give organizations an affirmative defense should they suffer a data loss or breach.  The affirmative defense is based on the organization's voluntary implementation of a cybersecurity program that reasonably conforms to an industry-recognized framework (such as the NIST Cybersecurity Framework or ISO/IEC 27001) or to the security requirements of an applicable regulation such as HIPAA, GLBA or PCI DSS.  If an organization can show that it took appropriate measures under an approved framework and still suffers a breach, it can raise that defense against tort claims alleging that it failed to implement reasonable security controls.  The practical caveat is that the defense is not immunity: the organization must be able to document that its program existed and was followed before the breach, not just that a framework had been selected.

California recently passed the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020.  This act creates stringent penalties for theft or breach of consumer data, including statutory damages for consumers whose data is exposed because a business failed to maintain reasonable security, while offering no guidance on what reasonable security consists of or how an organization should protect consumer data.

What makes things even more complicated is that if you do business in any state, California for example, you must abide by that state's laws regardless of where you are located.  Each state has a vested interest in protecting its consumers and is reluctant to let any other agency take over this obligation.  The reality is that this patchwork of endless requirements is becoming a huge burden for any organization to keep up with.  The big question is, "Is it time to come up with a common standard?"

Government agencies, regulatory bodies, states and the like don't want to lose political control over the privacy issue.  I believe we are at a tipping point: if something doesn't change soon, organizations will not be capable of meeting the onerous compliance requirements and will be forced or fined out of business.  My opinion is that compliance is necessary and should be required.  Politics needs to be set aside, and reasonable guidance needs to be published and updated as necessary, so organizations have a clear and reasonable understanding of the requirements.


Posted by Jack Gerbs