Complying with the ever-increasing number of privacy laws is a daunting task. In addition to comprehensive state laws, like the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act and the Colorado Privacy Act, there is a multitude of targeted laws at the federal and state level. Other laws to consider include the EU's General Data Protection Regulation (and corresponding laws in the United Kingdom, Switzerland and a host of other countries); industry-specific laws, like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act; privacy and security standards issued by governmental and industry authorities; and the ever-present risk of individual and class actions that follow a data breach. And the landscape is in constant flux.
At the same time, firms are under attack by increasingly sophisticated threat actors. Bad actors have graduated to attack tools comparable to nation-state cyber-weapons, and are often sponsored, explicitly or implicitly, by host nations. The availability of malware on the Dark Web, often sold as a service (malware-as-a-service), has increased the number of potential bad actors, as has the growth of the marketplace for stolen information. Phishing campaigns continue, and individuals continue to open emails they should not, visit websites that expose them to compromise, and publish personal information on social media, making them and their companies more vulnerable.
So what is a company to do? Whether a firm seeks to comply with privacy and security laws to avoid potential sanctions, or to achieve actual data security, most companies are simply not prepared to face the task in full, especially when the demand for competent privacy and security experts far exceeds the supply.