At a Financial Industry Regulatory Authority conference last month, regulators reportedly stated that they hold companies liable for breaches regardless of the technical or security model followed, and regardless of whether that model placed responsibility on the company or not.
While companies may not be pleased to hear about the additional or confirmed scrutiny by U.S. regulators, there may be some overall benefits.
For example, a company that previously spread its data across a combination of technical models in order to avoid or minimize liability under U.S. regulations may now consider consolidating on a single cloud-based model. Since the liability position is the same either way, that consolidation could save the company a great deal of operational and technical cost.
The message from U.S. regulators is clear: organizations must have, and continue to expand, training and education on data privacy and security so that all employees and third parties are aware of the risks and of the organization's potential exposure.
Increased security awareness and training has both short-term and long-term benefits. According to Infosec Resources, a recent study found that over 80 percent of breaches are caused by employee carelessness. Not surprisingly, a trained staff both improves compliance and reduces the everyday mistakes that lead to incidents.
This is another example of how the worlds of security and technology are colliding with legal and compliance initiatives. What is arguably more important, however, is the increased collaboration across departments that continued regulatory pressure on data privacy is likely to produce.
Cross-department collaboration is the key to addressing the many elements and complexities of managing data privacy, and a message of accountability across every party involved in those elements pushes companies toward that approach. It is something all compliance professionals advocate, but often struggle to enforce.
The message from regulators, together with the dynamic structure of cloud-based systems in general, gives compliance professionals an opportunity to work closely with technical departments to ensure that the cloud-based models chosen are aligned with the due diligence screening tools, monitoring systems and other programs used to run the compliance program. It also gives organizations a vested interest in having compliance work with both technical and human resources departments to ensure effective security training is implemented for employees and third parties. That could in turn lead to further collaboration on other projects and in other areas of the organization.
Beyond that, the message from U.S. regulators raises another question: will it bring us closer to a harmonized approach between the United States and the EU?