Sep 2, 2022
A tightening regulatory climate
As data multiplies, so do the rules around collecting, using, and protecting other people’s personal, sensitive information.
As early as 2020, Gartner analysts forecast that by 2023, 65% of the world’s population will “have its personal data covered under modern privacy regulations” – a prediction that’s likely to come true. Over the last several years, the passage of data privacy legislation has accelerated around the world, and that pace only continues to quicken.
These efforts began as notable one-offs, such as Europe’s GDPR, but every few months a new law is rolled out, each with different requirements, levels of enforcement, and specific fines and sanctions.
Almost 30 U.S. states have some form of privacy protection law in place or in draft for debate and passage. California implemented one of the first data privacy rules, and it remains the toughest state law on the books. Its 2018 CA Consumer Protection Act put strict obligations in place around the collection and sale of personal information, and recent amendments push those rules even further. Beginning in 2023, California will be the first state to extend data privacy rules to HR data, among other new regulations.
In early 2022, U.S. federal legislators began work on the American Data Privacy and Protection Act (ADPPA), commonly considered an American version of Europe’s GDPR. The law already faces stiff opposition from many privacy advocates who argue for stronger enforcement. Whether or not the bill passes, it will most likely serve as a template for future efforts.
To the north, Canadian legislators continue to work at both the federal and provincial level. The 2022 Digital Charter Implementation Act clarifies the country’s long-standing PIPEDA compliance law, strengthening rules over consent and transparency. Canadian legislators’ stated goal has been to ensure federal standards match European GDPR rules, with a similar right to access but lacking European “right to erasure” and other provisions.
At the same time, Quebec lawmakers also passed a tough Law 25 bill that added to the scope of federal protections, including a right to be forgotten and:
The complexity and complementary nature of new legislation can make compliance even harder. Which frameworks and laws apply depends on many factors, including how and where a business operates, the customers it serves, the number of assets under management, and more. Each law has nuanced and unique compliance requirements, and any organization to which they apply must meet them all.
As the regulatory climate becomes more stringent, it becomes imperative to take compliance seriously. For companies weighing whether to act, the Ponemon Institute found that the average cost of compliance ($5.47 million) is significantly less than the cost of non-compliance ($14.82 million). According to IBM, the cost of non-compliance also continues to climb year over year, up 45% from 10 years ago and 12.6% from two years ago.
This total cost of non-compliance, as calculated by Ponemon, includes a combination of fines, penalties, and fees, as well as the indirect costs of business disruption, revenue loss, productivity loss, and reputational damage.
Expensive stories about failures to comply are everywhere. Nearly every month brings headlines about another major compliance event and its consequences:
Finally, it’s not just current security posture that drives penalties, but also previous compliance behavior.
One Canadian case, Ari v. Insurance Corporation of British Columbia, held that punitive damages were appropriate where companies had failed to learn from past breaches. This means a single compliance event can incur penalties now and potentially lead to larger fines after a subsequent event, depending on how the company responds.
In the event of non-compliance, regulators won’t be the only ones driving up dollar costs. There are many indirect costs that factor into lost revenue and opportunity costs, including:
As threats evolve and regulators react, the compliance environment will continue to tighten, and the cost of doing nothing will continue to rise. Qohash was designed to provide the foundational elements needed to meet data privacy regulatory requirements across North America.
Read about how one fund manager leveraged Recon to meet GDPR-style regulatory requirements here.
Recon provides the foundational elements you need to meet data privacy regulatory compliance requests. When the auditors show up, you'll be ready.
Assess your landscape
Understand the regulations to which you’ll be subject.
This tells you which data protection rules apply and which controls must be put in place to satisfy them.
Before running a data classification tool that can automatically sort the types of data across your business systems – cloud and on-premises – by regulation, configure the tool accordingly: which information counts as regulated depends on your data classification strategy.
With classification rules in place, Recon enables an automated end-to-end scan of your data environment, discovering sensitive information and gathering critical context about classification. This gives you a big-picture view of where sensitive data elements are at all times, and tagged data elements give you multiple ways to parse them, including:
A robust data discovery process serves as a baseline for automated scans and continuous risk detection and mitigation. A comprehensive data inventory is also fundamental to building and demonstrating stronger compliance controls, no matter how the rules change.
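The steps above (decide which data types count as regulated, scan the environment, tag each element by regulation, and keep an inventory) can be illustrated with a small scanner. The following is an added example written for this article; it is not Recon or any other Qohash code. The detector patterns, the mapping from data category to regulation, and the sample "sources" are all constructed for the illustration, and the regulation mapping in particular is an assumption that stands in for an organisation's own legal assessment. It goes slightly beyond the text by showing a checksum validator (Luhn) that drops digit runs which merely look like card or SIN numbers, and by redacting each element before it is stored in the inventory.

```python
"""Minimal data-discovery scan: find regulated data elements in text sources and
build an inventory tagged by applicable regulation.

Added example, not Qohash/Recon code. The detector patterns, the regulation
mapping and the sample documents are all constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Finding:
    source: str             # file or system the element was found in
    category: str           # data type, e.g. "email"
    value: str              # redacted match; never keep the raw element in an inventory
    regulations: frozenset  # regulations the classification strategy maps this category to


def digits_only(s: str) -> str:
    return re.sub(r"\D", "", s)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum, used by payment cards and Canadian SINs.
    Filters out order numbers and other digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Detector: (regex, optional validator). Constructed for the example; a real
# classifier carries far more patterns plus context rules.
DETECTORS: dict[str, tuple[re.Pattern, Optional[Callable[[str], bool]]]] = {
    "email": (re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"), None),
    # US SSN: area 000/666/9xx, group 00 and serial 0000 are never issued
    "us_ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None),
    # Canadian SIN: separators required so arbitrary 9-digit numbers are not flagged
    "ca_sin": (re.compile(r"\b\d{3}[ -]\d{3}[ -]\d{3}\b"), lambda s: luhn_ok(digits_only(s))),
    # Payment card: 13-19 digits with optional separators, confirmed by Luhn
    "payment_card": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), lambda s: luhn_ok(digits_only(s))),
}

# Assumed classification strategy: which of the regulations named in the article
# each category is treated as subject to. Your own legal assessment decides this.
REGULATION_MAP = {
    "email": {"GDPR", "CCPA", "PIPEDA", "Law 25"},
    "us_ssn": {"CCPA"},
    "ca_sin": {"PIPEDA", "Law 25"},
    "payment_card": {"GDPR", "CCPA", "PIPEDA", "Law 25"},
}


def redact(category: str, value: str) -> str:
    """Keep just enough of the element to recognise it when reviewing the inventory."""
    if category == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(source: str, text: str) -> list[Finding]:
    findings = []
    for category, (pattern, validate) in DETECTORS.items():
        for match in pattern.finditer(text):
            raw = match.group(0)
            if validate is not None and not validate(raw):
                continue  # checksum failed: not a real card/SIN, skip it
            findings.append(Finding(source, category, redact(category, raw),
                                    frozenset(REGULATION_MAP[category])))
    return findings


def build_inventory(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Regulation -> source -> number of regulated elements found there."""
    inventory: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in findings:
        for reg in f.regulations:
            inventory[reg][f.source] += 1
    return {reg: dict(by_source) for reg, by_source in inventory.items()}


# Constructed sample "data environment": a few small text sources.
SAMPLE_SOURCES = {
    "crm/contacts.csv": "name,email\nJane Doe,jane.doe@example.com\n",
    "hr/payroll_ca.txt": "Employee SIN: 046 454 286\nDirect deposit enabled.\n",
    "hr/payroll_us.txt": "SSN 123-45-6789 on file for employee 42.\n",
    "finance/orders.log": "card=4111 1111 1111 1111 ok; order_ref=4111 1111 1111 1112 declined\n",
}


def run_scan(sources: dict[str, str] = SAMPLE_SOURCES):
    findings = [f for src, text in sources.items() for f in scan_text(src, text)]
    return findings, build_inventory(findings)


if __name__ == "__main__":
    found, inv = run_scan()
    for f in found:
        print(f"{f.source:22} {f.category:13} {f.value:22} {sorted(f.regulations)}")
    for reg, by_source in sorted(inv.items()):
        print(reg, by_source)
```

Running the script lists one finding per sample source and an inventory keyed by regulation; the second card-like value in `finance/orders.log` fails the Luhn check and is not reported, which is the kind of false positive a classification strategy has to account for before the inventory is trusted as a compliance baseline.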
While the cost of non-compliance continues to rise, getting it right has never been more critical.
Your business, your brand, your bottom line—failure to act can put everything at risk.