Derrick Coston, CISA, CISSP, GIAC

It’s amazing to see on a weekly basis, that organizations are still not taking steps in teh right direction to protect information that it has on its customers and employees.  Kacy Zurkus identified a troubling gap in her article “Nearly Half of US Orgs Not Ready for CCDA”   Despite how there was a push by organizations, about a year or so ago, to be compliant with the EU General Data Protection Regulation (GDPR), there now appears to be a less push or concern.  Is it because of the ability to enforce compliance.  Well Politico has identified an alarming fact in their article “How one country blocks the world on data privacy”  The GDPR is the world’s toughest standard for data privacy. But nearly a year later, its chief enforcer has yet to take a single action against major tech firms like Facebook and Google.  I applaud the State of California for their efforts, however, will the state be able to use its power to enforce compliance?  On paper it sounds great, but in reality, political statements can be made, but true enforcement will very interesting to watch.  It reminds me about 15 years ago when health care facilities were required to be compliant with the HIPAA Security Rule.  However, the enforcement arm, the Center for Medicare and Medicaid, really did not have much enforcement powers.  If you look at the majority of data breaches, the healthcare industry leads the pack.  Hopefully Information Security Professionals will again take their roles and responsibilities serious and do their part.  Since the ultimate decision resides above most information security pay grades, the real test will be at the “C-Level”.  Time will tell.  California’s Consumer Privacy Act (CCPA) will be the test in United States.  Which company will be first to experience true sanctions or ramifications for failure to comply with the CCPA.  Especially knowing that over half at this time are not compliant.

 

source https://derrick-coston.com/2019/05/07/derrick-coston-cisa-cissp-giac-8/