BrandProtect this week announced a reseller agreement with IT and security solutions consulting firm Sayers. Details inside.
Data Privacy
Preparing Your Board for Cyber-Security Oversight
Every board knows its company will fall victim to a cyber-attack and, worse, that the board will need to clean up the mess and superintend the fallout. This week, guest columnist John Stark, a long-time student of cyber-security risks, breaks down the fundamentals any board must establish for cyber-security, and how you can prepare your board to understand those elements and put them in place.
Why Is Cyber-Security a Process? This Is Why.
Everyone stresses the importance of looking at cyber-security as a process. Well—why, exactly? How does viewing cyber-security that way help compliance and audit executives? Because, Compliance Week Editor Matt Kelly writes, cyber-threats are equally about building effective processes—to subvert yours. And until we appreciate the nature of cyber-risks, he warns, companies will not thrive in a world only getting more risky. Details inside.
Case Study: UCLA, Apps, and HIPAA Compliance
Companies that handle health information are subject to data privacy rules under HIPAA—rules that have grown more complex with the proliferation of mobile health applications (mHealth apps). Those that want to develop mHealth apps in a compliant manner have two options: Build a HIPAA-compliant application of your own, or buy one. This week, we ask UCLA how it weighed the pros and cons for its mHealth development.
NY Regulators Pose New Challenges to Compliance Officers
The state of New York is muscling its way into financial regulation, with regulator Benjamin Lawsky proposing moves in anti-money laundering compliance far bolder than anything the feds are doing. Inside is a look at what the Empire State wants to achieve, and the potentially severe liability CCOs in the financial sector might face if it comes to pass.
Intronis Winter Release ’15 Simplifies Hybrid Cloud Backup and Recovery
Intronis, a provider of backup and data protection solutions for the IT channel, this week announced the Winter Release ’15 of its Intronis ECHOplatform. The Intronis Winter Release ’15 introduces several new business-building features and core functionalities designed to help channel partners better support more complex cloud, virtualized and physical IT environments, grow their share of wallet with existing customers, and attract new business by offering a real-time, cloud-based data recovery solution that’s built to protect the business. Details inside.
Insurers Feel Fresh Heat on Cyber-Security Practices
New York plans to bolster cyber-security oversight in the insurance sector, including regular, targeted assessments of cyber-security as part of its exam process. “Recent cyber-security breaches should serve as a stern wake-up call for insurers and other financial institutions to strengthen their cyber-defenses,” said New York Department of Financial Services Superintendent Benjamin Lawsky. Consequences are likely to be felt well beyond the Empire State. Details inside.
An Insider Look at the EU’s Binding Corporate Rules
Companies that move data throughout Europe, or beyond its borders, face a long and exacting list of privacy and security demands. Some companies are choosing to take advantage of Binding Corporate Rules (BCRs), presenting their data compliance framework for approval by data protection authorities. BCRs, despite a lengthy approval process, may hold numerous benefits. We looked at how First Data, a payment technology company in Atlanta, undertook the process.
MetricStream Launches New Cyber-Security Hub
Unified Compliance, developer of the Unified Compliance Framework, and MetricStream, a provider of GRC apps, plan to launch through a joint initiative a new cyber-security hub via MetricStream’s portal ComplianceOnline.com, a GRC advisory network and online community. The cyber-security hub will consolidate and connect all major cyber-security requirements in a single database, enabling companies to instantaneously analyze gaps or overlaps between requirements issued by national and international standards groups, organizations, and governments. Details inside.
When State Attorneys General Come Knocking
Sometimes a sheriff arrives from the federal government to take an enforcement action against your company, and sometimes a posse of state attorneys general follows behind, determined to investigate you too. Such is the case for JP Morgan, now being pressed by 19 states for more detail on its massive data breach last year. Inside, we look at what state attorneys general typically ask after a cyber-breach, and how to respond.


