By Bruce Sussman
Tue | Jan 28, 2020 | 10:53 AM PST

It will only take a moment of discussion to see that attorney Jordan Fischer is passionate about privacy and the rapidly shifting legal landscape.

I interviewed her at the SecureWorld cybersecurity conference in New York, where she was speaking.

"We're seeing a lot more evolution and newness in the privacy regulatory space. And what I mean by that is we're starting to see regulations pop up across the United States that are oriented to specific types of data," Fischer said.

"So biometric data is a great example of that. We have the Illinois biometric data law, it's been on the books for a couple of years. We're starting to see other states, Texas, Florida, etc., push out biometric data specific regulations."

Podcast interview on data privacy law

We interviewed Fischer for The SecureWorld Sessions podcast.

During the podcast, the co-founder of XPAN Law Group also talked about the privacy law landscape in easily understandable terms:

"We also see these broader data protection regulations [in the U.S.] that are more analogous to what we're seeing internationally with the European Union's General Data Protection Regulation (GDPR).

"Generally, if it's considered personal data then there's going to be a lot of affirmative obligation. A good example of this is the California Consumer Privacy Act. We have Nevada's Privacy Act, ones in Texas, you have things going on in New York, Massachusetts, that are all sort of versions of that more broad privacy regulation. So really, that's what you're looking at from a very broad brushstroke of the U.S. domestic regulatory space."

Cybersecurity vendors on data privacy prominence

Cybersecurity vendors help organizations secure data, which ensures privacy.

And privacy is becoming a bigger focus of their clients as laws tighten and costs from privacy violations rise.

Steve Durbin, Managing Director of the Information Security Forum in London, says failing to protect data privacy is more expensive than ever:

"Fines for breaching data privacy regulations have multiplied, and penalties can be more severe than fines. Increased public awareness and media interest have led to potential commercial and reputational consequences for non-compliance. The risk of private data being compromised has increased as systems are increasingly accessible via connected devices and vulnerable to cyber-attacks."

And Joseph Carson, Chief Security Scientist at Thycotic, notes that the legal landscape for privacy is moving in different directions based on the country you live in.

"Some governments are looking to abolish privacy from their citizens altogether—citing terrorism as the reason. Ironically, these same governments have also stated the need for end-to-end encryption to protect against new risks, with Huawei’s involvement with 5G being a prime example. Encryption is a citizen's right to have digital privacy just as we do in the physical world."


And Carson adds a key point:

"Privacy, security, and trust must come as a package; they are all related and needed in order to build a cyber resilient society. If you sacrifice privacy, you are also sacrificing security, and ultimately it ends in a lack of trust."

And Shahrokh Shahidzadeh, CEO at Acceptto, says we'll need not only laws but also cooperation to reach a reasonable level of privacy:

"Protecting our citizens' identity and privacy requires new regulatory measures and the collaboration of private and public sectors, including all (large or small) companies that today are taking overt advantage of harvested consumer data that is readily available for corporate welfare but not well protected."

How can your organization approach the privacy legal landscape?

While the EU has its standardized GDPR for all citizens, the United States continues to rely on a state-by-state patchwork of digital privacy laws, which seem to be changing almost weekly.

One thing cyber attorney Jordan Fischer told me during our interview is that some organizations are choosing to bury their heads in the sand, unsure where to start as they stare at a target made up of moving targets.

"Especially if you look at the C-suite, the leadership level, those executives are almost afraid to delve into this. It feels like Pandora's box. I'm going to open up this can of worms that I don't know if I'm going to want to deal with.

"But a lot of times you might be doing good things, you just don't know it, because you don't have the documentation in place. Because you haven't thought, 'Okay, so we're putting stuff in the cloud? Is that a good thing? Is that a bad thing? Are we making informed decisions?'

"I would say the first thing if you've never delved into this world, is start asking questions. Where do we store our data? What data do we have? What are we doing with that data when we have it? These are simple questions that will probably provoke responses that will start the conversation going."

And when it comes to privacy and cybersecurity, we could all use more helpful conversations.
