Our Top 10 Things You Need to Do to Optimize Your Company's Approach to Data Privacy and Cybersecurity in 2022
It's easier than you think.
As we start 2022, we need to plan for what is about to come this year and it is going to be a big year for data privacy and cybersecurity. Lucky for you, planning is my thing. Here are my top 10:
Pay attention to the regulations. January 1, 2023 is the effective date for the CPRA, the California Privacy Rights Act, and the VCDPA, the Virginia Consumer Data Protection Act. The Colorado Privacy Act goes into effect July 1, 2023. Each law has its own applicability thresholds, and if your business meets them you will have obligations under all three, so plan for them now, because your customers will come knocking.
Require multi-factor authentication. This advice was repeated so much in 2021 that people in security got tired of even saying it, let alone hearing it. That doesn’t change its validity though.
Yummy cookie! Santa's not the only one eating them. You know the cookie banner that provides one choice, accept all? Under the GDPR, that is not valid consent: refusing has to be as easy as accepting. But you probably knew that. Cookie banners are under scrutiny and, unfortunately, a lot of cookie banner vendors aren't doing it right. The trend is to move away from cookies altogether. You heard it here first.
Tune in to Dora the Explorer. I’m the map, I’m the map, I’m the map, I’m the map. If you don’t know where the data flows in your organization, you might as well set aside a huge bundle of cash to pay people and the regulators. Not sure where to start? It’s as simple as getting on the phone with your developers and asking them, what data do we collect? Use your privacy policy as a guide.
Then map your security surface area. The more data you collect, the more systems hold it and the more your security responsibilities grow. No box checking. Reduce your footprint, offboard employees properly (revoke every account and access path when they leave) and decommission software you no longer use, since forgotten systems are the ones nobody patches.
Update your privacy policy. If you didn't touch your privacy policy in 2021, then it is long overdue. Your privacy policy should stay current with the year, at the minimum. Tip: if you don't want to read it, neither does anyone else.
Get a security page. This is a trend that I have been monitoring for some time. Most security pages are terrible! This isn't a privacy policy disguised as security. A real security page will not only tell consumers real-time information, but it also won't undermine the security it describes by doing things like loading JavaScript or setting cookies. Security pages are not for marketing.
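The two properties above (no JavaScript, no cookies) are easy to check mechanically. The script below is an added example, not ClearOPS code or anything from the original post: it audits an HTTP response for script tags, inline event handlers, javascript: links and Set-Cookie headers. The sample responses are constructed for the demonstration, and the hostnames in them are made up; the `fetch` helper is only there for running it against a live URL.

```python
"""Audit a security page for the two things it should never do: load JavaScript
or set cookies. Added example (not ClearOPS code); the samples below are constructed
so the audit runs offline on (headers, body) pairs instead of fetching a site."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Repeated Set-Cookie headers are legal, so headers are a list of pairs, not a dict.
Headers = List[Tuple[str, str]]


class _ScriptFinder(HTMLParser):
    """Record every way the markup can execute JavaScript."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        attrs = dict(attrs)
        if tag == "script":
            self.found.append(attrs.get("src") or "<inline script>")
        for name, value in attrs.items():
            if name.startswith("on") and value is not None:  # onload=, onclick=, ...
                self.found.append(f"{tag}@{name}")
        href = (attrs.get("href") or "").strip().lower()
        if href.startswith("javascript:"):
            self.found.append(f"{tag}@href")


def audit_security_page(headers: Headers, body: str) -> Dict[str, List[str]]:
    """Return the JavaScript sources and Set-Cookie headers a page carries."""
    finder = _ScriptFinder()
    finder.feed(body)
    finder.close()
    cookies = [value for name, value in headers if name.lower() == "set-cookie"]
    return {"scripts": finder.found, "cookies": cookies}


def is_clean(headers: Headers, body: str) -> bool:
    """True only when the page loads no JavaScript and sets no cookies."""
    report = audit_security_page(headers, body)
    return not report["scripts"] and not report["cookies"]


def fetch(url: str) -> Tuple[Headers, str]:
    """Fetch a live page (network; not used by the offline samples below)."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.getheaders(), resp.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from any real site).
GOOD_HEADERS: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy", "default-src 'none'; style-src 'self'"),
]
GOOD_BODY = """<html><head><title>Security</title></head>
<body><h1>Security at Example Co</h1><p>Last verified: weekly.</p>
<a href="/security/report.pdf">Report</a></body></html>"""

BAD_HEADERS: Headers = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "_ga=GA1.2.123; Path=/"),
    ("Set-Cookie", "session=abc; HttpOnly"),
]
BAD_BODY = """<html><head><script src="https://cdn.example-analytics.net/t.js"></script>
<script>track('security');</script></head>
<body onload="init()"><h1>Security</h1><a href="javascript:void(0)">More</a></body></html>"""

if __name__ == "__main__":
    for label, hdrs, html in (("good", GOOD_HEADERS, GOOD_BODY), ("bad", BAD_HEADERS, BAD_BODY)):
        print(label, "clean" if is_clean(hdrs, html) else audit_security_page(hdrs, html))
```

To test a real page, call `audit_security_page(*fetch("https://example.com/security"))`. Cookies set by JavaScript rather than by headers only show up as a script finding, which is why both lists matter.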
Designate an owner. Make sure that someone in your organization wears the hat, if only to make sure there is employee training. The labor shortage is real but that doesn’t mean you can stick your head in the sand. Hire a consultant or a lawyer, or both, if you have to. You will thank me later.
Practice responding to an incident. The hardest part of a data breach or ransomware event is the initial discovery. Generally, it causes you to panic, which is why practicing your response will help you to avoid making costly mistakes. Know which forensic firm to reach out to, which law firm, and how to keep communications with the necessary stakeholders within your organization on a channel the attacker cannot read. And for crying out loud, designate a responsible owner or owners.
Get organized. Collecting the data about your business's data privacy and cybersecurity operations in a centralized place will, at the end of the day, be the best thing you did for your business.
If you made it this far, then I will add one bonus piece of advice. Regularly back up your computer. Go on Amazon and buy a "backup external hard drive" from a reputable provider. Do your due diligence on the provider! Once you get it, connect it to your laptop or desktop computer and set a super strong password that you physically store in a secure, but easy to find, place. Set reminders to connect that external hard drive weekly (back up and then disconnect). A drive that is unplugged is the one copy ransomware on your computer cannot reach.
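What "back up and then disconnect" looks like in practice, as an added example that is not part of the original post: a script that snapshots a folder onto the external drive, writes a SHA-256 manifest next to the archive, reads the whole archive back before you unplug, and refuses to run if the drive is not actually mounted (otherwise it would quietly fill the internal disk at the empty mount point). The source and mount-point paths in `main` are assumptions; the demo data is constructed.

```python
"""Weekly snapshot of a folder onto an external drive, with a hash manifest and a
read-back check before you unplug it. Added example, not from the post or ClearOPS.
Assumed paths: ~/Documents as the source and /media/backup as the drive's mount point."""
import datetime
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so big archives never have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_for(archive: Path) -> Path:
    return archive.with_name(archive.name + ".sha256")


def make_snapshot(source: Path, drive: Path, keep: int = 8, require_mount: bool = True,
                  when: Optional[datetime.datetime] = None) -> Path:
    """Write <drive>/backups/backup-YYYYmmdd-HHMMSS.tar.gz plus a .sha256 manifest.

    require_mount refuses to run if `drive` is not a mount point: writing into an
    unmounted mount point fills the internal disk instead of the external one.
    """
    if require_mount and not os.path.ismount(drive):
        raise RuntimeError(f"{drive} is not mounted; plug the drive in first")
    dest = drive / "backups"
    dest.mkdir(parents=True, exist_ok=True)
    stamp = (when or datetime.datetime.now()).strftime("%Y%m%d-%H%M%S")
    archive = dest / f"backup-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=source.name)
    manifest_for(archive).write_text(f"{sha256_file(archive)}  {archive.name}\n")
    # Rotate: keep only the newest `keep` snapshots so the drive does not fill up.
    for old in sorted(dest.glob("backup-*.tar.gz"))[:-keep]:
        manifest_for(old).unlink(missing_ok=True)
        old.unlink()
    return archive


def verify_snapshot(archive: Path) -> bool:
    """True only if the hash matches the manifest and every member reads back cleanly."""
    manifest = manifest_for(archive)
    if not manifest.exists() or sha256_file(archive) != manifest.read_text().split()[0]:
        return False
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            for member in tar:
                if member.isfile():
                    fh = tar.extractfile(member)
                    while fh.read(1 << 20):
                        pass
    except (tarfile.TarError, OSError, EOFError):
        return False
    return True


def list_snapshot(archive: Path) -> List[str]:
    with tarfile.open(str(archive), "r:gz") as tar:
        return sorted(tar.getnames())


def run_demo() -> Dict[str, object]:
    """Exercise the flow on constructed data in a temp dir, so no real drive is needed."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "Documents"
        (src / "sub").mkdir(parents=True)
        (src / "notes.txt").write_text("constructed sample content\n")
        (src / "sub" / "policy.md").write_text("# privacy policy draft\n")
        drive = Path(tmp) / "drive"  # stands in for the mounted external disk
        drive.mkdir()
        when = datetime.datetime(2022, 1, 3, 9, 0, 0)
        archive = make_snapshot(src, drive, require_mount=False, when=when)
        result: Dict[str, object] = {
            "name": archive.name,
            "members": list_snapshot(archive),
            "verified": verify_snapshot(archive),
        }
        # Flip one byte: the manifest check must catch silent corruption on the drive.
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(bytes(data))
        result["verified_after_tamper"] = verify_snapshot(archive)
        # The temp dir is a plain directory, not a mount point, so the guard must refuse.
        try:
            make_snapshot(src, drive, when=when)
            result["refused_unmounted"] = False
        except RuntimeError:
            result["refused_unmounted"] = True
        return result


if __name__ == "__main__":
    # Real use (paths are assumptions): snapshot, verify, then unmount and unplug.
    # archive = make_snapshot(Path.home() / "Documents", Path("/media/backup"))
    # print("ok to unplug" if verify_snapshot(archive) else "DO NOT TRUST THIS BACKUP")
    print(run_demo())
```

The drive's own password (hardware or full-disk encryption) protects the data at rest if the drive is lost; the manifest and read-back protect you from discovering a corrupt archive only on the day you need to restore.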
What does ClearOPS have to do with any of this? We help with #s 2, 3, 4, 5, 7, 8 and 10. #7 is a new feature we just launched called OPSReports. We collect the data about your organization, and display it in a report that is updated weekly. You literally don’t have to do anything to get a security page except add the hyperlink on your website. And it is all verifiable data and the fact that a third party (us) is hosting it gives you added legitimacy. Email me if you are interested. It’s only $100/ month but if you are a reader, I will give you a discount. We can get it up and running in as little as 15 minutes, like we are doing for other clients every day.
And if you are not associated with a company, please tell us in the comments that you would, or would not, prefer companies present their security this way.
You’re the best!
Caroline
I am a lawyer, which makes me an advocate. Now, I am an advocate for individual privacy rights. In today’s business culture, the burden of any data breach is borne by the individual, even though the fault is not theirs to bear. I aim to change that by improving the system from within.
ClearOPS is my company. ClearOPS is a privacy tech company. Want to hear a recent podcast where we talk about privacy tech? Listen here. These posts are just my opinion. Nothing contained herein is legal advice or constitutes legal representation in any way. I do my research but it doesn’t mean I’m perfect.