Technology risk assessment for compliance: Data privacy and security risks

By Lauren Connell

Lauren Connell (connell.lauren@gmail.com) is Managing Associate at The Volkov Law Group in New York, NY.

Compliance officers operate where the rubber meets the road, where regulatory requirements are translated into specific controls over business conduct. We are experts at operationalizing policies and procedures. As technology has transformed the way business is done, it is no surprise that Compliance departments have had to make adjustments to align operations with compliance requirements. Now, Compliance departments are perfectly situated to address new challenges posed by the new risks technology creates, including data security and privacy.

The financial industry has been a compliance leader in this area because of Financial Industry Regulatory Authority regulations that apply to electronic communications and social media and, more recently, requirements imposed by the New York Department of Financial Services.[1] Other industries are behind the curve but, faced with quickly growing risks and regulatory demands, are working hard to catch up.

Risk sources and regulatory demands

Companies are facing risks from criminals and hackers as well as increasing regulatory expectations. Compliance is a natural partner for the Information Technology (IT) department to address these very real dangers.

Criminal risks

In this age of technology driving business operations, hackers are getting increasingly creative, creating serious risks and potentially devastating harm to large and small businesses alike. From basic ransomware attacks to full-out assaults designed to collect sensitive personal and financial information, businesses must embrace compliance and defensive solutions to prevent devastating attacks. Last year, businesses such as HBO, Anthem, Experian, and many others suffered harm that was widely reported in the news media. In the case of HBO, hackers gained illegal access to unreleased shows, including an episode of HBO’s Game of Thrones, embarrassing internal emails, and private employee records. In another case, North Korea launched a global ransomware attack and took advantage of infrastructure weaknesses to spread mass chaos, locking people out of their information systems around the globe. Most worrisome, the attack severely affected the UK’s healthcare industry, causing very real risks to people seeking healthcare.

In addition, traditional risk sources, such as physical security or employee access to confidential information, now pose a greater threat when technology can amplify the impact. For example, whereas a door left open may have resulted in petty theft in the past, now a door left open can result in the theft of technology that holds valuable confidential information. Even the theft of a single external hard drive can cause hundreds of thousands of dollars in remediation costs if it, for example, contained payment information from customers or personal information of employees.

Regulatory demands

Meanwhile, government regulators are addressing the impact technology has had on business by requiring businesses to improve technology and security capabilities. The U.S. Department ofJustice recently released a new Foreign Corrupt Practices Act Corporate Enforcement Policy[2] that requires companies seeking leniency benefits to maintain business record retention policies to prevent the destruction of electronic records, and to prohibit “employees from using software that generates but does not appropriately retain business records or communications.” For example, if your employees are regularly communicating on a chat feature, does your business retain those records? What about communications made on the company’s behalf over social media?

Most businesses are also aware that the EU’s General Data Protection Regulation came into effect in May 2018, along with its very severe penalties, up to 4% of a company’s annual revenue. Businesses covered under this regime must focus on their data privacy regimes and protect any personal data about any EU citizen that the business may collect.[3]

Compliance is a natural partner

These are not just problems for the company’s IT department. Corporate functions across the board now face very real and significant risks concerning data management and privacy. Compliance departments are natural partners—even leaders—when it comes to identifying risks and developing strategies to mitigate such risks. Well-designed policies and procedures, training, cross-functional coordination, and auditing and monitoring to ensure compliance—these are all risk mitigation steps that Compliance departments are best suited and experienced to take on.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings