There Ought to be a Law...
Put the emphasis on the "a" in that title. A law, not 50 different laws.
I'm talking about federal privacy breach legislation. California's SB 1386 broke important new ground when it went into effect, and as we've already discussed here, that landmark law has had national impact over the last 14+ months. However, where SB 1386 rolled back the curtain on information security, exposing a serious and very real problem with the stewardship of private data, the 22 (at last count) states that have followed suit have done little more than complicate the situation. As organizations work to determine how to comply with the various aspects of each state's nuanced take on breach notice, the likelihood that loopholes will be exploited to prevent costly and, these organizations will argue, unnecessary notification, each new state law will be counterproductive in the aggregate.
It's clear to me that an overarching federal law is necessary to clear up the confusion, establish a single national standard, and simplify the process for everyone - businesses and consumers alike.
From a communications perspective, I'm surprised to see how few companies have stepped out with an opinion on this issue. Consumer-facing organizations with a stake in this issue seem reluctant to speak out for fear of sounding anti-consumer. Software vendors and consultancies with a compliance play have been largely silent on this issue as well, perhaps not wanting to seem mercenary in their objectives.
But it doesn't have to be that way.
Joseph Ansanelli, CEO of data protection player Vontu, has been active on this issue for a number of years, testifying before Congress and offering a thoughtful perspective that can be seen in this opinion piece recently published in the Cyber Security Industry Alliance newsletter.
Ansanelli gets bonus points for the fact that he's not a Johnny-come-lately to this issue, which isn't often the case with cause-of-the-day communications, the public relations equivalent to ambulance chasing. I've followed Vontu for a number of years, going back to my earliest work with the IAPP, and have had the privilege of working with them on a few projects recently, so I guess I'm a little biased, but as a comms consultant and also a privacy geek, I've seen the rush to adopt the latest buzzwords and a lot of companies' ham-fisted approach to this "strategy" can have the opposite effect, undermining credibility.
Vontu's credibility comes from their consistent and clear long-term commitment to the issue of data protection.
Recommendation: More organizations, especially startups, can learn from this approach. Most of the companies I've worked with over the years have been possessed of a clear passion for solving problems, but lack the patience that is necessary to wait for their evangelical efforts to pay off. Whether the pressure to build a high media profile comes from investors or from a "grass is always greener" mentality, results not realized in six (or fewer!) months are considered as evidence of failure and the search is on for a new cause du jour. That can be a mistake, especially in cases where the original passion of a founder may simply be early in the development phase. Trusting in instinct may involve a serious test of patience, but commitment to the truth is a long-term strategy.
I'm talking about federal privacy breach legislation. California's SB 1386 broke important new ground when it went into effect, and as we've already discussed here, that landmark law has had national impact over the last 14+ months. However, where SB 1386 rolled back the curtain on information security, exposing a serious and very real problem with the stewardship of private data, the 22 (at last count) states that have followed suit have done little more than complicate the situation. As organizations work to determine how to comply with the various aspects of each state's nuanced take on breach notice, the likelihood that loopholes will be exploited to prevent costly and, these organizations will argue, unnecessary notification, each new state law will be counterproductive in the aggregate.
It's clear to me that an overarching federal law is necessary to clear up the confusion, establish a single national standard, and simplify the process for everyone - businesses and consumers alike.
From a communications perspective, I'm surprised to see how few companies have stepped out with an opinion on this issue. Consumer-facing organizations with a stake in this issue seem reluctant to speak out for fear of sounding anti-consumer. Software vendors and consultancies with a compliance play have been largely silent on this issue as well, perhaps not wanting to seem mercenary in their objectives.
But it doesn't have to be that way.
Joseph Ansanelli, CEO of data protection player Vontu, has been active on this issue for a number of years, testifying before Congress and offering a thoughtful perspective that can be seen in this opinion piece recently published in the Cyber Security Industry Alliance newsletter.
Ansanelli gets bonus points for the fact that he's not a Johnny-come-lately to this issue, which isn't often the case with cause-of-the-day communications, the public relations equivalent to ambulance chasing. I've followed Vontu for a number of years, going back to my earliest work with the IAPP, and have had the privilege of working with them on a few projects recently, so I guess I'm a little biased, but as a comms consultant and also a privacy geek, I've seen the rush to adopt the latest buzzwords and a lot of companies' ham-fisted approach to this "strategy" can have the opposite effect, undermining credibility.
Vontu's credibility comes from their consistent and clear long-term commitment to the issue of data protection.
Recommendation: More organizations, especially startups, can learn from this approach. Most of the companies I've worked with over the years have been possessed of a clear passion for solving problems, but lack the patience that is necessary to wait for their evangelical efforts to pay off. Whether the pressure to build a high media profile comes from investors or from a "grass is always greener" mentality, results not realized in six (or fewer!) months are considered as evidence of failure and the search is on for a new cause du jour. That can be a mistake, especially in cases where the original passion of a founder may simply be early in the development phase. Trusting in instinct may involve a serious test of patience, but commitment to the truth is a long-term strategy.