New Privacy laws #swphl23

Security protects from external threats. Privacy is how data is collected, shared and used.

Every state has a breach notification law. No federal law covering everything. Only certain sectors.

No federal privacy law. There's industry specific ones like HIPAA, glba, gdpr. States have various ones.

New for 2023 Cpra(California updated), vcdoa(Virginia), cpa(Colorado), ctdpa(Connecticut), ucpa(Utah)

Laws will have rules and regs to help interpret the laws. They should be the starting point.

Iowa is coming out in 2025

IAPP is a good resource. https://iapp.org/join/

#swphl23 #infosec session on small teams...

Entry level is not 3 to 5 years of experience...

So many technology solutions that are procured to solve one problem. #techOverload. Instead, figure out how to use more of the tools you have already.

Never ending threats. Many focus on end users. #userawareness is needed.

Limited resources including people. Orgs need to realize they may need to train for experience instead of finding unicorns.

Lots of compliance requirements. Don't waste resources doing compliance if it's not required from outside motivations. Internal measures of program can do better to tell the story to mgmt. (Measure risks and mitigation instead.)

The 5 phases of the NIST CSF framework can be used to help define your program, but still use a business risk approach.

Swatting at flies is ineffective and inefficient.