Regulations and standards from different countries, states, and industries have different provisions, and these change over time. Data that might be deemed non-sensitive today may become sensitive and regulated tomorrow. In this uncertain environment, organizations tend to take a cautious approach; for example, the loss of email addresses, once not considered sensitive data, has recently triggered data breach disclosures by multiple organizations.
Regulations range from rather vague to quite specific. While some focus more generally on corporate governance processes, others specify in some detail the kinds of protection required, what organizations need to do to prevent and disclose breaches, and how organizations can prove their compliance with regulations. For example, some regulations require organizations to take action each year to maintain compliance, while others require action only in the case of a security breach.
Many of today’s privacy regulations target particular kinds of data such as healthcare records or specific industries such as European telecommunications firms and ISPs. Some privacy requirements are not government mandates at all, but rather constitute a single industry’s efforts to regulate itself. The best example of this is the Payment Card Industry Data Security Standard (PCI DSS), which has become so widely recognized that it has the potential to become a model for other industries with similar challenges.
Given this somewhat confusing and unstable picture, forward-thinking organizations should proactively take steps to reduce their risk of non-compliance. Rather than addressing each requirement piecemeal, they should take a strategic approach that looks beyond current privacy requirements while keeping their broader security goals in view.