Will we see a federal privacy law in the US?

At RSA 2019, Dana Simberkoff of AvePoint discussed how companies can reevaluate privacy policies.

At RSA 2019, TechRepublic Senior Editor Alison DeNisco Rayome spoke with Dana Simberkoff, Chief Risk, Privacy and Information Security Officer at AvePoint Inc., about privacy laws in the US and how companies can make sure they're compliant. The following is an edited transcript of the interview.

Alison DeNisco Rayome: What do you think are the odds that something like what we've seen in California, in terms of a privacy law, could be rolling out across the entire US in the future?

Dana Simberkoff: I think the odds of a federal US privacy law similar to the California Consumer Protection Act (CCPA) are increasingly likely. There is clear motion on the federal level--and even from the industry--supporting the idea of having a US-wide national privacy law versus having states each do their own thing, which would be very difficult for regulatory enforcement, and also for tech vendors and others to comply.

It would be much more consistent and create a repeatable process that would allow both consumers and technology companies, as well as government, to have a consistent approach to protecting information and making sure that we're doing the right thing with the data that we're trusted to hold.

Alison DeNisco Rayome: What can companies do to make sure that they're re-evaluating their privacy policies or getting things together for them?

Dana Simberkoff: Companies today can do some work to get ready for any future privacy regulation by looking at what we already know is in place today through newer laws like the EU General Data Protection Regulation (GDPR), which starts a really nice framework for building a strong privacy program. Now, over and above GDPR, you can also look at some of the security standards like ISO 27001. Given that I have both security and privacy responsibilities in my company, this is what we do.

We map our ISO program to our GDPR program so that we're ensuring we have a foundation and a framework that allows us to meet requirements globally, as well as in different regions in which we operate. This allows you to implement processes, policies, and technical controls that meet not only your privacy requirements and obligations, but your security requirements and obligations as well.

Alison DeNisco Rayome: What advice do you have for CISOs and other security professionals in terms of keeping up with privacy policies right now?

Dana Simberkoff: For CISOs to really understand what's happening in the world of privacy, they need to look back a couple of years because I feel like privacy is today where security was about eight or 10 years ago. There's clearly a huge uptick in regulation around privacy, and I think it's very important for security officers to understand that these newer regulations like GDPR and CCPA actually have a number of security and IT requirements.

So, while it would be very easy to say, 'Well, it's actually privacy's responsibility to ensure compliance with these laws,' a lot of the burden actually falls on security and IT. So I think it becomes increasingly important for security professionals to educate themselves in these privacy laws to understand their obligations under these laws. I think we see a real overlap and intersection between privacy and security.

At the same time, I think it's important for privacy professionals to become proficient in the vocabulary of IT and security as well. I think we're going to see a trend toward merging and overlap in these disciplines, which I think is ultimately a good thing for consumers, and for our professions as well.
