Surely, it would be far easier if the whole of the USA accepted GDPR legislation universally, rather than having individual states' privacy legislation - the whole thing will become a monumental nightmare unless there is some consistency - it will drive people bonkers over time?
https://www.jdsupra.com/legalnews/copy-cat-class-actions-meet-copy-cat-68606/
Regards
Caute_cautim
I totally agree with you.....it would be far easier to have one law, but then it wouldn't be invented here and it would need to be synced with other laws on the books.
In doing work on Privacy, there are at least ten states contemplating new Privacy laws, California coming due the beginning of 2020. However, even California is still tweaking what the law will look like.
Of the balance of the states, six have said they will probably follow suit with California, two will follow GDPR and the others are undecided. This, coupled with all the other laws, is going to be so confusing, not only to our corporations but to us (the folk that do the work).
Here is the current list of potential fines for violations of privacy:
So what's the answer? One might hope that organizations such as IAPP and (ISC)2 / SANS / ISACA might join forces/ work together to help bridge the understanding.
MHOO
d
@Caute_cautim wrote: Surely, it would be far easier if the whole of the USA accepted GDPR legislation universally,
Who is to say that the EU's GDPR has gotten it right? Why not PIPEDA? Why not Mexico's Federal Data Protection Law? There is no one size that fits all, BUT I will say that if we all stick to the principles of Privacy by Design then there can be real change. Also, fines do not matter to big tech. We need to be handing out jail sentences for the flagrant offenders. Do you think your CIO would pay attention to that?
@dcontesti wrote: So what's the answer? One might hope that organizations such as IAPP and (ISC)2 / SANS / ISACA might join forces/ work together to help bridge the understanding.
MHOO
d
As a petitioner (top Google search) to the (ISC)2 board of elections how are you planning to "join forces" and essentially MERGE the certification efforts of ISACA and (ISC)2? Do you have buy in for this vision from others of the Board?
Sorry, that's not how it works here. By design. Each state is sovereign, with the federal government meant to be small and deal only with certain matters.
Second, who says that GDPR got it right? Maybe something else is better. By having each state do it differently, this allows for someone to get it done better or which better fits that state.
@AppDefects wrote:
@dcontesti wrote: So what's the answer? One might hope that organizations such as IAPP and (ISC)2 / SANS / ISACA might join forces/ work together to help bridge the understanding.
MHOO
d
As a petitioner (top Google search) to the (ISC)2 board of elections how are you planning to "join forces" and essentially MERGE the certification efforts of ISACA and (ISC)2? Do you have buy in for this vision from others of the Board?
Why do these groups need to MERGE to "join forces" and work together?
They don't.
I've seen this happen with other groups I'm involved with.
I also do work with parliamentary procedure ("Robert's Rules of Order" etc). There are 2 national orgs for this, NAP and AIP. AIP actually was a kind of spinoff of NAP due to some differences of views of its founder. Each group is different and I don't see any chance of the 2 merging, BUT the 2 groups did come together to develop a joint statement and guidelines on ethics for parliamentarians.
So, yeah, ISC2 could do joint work with ISSA, ISACA, IAPP, etc, without talking of merging the orgs.
@emb021 wrote:
@AppDefects wrote:
@dcontesti wrote: So what's the answer? One might hope that organizations such as IAPP and (ISC)2 / SANS / ISACA might join forces/ work together to help bridge the understanding.
MHOO
d
As a petitioner (top Google search) to the (ISC)2 board of elections how are you planning to "join forces" and essentially MERGE the certification efforts of ISACA and (ISC)2? Do you have buy in for this vision from others of the Board?
Why do these groups need to MERGE to "join forces" and work together?
They don't.
I've seen this happen with other groups I'm involved with.
I also do work with parliamentary procedure ("Robert's Rules of Order" etc). There are 2 national orgs for this, NAP and AIP. AIP actually was a kind of spinoff of NAP due to some differences of views of its founder. Each group is different and I don't see any chance of the 2 merging, BUT the 2 groups did come together to develop a joint statement and guidelines on ethics for parliamentarians.
So, yeah, ISC2 could do joint work with ISSA, ISACA, IAPP, etc, without talking of merging the orgs.
Sorry, I never meant to suggest that the orgs merge, but I think they could do some work putting together a strategy to help Security folk deal with all the different privacy laws. I guess I was thinking back to my days as an accountant and thinking of the GAAP (Generally Accepted Accounting Practices) or ISACA's COBIT, where practitioners would have a playbook. Think of it like, if I see X, Y and G, I can apply (as an example only) Blockchain.
I do not think the organizations should merge but there are synergies that would benefit them.
The issue is that each state in the US is developing or has developed numerous laws covering Privacy and what can / cannot be done, as has Canada. Canada developed PIPEDA (although this is up for rewrite) which covers most of Canada unless the province or territory has a substantially similar privacy law in place.
So as a security practitioner in Canada, working for a company doing business in the US, I now need to understand the laws in multiple locations as well as things like the Patriot Act.
I think it would be ideal if we had a playbook so that we weren't continually wandering around trying to decipher all the laws.
It should be noted that the organizations have worked in unison in the past dealing with issues such as Ethics (I knew someone that was on the joint committee).
Best
Diana
@AppDefects wrote:
@dcontesti wrote: So what's the answer? One might hope that organizations such as IAPP and (ISC)2 / SANS / ISACA might join forces/ work together to help bridge the understanding.
MHOO
d
As a petitioner (top Google search) to the (ISC)2 board of elections how are you planning to "join forces" and essentially MERGE the certification efforts of ISACA and (ISC)2? Do you have buy in for this vision from others of the Board?
"Join forces" does not necessarily mean merge. It implies cooperation. It could be as simple as a playbook.
The thoughts expressed here are mine and mine alone which is why I signed the note MHOO.
Should I be elected to the Board, it would be one of the items that I would champion as Privacy laws differ from state to state to STATE and province to province to Country and country to country.
My take on GDPR is that they were the first consolidated effort and they reached far and wide and now there are huge penalties being suggested against some very large corporations.
CCPA seems (at least today) to only be targeting large corporations.
As to your question on support or buy-in from other board members, that is something that would need to be developed, as I have not discussed it with anyone other than this forum, but one would hope that the board as a whole would look at an issue and ask management to come back with a strategy to deal with it.
MHOO
d
No system is perfect, but I agree that the US should adopt GDPR. Of course, I am biased. I've worked in healthcare for many years. I work with multiple privacy frameworks and the differences between countries can be maddening. I prefer GDPR for a lot of reasons. Maturity and comprehensive protections, for example. We have adopted GDPR for all our businesses across the globe (we have a footprint in dozens of countries and sell to almost all countries).
I also believe that, like HIPAA or FDA, a minimum federal set of rules should be set for all states. If California wants to go further, then that is good. We cannot continue this wild west mentality, in my opinion.