The Regulatory Burden
The media industry delivers content globally and is more visible to the public than virtually any other sector. That visibility makes media companies attractive targets: a cybersecurity breach in this lucrative industry can be profitable for the attacker and result in high-profile negative coverage and significant financial and reputational damage.
In the film industry, the consequences of a successful attack can include IP theft, piracy and compromise of customer-facing content, such as the leak of the script for the James Bond movie Spectre during the Sony hack. News outlets are also frequently targeted by politically motivated actors who aim to disrupt or compromise the content and its distribution.
In the course of business, media companies collect personal information on their readers, movie-goers and streaming service subscribers, such as name, age, location, credit card details and social media accounts.
With cyber threats and data privacy regulations both growing in number, media companies need risk and compliance management software that helps them secure their valuable information and streamline their compliance requirements, so they can protect their organization’s reputation, secure high-value IP and information, and earn the trust of their customers.
A Framework for Data Privacy Success
Much of the data media companies collect is subject to protection from multiple regulatory frameworks that can reach across various jurisdictions, making media one of the most regulated industries today. Potential compliance obligations include:
- GDPR if you do business with EU citizens
- CCPA if you do business with California citizens
- The NIST Cybersecurity Framework to protect your IT systems
- PCI DSS if you collect credit card information
A critical question is whether the data collected can identify a specific person. Class action lawsuits have been brought against media companies for failing to protect customer and subscriber personal information.
As media companies grow, compliance obligations start to add up. Tracking risk assessments, gap analyses and remediation efforts across multiple compliance and cybersecurity frameworks can be daunting.
Manage Compliance and Risk with Confidence and Ease
While many smaller organizations begin managing risk and compliance through manual efforts and legacy tools and spreadsheets, this is not sustainable long term.
ZenGRC is a risk and compliance management solution that leverages automation functionality, universal control mapping and real-time monitoring to streamline data privacy workflows, cybersecurity risk management and compliance requirements for media companies.
ZenGRC empowers organizations to accomplish compliance objectives faster, with greater accuracy and cost-efficiency, ensuring that data is protected and that your organization is defended against cybersecurity threats.
Not only must media companies comply with a number of data privacy regulations, but they can also leverage a variety of risk management frameworks to protect their data and their IT systems.
But managing regulatory requirements while trying to implement a cybersecurity and risk management program can be extremely challenging to do through manual efforts.
That’s where ZenGRC can help with automation, reporting features and guidance to empower media to:
- Take an inventory of the data collected from site visitors, subscribers and customers, and identify which data privacy regulations your business must comply with
- Perform a risk assessment of your IT systems and data collection practices
- Remediate weaknesses and non-compliance risks through improved data collection practices, appropriate data collection notices, security patches or other controls
- Document everything, including your baseline measures, any vulnerabilities found during risk assessment and any mitigation strategies that have been applied to remediate risk
- Study data collection practices for non-compliant behaviors like failure to secure consent for collecting social media profiles
- Diagnose breaches when they happen, with disclosure according to breach notification laws
- Implement an audit trail for all data collection practices, privacy notices and retention of compliance documentation
Frequently Asked Questions
Why should a media company conduct a PCI DSS risk assessment?
Conducting a PCI DSS risk assessment can provide insight into vulnerabilities in your transaction and payment data collection practices. Specifically, it empowers organizations to identify, assess, document and manage information security risks that may impact cardholder data.
Media companies can pinpoint these vulnerabilities through penetration testing, risk assessments and security audits. Furthermore, PCI DSS provides guidance around mitigation strategies so they can get started implementing comprehensive risk management strategies.
How does GRC software help media companies with data privacy?
To protect your info systems and data from unauthorized access or theft, you must first understand what gaps, if any, exist in your security protocols as well as the unique risks facing your organization.
Then, once your risks are assessed and mitigated, your compliance or cybersecurity program will need to be maintained, monitored, and reviewed routinely to ensure that internal controls are still effective and that you are aware of emerging risks.
A governance, risk and compliance management solution like the RiskOptics ROAR Platform can provide a number of options to help you identify, meet and maintain your regulatory requirements and safeguard your organization against cyber threats.
Through automation, control mapping and a dashboard that can provide real-time views of your compliance and risk stance, ROAR ensures you always know where you stand and what action needs to be taken to improve your security posture.
How can the NIST Cybersecurity Framework help media companies implement data privacy controls?
The NIST Cybersecurity Framework can provide additional paths toward tackling GDPR data privacy objectives through its “Identify, Protect, Detect, Respond and Recover” functions. Because GDPR is so broad, the NIST CSF offers a holistic approach to security that can accelerate your organization’s GDPR compliance journey.