New Laws on Data Privacy and Security Are Coming. Is Your Company Ready?

By Andrew Burt
September 27, 2019

Companies today are often not equipped to sell secure software, because they are not incentivized to do so, and because consumers are in no position to demand it. But this market failure won’t last long.

Governments are in the process of passing new laws to ensure higher standards for software security and data privacy. The era in which tech companies inadequately test their software for security and privacy vulnerabilities is coming to an end. Last year, for example, California became the first U.S. state to enact basic standards for software used in the “internet of things.” And various proposed state laws around the country would raise the penalties for privacy or security failures. Similar efforts are ongoing around the world, from India to Brazil.

Software companies and their corporate customers shouldn’t wait to take action. To start with, they should not only gauge their level of security in terms of the patches they install or the incidents they respond to, but also consider the labor-intensive, ongoing processes they devote to preventing privacy and security vulnerabilities. That means that the time devoted to testing software and maintaining it once it is deployed will become central metrics in securing enterprise data.

Companies that create and deploy software can ready themselves by adopting two additional strategies.

First, they must focus on embedding security processes into the software design and deployment life cycle as early and as often as possible. Companies that purchase software should continuously track their attack surface and ensure that the teams appointed to simulate attackers are actively probing company networks and testing security readiness.

Second, companies need to connect the resources they spend on privacy and security to the volume and complexity of the code they seek to protect. As the number of lines of code in any given software system grows, or as its user base expands, organizations will have to increase their efforts to protect the privacy and security of their customers.

Soon, a less than robust software security strategy will become more than a public relations liability; it will become a serious legal vulnerability. It’s best to be prepared.

(Andrew Burt is chief privacy officer and legal engineer at Immuta.)

Copyright 2019 Harvard Business School Publishing Corp. Distributed by The New York Times Syndicate.

Topics: Technology

Podcast: DME (Durable Medical Equipment): Possibilities and Pitfalls in Your Practice
Doctor Alexa Will See You Now: Is Amazon Primed To Come To Your Rescue?
Transform your organization - Get leadership training from the experts!

Popular Articles


About Physician Leadership News

Now more than ever, physicians are leaders in their organizations and communities.

The American Association for Physician Leadership maximizes and supports physician leadership through education, community, and influence. We promote thought leadership in health care through our Physician Leadership News website, bimonthly Physician Leadership Journal and other channels.

We focus on industry leadership issues such as patient care, finance, professional development, law, and technology. Association announcements and news of association events can be found.

Send us your feedback at

Journal Submission Guidelines

AAPL's award-winning print publication, the Physician Leadership Journal, welcomes originally authored manuscripts for peer review that meet competency, formatting and preparation criteria. To review these guidelines and other information regarding submissions, click here.