American Cyber Security Management

Secure and certify all your data and processes


American Cyber Security Management once again Proud Sponsor of RMISC

April 18, 2025 By Carlin Dornbusch

Cybersecurity and Privacy Expertise and Community Support at RMISC 2025.

At AmericanCSM.com (https://www.americancsm.com/ ), we are thrilled to announce our continued support and sponsorship for the Rocky Mountain Information Security Conference (RMISC) 2025. This prestigious event, set to take place at the Colorado Convention Center from May 28-30, 2025, represents a vital meeting ground for cybersecurity, compliance and privacy professionals in the Rocky Mountain region and beyond.

As a company that prides itself on delivering top-notch cybersecurity and privacy services—including Security or Privacy Assessments, Pen Tests, and our CISO-as-a-Service and DPO-as-a-Service, AmericanCSM.com understands the importance of fostering a strong cybersecurity community. RMISC 2025 is the perfect platform for this, offering a rich tapestry of sessions that cover the most pressing topics in our field today, from IT security and compliance to emerging threats and cybersecurity innovations.

At AmericanCSM.com, we also offer Privacy services, such as privacy assessments and DPO-as-a-Service, recognizing that privacy and security are two sides of the same coin. Events like RMISC allow us to showcase these services while gaining insights into the needs and challenges faced by our community, ensuring that our offerings remain at the cutting edge.

As always, we are not just sponsors; we are also proud participants. Several of our esteemed colleagues will be speaking at the conference. Carlin Dornbusch, Brian Sudis, and Paul Herbka will share their insights and expertise, contributing to the knowledge exchange that RMISC facilitates so well. Carlin Dornbusch is also now a member of the RMISC Operational Committee and serves as one of the board members of RMISC's newly founded business entity.

Supporting local cybersecurity events like RMISC is crucial for several reasons. First, it allows us to give back to the community that drives our industry forward. These gatherings are essential for networking, sharing knowledge, and discussing new ideas and technologies that can shape the future of cybersecurity and privacy. Second, by sponsoring RMISC, we help ensure that the local cybersecurity, compliance and privacy community remains vibrant and accessible, providing professionals of all levels with opportunities to learn, grow, and collaborate.

We invite all attendees to connect with us during the conference, whether it’s attending one of our talks, visiting our booth in the exhibitor’s hall, or just saying hello. Let’s make RMISC 2025 a landmark event for collaboration, learning, and advancement in cybersecurity!

Come listen to our insights on:

  • Thursday May 29 at 11:00 – Noon – “Boardroom Blunders – Cyber Risk in the Boardroom”
  • Friday May 30 at 11:00 – Noon – “Leadership, Cybersecurity and the CISO – Wish I Had Known…”

For more information on RMISC 2025, please visit their website at https://rmisc.org/ and we look forward to seeing you there and continuing to build a safer digital world together.

Filed Under: Cyber Security News

DPO Roles and DPA Rulings

March 27, 2025 By Carlin Dornbusch

Many companies are trying to do more with less these days. In some cases, they leverage existing resources to play multiple roles in their company. When managing your Privacy Program, you need to be extra careful that your DPO role is not in conflict with the other duties of the person filling it. A case in point is the recent (3/14/2025) decision of the Data Protection Authority (DPA) in Norway regarding this issue with a local business, Telenor.

Summary of Findings from the Norwegian Data Protection Authority’s Decision on Telenor ASA

The Norwegian Data Protection Authority (Datatilsynet) conducted an inspection of Telenor ASA’s compliance with GDPR requirements for Data Protection Officers (DPOs) and organizational measures. Here are the key findings and implications regarding internal counsel serving as DPO:

Key Findings and Violations

  • Article 37 (DPO Designation):
    • Telenor ASA failed to document its assessment of whether it was obligated to appoint a DPO
    • The company’s record of processing activities was incomplete and inconsistent
    • The DPO’s contact information was not properly published (Article 37(7))
  • Article 38 (DPO Position):
    • The DPO lacked direct reporting line to highest management level (Article 38(3))
    • Resources allocated to the DPO were insufficient (Article 38(2))
    • Independence and conflict of interest concerns were not properly addressed
  • Article 24 (Organizational Measures):
    • Inadequate policies and organizational measures to ensure GDPR compliance
    • Unclear division of controllership responsibilities
    • Lack of documented procedures for DPO involvement

Internal Counsel as DPO – Requirements and Challenges

The decision addresses whether an internal counsel can serve as DPO. While not prohibited, several significant requirements must be in place:

1. Clear Distinction Between Roles

  • The job description must clearly distinguish DPO duties from legal counsel duties
  • The roles must be formally separated with distinct responsibilities and reporting lines
  • Using a separate email address for DPO matters is necessary to differentiate functions clearly

2. Independence Safeguards

  • The DPO must be able to provide independent advice that may conflict with business interests
  • The supervisor-trainee-lawyer relationship can potentially compromise independence
  • Potential conflicts of interest (including share ownership) must be specifically assessed and documented

3. Resource Allocation

  • Sufficient time must be allocated for DPO duties – the 50% FTE allocation was found to be insufficient
  • The DPO should not face competing priorities between legal counsel work and DPO responsibilities
  • The DPO should have access to necessary resources without having to request them from direct superiors

4. Reporting Structure

  • A direct reporting line to the “highest management level” must be established and documented
  • This reporting line should allow the DPO to bypass intermediate management levels when necessary
  • The reporting structure must be formalized in policies, not merely described in presentations

Conclusion

While internal counsel can serve as DPO, Datatilsynet found significant challenges in combining these roles. The decision highlights that:

  1. It’s not automatically prohibited for in-house legal counsel to serve as DPO, but robust safeguards must be in place to ensure independence and prevent conflicts of interest.
  2. The combination requires clear organizational separation, adequate resource allocation, direct access to top management, and formal policies documenting these arrangements.
  3. The company must assess and document potential conflicts of interest, including how the professional dependency relationship related to legal career development might affect DPO independence.
  4. The Norwegian authority expressed serious doubts about whether an Associate Lawyer position can be effectively combined with the DPO role, given the inherent tensions between these functions.

You can read the whole story here: https://www.datatilsynet.no/en/news/aktuelle-nyheter-2025/sanctions-imposed-on-telenor-asa-for-lack-in-the-organisation-of-the-data-protection-officer-and-lack-of-internal-control/

ACSM has been helping businesses protect their assets and improve their security and privacy posture since 2006. Our skilled team can help your business understand its cyber weaknesses and potential threats as well as improve your security, privacy, and compliance postures. Our services include penetration testing, maturity assessments, cyber security, and privacy implementation assistance, CISO-as-a-Service, and DPO-as-a-Service, to mention a few.
To learn more about how ACSM can help support your cyber defense needs, please use our contact page https://www.americancsm.com/contact-us/ and schedule a free consultation call today.

Filed Under: Cyber Security News

Announcement – AI Readiness Assessment

February 19, 2025 By Carlin Dornbusch

We at American Cyber Security Management are happy to announce the release of our newest offering: AI Readiness Assessment.

You can read more here: https://www.americancsm.com/artificial-intelligence-readiness-offering/

The benefits can be extremely substantial as businesses begin using AI, both consciously and unconsciously. The risks and issues can be just as detrimental and long-lasting. Accelerated AI adoption carries as much chance of harming others as it does of failing through lack of strategic vision and follow-through.

We are seeing AI being successfully applied to many use cases:

  • IT/Security
  • Marketing
  • Customer Service
  • Manufacturing

Being prepared for AI adoption can help business units be more efficient with the application of the technology, ensure proper use of AI, and help the business remain compliant with upcoming regulations.

Our AI Readiness offering can provide the following benefits:

  • Knowledge of your AI responsibilities
  • Create a custom approach/roadmap for AI compliance
  • Testing your Privacy and Security Programs
  • Through access to our unique AI talent team

We might even find data sets that are already under AI utilization. Our offering helps provide the business with a roadmap for proper AI utilization with the lowest risk.

ACSM has been helping businesses protect their assets and improve their security and privacy posture since 2006. Our skilled team can help your business understand its cyber weaknesses and potential threats as well as improve your security, privacy, and compliance postures. Our services include penetration testing, maturity assessments, cyber security, and privacy implementation assistance, CISO-as-a-Service, and DPO-as-a-Service, to mention a few.
To learn more about how ACSM can help support your cyber defense needs, please use our contact page https://www.americancsm.com/contact-us/ and schedule a free consultation call today.

Filed Under: Cyber Security News

2025 Data Privacy Day

January 28, 2025 By Carlin Dornbusch

Happy Data Privacy Day!

Did you know Data Privacy Day has been celebrated in the U.S. since 2008, and the U.S. federal government made it official in 2011?

It is a good time to reflect on the principles of GDPR, which have now become the core privacy principles all businesses should follow for Data Privacy:

  • Lawfulness, fairness, and transparency: Personal data must be processed in a lawful, fair, and transparent manner. 
  • Purpose limitation: Personal data can only be collected for specific, legitimate, and explicit purposes. 
  • Data minimization: Personal data processing must be relevant, adequate, and limited to what is necessary. 
  • Accuracy: Personal data must be accurate and kept up to date. 
  • Storage limitation: Personal data should only be kept for as long as necessary to fulfill the purposes for which it was collected. 
  • Integrity and confidentiality: Personal data must be protected with integrity and confidentiality. 
  • Accountability: Everyone who processes personal data must be able to demonstrate compliance with the other six principles. 

And of course, here is just a reminder of some critical steps for businesses to take to protect their data:

  • Know how your data is collected
  • Know your data locations
  • Know your data types
  • Know where your data is going
  • Classify your data
  • Secure your data with encryption
  • Manage access to your data based on classification and roles
  • Delete data as it ages or becomes unnecessary
  • Utilize data deliberately

ACSM has been helping businesses protect their assets and improve their security and privacy posture since 2006. Our skilled team can help your business understand its cyber weaknesses and potential threats as well as improve your security, privacy, and compliance postures. Our services include penetration testing, maturity assessments, cyber security and privacy implementation assistance, CISO-as-a-Service and DPO-as-a-Service, to mention a few.

To learn more about how ACSM can help support your cyber defense needs, please use our contact page https://www.americancsm.com/contact-us/ and schedule a free consultation call today.

Filed Under: Cyber Security News

Building a Privacy-First Organization: Strategies for 2025 and Beyond

January 22, 2025 By Paul Herbka


In an era where data breaches and privacy scandals make headlines regularly, prioritizing data privacy is no longer just a regulatory necessity—it’s a business imperative. As we enter 2025, companies recognize that embedding privacy into the core of their operations is essential for building trust, protecting sensitive information, and maintaining a competitive edge. (Oh yeah, and it helps with compliance.)

Adopting a privacy-first approach means proactively addressing data protection at every level of the organization, from executive leadership to frontline employees. Here are the key strategies for embedding privacy into your business culture and operations in 2025 and beyond:

1. Develop a Privacy-Driven Culture

Building a privacy-first organization starts with cultivating a culture where privacy is valued by every employee. This requires:

  • Executive Buy-In: Leadership must champion privacy initiatives and allocate necessary resources.
  • Continuous Training: Regular, engaging training programs should ensure employees understand the importance of privacy and their role in maintaining it.
  • Transparent Communication: Create open channels to discuss privacy policies, updates, and potential risks, fostering a sense of collective responsibility.

2. Adopt Privacy by Design and Default

Privacy should not be an afterthought—it must be integrated into product development, IT systems, and business processes from the outset. This concept, known as “Privacy by Design and Default,” includes:

  • Data Minimization: Collect only the data you need and retain it for the shortest necessary period.
  • Default Protections: Ensure that the most privacy-protective settings are enabled by default in all systems and services.
  • Embedded Safeguards: Incorporate encryption, anonymization, and access controls into the design of new technologies and workflows.

3. Enhance Transparency and User Control

Customers and stakeholders increasingly expect transparency about how their data is collected, used, and shared. To meet these expectations:

  • Clear Privacy Policies: Draft policies that are concise, easy to understand, and regularly updated to reflect evolving regulations.
  • Consent Management: Implement robust systems for managing user consent, ensuring clear options for opting in and out of data collection practices.

4. Strengthen Data Governance and Accountability

A strong governance framework is vital for ensuring data privacy policies are consistently applied across the organization. Key actions include:

  • Appoint a Data Protection Officer (DPO): Designate a dedicated professional to oversee privacy initiatives and ensure compliance.
  • Conduct Regular Audits: Perform frequent internal and external audits to identify and mitigate potential privacy risks.
  • Establish Accountability: Clearly define roles and responsibilities related to data protection at every organizational level.

5. Stay Ahead of Regulatory Changes

Privacy regulations continue to evolve globally, with laws like GDPR, CPRA, CPA and new legislation emerging worldwide. To stay compliant:

  • Monitor Regulatory Developments: Dedicate resources to tracking changes in privacy laws and adapting your practices accordingly.
  • Participate in Industry Initiatives: Engage with industry groups and privacy coalitions to stay informed and share best practices.
  • Engage Legal Experts: Maintain close collaboration with legal teams to ensure policies align with current and upcoming regulations.

Conclusion

Building a privacy-first organization in 2025 is about more than just compliance—it’s about fostering trust, enhancing resilience, and positioning your company as a leader in data protection. By embedding privacy into the core of your operations and culture, you not only safeguard sensitive information but also build stronger relationships with customers and stakeholders. As privacy expectations continue to rise, forward-thinking organizations that prioritize privacy will thrive in the digital landscape.

If this sounds like too much to do, remember that we can support you in these efforts. We have a full privacy team with experts who live and breathe privacy and keep abreast of the changing laws. Please contact us via this post or visit: https://www.americancsm.com/

Filed Under: Cyber Security News


Copyright © 2025 American Cyber Security Management