Effective leaders of any organization are investing a lot of time and resources to prevent unauthorized access of data and information. And it’s not just about regulations or compliance. These companies are prioritizing data privacy to build and maintain trust with customers, employees, outside vendors, and shareholders.
Meet Joyce Kim, an attorney at Octillo, who thoroughly enjoys guiding her clients through the difficult work of preventing a breach or recovering from one.
The path to Octillo
As an undergraduate student studying public policy, Joyce honed her research and analytic skills, peeling back the layers of all types of legislative actions. She found the psychology that existed behind the drafting of these policies to be fascinating, intentionally designed to shape our behaviors and guide our actions.
Joyce was inspired by this work, which naturally paved the way for pursuing a career in law. She imagined she would be able to craft policies and provide counseling to help individuals and businesses manage the challenges that exist today while contributing to the overall strength and health of her community.
Joyce forged ahead, earning her Juris Doctor from the Washington University in St. Louis School of Law. She joined a firm and started practicing litigation. Her focus was the courtroom, navigating the fallout from difficult situations her clients found themselves in, which proved to be interesting and challenging work. Her next move was joining the corporate finance group at the firm, assisting clients with complex business transactions.
Now armed with a holistic view of the law, Joyce began to look closely at data privacy, which was a topic that arose in all types of situations including in litigation matters, mergers and acquisitions, and pro bono work. Her interest was piqued.
To fully test the waters and make sure this path was the right one, Joyce earned her certification as a privacy professional (CIPP/US). In July of 2023, Joyce joined Octillo, which offered a great opportunity to focus solely on the area of the law that she found so intriguing.
Interpreting a complex maze of rules and regulations
Today, regulatory enforcement is an area of focus for Joyce. Her extensive research and analysis skills allow her to excel in this work.
In 2023, the U.S Securities and Exchange Commission (SEC) updated its requirements to expand investor protections and disclosures related to cybersecurity, and organizations are paying attention. Registrants must now disclose various aspects of their cybersecurity program. In addition, a 4-day notification deadline was established for “material” cybersecurity incidents..
“These amendments by the SEC nudged our clients to revisit how to prioritize data privacy in compliance with these requirements,” said Joyce. “A public disclosure of a material cybersecurity incident is designed to create a level of transparency and accountability, which ultimately better protects both consumers and investors, but can create extra considerations and significant challenges for any organization.”
It’s not just the SEC many have to think about. The Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS) are just two of the other active agencies enforcing laws to protect consumers and investors. Each has its own regulations, and each can lead to enforcement actions and fines. When faced with an inquiry from any of these agencies, companies are encouraged to seek legal counsel, and Joyce is eager to help.
Doing work that matters
More and more clients are asking for the firm’s training and assessment services, which Joyce says is a valuable step forward. Having a sophisticated data privacy strategy in place and leading key personnel through valuable exercises better prepares a team for navigating a cyber incident and managing the stress involved in responding to a regulatory inquiry.
When a breach does happen that results in an inquiry, Joyce is called on to defend her clients. She brings a positive energy throughout this complex process and reminds clients that a cybersecurity incident can be a time to learn and grow. “Once you've exposed areas that need improvement, you can strategize about how to implement changes in your data security program or policies to avert or reduce risk in future incidents.”
