Compliance is changing: ‘Security and privacy can no longer function independently,’ expert says

By Ken Showers, Managing Editor
Updated 1:22 PM CDT, Tue June 17, 2025

YARMOUTH, Maine — With the lack of comprehensive consumer data privacy laws on a federal level, several states have moved to enact their own in 2025, and that means new hurdles to compliance for security companies, experts say.
On Jan. 1, new laws went into effect in Delaware, Iowa, Nebraska and New Hampshire that, generally, seek to control the processing and sale of consumer and personal data. In July, they’ll be joined by Tennessee and Minnesota.
This growing list of states means more complications for any business that handles significant amounts of consumer data, says Simon Randall, CEO of Pimloc.
“We’re specifically talking about insurers, retailers, health care providers, transportation agencies and, of course, organizations relying heavily on video and audio data, such as in public safety or law enforcement,” he said. “It’s not just the big tech companies anymore; mid-sized firms and local businesses that handle sensitive personal data, including video footage, biometric identifiers, health information and location data, will also be squarely in scope to face new compliance obligations and enforcement risks.”
So, what’s the best path to compliance for affected businesses? Randall believes that compliance starts with embracing privacy-first technologies that automate protection at scale, saying that manual redaction or relying solely on policies won’t suffice anymore.
Maurice Uenuma, VP & GM, Americas, at Blancco believes that data sanitization is a key factor in maintaining compliance.
“As it pertains to cybersecurity, data sanitization is important in several ways,” he said. “It reinforces robust data management, which has the effect of tightening an organization’s control of its sensitive data, while minimizing the presence of redundant, obsolete or trivial (ROT) data, which has the effect of reducing the data ‘attack surface.’ It substantially reduces the risk of data leakage by sanitizing data-bearing assets, such as storage media, prior to transfer or decommissioning, while maintaining compliance with cybersecurity regulations and standards. Data sanitization is one of the very few absolute, definitive security controls – if the data’s gone, it can’t be stolen.”
Both experts agree that staying compliant means having privacy measures embedded throughout every stage of data handling, rather than taking a reactive approach.
So, what implications does this fragmented legislation have for cybersecurity, in particular, going forward?
“These new laws are elevating cybersecurity from a technical back-office function to a critical boardroom priority,” Randall asserts. “Protecting data today surpasses merely fending off hackers; it requires actively managing how sensitive personal information moves through your systems. This shift fundamentally changes how organizations approach data protection. Security and privacy can no longer function independently; they must be integrated seamlessly to build genuine trust with consumers and to comply with increasingly stringent regulatory requirements.”