Information security is undergoing a fundamental shift. It once rested comfortably within IT, but expanding information security and privacy regulatory regimes are driving general counsel’s offices to spend more and more time in the data center.
While information security laws and regulations are meant to improve security, the effect of nearly all existing regulations is to incentivize compliance, not security. The end result is that many organizations, driven by counsel, operationalize regulations instead of securing their business.
Using HIPAA as a case study, we will discuss potential problem areas and strategies for aligning compliance and security goals, and tips for improving communication between the data center and counsel’s office.
- Security drivers are shifting from IT to general counsel's offices.
- Compliance and security are not one and the same.
- Organizations must identify and address where compliance and security diverge.
About Andy Blair
Andy Blair is an associate in Dentons’ Corporate practice, focusing on privacy and data security and technology transactions. Andy’s practice draws on his technical background in information security and enterprise IT to counsel clients wherever technology and the law intersect. He has experience in federal and state regulatory compliance and enforcement, litigation, outsourcing and vendor management, privacy and security policies, intellectual property, risk management and data governance.
Andy’s rare combination of legal and technical expertise helps clients translate between legal compliance and technical requirements, an obstacle for many organizations. His perspective helps clients understand the technical impact of regulations and implement appropriate technical and procedural controls that manage cost and risk.