
Hidden Data. Thriving Threats: Webinar Q&A

BY SPIRION
August 18, 2025

In the final minutes of our recent cybersecurity compliance webinar, “Hidden Data. Thriving Threats.”, the panel delivered some no-nonsense advice in response to audience questions. Here’s what you need to know. 

1. What’s the Most Common Misstep That Triggers FCA Liability? 

Julie Bracker, Partner at Bracker & Marcus LLC, didn’t hesitate. The biggest mistake? Certifying compliance without actually having a System Security Plan (SSP).

Too many organizations treat Controlled Unclassified Information (CUI) like it’s low-risk. After all, it’s not classified. However, it does cover defense information, and signing off on compliance when you haven’t done the work is a serious misstep under the False Claims Act (FCA). 

The root cause? Assuming IT generalists can handle specialized cybersecurity assessments. As Bracker bluntly put it: “You wouldn’t ask your GP to do brain surgery. Cybersecurity is just as specialized.” 

2. I Don’t Know Where All My Sensitive Data Is. Where Do I Start? 

Scott Giordano, Esq., Partner at The CISO Law Firm, offered this simple strategy: start small.

Rather than tackling your most complex system (like HR), pick the smallest system where sensitive data lives and run a full discovery and assessment. “Get your arms around it,” he said. Treat it as an exercise. That first win builds momentum and knowledge you’ll need for tackling the bigger beasts. 

3. Why Should I Think ‘Program,’ Not ‘Project’ When It Comes to Privacy and Security? 

Kevin Coppins, CEO of Spirion, emphasized mindset. Too many leaders see compliance as a one-time box to check. In reality, data privacy and risk management need to be ongoing programs, not one-and-done projects.

Think of it like Identity and Access Management, which evolved from a project into a permanent function in many organizations. Treat your data with the same respect: the threats never stop, and neither should your efforts.

4. What Should I Be Asking My Vendors About Risk? 

Scott Giordano circled back with this final critical insight: “Ask vendors what protections they had in place BEFORE your relationship began.” 

If they can’t clearly explain how they safeguard data, whether through SOC 2, ISO certification, or concrete policies, that’s a red flag. It’s better to walk away early than discover a security hole after the fact. 

Final Takeaway 

Cyber risk isn’t a checkbox. It’s a daily discipline. Whether you’re avoiding legal traps, mapping your data, or choosing the right partners, the key is to get real, get specific, and get help when you need it. 
