The GDPR’s Got Teeth

This week, the UK’s Information Commissioner’s Office (ICO) proposed two massive fines against companies found in violation of the EU’s newly enacted General Data Protection Regulation (GDPR).  

The first came on Monday when the ICO announced the proposed £183.39m fine against British Airways for a data breach in September 2018. The breach began in June 2018 after users attempting to access British Airways’ website were diverted to a fraudulent site. The attackers used this site to harvest customer information, resulting in the personal data of approximately 500,000 customers being stolen. 

British Airways first notified the ICO of the cyber-attack in September 2018. According to the ICO’s statement, their investigation found that customer information was compromised due to “poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.”

Then on Tuesday the ICO put out another statement, this time proposing a £99.2m fine against Marriott International for a data breach that was discovered in November 2018. The breach was the result of a compromise in the Starwood Hotels’ systems dating back to 2014. Marriott acquired Starwood in 2016 but did not discover the vulnerability until 2018. It is believed that roughly 339 million guest records were exposed between the initial breach and the time it was discovered.  

With regard to the Marriott investigation, ICO Information Commissioner Elizabeth Denham stated, “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

The GDPR is the EU’s wide-ranging privacy regulation, requiring companies to “implement appropriate technical and organizational measures… in an effective way… in order to meet the requirements of [the] Regulation and protect the rights of data subjects.” In addition, the regulation establishes broad privacy rights for consumers, including widened conditions of consent for companies to process personal information and the right of users to obtain information on how their data is being used, and it even gives users the right to request that companies delete their information.

Under the GDPR, organizations can be fined up to €20 Million or 4% of annual global profits (whichever is greater).  

Both incidents make clear that the GDPR is taking matters of consumers’ privacy extremely seriously, and regulators are sending a message that companies need to as well. From the perspective of the GDPR, businesses are not passive victims of cyber-attacks, but directly responsible for securing consumers’ information.

Every organization should take this news to heart, no matter where they do business. Lawmakers in the U.S. are beginning to pass regulations, such as the California Consumer Privacy Act, that are modelled after the GDPR. Fines such as those proposed against British Airways and Marriott could be devastating to a company. So, it’s essential that all businesses take steps to ensure they are doing the utmost to protect their data. Now.


The One Thing


Remember Curly from City Slickers? He’s the character played by Jack Palance who said the meaning of life is “One Thing”. And when it comes to an effective cybersecurity program, that One Thing is You.

Often, when we think about cybersecurity and business, the assumption is that it should fall under the domain of IT. With the ever-increasing and complicated role technology and data play in business, it might seem to make sense to just leave it to those within the organization who were hired to handle technological systems. The problem, however, is that in many cases data breaches occur, and the magnitude of the breach is greatly increased, because of a disconnect between IT and business leadership. The massive Equifax breach, for example, occurred in large part because of a governance structure that stifled communication between security and IT.

Here are a few steps any business should take to create a governance structure that properly emphasizes cybersecurity.

Identify and Communicate Security Expectations

All members of the senior-level leadership team should work to identify the organization’s expectations for securing company information and assets in a way that aligns with overall business goals and objectives. Leadership teams should also create a well-defined framework for compliance with these security expectations across all aspects of the business. Ensuring everyone within the company — from the board level down — is working to protect the organization’s data is key, and must be well-communicated throughout all levels of the company.

Inspect what you Expect

Develop, and review on an ongoing basis, key metrics around cybersecurity, such as engagement with cyber-awareness programs, results of phishing simulation campaigns, key alerts reviewed by your security team, and plans of action and milestones resulting from previous vulnerability scans or audits. Make this part of your quarterly executive meeting agenda.

Adapt and Respond

Make sure you have someone reviewing the threat and regulatory landscape to determine what changes need to be made in your systems, controls or operating procedures to ensure you are maximizing your cybersecurity efforts.

Demonstrate and Communicate

It bears repeating. Governance requires Leadership, and Leadership requires Communication as well as Walking the Walk. Bring up cybersecurity in your Town Hall meetings; position it in the context of how it helps build reputation, brand value and the respect of your customers. Make it part of your business strategy, not simply compliance.

As with customer satisfaction, operational excellence in cybersecurity is only as good as the visible commitment leadership brings to it. Protecting your business always starts at the top. Creating, maintaining, and regularly reviewing your governance structure is essential to keeping your information, communications, and assets safe.

And that’s good business.

Cyber Security Regulations for Small and Medium Size Businesses

As cybersecurity concerns increase, so have government regulations. The problem, however, is that these regulations are not all enforced at the federal level, and sometimes pertain only to specific types of businesses. It is important for businesses to understand the regulations for their industry and/or geographic location and take steps to put the right cybersecurity program in place in order to comply. To help with that process, here is a short guide to four of the most important cybersecurity and privacy regulations in the U.S. today.

  • HIPAA – The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is one of the oldest and best-known federal privacy regulations in the U.S. These regulations require that all companies within the healthcare and health insurance industry implement administrative, physical, and technical safeguards to ensure the protection of all electronic health information. This includes periodic risk assessment reports, workforce training and management, and access and audit controls. More information on HIPAA and how to ensure compliance can be found here.


  • NYSDFS Cybersecurity Regulations – In 2017 the New York State Department of Financial Services put in place regulations for all financial institutions requiring a license to operate in New York. These regulations require that a comprehensive cybersecurity program be put in place, including the designation of a Chief Information Security Officer, the implementation of cybersecurity policies based on a comprehensive risk assessment, and periodic penetration and vulnerability tests. The regulations require businesses to provide cybersecurity training for employees, limit the amount of time data is retained, encrypt all nonpublic information, audit their third-party vendors, develop an incident response plan, and notify the NYSDFS of any breach of nonpublic information.


  • Securities and Exchange Commission: As of 2018, the SEC has put in place cybersecurity initiatives designed to protect retail investors from cyber-related attacks. These regulations affect all investment and public companies operating in the U.S. The role of these initiatives is primarily to provide resources for businesses to identify and assess cybersecurity risks, detect compromises to systems, plan their response to compromises, and take steps to recover stolen data. However, the SEC does require companies to report how data is being secured, and any cyber-related incidents such as data breaches. You can find the SEC’s resource page here. For even more information, the Financial Industry Regulatory Authority has additional resources and checklists for small businesses.


  • California Consumer Privacy Act (CCPA): The CCPA is one of the newest regulatory laws in the U.S. and provides consumers extensive control over how businesses collect and use personal information. The law applies to all for-profit entities doing business in California that collect personal consumer data. Under the CCPA, companies must provide consumers with information on what data is being collected, and consumers have the right to opt out of the sharing or selling of their personal information. Consumers additionally have the right to sue if a breach occurs because the company used careless or negligent means to protect data. The CCPA will go into effect in January 2020, and the full initiative can be found here.


While not all of these regulations will pertain to your business, it is likely that such initiatives will be standardized across industries and states in the near future. It is therefore essential that businesses begin to put some of these practices in place now. Here are some basic steps that can be taken today:

  1. Develop a cybersecurity policy. Two tools that can help come from the National Institute of Standards and Technology (NIST), which provides security and privacy controls for federal organizations, and the International Organization for Standardization (ISO), which specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within the context of the organization.
  2. Work towards improving the security controls in the organization, with special emphasis on access control, data encryption, security governance, incident response, vulnerability management (e.g., patching and scanning), and vendor management.
  3. Train everyone on their role in cybersecurity.
  4. Have someone in the organization responsible for cybersecurity, and make sure they are getting training.

Finally, while the emphasis in this post is compliance, recognize who you are really doing this for: your customers, your employees, your investors and yourself.

Is MFA necessary or just a PIA?

Are the days of simply keying in a login name and password coming to an end? Perhaps not, but increasingly, cybersecurity standards and certain regulations require that you have more than a password to log in to areas that contain sensitive data or critical processes. MFA, or “Multi-Factor Authentication”, is a log-in process that provides the ability to do just that. In fact, you may already be using it: being asked to key in a code that is texted to your cell phone in order to log on to your credit card account is one example.

In essence, MFA requires a minimum of two of the following three authentication factors: (1) something you know (e.g., a password); (2) something you have (e.g., a mobile app on a smartphone that generates a one-time password or code); and (3) something you are (e.g., a biometric such as a fingerprint or retinal scan).

The US Department of Defense requires MFA for its contractors, and any service which adheres to NIST 800-171 or NIST 800-63-3 will have similar MFA requirements. In addition, the New York Department of Financial Services has issued Cybersecurity Regulations which include the requirement that MFA must be used when accessing internal networks from an external network, unless the CISO (Chief Information Security Officer) has provided written approval to use reasonably equivalent, or more secure, access controls. It is not difficult to imagine that MFA will be a staple part of future regulations.

MFA does require an extra step, and most of us are used to technology decreasing the time it takes to get things done. However, it greatly reduces the ability of a bad guy to leverage your login account name and password to get in to your system. And that is a good thing.

Even if you are not currently required to use MFA, consider adding MFA to any site that may hold key data you would want to protect, like client information, employee information, your bank accounts, credit cards, insurance, social media, email and even travel sites (which may be storing your passport information). Most of these sites will provide MFA. If not, they are certainly working on it.

MFA might be a PIA, but it’s also good CYA, as in “Cover Your Assets”!


Independence

Technology has radically altered our lives, democratized abilities and possibilities, and has embedded itself in virtually everything we do.

But perhaps we should not confuse technology with the possibility of more freedom or increased liberty. In fact, technology might more often get in the way.

I think Independence can be best felt walking in the meadow or along a stream on a sunny morning, measuring my breath against the songs of the insects and the birds.

And I see Liberty in the smiles of family, friends and neighbors when we get together and do nothing but enjoy each other’s company.

In other words, on this Independence Day, what a great time to set down our phones and laptops and desktops and relive freedom, relive independence, relive what it means to be human.

Happy Fourth of July!