While cyber attacks such as ransomware have steadily increased in frequency over the past few years, more recent, widely publicized attacks like the Colonial Pipeline attack have finally caused government agencies to sit up and start taking action. The White House’s unprecedented executive order, for example, aims to help modernize the federal government’s cybersecurity practices, and the FBI recently requested an additional $40 million for cybersecurity defenses. While these important steps are aimed at strengthening the government’s response to cyber threats, other government agencies are now starting to issue updated guidelines for regulated industries. Much of these new guidelines cover a lot of the basics of cybersecurity practices, like creating a cybersecurity policy and encrypting sensitive data. However, what becomes clear is that for regulated industries to fully adopt these guidelines there must be a focus on managing and mitigate the human risks involved in cybersecurity.
Of the various government agencies issuing new cybersecurity guidelines, the U.S. Department of Labor’s Employee Benefits Security Administration guidelines is notable for being the first time the department has issued any sort of cybersecurity guidance. The guidelines are aimed at entities covered under the Employee Retirement Income Security Act, including “benefit plan sponsors, plan fiduciaries, record keepers and plan participants” and are designed to protect the estimated $9.3 trillion in assets the department oversees. Included in the guidelines are practices widely considered essential for defending against cyber threats, including a formal cybersecurity policy, annual risk assessments, and conducting security reviews of 3rd party vendors.
Many of the guidelines issued by the Department of Labor are aligned with the New York Department of Financial Service’s 2017 cybersecurity regulation, which itself is starting to ramp up its own guidelines. In June, the NYDFS released updated FAQ’s that offer further guidance on complying with the state regulation while also releasing new ransomware guidelines. The updated FAQ shows the department is not messing around. While the NYDFS outline which covered entities can file for an exemption, they also emphasize that even exempt entities must comply with certain aspects of the regulation, such as maintaining a cybersecurity policy, conducting risk assessments, and notifying the department of any cybersecurity events. In their ransomware guidance, the department cites the importance of practices such as cyber awareness training, MFA and password management, and strong access privilege restrictions — all of which are already required under the department’s regulation.
While many of the cybersecurity guidelines government agencies are now offering cover some of the basic cybersecurity practices, implementing and maintaining these guidelines can be pretty daunting for a business to try to put in place. What becomes clear is that even the technical aspects of cybersecurity involve managing and mitigating human risks. For example, the NYDFS urges covered entities to implement a patch management program, which requires leadership ensuring their IT team regularly apply patches to the organization’s software and systems. If their IT fails to do this, they could be slapped with millions in fines. It’s therefore essential businesses focus not only on staying compliant, but also ensuring their teams are developing habits that align with their cybersecurity needs. Managing these human risks first and foremost involve three factors: keeping tasks simple, using prompts for employees, and providing positive feedback. In combination, these three factors will help to ensure employees can develop and sustain these habits that, ultimately, can make or break an organization’s cybersecurity posture.
On Wednesday, The New York Department of Financial Services (NYDFS) announced their first ever cybersecurity charges against title insurance company First American for a data breach that exposed hundreds of millions of records containing sensitive information over the course of nearly five years.
The First American data breach initially occurred in October 2014 after an error in an application update left 16 years worth of mortgage title insurance records available to anyone online without authentication. These documents included information such as social security numbers, tax records, bank statements, and drivers license images. The error went undetected until December 2018, when First American conducted a penetration test that discovered the venerability. According to the NYDFS, however, First American did not report the breach and left the documents exposed for another 6 months, until a cybersecurity journalist discovered and published about the breach.
Charges against First American for their role in the data breach is the first time the NYDFS is enforcing the department’s cybersecurity regulations established in 2017. The regulation requires financial organizations with a license to operate in New York to establish and follow a comprehensive cybersecurity policy, provide training for all employees, implement effective access controls, and conduct regular venerability tests in line with a cybersecurity risk assessment.
First American is facing 6 charges, including failing to follow their internal cybersecurity policy, misclassifying the exposed documents as “low” severity, as well as failing to investigate and report the breach in a timely manner.
While the fine for a violation of the regulation is only up to $1,000, the NYDFS considers each exposed document as a separate violation. So, with up to 885 million records potentially exposed, First American could be looking at millions of dollars in fines if the charges stick.
News of the charges should serve as a wake-up call to U.S. organizations unconcerned with cybersecurity regulations. While the U.S. does not have any federal regulations, and there are a number of state regulations that have gone into effect in the past 5 years. This is merely one of what is likely many companies that will face enforcement unless they take steps now to ensure compliance.
Last week the top court in the European Union found that Privacy Shield, the framework used to transfer data between the E.U. and the U.S., does not sufficiently protect the privacy of E.U. citizens. and is therefore invalid. The courts decision has left many businesses scrambling and throws the difference between E.U and U.S. privacy standards in stark relief.
Privacy Shield was a data sharing framework enacted by the E.U. courts in 2015. Since then, however, the E.U. established the General Data Protection Regulation (GDPR) three years later, which places stricter privacy requirements when processing the data of E.U. citizens. According to the Washington Post, over 5,300 companies — including Facebook, Google, Twitter, and Amazon — that signed up to use the Privacy Shield framework now need to find a new way to handle the data of E.U. citizens in the United States.
The court made their decision after privacy expert Max Schrems filed a complaint against Facebook for violating his privacy rights under the GDPR once Facebook moved his information to the U.S. for processing. While the GDPR does allow the data of E.U. citizens to be transferred to other countries, that data must continue to comply with the GDPR standards after it is transfer. The problem with Privacy Shield, according to the E.U. decision, is that the U.S. government has wide-reaching access to personal data stored in the United States. And while the E.U. acknowledges that government authorities may access personal information when necessary for public security, the courts ultimately found that the U.S. does not meet the requirements of the GDPR “in so far as the surveillance programmes…. are not limited to what is strictly necessary.”
This decision starkly highlights the differences not only in E.U. and U.S. privacy regulations but also the privacy standards used in surveillance activities. In a statement to the Washington Post, Schrems said, “The court clarified…that there is a clash of E.U. privacy law and U.S. surveillance law. As the E.U. will not change its fundamental rights to please the [National Security Agency], the only way to overcome this clash is for the U.S. to introduce solid privacy rights for all people — including foreigners….Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”
Moving forward, U.S. companies processing E.U. citizen data will either need to keep that data on servers within the E.U. or use standard contractual clauses (SCCs). SCCS are legally agreements created by individual organizations that cover how data is used. Of course, any SCCs will need to be compliant with the GDPR.
The good news: Many companies these days are using cybersecurity controls and security training for their employees. The bad news: A lot of these businesses are putting in the place the bare minimum in order to meet compliance requirements. The truth is, however, the you can be compliant but not secure. Remember the big Target breach in 2013? Hackers were able to take the debit and credit card information of millions are shoppers by accessing Target point-of-sale systems. The irony is that, just months before the attack, Target was certified PCI compliant. In the words of then-CEO Gregg Steinhafel, “Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.” Simply put: Target was compliant but not secure.
Creating a Culture
If your security awareness program is a “check the box” compliance program, you can bet your employees are going through the same motions as you are. How has that improved your security posture? It hasn’t. Instead, creating a strong security program is first and foremost about creating a culture around security. And this has to start at the top, with your executive officers and your board. If business leaders set a security-focused tone, then employees will likely follow suit.
The reason a business can be compliant and not secure is because cybersecurity isn’t a one and done deal. Compliance is a state, cybersecurity is an ongoing process that involves the entire organization — from the boardroom to the cubicle. Verizon Data Breach Investigation Report shows that the human factor is the largest factor leading to breaches today. If that’s the case, perhaps instead of checking off the boxes and before investing in that new machine learning intrusion detection gizmo, consider focusing on human learning, engagement and the behaviors that can drive a mindful security culture.
Other than California, New York now has some of the strictest cybersecurity regulations in the U.S. In 2017, New York passed a bill that regulates data privacy for the financial services. Now, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) is in effect as of March 21st. Unlike previous legislation, compliance is not limited to specific industries and pertains to any business that processes the personal information of New York residents. And, despite the current pandemic, lawmakers have not delayed the implementation of the new law.
Here is what you need to know to ensure compliance with the SHEILD Act.
Much of the data protected under the SHIELD act is already covered by the state’s breach notification laws. This includes social security numbers, driver license numbers, account numbers, and debit and credit card numbers. However, the new regulation expands the definition of protected data by also including biometric data, and email addresses in combination with passwords or security questions and answers.
The SHIELD Act also expands the definition of a security breach. A breach is considered to occur not just if an unauthorized person takes or uses private information, but also if that data is accessible to anyone not considered authorized to view that information. There are many examples of where this could possibly take place, including providing access of sensitive information to third party vendors who do not need to access that information or having the credentials of an email account compromised even though there was no sensitive data in the email folder.
The SHIELD Act also lays out a series of cybersecurity protections needed to maintain compliance with the regulation. Broadly, the act requires businesses to put in place “reasonable safeguards” to ensure the privacy of their information. However, the regulation also requires organizations to maintain a written cybersecurity policy. One of the unique requirements of the policy is that organization must have at least one employee dedicated to maintaining cybersecurity procedures. In addition, cybersecurity policies need to address the following:
Identification of internal and external security risks
Assessment of the ability of technical safeguards to protect against identified risks
The training of employees on security practices
Reviewing security practices of third party vendors
Proper detection and response to unauthorized access
Regular testing of security controls
Secure disposal of protected information within a reasonable time frame.
There are certain businesses that do not need to meet these exact security requirements. Small businesses with under 50 employees, for example, are exempt if they can demonstrate they have taken reasonable steps to ensure the privacy of their information. In addition, organization already regulated by other privacy laws such as HIPAA, Graham-Leach-Bliley Act, or New York Department of Financial Services regulations are covered if they maintain compliance with these other regulations.
Because the scope of the SHIELD Act is so broad and could affect many businesses outside of New York, it is very important for all organizations to carefully review the new regulation. New York is likely to begin enforcement of the regulations very soon, and non-compliant business may receive fines of $5,000 per violation with no penalty caps.
However, even businesses not affected by the SHIELD Act should think seriously about implementing some of the recommended security measures. More and more states are beginning to implement similar regulations, and the burden of implementation could be costly if it is left to the last minute.
Like the often quoted phrase, “A camel is a horse designed by committee”, compliance regulations often do more to over complicate issues than solve them. At the same time, companies that just focus on meeting compliance standards can miss addressing the risks the compliance measures were designed to mitigate.
After all, Target Department Stores successfully passed a PCI audit two months before their massive breach in 2013.
Naomi Lefkovitz of the National Institute of Standards and Technology perhaps said it best when discussing privacy risk at a conference last month in Brussels. “If you do something that upsets your customers from a privacy standpoint and then you tell them ‘Well I’ve done everything correct under the law’ will they be any more satisfied? Probably not. That’s privacy risk in a nutshell.”
When focusing on cybersecurity or data privacy, the key is to understand what your risks are. In many cases those risks will involve other parties and you need to determine the impact that an incident will have on them when you determine how to and where to take preventive action.
“Focus on your customers and your employees and the business will take care of itself,” is another often quoted phrase. If you do that as you put together your cybersecurity and data privacy practices, compliance and the rest of the business will take care of itself, as well.