On Wednesday, The New York Department of Financial Services (NYDFS) announced their first ever cybersecurity charges against title insurance company First American for a data breach that exposed hundreds of millions of records containing sensitive information over the course of nearly five years.
The First American data breach initially occurred in October 2014 after an error in an application update left 16 years worth of mortgage title insurance records available to anyone online without authentication. These documents included information such as social security numbers, tax records, bank statements, and drivers license images. The error went undetected until December 2018, when First American conducted a penetration test that discovered the venerability. According to the NYDFS, however, First American did not report the breach and left the documents exposed for another 6 months, until a cybersecurity journalist discovered and published about the breach.
Charges against First American for their role in the data breach is the first time the NYDFS is enforcing the department’s cybersecurity regulations established in 2017. The regulation requires financial organizations with a license to operate in New York to establish and follow a comprehensive cybersecurity policy, provide training for all employees, implement effective access controls, and conduct regular venerability tests in line with a cybersecurity risk assessment.
First American is facing 6 charges, including failing to follow their internal cybersecurity policy, misclassifying the exposed documents as “low” severity, as well as failing to investigate and report the breach in a timely manner.
While the fine for a violation of the regulation is only up to $1,000, the NYDFS considers each exposed document as a separate violation. So, with up to 885 million records potentially exposed, First American could be looking at millions of dollars in fines if the charges stick.
News of the charges should serve as a wake-up call to U.S. organizations unconcerned with cybersecurity regulations. While the U.S. does not have any federal regulations, and there are a number of state regulations that have gone into effect in the past 5 years. This is merely one of what is likely many companies that will face enforcement unless they take steps now to ensure compliance.
Last week the top court in the European Union found that Privacy Shield, the framework used to transfer data between the E.U. and the U.S., does not sufficiently protect the privacy of E.U. citizens. and is therefore invalid. The courts decision has left many businesses scrambling and throws the difference between E.U and U.S. privacy standards in stark relief.
Privacy Shield was a data sharing framework enacted by the E.U. courts in 2015. Since then, however, the E.U. established the General Data Protection Regulation (GDPR) three years later, which places stricter privacy requirements when processing the data of E.U. citizens. According to the Washington Post, over 5,300 companies — including Facebook, Google, Twitter, and Amazon — that signed up to use the Privacy Shield framework now need to find a new way to handle the data of E.U. citizens in the United States.
The court made their decision after privacy expert Max Schrems filed a complaint against Facebook for violating his privacy rights under the GDPR once Facebook moved his information to the U.S. for processing. While the GDPR does allow the data of E.U. citizens to be transferred to other countries, that data must continue to comply with the GDPR standards after it is transfer. The problem with Privacy Shield, according to the E.U. decision, is that the U.S. government has wide-reaching access to personal data stored in the United States. And while the E.U. acknowledges that government authorities may access personal information when necessary for public security, the courts ultimately found that the U.S. does not meet the requirements of the GDPR “in so far as the surveillance programmes…. are not limited to what is strictly necessary.”
This decision starkly highlights the differences not only in E.U. and U.S. privacy regulations but also the privacy standards used in surveillance activities. In a statement to the Washington Post, Schrems said, “The court clarified…that there is a clash of E.U. privacy law and U.S. surveillance law. As the E.U. will not change its fundamental rights to please the [National Security Agency], the only way to overcome this clash is for the U.S. to introduce solid privacy rights for all people — including foreigners….Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”
Moving forward, U.S. companies processing E.U. citizen data will either need to keep that data on servers within the E.U. or use standard contractual clauses (SCCs). SCCS are legally agreements created by individual organizations that cover how data is used. Of course, any SCCs will need to be compliant with the GDPR.
The good news: Many companies these days are using cybersecurity controls and security training for their employees. The bad news: A lot of these businesses are putting in the place the bare minimum in order to meet compliance requirements. The truth is, however, the you can be compliant but not secure. Remember the big Target breach in 2013? Hackers were able to take the debit and credit card information of millions are shoppers by accessing Target point-of-sale systems. The irony is that, just months before the attack, Target was certified PCI compliant. In the words of then-CEO Gregg Steinhafel, “Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.” Simply put: Target was compliant but not secure.
Creating a Culture
If your security awareness program is a “check the box” compliance program, you can bet your employees are going through the same motions as you are. How has that improved your security posture? It hasn’t. Instead, creating a strong security program is first and foremost about creating a culture around security. And this has to start at the top, with your executive officers and your board. If business leaders set a security-focused tone, then employees will likely follow suit.
The reason a business can be compliant and not secure is because cybersecurity isn’t a one and done deal. Compliance is a state, cybersecurity is an ongoing process that involves the entire organization — from the boardroom to the cubicle. Verizon Data Breach Investigation Report shows that the human factor is the largest factor leading to breaches today. If that’s the case, perhaps instead of checking off the boxes and before investing in that new machine learning intrusion detection gizmo, consider focusing on human learning, engagement and the behaviors that can drive a mindful security culture.
Other than California, New York now has some of the strictest cybersecurity regulations in the U.S. In 2017, New York passed a bill that regulates data privacy for the financial services. Now, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) is in effect as of March 21st. Unlike previous legislation, compliance is not limited to specific industries and pertains to any business that processes the personal information of New York residents. And, despite the current pandemic, lawmakers have not delayed the implementation of the new law.
Here is what you need to know to ensure compliance with the SHEILD Act.
Much of the data protected under the SHIELD act is already covered by the state’s breach notification laws. This includes social security numbers, driver license numbers, account numbers, and debit and credit card numbers. However, the new regulation expands the definition of protected data by also including biometric data, and email addresses in combination with passwords or security questions and answers.
The SHIELD Act also expands the definition of a security breach. A breach is considered to occur not just if an unauthorized person takes or uses private information, but also if that data is accessible to anyone not considered authorized to view that information. There are many examples of where this could possibly take place, including providing access of sensitive information to third party vendors who do not need to access that information or having the credentials of an email account compromised even though there was no sensitive data in the email folder.
The SHIELD Act also lays out a series of cybersecurity protections needed to maintain compliance with the regulation. Broadly, the act requires businesses to put in place “reasonable safeguards” to ensure the privacy of their information. However, the regulation also requires organizations to maintain a written cybersecurity policy. One of the unique requirements of the policy is that organization must have at least one employee dedicated to maintaining cybersecurity procedures. In addition, cybersecurity policies need to address the following:
Identification of internal and external security risks
Assessment of the ability of technical safeguards to protect against identified risks
The training of employees on security practices
Reviewing security practices of third party vendors
Proper detection and response to unauthorized access
Regular testing of security controls
Secure disposal of protected information within a reasonable time frame.
There are certain businesses that do not need to meet these exact security requirements. Small businesses with under 50 employees, for example, are exempt if they can demonstrate they have taken reasonable steps to ensure the privacy of their information. In addition, organization already regulated by other privacy laws such as HIPAA, Graham-Leach-Bliley Act, or New York Department of Financial Services regulations are covered if they maintain compliance with these other regulations.
Because the scope of the SHIELD Act is so broad and could affect many businesses outside of New York, it is very important for all organizations to carefully review the new regulation. New York is likely to begin enforcement of the regulations very soon, and non-compliant business may receive fines of $5,000 per violation with no penalty caps.
However, even businesses not affected by the SHIELD Act should think seriously about implementing some of the recommended security measures. More and more states are beginning to implement similar regulations, and the burden of implementation could be costly if it is left to the last minute.
Like the often quoted phrase, “A camel is a horse designed by committee”, compliance regulations often do more to over complicate issues than solve them. At the same time, companies that just focus on meeting compliance standards can miss addressing the risks the compliance measures were designed to mitigate.
After all, Target Department Stores successfully passed a PCI audit two months before their massive breach in 2013.
Naomi Lefkovitz of the National Institute of Standards and Technology perhaps said it best when discussing privacy risk at a conference last month in Brussels. “If you do something that upsets your customers from a privacy standpoint and then you tell them ‘Well I’ve done everything correct under the law’ will they be any more satisfied? Probably not. That’s privacy risk in a nutshell.”
When focusing on cybersecurity or data privacy, the key is to understand what your risks are. In many cases those risks will involve other parties and you need to determine the impact that an incident will have on them when you determine how to and where to take preventive action.
“Focus on your customers and your employees and the business will take care of itself,” is another often quoted phrase. If you do that as you put together your cybersecurity and data privacy practices, compliance and the rest of the business will take care of itself, as well.
When processing customer’s payments, you are asking them to trust you with some of the most sensitive information they have. It’s essential to ensure that data is being properly secured. One of the main ways organizations can ensure data security is by complying with the Payment Card Industry Data Security Standard (PCI DSS). While PCI DSS is not government mandated, it is required by Visa, American Express, MasterCard, Discover, and JCB International before handling any amount of payment cards by these companies. So, if you process payments cards by any of these brands you’ll need to be in compliance.
The PCI DSS outlines 12 privacy-focusedrequirements for companies. These requirements include both operational and technical components ranging from encryption of card holder data, to regular vulnerability tests, to the development of a comprehensive Information Security Policy. You can find an overview of all 12 requirements here.
Compliance Validation for Processors
While all companies processing any amount of payment card information need to meet the 12 PCI DSS requirements, the method of validating compliance differs. Reporting requirements are based primarily on processing volume (amount of payment cards processed) and whether a company has suffered a data breach in the past. Each credit card company has slightly different reporting requirements, but in general compliance reporting breaks down as follows:
Organizations handling large amount of transactions or who have suffered a breach will be required to have an onsite assessment completed by an external, Qualified Security Assessor (QSA).
Organizations with smaller processing volume can instead opt-in to file a Self-Assessment Questionnaire. The specific questionnaire required depends on several variables, such as whether you are an e-commerce merchant, type of payment terminal used, and whether processing is outsourced to third-party.
Compliance Requirements If You Use Third-Party Processors
Using a third-party can help streamline payment processing but does not exempt organizations from PCI compliance and reporting requirements. Organizations that outsource processing are still ultimately responsible for ensuring secure processing.This requires a self-assessment questionnaire that evaluates your security posture. Typically, this would either be PCI SAQ-A or SAQ A-EP. In addition, you should vet third-party vendors before working with them, create detailed agreements with policies and procedures that outline each party’s responsibilities in maintaining compliance, as well as regularly monitor your vendor’s compliance statues. Full information on using third-party vendors can be found here.
Credit card fraud can be a devastating experience. So when a customer chooses to hand over payment information, they are putting an extreme about of trust in your organization to handle that information with care. Whether you process the information yourself, or use a third-party, at the end of the day you are responsible for ensure that your customer’s sensitive information is completely secure. PCI DSS compliance is one of the most useful tools for doing this