Article written by Dave Hansen of ACES – published in January 2018 issue of Cedar Valley Business Monthly
In the wake of the investigations into the 2017 Equifax breach, Yahoo's admission that its 2013 breach exposed the personal data of ALL 3 billion Yahoo accounts (rather than the 1 billion originally reported) and Uber's year-long delay in disclosing its 2016 breach, it is not a stretch to expect new laws that tighten the requirements on businesses to protect consumer data and that set penalties for ignoring security measures or delaying the reporting of a breach.
Legislation was introduced on November 30, 2017 that would impose criminal penalties, including potential jail time, for individuals who conceal a data breach from those impacted. The bill also calls for the Federal Trade Commission to establish and enforce security protocols for businesses to follow as part of an effort to better protect consumer data.
There is already a global precedent for this type of legislation. In 2016, the European Union adopted the GDPR (General Data Protection Regulation), which requires compliance with a set of data protection and security measures by any business or organization that handles the personal data of people in the European Union (made up of 28 countries). The regulation applies from May 25, 2018 and reaches U.S. companies as well: any company that offers goods or services to people in an EU country, or monitors their behavior, is covered regardless of where the company is located.
While the U.S. government has in the past regulated specific industries, such as healthcare with HIPAA (Health Insurance Portability and Accountability Act) and financial institutions with GLBA (Gramm-Leach-Bliley Act), it has not introduced widespread regulations for data security. In fact, the most comprehensive data protection requirements have come from industry itself, as in the case of PCI DSS (Payment Card Industry Data Security Standard), which was introduced and is enforced by the major card brands (Visa, Mastercard, American Express, Discover and JCB) rather than by any government.
The Equifax breach is likely the straw that broke the camel's back, coming after weeks of Senate hearings in which top-level executives from Equifax, Yahoo and Uber made excuses and deflected blame for their companies' failures to protect data and to disclose their breaches in a timely manner.
What does all this mean to an organization in Eastern Iowa? It means it is time to take steps to secure your data even if you don't believe you have anything a hacker would want to steal. Modern cyber-crime has evolved into a much more sophisticated business than the simple theft of something valuable, and today the greater risks to your business are different ones: a criminal can deny you access to the data and systems you need to operate (as ransomware does), or can impersonate you or your staff through email, social media or any other digital communication technology you use in your daily business activities, for example to redirect a payment or request a wire transfer.
At the core of all the aforementioned data security regulations are specific strategies, technologies and practices that make it much more difficult for a criminal to gain access to your data. If you value anything stored on any computer in your business, following these practices adds layers of protection between that data and the constant stream of automated and targeted attacks coming from outside your network.
Data breaches continue to increase every year for a simple reason: it is easier and safer to steal from someone, damage a business or smear a reputation anonymously over the internet than it is in person. Behind this escalation in criminal activity can be nation-states, organized crime syndicates, anti-establishment groups or simply enterprising individuals.
Many businesses and organizations continue to take a set-it-and-forget-it approach to IT security, and this strategy is clearly not working. Industry analysts estimate that cyber-crime cost 3 trillion dollars in 2016, an amount they expect to double by 2021. Now is the time to get a handle on your data security, before you suffer a breach or the government mandates changes. I suppose the alternative is to shut all the computers down, destroy them and conduct business without them.