It is difficult to visit a major news source without reading about an incident involving a data breach or cybersecurity attack. Laptops are stolen or lost, private information is compromised, or sensitive information is hacked. No organization is really immune, and the costs incurred after a breach (both direct and indirect) continue to mount. However, many organizations still operate on the assumption that, “It won’t happen here.”
Demonstrating a return on investment for prevention can be a challenge, and it may be a struggle to gain support for additional cybersecurity resources or software upgrades. Funding for tangible items is often an easier sell, and initiatives that can’t show immediate returns may be put on the back burner. However, as those of us in the industry know, you can’t roll the dice with cybersecurity. In your next budget presentation, it may be helpful to include some of the legal consequences that you can face if appropriate security controls aren’t put in place.
Depending on the type of information that you are protecting (e.g. payment card data, healthcare records, student records, etc.), there are different standards and regulations that apply – PCI DSS, HIPAA, National Privacy Principals (AUS), FERPA, GLBA, FACTA, etc.
There are also data breach notification laws that require organizations to notify consumers whose personal information has been exposed in a data breach. These laws are more general and tend to cover any type of personally identifiable information.
In the US, 50 of the 50 states have enacted legislation requiring notifications to consumers, and Australia recently passed their own mandatory data breach notification law. While the specific details of each law differ from state to state, and country to country, the laws generally require that organizations provide prompt notification as soon as they become aware of the breach, and if the organization reasonably believes that the personal information has been compromised or could be at “risk”.
Laws will continue to become more stringent as risks and threats evolve. Just today, March 1, a new state cyber security regulation in New York takes effect, requiring banks and insurers to meet minimum cyber security standards and report breaches to regulators. We predict similar laws to be put in place in other states and for other industries, as additional measures are taken to protect organizations and consumers from economic harm.
Do laws really help improve cybersecurity? More legislation may seem unnecessary to some – shouldn’t organizations be protecting this information anyway? Well, yes, they should, but with the ever increasing sophistication of threats, and the speed in which vulnerabilities can be exploited, having this type of legislation in place can provide additional motivation to organizations to do a better job of protecting data.
Cybersecurity is now a public concern. Laws are in the best interest of the consumers, and ensure individuals are informed and are able to understand how their sensitive and personal information is being secured. In an interesting study from Kapersky Lab last month, 73% of adults believe retailers should be responsible for protecting consumer data. What was most shocking was that only 36% of those surveyed said they would choose to be a customer of their own employer, knowing what they did about their company’s cybersecurity practices. Higher Education take note – this study also revealed that the younger generation is beginning to make purchasing decisions based on the cyber security practices of businesses.
The reputational damage from a large public disclosure could be devastating. As a member of the PCI Team or IT staff, you can use these laws and regulatory standards to your advantage when working to secure funding for improved technology or additional resources for your compliance efforts. Executives will likely pay more attention if you present the potential for huge fines as a penalty for non-compliance.
Referencing specific requirements in discussions with merchants reminds them that there are actual consequences for the organization if they are unable to protect sensitive information. Clearly defined laws and standards can play a role in your third-party contract negotiations as well. Rather than a lengthy outline of all of the different security controls that a vendor must have in place, you can simply state that they must adhere to specific state or federal requirements for protecting sensitive information in order to do business with your organization.
Being proactive about cyber security is critical, and this includes understanding the applicable laws your organization must comply with in the event of a breach. Having a strong information security program in place that includes education, policy, procedure, and technology will help to ensure you are in the best position possible should a breach occur. Reaction-mode or damage-control mode is not where you want to be when you become the target of an attack.
Some additional guidance from our Security Advisor team below:
[Gilmore]: Without laws governing how merchants should protect sensitive information, businesses would often make the decision to make the minimal investment to be able to say they have security in place. The consideration that the most they will have to deal with is a possible fine, as opposed to an investigation by authorities, doesn’t push some of these businesses to employ more adequate protection. Laws and their consequences will persuade business decision makers to invest in the technology and training to protect personal data. It is the responsibility of all businesses to handle sensitive data properly according to the requirements regulating how it should be handled. The PCI DSS is a very prescriptive standard that if followed is intended to help keep the amount of devices and people handling sensitive data at a minimum. All of these standards and regulations help to recognize and reduce the risk of data loss for those people and processes involved in storing, processing, and transmitting sensitive data.
Please contact us if you have any questions or would like to discuss how particular standards or regulations might apply to your organization.
