We don’t claim to be fortune tellers. Unfortunately, there is no crystal ball in our conference room that helps us predict the future. But when it comes to assessing the IT infrastructure of a business, we can spot problems before they happen from a mile away.
Today, we're going to take a broad look at the issue of data security. Specifically, issues that are influencing best practices right now, and factors that might make the landscape of data security different in the future.
If reading this makes you squirm in your chair, it’s likely because the data security practices around your office consist of locking the office doors at the end of the day. Statistically speaking, it’s only a matter of time before a company with lax data security practices becomes the victim of a cyber attack.
And, as we’ll point out later in this article, the consequences of a data breach are growing steeply, both in regulatory fines and in personal liability for the people running the company.
For European businesses, May 25th, 2018 was an important date to remember this year. The world’s strongest data protection rules came into effect. Colloquially called ‘GDPR’, the General Data Protection Regulation was designed to update the laws which protect the personal information of individuals.
GDPR was the latest iteration of data protection laws which were originally created during the 1990s. Companies defined as being controllers or processors of personal data (pretty much any modern business) are subject to the rules defined under the GDPR.
Personal data can be a complex category, but essentially it’s any piece of information that can be used to identify a person, directly or indirectly. Names, addresses, phone numbers and IP addresses are all protected under the new set of regulations. There are 99 articles under the GDPR that outline the obligations of businesses which collect personal data. Some of these rules require companies to give consumers better access to the data that companies collect and store about them.
Additionally, new fines and penalties are made clear for companies that collect information on consumers without proper consent.
What’s the cost of non-compliance? In some cases, very expensive. An article in WIRED provided more:
In the UK, these monetary penalties will be decided upon by Denham's office and the GDPR states smaller offences could result in fines of up to €10 million or two per cent of a firm's global turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or four per cent of a firm's global turnover (whichever is greater). These are larger than the £500,000 penalty the ICO could previously issue.
The American Translation
While this is going on in the EU, a natural question is “how does this apply to the US?” Regulators have certainly been examining the GDPR legislation and attempting to craft equivalent options here in the United States that can help protect consumers’ data.
Currently, all 50 states have legislation requiring that both private and government entities notify individuals of security breaches which involve personal information of customers.
Exactly when they’re supposed to act in this manner, however, varies from state to state. At this point in time, there’s no single definition of what a “timely notification” means. In some states, 30 days is considered timely, while others treat a 45-day or even 60-day notification schedule as falling into the “timely” category.
United States regulators also haven’t nailed down exactly what “personally identifiable” information encompasses, which further complicates the adoption of any new regulation. What business owners should be concerned with is the fact that in many cases, legislators are drafting laws that place more responsibility on the entities that suffered the data breaches than on the attackers themselves.
But even with a 30-day benchmark, that’s nearly a month of lag time. Hackers move quickly after they’ve obtained your data.
What can happen to stolen data in a month? CPO Magazine paints a disturbing picture:
Just think of what could happen in those 30 days – a criminal hacker could use personal information as part of an identity theft scheme. Or a hacker could use that personal information to open new credit cards in your name, or to drain your existing bank account. In fact, the range of negative outcomes is only limited by the scope of your imagination. In a best-case example, hackers might just sell off your data to some third-party advertiser, who will then try to show you targeted ads based on what it knows about your age, gender, and income. In a worst-case scenario, you might spend years trying to un-do all the financial chaos that hackers have set into motion.
While many decisions that happen within a company stem from the executive leadership, in terms of data breaches these individuals have been somewhat insulated from the consequences.
While CEOs are often the public figures resigning after a major data breach, the legal liability rarely falls on their shoulders. Severance packages also make the transition to new employment more comfortable.
With the recent public failures of major technology companies like Google and Facebook, the public eye is on data protection for US technology companies more than ever.
Could the prospect of steeper fines and even prison time be on the horizon for CEOs of companies who fail to protect their customers’ data? One U.S. senator unveiled a draft of legislation that would allow for as much as 20-year prison terms for executives who knowingly mislead regulators about their companies’ data protection practices.
Ron Wyden, a Democratic senator from Oregon, released the draft of legislation that could grant authority to the FTC (Federal Trade Commission) to levy hefty fines, equivalent to 4% of annual revenue, or worse, prison time.
An article in Reuters described more about Wyden’s proposed “Do Not Track” system:
Data privacy has become an increasingly important issue since massive breaches compromised the personal information of millions of U.S. internet and social media users, as well as breaches involving large retailers and credit reporting agency Equifax Inc.
Wyden would also create a national “Do Not Track” system to stop companies from tracking internet users by sharing or selling data and targeting advertisements based on their personal information. The bill would also subject senior executives at companies with privacy violations to fines of $5 million or more.
Solutions for Now
While it’s difficult to estimate what type of legislation will come out of Washington, we can tell you that acting now to protect your existing network will be far more effective than waiting for politicians to decide what is and is not considered compliant.
Hackers are coming up with new ways to infiltrate your network and steal data faster than politicians can draft broad-reaching legislation to protect your customers’ data. Being proactive as a business will send the right message to your clients about taking their data protection seriously.
But we’re aware that hiring dedicated IT staff is a financial burden. Apart from the salary expense, there are other overhead costs to consider when bringing IT in-house. Many small businesses don’t have massive budgets, and for that reason many of them consider partnering with an outsourced vendor for IT solutions.
An outsourced partner, like Continuous Networks, allows a business the ability to function like a company with a large IT team for a fraction of the cost. A security audit of the existing infrastructure can be a helpful starting point for bolstering network security, but our services don’t stop there.