A New Era of Cyber Regulation
The recent passage of the General Data Protection Regulation (GDPR) marks a significant, albeit gradual, global transition in ensuring data protection and privacy. The sweeping legislation imposes strict rules on any industry that collects data on EU citizens, and the cost of non-compliance is astounding. But the EU isn’t the only country grappling with the issue of data privacy. Virtually every “connected” country susceptible to a data breach is struggling with how to keep their data secure.
For private industry in the United States, big companies such as Yahoo, MySpace, Under Armour, Equifax, Target, and LinkedIn have been hit by devastating cyber breaches. Large enterprise organizations aren’t alone, according to the Ponemon Institute's 2017 State of Cybersecurity in Small & Medium-Sized Businesses report, the percentage of small businesses that have experienced a cyber attack in the past 12 months is up from 55% in 2016 to 61% in 2017, with the number projected to continue to increase in 2018.
Where is the United States’ GDPR?
With cyber crises on the rise for both public and private industry in the United States, why hasn’t there been a sort of comprehensive GDPR in the United States? An unfortunate reality about cybersecurity is that efforts to protect networks, generally speaking, are often reactive rather than proactive meaning that with scattered cyber incidents impacting both industries the legislative response has also been as such, scattered. Moreover, the sheer nature of the laggard U.S. political system tends to wait for a focusing event before making significant and widespread legislation. A focusing event often refers to when a disaster (or another event) is so significant in scope in breadth of disruption that it creates high and widespread levels of public discontent. In turn, the discontent influences political will and consequently leads to changes in policies and laws (the 9/11 tragedy is a good example).
Coincidently, senior leaders in the U.S. government have decried that the United States isn’t equipped to cope with a cyber 9/11 equivalent (to whatever that means we’ll leave to the policy experts). But, this begs the question, what would such a cyber crisis look like? Thus far, to name a few but pertinent examples, the U.S. government has played victim to interference into the 2016 Presidential Election, intrusion campaigns targeting critical infrastructure, and the 2015 Office of Personnel Management hack. These severe breaches leave a rather open-ended question as to what would ultimately qualify as this impending cyber 9/11 tragedy and how damaging it would have to be to become the focusing event necessary for the U.S. to pass its version of GDPR?
State-Level Legislation Paves the Way
While we can belabor and debate the reasons why the U.S. is absent its own federal-level data protection legislation, there is hope to be found in the state-level initiatives that are taking place when it comes to consumer and data protection. However, without unified and overarching regulation at the Federal level, organizations and their senior leadership teams must navigate a complex landscape of differing (and sometimes contradictory) laws and requirements with which to comply. The first notable step the states have made in ensuring consumer data privacy comes in the form of accountability on behalf of businesses that have experienced a cyber breach. As of March 2018, all 50 states now have established breach notification laws, ensuring that companies can no longer withhold key details about data breaches that may be critical for stakeholders to know.
In addition to breach notification laws, states in the post-Equifax breach world are ramping up consumer protections when it comes to data privacy. Vermont has recently passed legislation to crack down on data brokers that buy and sell personal information. As a result, data brokers will have to comply with legislation that protects the privacy of Vermont residents, particularly in the event of a data breach. The new rules have been established to protect consumers and increase data broker security and accountability.
Meanwhile, California has recently enacted the California Consumer Privacy Act of 2018 (CCPA), a series of new laws that some are contending will be the most stringent laws regarding personal data protection in the United States. The Act ensures that California residents will be able to determine what data companies are collecting, whether or not they want to have that data removed, and can prohibit the sale of their data. CCPA also allows consumers to sue companies for “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” As put by Security Magazine, “Under the current California law, only “‘customers’” can sue a company, and only then if they can prove they were actually harmed as a result of a breach - a virtually impossible standard to meet.”
While numerous states are beginning to take the initiative when it comes to cyber regulatory policy, it will be important to see how CCPA will serve as a potential model to combat the traditional reactive approach to cybersecurity.
What Can You Do?
Amidst the proliferation of cyber and data privacy legislation, it’s important for businesses to stay apprised of how they can ensure compliance. Here are a few tips to do just that:
- Know Who Leads Your Compliance Efforts - Take the time to designate someone in your organization who, as a part of their job function, stays up to up to date on legal and regulatory issues and ensures that your organization is compliant.
- Communicate With Legal - Make sure that compliance is taken seriously by your general counsel. Ensure that your organization is operating with its legal framework when it comes to cybersecurity regulation on the state, national, and international level. Also be sure that your information security leadership is communicating with legal on this issue as well.
- Remember Your Metrics - Don’t let ambiguity cloud your understanding of whether or not you are staying compliant with regulatory policy. Include compliance as a measurement component of your businesses’ risk management. Turn compliance into a measurable component of your risk framework. Need help? Take a closer look at our Digital Cyber Risk Program.
- Know How to Respond - Not only should your business have a well-developed cyber incident response plan, that plan needs to operate in accordance to all breach notification laws your business is subject to adhere to. So, how are adversarial nation states able to do their dirty work in the cyber domain? In some instances, adversarial nation states use a combination of trained professionals, as well as hired mercenaries and/or proxy groups. Outsourced support could include people who have similar political motives as the state they serve, or those who have been coerced by their host government to work for them. In some cases, state-sponsored hackers will have ties to the military or intelligence community of their host country and are selected for specific job functions ranging from disinformation to destruction (to name a few).