Where do we draw the line between fear and preparation, government oversight and corporate responsibility, victim and villain? What sounds like the opening of a Hollywood blockbuster instead describes the ever-changing landscape of cybersecurity, incident response, and data privacy. The unfortunate reality is that these questions represent some of the many challenges facing companies around the world every day.
Navigating this treacherous terrain requires a cogent understanding of the obstacles companies must overcome. Companies must strike a balance between fearfully reacting to every report of a security or data incident and knowing the risks, understanding their own security posture, and being prepared to address the evolving threats. Likewise, companies must balance reliance on government resources against corporate civil, fiscal, and fiduciary responsibilities. Weighing heavily on those decisions is the reality that companies victimized by cybercriminals are often villainized in the court of public opinion for “disclosing” sensitive information. Knowing how to allocate your time, resources, and emotion between investigating the incident to identify and satisfy your obligations and fending off negative publicity about the incident is critically important to mitigating the impact of a cyber incident.
The business of cybercrime – and make no mistake, it is a lucrative business – has experienced exponential growth and change in recent years. It is unclear whether the growth curve has reached its apex or is even primed to plateau in 2020. Complicating matters further, as the method, means, and mode of attacks evolve, it becomes increasingly challenging to predict what is to come. In 2019, businesses saw a staggering increase in the number and cost of the attacks, both in terms of ransoms demanded and the debilitating aftermath. As a result of increased cybercrime, businesses continue incurring both monetary and reputational harm, and millions of consumers have had their personal information held by businesses exposed, oftentimes for months before ever knowing that their personal information was compromised.
A collateral effect of these evolving cybercrime tactics is the appearance of additional privacy legislation and regulations. Governments, faced with immense pressure to respond, have enacted sweeping legislation with the express purpose of protecting individual privacy rights. From the EU’s General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA), these statutes give individuals more control over their data, and give both regulators and individuals legal recourse in the event of a breach.
With this backdrop of increased criminal activity, privacy regulation, and both civil and regulatory penalties for suffering a breach, it can seem a Herculean task to both protect your organization and continue gainful business operations domestically and abroad. Prioritizing your approach based upon the specific needs of your organization will help you navigate these turbulent waters in an efficient and effective manner. To tackle the Labours of Hercules now thrust upon companies, you first must explore the following:
- Know Your Data. Gone are the days when companies could ask their customers open-ended questions and hold in perpetuity any information those customers willingly disclosed. Companies now must carefully craft their inquiries and retain the responses only as long as required to serve a business purpose or satisfy a law. Yet if asked, most companies cannot identify the data they collect, the purpose for collecting it, or where it is stored. Knowing your data not only lets you streamline operations, but also lets you identify and mitigate risk, gaps in your security and compliance posture, and weaknesses in employee awareness and training regarding how sensitive information is handled. Sensitive information includes traditional data elements such as Social Security number, driver’s license number, financial account information, and healthcare information. Newer privacy laws, however, have expanded that scope to data elements such as IP address, biometric information, email address, and behavioral analytics. It is also important to understand whose data you possess in order to fully understand your compliance posture. For example, privacy laws may treat consumer and employee data differently from applicant data, and may impose more stringent or additional requirements for students and minors. Without understanding your data, you limit your ability to comply with the law, assess your risks, and prepare for an incident.
- Know The Law. Seems a straightforward ask, does it not? A critical look at the privacy regulatory landscape reveals that it is anything but. Following the launch of the GDPR, California passed the CCPA, which took effect on January 1, 2020. These laws not only expand the scope of protected information, but also establish an entirely new regulatory framework that triggers compliance obligations for companies and industries not accustomed to regulation. Additionally, they provide an enforcement mechanism for regulators and, in the case of the CCPA, a private cause of action for individuals whose data has been compromised in a breach. Approximately 25 states are currently issuing or contemplating data privacy regulations that take a similar approach to the GDPR and CCPA. Although seemingly limited to a specific state or country, current and proposed data privacy regulations reach businesses outside the enacting jurisdiction by regulating entities that collect, process, buy, and/or sell data belonging to individuals residing in that jurisdiction.
- Know Your Risks. Unfortunately, U.S. companies provide a target-rich environment for cybercriminals because they operate in a connected and data-driven world. Cybercriminals understand your operational weaknesses and seek to exploit them for financial gain. The most prominent cybercrime schemes are Business Email Compromise (“BEC”), also known as Social Engineering Fraud (“SEF”), and Ransomware. In simplest terms, SEF is where a bad actor uses a communication (typically email) to mislead an employee into directing a payment (or sensitive data) to the fraudster. If SEF is used to transfer money electronically, the loss to your organization is immediate. Ransomware, on the other hand, is simply a modern extortion scheme. First, the bad actors infect your systems with malicious code that encrypts your data, essentially rendering your network inoperable. Next, they demand payment in return for a decryption key that will “unlock” your data. In many cases, the bad actors also deploy additional malicious code that lets them exfiltrate data from your systems during the ransomware attack; because the stolen copy remains in their hands, buying the key or restoring from backups does not undo that exposure. This more egregious approach has both immediate effects (ransom payment, costs to investigate and notify, etc.) and long-term effects (reputational harm, potential regulatory actions, civil litigation).
- Know You’re Prepared. Although it is impossible to prevent all cyber-related risks, you can and should take steps to prepare your organization. Privacy planning is more important now than ever. Understand your compliance obligations and ensure that your privacy program is reviewed throughout the year as legislation and regulations are enacted and changed. The same holds true for cybersecurity. This includes reviewing the internal and external resources in place to ensure that your network infrastructure is secure, tested, and appropriate for the current threat environment and that employee training is updated and delivered. Finally, make certain that your incident response and recovery plans are updated to address current threats, that employees understand their roles, and that you have the legal and technical resources ready to respond when necessary.
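The "Know Your Data" item above asks what you collect, why, and where it lives. The following is an added example, not code from the article, of a small data-inventory scanner that classifies field values into the sensitive-data categories the article lists (Social Security number, payment card / financial account, email address, IP address) and flags records whose stated purpose has no retention rule or whose retention period has lapsed. The system names, purposes, retention periods, regular expressions and sample records are constructed assumptions for illustration.

```python
"""Added example (not from the article): a small data-inventory scanner.

Classifies field values into sensitive-data categories and flags records that
are held without a documented purpose or past their retention period. All
systems, purposes, retention periods and records below are constructed.
"""
import re
from datetime import date

# Pattern assumptions: US SSN with separators, simple email, dotted IPv4, and
# 13-19 digit runs (spaces/hyphens allowed) that must also pass a Luhn check.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Assumed retention policy: how many days a record may be kept per purpose.
RETENTION_DAYS = {"order_fulfillment": 365, "newsletter": 180}
AS_OF = date(2020, 1, 15)  # assumed "today" so the run is reproducible


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(value: str) -> set:
    """Return the set of sensitive-data categories found in one field value."""
    found = set()
    if SSN_RE.search(value):
        found.add("ssn")
    if EMAIL_RE.search(value):
        found.add("email")
    if IPV4_RE.search(value):
        found.add("ip_address")
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("payment_card")
            break
    return found


def inventory(records, as_of):
    """Map each system to the categories it holds; list records needing review."""
    by_system = {}
    review = []
    for r in records:
        cats = set()
        for v in r["fields"].values():
            cats |= classify(str(v))
        by_system.setdefault(r["system"], set()).update(cats)
        limit = RETENTION_DAYS.get(r["purpose"])
        age = (as_of - r["collected"]).days
        if limit is None:
            review.append((r["id"], f"no retention rule for purpose '{r['purpose']}'"))
        elif age > limit:
            review.append((r["id"], f"held {age} days, limit {limit}"))
    return by_system, review


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"id": "crm-1", "system": "crm", "purpose": "order_fulfillment",
     "collected": date(2019, 11, 2),
     "fields": {"name": "Pat Example", "email": "pat@example.com",
                "card": "4111 1111 1111 1111", "note": "prefers afternoon delivery"}},
    {"id": "hr-7", "system": "hr", "purpose": "payroll",
     "collected": date(2016, 3, 15),
     "fields": {"ssn": "123-45-6789", "name": "Sam Example"}},
    {"id": "web-42", "system": "weblogs", "purpose": "newsletter",
     "collected": date(2019, 1, 5),
     "fields": {"client": "203.0.113.7", "signup": "sam@example.org"}},
]

if __name__ == "__main__":
    systems, review = inventory(SAMPLE_RECORDS, AS_OF)
    for system, cats in systems.items():
        print(f"{system}: {sorted(cats)}")
    for rec_id, why in review:
        print(f"review {rec_id}: {why}")
```

The Luhn check matters: without it, any 13 to 19 digit run (order numbers, tracking IDs) would be reported as a card number and the inventory would overstate risk. A record whose purpose has no retention rule is reported rather than silently accepted, which is the point the article makes about holding data without a documented business purpose.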
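The "Know Your Risks" item above describes SEF as an email that misleads an employee into redirecting a payment. The following is an added example, not code from the article, of a heuristic triage script for inbound mail that scores the patterns such fraud commonly shows: an executive's display name on an external address, a Reply-To that diverts replies to another domain, a lookalike of the company's own domain, and language pushing a payment or a change of bank details. The company domain, executive names, keyword list, threshold and sample messages are constructed assumptions for illustration.

```python
"""Added example (not from the article): BEC / social-engineering-fraud triage.

Scores a raw email on display-name spoofing, Reply-To diversion, lookalike
domains and payment/urgency wording. Domain, names, terms and messages are
constructed assumptions.
"""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"               # assumed
EXECUTIVES = {"jane ceo", "raj cfo"}         # assumed display names, lower-cased
PAYMENT_TERMS = ("wire", "bank account", "account details", "urgent", "invoice")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _internal(domain: str) -> bool:
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def _edit_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def is_lookalike(domain: str) -> bool:
    """Domains one typo away from ours, or with 'rn' where 'm' is expected."""
    if not domain or _internal(domain):
        return False
    return domain.replace("rn", "m") == COMPANY_DOMAIN or _edit_distance_le1(domain, COMPANY_DOMAIN)


def _text(msg) -> str:
    if msg.is_multipart():
        return " ".join(p.get_payload() for p in msg.walk()
                        if p.get_content_type() == "text/plain")
    return msg.get_payload()


def score_message(raw: str):
    """Return (score, reasons) for one message given as an RFC 822 string."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    reasons = []
    if name.strip().lower() in EXECUTIVES and not _internal(from_dom):
        reasons.append("executive display name on external address")
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    if is_lookalike(from_dom) or is_lookalike(reply_dom):
        reasons.append("lookalike of company domain")
    text = (msg.get("Subject", "") + " " + _text(msg)).lower()
    hits = [t for t in PAYMENT_TERMS if t in text]
    if len(hits) >= 2:
        reasons.append("payment/urgency language: " + ", ".join(hits))
    return len(reasons), reasons


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    return score_message(raw)[0] >= threshold


# Constructed sample messages (not real mail).
LEGIT = """From: Accounts Payable <ap@example.com>
To: alex@example.com
Subject: Invoice 1042

Invoice 1042 is attached for your records.
"""

SPOOFED = """From: Jane CEO <jane.ceo@gmail.com>
Reply-To: jane.ceo@exarnple.com
To: alex@example.com
Subject: Urgent wire

Alex, I need an urgent wire sent today to our new vendor. Use the bank
account details below and keep this confidential.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        score, reasons = score_message(raw)
        print(label, score, reasons)
```

A score is deliberately a sum of independent signals rather than a single rule: a genuine executive mailing from a personal account trips one check, while a fraud attempt usually trips several at once. In practice the outcome of such triage is a hold on the payment and an out-of-band call to the requester, not an automatic block.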
The well-known adage “knowledge is power” is never more true than when it comes to companies’ privacy and security posture. Cybercriminals seek to deprive you not only of sensitive information and money, but also of your confidence in running your business safely and securely. By knowing what you have, what you do with it, what your professional and legal obligations are, and what options are available to you when nefarious characters behave badly, you minimize the impact of cyber incidents and the potential ire of the public and regulators alike.