If your organization has not already suffered a cybersecurity breach, there is little doubt that it will in the future. Cyber incidents, no matter how minor they may seem, put your organization at risk and require a response. Even a seemingly benign issue could be the precursor to something much more serious, so organizations need a plan to handle every type of data security investigation. With the odds of being attacked so high, planning for the inevitable should start immediately.
Your organization likely has data protection requirements that cover physical assets and digital information. Here, we will focus entirely on identifying digital information security vulnerabilities and how regulatory compliance rules influence companies' approaches to data protection.
Know your cyber vulnerabilities
As you begin to consider what to include in your data protection plans and create predefined roles and responsibilities, remember that a company's size and complexity matter. A plan that is too complex and detailed, however, can actually work against you: You don't want a plan to be so complex that you and your staff will not understand or follow it when the time comes.
Conducting advanced planning helps make the response smooth and professional, but be very careful of copying other plans that were designed to support another organization. While they may read well and seem impressive, they could miss critical issues and create undue burdens on your team.
In order to provide for a proper response, we need to understand what might be motivating the attackers. Common motivations known to drive modern cybercriminals include:
- Gathering critical information on systems and people for a variety of illicit uses;
- Nationalism and patriotism;
- Nation-states preparing for future attacks on business and critical infrastructure;
- Theft of customer data and financial information for identity theft, extortion and blackmail;
- Theft of designs, research and other intellectual property for corporate espionage;
- Theft of monies from individuals and/or organizations to finance lifestyle and even terrorism; and
- Digital activism and hacktivism for religious or personal beliefs.
Don't forget security compliance rules
Companies must also consider government-mandated data protection requirements, as well as breach transparency regulations dictating disclosure requirements to consumers, law enforcement and other government agencies.
Some data privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), provide for "federal preemption" -- meaning that federal law generally takes precedence unless the state law provides better protections for consumers. To quote the National Conference of State Legislatures, "Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information." At the time of that tally, this left Alabama, New Mexico and South Dakota without state-level breach notification legislation; all three have since enacted such laws, so check the current NCSL list rather than relying on a fixed count.
As you research your regulatory obligations, keep the following discrepancies in mind when considering data breach notification guidelines:
- Some state laws cover businesses because they operate within the state, while others tie compliance obligations to those providing products or services to state residents.
- Certain laws require data breach notification for simple unauthorized access or disclosure, while others don't require notification unless a risk analysis shows significant risk of harm.
- Some regulations require attorneys general and other state agencies to be notified, and others have specific notification and remediation deadlines for different classes of information.
Depending on the class of information that you possess and the associated protection and data breach notification obligations, planning will vary. While there are some fundamental actions you must take in any instance, it is very important to understand your company's specific legal obligations. Federal rules also apply: the Red Flags Rule under the Fair and Accurate Credit Transactions Act requires identity theft prevention programs, the Children's Online Privacy Protection Act (COPPA) governs the collection of children's data and is enforced by the Federal Trade Commission (it is a separate statute, not part of HIPAA), and HIPAA's own Breach Notification Rule sets specific breach reporting obligations for covered entities and their business associates.
It's also important not to confuse Payment Card Industry (PCI) rules with law. The PCI Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council and does not have the backing of government, yet the card brands and acquiring banks can still impose penalties on a company that fails to follow it. These penalties are part of a contractual construct companies agree to when they apply to accept credit cards. If a company accepts Visa, MasterCard, American Express, Discover, or any other payment card, the business must agree to their terms and conditions. Under PCI DSS, there is a set of requirements that all card acceptors must comply with, or face penalties.
When designing your plans, keep in mind that while PCI rules don't have the force of government regulations, you should treat them as if they do. Much like failing to protect health and other personal data, penalties for noncompliance with PCI can have a big impact on a company's bottom line.
Data breach security and incident response have become a fact of life for the modern business, but companies can actually use this fact to their advantage. By staying prepared for seemingly endless threats and knowing what data assets are the biggest targets, companies can stay out in front of the quest to protect sensitive business and consumer information.