02.05.2019

Cyber Defense eMagazine May 2019

Cyber Defense eMagazine May Edition for 2019 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cybersecurity expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group


‘assume breach’ has become the dominant defensive strategy. While this may reflect the modern reality, our national defensive posture will never improve if we aspire to such a low bar.

Recognizing the need for thoughtful regulation to shift incentives toward stronger defenses and data protection, and absent a federal law, individual states have proposed or passed their own data privacy and security legislation. At a recent Senate hearing on a federal data privacy framework, the discussion highlighted the growing patchwork of regulations in the United States, including over 90 data protection and privacy proposals currently at state capitols. Similarly, last year Alabama and South Dakota became the final two states to enact data breach notification laws. There are now over 50 different data breach notification laws in the United States, with Puerto Rico, the U.S. Virgin Islands, Guam, and Washington, DC also passing their own laws. Each of these data breach notification laws has different requirements and penalties, and they may contradict one another from state to state.

The most prominent piece of state privacy legislation is the California Consumer Privacy Act (CCPA), which will take effect in 2020. The CCPA focuses on unauthorized data access and intentionally targets both cyber attacks and third-party data disclosure violations. Individuals can hold organizations accountable for failing to protect their data, while organizations are required to implement “reasonable security measures” to protect that data. Accountability is core to any data protection framework, as it provides the necessary incentives to drive organizational change in favor of security. Despite the range of cyber attacks and third-party data sharing, accountability has largely been absent in the United States.

Vermont has taken a different approach and passed a law focused on the data brokers themselves. As we saw with the Equifax and Office of Personnel Management breaches, organizations holding significant amounts of personal data are ideal targets but may not prioritize implementing best security practices. Data brokers have largely remained off the radar but manage significant amounts of data. Vermont’s data broker law requires data brokers to take appropriate security measures and penalizes them for failing to do so, while also prohibiting the use of the data for criminal purposes. This is the first such law in the United States that holds significant data aggregators and sellers accountable for data security.

Legislation introduced in Massachusetts, Washington, Colorado and Washington, DC further reflects the current movement toward greater privacy and security in the absence of a federal framework. Largely driven by ongoing data breaches as well as unauthorized data sharing, these laws explicitly aim to incentivize greater data protection and to transform data sharing and storage practices, while also looking ahead to future data challenges posed by biometrics, surveillance, and facial recognition. Left unprotected, these too will be a gold mine for bad actors.

Given the steady pace of security and privacy hearings on the Hill, coupled with new state-level privacy laws as well as foreign laws such as the European Union’s General Data Protection Regulation, the likelihood of U.S. federal privacy regulation continues to grow. Until then, states are setting the bar and forcing the federal government to evaluate what core components should be included at the federal level.

58
