2016 a Year of Data Breaches and Regulation

Although governments and their agencies once lead cyber-security initiatives; reported serous data breaches in 2015 and 2016, highlight unacceptable data security ‘corner-cutting’ and ‘cost-cutting’ behaviour and attitudes to the obvious need for robust data security.

Similarly, the business sector continues to be criticised for ‘risky behaviour’ and minimalist approaches to data security.

But in the UK, EU, USA and Asia numerous national security and regulatory bodies are sounding warnings by their actions. The clear message is ‘act or pay the price’!

The clear message from government regulators, who seek to protect their national economies, is to ensure unprotected data is never able to get into unauthorised hands. That requires robust data encryption – while at rest and when transmitted across networks.

After many catastrophic data security breaches – in government and business sectors – media and security experts were heard to scream: “How could such a data breach occur?”; “Why wasn’t that data encrypted?” Whether the data breach was enabled by Internet links, systems and servers or hacking into dedicated data networks, the criticisms were much the same.

Recognising data security issues in the business sector, McKinsey & Company published ‘Cyber Security for Commercial Advantage’, authored by James Kaplan. The article is an excerpt from ‘Handbook of System Safety and Security’.

In seeking to get businesses to see data security as a competitive tool, rather than an inconvenience, Kaplan wrote: “However, given that most companies still treat cybersecurity as a ‘back office’ or “control” functional they have not yet been able to integrate cybersecurity into their commercial interactions either with suppliers or with customers. As a result, cybersecurity is already creating significant turbulence in the value chain, slowing down collaboration between companies and, potentially, reducing competitiveness and innovation in some markets.

To read the Handbook of System Safety and Security article click here

NETWORK DEVICE VULNERABILITIES

In 2016 data breach analysts report that some of the largest increases in data security breaches have involved the Internet of Things (IoT) – the network connection of devices such as office equipment, webcams, healthcare equipment and routers, which are vulnerable to cyber-attacks. Whether the IoT driven breach has resulted in theft of network data or systems data at rest, the impact of such attacks continues to grow.

For example, HealthIT Security reported that the healthcare sector is the number one most targeted sector by cyber-criminals. The number of attacks and successful data breaches are staggering and highly damaging. That may explain why the US regulators have introduced criminal sanctions in certain data breach situations.

“Healthcare Data Breaches Top Concern in 2016, says Experian”. In its report, HealthIT Security warns that Experian’s Data Breach Resolution white-paper noted that the “valuable information stored within health records” is the key driver of continuing cyber-security threats to the healthcare sector – both criminal attacks and innocent systems and human mistakes. Experian stated that “nearly 91% of healthcare organisations have experienced some kind of healthcare data breach within the past two years!”.

To read the HealthIT Security article click here

INCREASING DATA SECURITY REGULATION

It seems that national security leaders in the USA, EU, UK and Asia are determined to push hard against poor data security practices and policies – in government and business. In many cases the security question has shifted from: “what sensitive data should we encrypt when it’s transmitted?” to: “explain why all transmitted data is not encrypted”.

Additionally, reports indicate significant weaknesses in government agencies’ interpretation of data security policy and the subsequent poor actions. In the USA it was revealed government agencies spent $billions on network devices that proved to be vulnerable. In Australia federal agencies were criticised for failing to encrypt sensitive data transmitted on ‘public’ networks. And still, the Australian government lags behind the world by failing to produce ‘mandatory breach notification’ legislation.

ACTION

On the bright side, there have been examples of where national security organisations are acting:

  • UK Information Commissioner fined TalkTalk US$500,000 for a ‘serious consequence’ data breach that reflected a failure to patch its database systems. Had that breach occurred when the GDPR regulations took effect, that penalty would have been US$9,000,000!
  • The UK commenced operation of its new National Cyber-Security Centre in October. Under tits four objectives charter, the NCSC is expected to act as a single point of contact to coordinate network and information security issues and manage the cross-border relationship with the EU. The objectives include ‘leadership on national cyber-security issues’.
  • In the USA, New York State announced new cyber-security regulations focused on businesses. These include requirements that businesses: identify data security risks; protect data; detect security events and restore operations.
  • In Japan, the government is planning to set up an ‘Industrial Cyber-Security Promotion Agency’ specifically to protect Japan’s critical infrastructure.
  • The US Commodity Futures Trading Commission has announced expansion of its cyber-security regulations aiming at protecting the markets from cyber-security ‘melt-downs’.
  • Singapore announced its new Cyber-Security Strategy which includes collaboration among ASEAN members and other Asia Pacific nations to help ensure effective data security policies including severe sanctions for non-compliance.
  • The US healthcare sector’s cyber-security is universally regulated under wide reaching rules and sanctions. The ‘HIPPA Omnibus Final Rule’ was introduced to to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability (HIPAA). Already criminal and civil proceedings have been initiated for serious data breaches. The ‘Omnibus Final Rule’ specifically covers: healthcare business associates, quality of security measures and use of encryption.