Cybersecurity and privacy professionals may be dubbing 2019 as the “Year of Privacy.” As with previous years, the industry faced multiple data breaches that negatively impacted millions of individuals globally. As we drive towards 2020, taking a look in the rear view mirror can help give us insight into what we’ll see in front of the dashboard.
What did the 2019 statistics look like?
2019 was not a “pretty” year. According to the IBM Cost of a Data Breach, statistics showed that the sizes and costs of data breaches were on the rise, again. The staggering numbers don’t engender confidence:
- $3.92 Million: average data breach cost
- 25,575 Records: average size of a data breach
- 279 Days: average time to contain a data breach
- 314 Days: lifecycle of malicious attack from breach to containment
- $1.2 Million: average cost savings when breach lifecycle under 200 days
While the average cost of a data breach are high, more astounding is the attack life cycle. The average data breach, from start to finish, is nearly a year. The containment alone is 279 days. Organizations need to mature their cybersecurity and privacy programs to decrease these timelines and costs.
Who did we talk about the most?
Facebook had the dubious honor of being “the most discussed” company for the second year in a row. While the Cambridge Analytics debacle held customer attention for most of 2019, the Facebook Follies continued well into 2019, with three separate breaches.
- April 2, 2019: A third-party application interface issue impacted 540 million records.
- April 19, 2019: An unsecured cloud database weakness impacted 419 million records
- April 10, 2019: A new account sign-up vulnerability impacted 1.5 million records
Data impacted included email contacts, email passwords, account passwords, user names, comments, and likes. A six month look back at the Facebook stock prices hit an all-time low in mid-July 2019, coinciding with the FTC levying the privacy fines.
Can you quantify the impact data breaches have?
We make a lot of assumptions about customer trust based on information such as stock prices or new mentions. However, PWCr’s 2017 Protect Me Survey goes straight to the source: customers. The data shows that consumers increasingly look to a company’s cybersecurity posture when making purchasing decisions:
- 69% of consumers believe companies are vulnerable to attacks
- 72% of believe businesses are better equipped to protect data than government
- 85% of consumers will not do business with a company if they don’t trust it
Consumers today want to buy from and give their information to businesses that respect their privacy and data.
In other words, as we look to 2020, your cybersecurity posture may be what a consumer uses to differentiate you from your competitors.
How did governments and industry standards organizations react?
2019 followed the path of 2018 by giving the “gift” of more regulatory oversight.
General Data Protection Regulation (GDPR)
Whether tired of discussing the GDPR or not, any privacy and security analysis needs to harken back to the regulation’s May 2018 enforcement date.
As a trendsetter, the GDPR expanded consumer rights as a response to the increased number and complexity of data breaches. By the end of 2018, 91 fines had been reported, and 59,000 personal data breach reports had been made.
California Consumer Privacy Act (CCPA)
Considered the “GDPR of the Americas,” the CCPA takes a similar approach to data privacy. With language that establishes extraterritorial jurisdiction, the California legislature seeks to expand the law’s reach beyond a single state. As we hurtle towards the 2020 enforcement period, the ability of California to force its law upon other states will prove an interesting legal battle.
Where California goes, will the US follow?
Other states’ response, however, may be even more interesting as we watch the privacy rights movement unfold. CCPA inspired Washington State to draft its own privacy law. Meanwhile, the New York Legislature enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).
As the US’s patchwork quilt approach to privacy slowly grew, the 116th Congress began the battle over a potential US Data Privacy Legislation. Whether we like it or not, privacy regulations are here to stay, possibly becoming more complex.
Where do we go from here?
They say that those who don’t learn from history are apt to repeat it. Unfortunately, as we look at the history of privacy compliance through the lens of 2019, many companies haven’t learned enough. Too many companies still experience data breaches. From a compliance standpoint, we have five predictions that already seem to be taking form.
Geographic expansion: extraterritorial reach
As the GDPR goeth, so went the CCPA. The GDPR expanded data protection agencies’ reaches by applying to all EU citizens, regardless of location, and all people living in the EU, regardless of citizenship.
Similarly, the CCPA applies to all consumers who are California citizens and all people living in California. Until courts start to adjudicate whether these laws can be applied as written, they will be applied outside their geographic locations.
Term expansion: definition of personal data
As the GDPR expanded its geographic reach, it also expanded the definition of personal data. Explicitly, the law states that personal data includes name, identification number, location data, online identifier, physical, psychological, genetic, mental , commercial, cultural, social identity of natural persons. Implicitly, it adds that the term “should be as broadly interpreted as possible.”
Similarly, the CCPA defines twelve data categories but also expands that definition to include “inferences drawn” from combining categories of data.
We’re looking at governments expanding these definitions because they don’t want loopholes that leave consumers at risk. In other words? When in doubt, protect it.
Business responsibility expansion: vendor risk monitoring
As more organizations embrace digital transformation, their IT ecosystems become more complex. Gone are the days when your on-premises IT infrastructure is the only weak point that should concern you.
The GDPR defined two categories of organizations - data collectors and data processors. Under the Saudi Arabian Monetary Authority (SAMA) cybersecurity framework, financial institutions are responsible for monitoring the cybersecurity posture of their contractors, vendors, and companies to whom they outsource work. Finally, the CCPA requires organizations to monitor the cybersecurity of companies from whom they collect data and to whom they sell it.
Whether your third-parties are people or Software-as-a-Service (SaaS) providers, you are liable for the controls they place over consumer data.
Management responsibility expansion: Board oversight
As if Boards of Directors weren’t already under scrutiny, the Facebook FCC Debacle, complete with Mark Zuckerberg’s attempt at distancing himself from the problems, placed the spotlight even more directly on the Board.
Unlike Facebook’s Zuckerberg, however, the average Board member is not a computer science genius. To prove governance over their organization’s privacy programs, business leadership needs to understand risks and make informed decisions.
Fiscal expansion: fines and penalties
In light of the above predictions, compliance leaders should be ready for the final cautionary tale. Every single compliance requirement incorporates more fines as a way to drive stronger security and privacy.
In some cases, we’re seeing increased penalties, such as the GDPR’s “4% of annual revenue” fine. The CCPA instituted private causes of action, allowing individuals to sue companies in civil court. Several dissenting commissioner opinions in the Facebook FCC case noted that Zuckerberg should have faced personal or professional liability.
If the compliance landscape follows suit, then organizational leadership may no longer be able to use their company as a shield.
What can you do to protect your organization?
Establishing a privacy program or maturing a current program may be the best way to meet these new challenges.
Whether you have a program in place or are just starting your journey, you need to be ready for whatever comes your way.
- Breaches: Increased number and severity
- Regulations: Incorporate higher fines and expanded rights of action for governing bodies and private citizens
- Audits: Increase in both regulatory and industry-focused
- Board Responsibility: Document governance and oversight
The compliance program
The core tenet of any compliance program is “iteration.” Take stock of what you have, and look to make it better than it was.
- Policy: Establish and enforce formal organizational goals
- Procedures: Designate responsible parties and their daily duties
- Implementation: Establish and enforce settings, configurations, and third-party vendor controls
- Measurement: Gain insight by testing, establishing baselines, and setting key performance indicators
- Management: Prove governance by detect anomalies and responding to alerts
Continuous control monitoring
Don’t stop thinking about tomorrow and what the next threat might be.
- Automate: Mitigate human error risks arising from manual processes
- Verify: Sampling may not work as you add systems, networks, software, devices, and vendors
- Calculate: Gain insight from data for better audit outcomes
- Proactive: “Point in time” audit and review no longer suffice
Document everything as audits become more important to business sustainability.
- Governance: Put the G in GRC
- Prioritize: Focus on proving response and mitigation
- Document: Establish and enforce privacy and security controls as part of service level agreements with vendors
Establish trust and obtain better audit outcomes.
- Prove: Privacy and security posture to upstream supply chain partners
- Streamline: Audit documentation gathering
- Communicate: Across all stakeholders
SecurityScorecard enables a secure and compliant 2020
SecurityScorecard’s security ratings platform helps organizations mature their cybersecurity and privacy programs with continuous monitoring and documentation for continuous assurance. Our platform collects information from across the internet to see your ecosystem the way an attacker would.
We correlate the information to provide a holistic security rating and then drill down into ten collected factors to help you prioritize your most critical weaknesses. Using an easy-to-read A-F rating system, SecurityScorecard’s platform creates a common language that IT and business leadership can use to communicate effectively.