Posted on Dec 23, 2019
Cybersecurity and privacy professionals may well dub 2019 the “Year of Privacy.” As in previous years, the industry faced multiple data breaches that negatively impacted millions of individuals globally. As we drive towards 2020, a look in the rear view mirror can give us insight into what lies ahead through the windshield.
2019 was not a “pretty” year. According to IBM’s 2019 Cost of a Data Breach report, the sizes and costs of data breaches were on the rise, again. The staggering numbers don’t engender confidence.
While the average cost of a data breach is high, the attack life cycle is more astounding still. In the 2019 report, the average breach lifecycle, from occurrence to containment, was 279 days: 206 days to identify the breach and a further 73 days to contain it. Organizations need to mature their cybersecurity and privacy programs to shrink both the timelines and the costs.
Facebook had the dubious honor of being “the most discussed” company for the second year in a row. While the Cambridge Analytica debacle held public attention for most of 2018, the Facebook follies continued well into 2019, with three separate breaches.
Data impacted included email contacts, email passwords, account passwords, user names, comments, and likes. Facebook’s stock price also swung in July 2019, as the FTC levied its record $5 billion privacy penalty on the company.
We make a lot of assumptions about customer trust based on proxies such as stock prices or news mentions. PwC’s 2017 “Protect.me” consumer survey, however, goes straight to the source: customers. Its data shows that consumers increasingly weigh a company’s cybersecurity posture when making purchasing decisions:
Consumers today want to buy from and give their information to businesses that respect their privacy and data.
In other words, as we look to 2020, your cybersecurity posture may be what a consumer uses to differentiate you from your competitors.
2019 followed the path of 2018 by giving the “gift” of more regulatory oversight.
Whether tired of discussing the GDPR or not, any privacy and security analysis needs to harken back to the regulation’s May 2018 enforcement date.
As a trendsetter, the GDPR expanded consumer rights as a response to the increased number and complexity of data breaches. By the end of 2018, 91 fines had been reported, and 59,000 personal data breach reports had been made.
Considered the “GDPR of the Americas,” the CCPA takes a similar approach to data privacy. With language that establishes extraterritorial jurisdiction, the California legislature seeks to extend the law’s reach to businesses far beyond the state’s borders. As we hurtle towards the January 1, 2020 effective date, with Attorney General enforcement beginning July 1, 2020, California’s ability to apply its law to businesses located in other states will prove an interesting legal battle.
Other states’ response, however, may be even more interesting as we watch the privacy rights movement unfold. CCPA inspired Washington State to draft its own privacy law. Meanwhile, the New York Legislature enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).
As the US’s patchwork quilt of privacy laws slowly grew, the 116th Congress began the battle over potential federal data privacy legislation. Whether we like it or not, privacy regulations are here to stay, and will likely become more complex.
They say that those who don’t learn from history are apt to repeat it. Unfortunately, as we look at the history of privacy compliance through the lens of 2019, many companies haven’t learned enough. Too many companies still experience data breaches. From a compliance standpoint, we have five predictions that already seem to be taking form.
As the GDPR goeth, so went the CCPA. The GDPR expanded data protection authorities’ reach by applying to any organization, wherever it is established, that processes the personal data of people in the EU, regardless of their citizenship.
Similarly, the CCPA defines a “consumer” as any California resident and applies to qualifying businesses wherever they are located. Until courts adjudicate whether these laws can be applied as written, assume they reach beyond their home jurisdictions.
As the GDPR expanded its geographic reach, it also expanded the definition of personal data. Explicitly, the law states that personal data includes a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person. Regulators and courts have treated that list as non-exhaustive and read the term as broadly as possible.
Similarly, the CCPA enumerates categories of personal information but also expands the definition to include “inferences drawn” from any of those categories to build a profile of the consumer.
We’re looking at governments expanding these definitions because they don’t want loopholes that leave consumers at risk. In other words? When in doubt, protect it.
As more organizations embrace digital transformation, their IT ecosystems become more complex. Gone are the days when your on-premises IT infrastructure is the only weak point that should concern you.
The GDPR defines two categories of organizations, data controllers and data processors, with obligations for each. Under the Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework, financial institutions are responsible for monitoring the cybersecurity posture of their contractors, vendors, and outsourcing partners. Finally, the CCPA holds businesses accountable for the service providers to whom they disclose personal information and the third parties to whom they sell it.
Whether your third parties are individual contractors or Software-as-a-Service (SaaS) providers, you remain accountable for the controls they place over consumer data.
As if Boards of Directors weren’t already under scrutiny, the Facebook FTC debacle, complete with Mark Zuckerberg’s attempt at distancing himself from the problems, placed the spotlight even more directly on the Board.
Unlike Facebook’s Zuckerberg, however, the average Board member is not a computer science genius. To prove governance over their organization’s privacy programs, business leadership needs to understand risks and make informed decisions.
In light of the above predictions, compliance leaders should be ready for the final cautionary tale. Every new compliance requirement brings larger fines as a way to drive stronger security and privacy.
In some cases, we’re seeing increased penalties, such as the GDPR’s maximum fine of €20 million or 4% of global annual turnover, whichever is higher. The CCPA instituted a private right of action, allowing individuals to sue companies in civil court over certain data breaches. The dissenting commissioners in the Facebook FTC case argued that Zuckerberg should have faced personal liability.
If the compliance landscape follows suit, then organizational leadership may no longer be able to use their company as a shield.
Establishing a privacy program or maturing a current program may be the best way to meet these new challenges.
Whether you have a program in place or are just starting your journey, you need to be ready for whatever comes your way.
The core tenet of any compliance program is iteration: take stock of what you have, then make it better than it was.
Don’t stop thinking about tomorrow and what the next threat might be.
Document everything as audits become more important to business sustainability.
Establish trust and obtain better audit outcomes.
SecurityScorecard’s security ratings platform helps organizations mature their cybersecurity and privacy programs with continuous monitoring and documentation for continuous assurance. Our platform collects information from across the internet to see your ecosystem the way an attacker would.
We correlate the information to provide a holistic security rating and then drill down into ten collected factors to help you prioritize your most critical weaknesses. Using an easy-to-read A-F rating system, SecurityScorecard’s platform creates a common language that IT and business leadership can use to communicate effectively.