Originally appeared in the Boston Business Journal, July 26, 2021
- Hackers continue to exploit weaknesses in cybersecurity systems and practices.
- The cost of a data breach can be in the millions of dollars, and take close to a year to detect and rectify the situation.
- Pre- and post-breach cyber regulations have been specifically developed for some industries and states.
- Take steps now to develop a strong, compliant cybersecurity program for your organization.
When a business suffers a cyber incident, a myriad of legal and regulatory implications follow. To handle such an incident effectively — and legally — it’s crucial to:
- Understand the specific cybersecurity regulations applicable to your company and industry.
- Determine what your company needs to do to achieve compliance.
- Make sure you don’t break the law in how you respond should an incident occur.
The current cyber threat landscape is incredibly active — given the rush to remote work as a result of the pandemic, a significant increase in security incidents has occurred. Meanwhile, hackers — both individuals and nation-states — recognize this and continue to exploit weaknesses in cybersecurity systems and practices.
A recent global study conducted by Ponemon Institute and IBM Security noted the average cost of a data breach in the U.S. is $8.64 million, and 80% of breaches include records containing customers’ personal information. The average number of days in a breach cycle is around 275, with the first 200 days used to find and detect the breach, and the remaining 75 to contain it.
Unfortunately, hackers can do a lot of damage in those first 200 days. They use this time to learn everything about your business, find and take your business’s crown jewels, disable backups and security systems, and create numerous back doors.
How labeling ransomware as the “top threat” can create a false narrative
Although ransomware is a major issue for businesses and organizations, labeling it as the “top threat” creates a false narrative. In fact, ransomware is usually coupled with other acts (e.g., data exfiltration), and is the most visible part of the attack. Resuming operations after an attack is just the first step; legal and business ramifications of a data breach can live on long after the data has been released.
Despite these negative consequences, hackers know the balance is still tipped in their favor. Why? Implementing appropriate cybersecurity measures is costly and inconvenient, and businesses want to avoid reputational damage from a data breach, leading them to keep things quiet. As a result, individuals are frequently kept in the dark about their data being compromised.
Small organizations are not immune to pre-breach cyber regulations
Regulators understand that most businesses aren’t interested in making the investment needed to keep themselves and their data safe, and would rather live under the unwise assumption that they are too small or inconsequential to be targeted by hackers. But it has been proven time and again that hackers are rather indiscriminate when it comes to targets, and the smaller the organization, the easier it can be for an attacker to operate undetected for months on end.
As a result, cyber regulations have been developed with two general objectives: pre-breach, which forces businesses to spend money to implement protocols to reduce the likelihood of a breach; and post-breach, which requires businesses to notify impacted individuals of potential damages as a result of a breach.
Some well-known, pre-breach cyber regulations regarding specific industries include the Health Insurance Portability and Accountability Act (HIPAA), the Department of Defense Cybersecurity Maturity Model Certification (CMMC), and Cybersecurity Requirements for Financial Services Companies (23 CRR-NY 500.0). Depending on your industry, you may be required to implement one or more of these protocols before doing virtually anything else.
Additionally, there are geographically centered regulations promulgated by individual states. For example, the California Consumer Privacy Act (CCPA), which extended consumer privacy protections to the internet, is considered the most comprehensive internet-focused data privacy legislation in the U.S., with no equivalent at the federal level.
All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification after a breach. Security breach laws typically have provisions regarding who must comply with the law, definitions of “personal information,” what constitutes a breach, requirements for notice and exemptions.
The most common cyber regulation trends
As new threats are identified and understood, cybersecurity continues to evolve, and so do cyber regulations. The most common trends in legislation this year include proposals that would establish or shorten the timeframe within which an entity must report a breach; require state or local government entities to report data breaches; provide an affirmative defense for entities that had reasonable security practices in place at the time of a breach; expand definitions of “personal information”; and require private sector entities to report breaches to the state attorney general or another state entity.
What to do if you’re not in compliance
Although the lack of an appropriate cybersecurity program is all too commonplace, a strong, compliant cybersecurity program is as important to your business as enterprise resource planning, human resources and accurate financials. If you find that your business is not in compliance:
- Assess your environment for gaps between current and required state protections.
- Create a plan to address the gaps.
- Implement the plan and remediate the gaps.
- Reassess on a regular basis.
- Heather Bearfield
- Frank Rudewicz
- David Sun
Compliments of CliftonLarsonAllen – a member of the EACCNY.