Snowden, Bitcoin, Data Breaches Foretell New Regulations

It's inevitable that more businesses will be penalized for breaking customer trust. Is your enterprise prepared for new security laws?

Through the activities of "whistle blowers" like Edward Snowden and the recent high-profile Mt. Gox Bitcoin heist, issues around information privacy and data protection are being fiercely debated across the globe. And while opinion is polarized on Snowden's motivations or the viability of crypto-currency, discussions around intelligence gathering exercises and security failures are intensifying.

So much so that countries, businesses, government agencies, consumer bodies, and citizens are revisiting security, from new regulations and the law to Facebook profile settings. All of this is a good thing, especially the regulations part.

We know from history that laws follow business failures -- like the calamitous corporate accounting scandals that spawned SOX (Sarbanes-Oxley) legislation. Unfortunately, when it comes to IT security, government oversight has often taken the form of guidelines that are out of touch with digital realities and lack the teeth to address complex security and compliance issues across mobility, the cloud, and big data.

And since they're mostly unenforceable, the government directives are open to interpretation by the businesses operating within their domain -- plus, of course, there are the furious lobbying efforts by parties with a vested interest in "blunting the teeth" of any regulation.

But all this is gradually changing, and I expect the pace and relevance of regulation to increase and improve. This will be not only as a result of "whistle blowing" revelations, but also due to the fallout from major risk scenarios playing out on many levels, affecting countries (Stuxnet virus) and businesses (the Target breach of credit and debit card data from as many as 40 million customers), not to mention the theft of $450 million of Bitcoins from the Mt. Gox exchange (which filed for bankruptcy as a result).

Just last year, the European Union ratified a breach notification regulation for electronic communications services. It states that companies must notify their own country's national data protection agency within 24 hours of a security breach being detected. And here's the sharp-teeth part -- fines of up to 5% of annual revenue are being proposed for noncompliance.

Now imagine if a similar enforceable regulation were in place in the US and you were Target (which acknowledged a security issue three weeks after the first breach). Not only would your brand be tarnished, but so would your bottom line -- potentially to the tune of millions of dollars.

Of course, it could be argued that, in this scenario, authorities were notified as soon as the breach was detected, but isn't that an open admission that your event monitoring and incident detection are lacking (by 21 days)? Even worse, Mt. Gox's immediate response to the Bitcoin exchange hack wasn't even disclosure, but rather concealing the problem by refusing to honor withdrawal requests from depositors.

All this won't cut it with consumers, who are already initiating a number of class actions with a similar ring -- "failing to provide reasonable and appropriate security measures to protect personal information." They're also gaining the attention of government officials such as US senators Chuck Schumer (D-NY) and Richard Blumenthal (D-CT), who are calling for companies to be held accountable for -- guess what -- "failing to take appropriate security measures to protect personal information."

So it's not a stretch to see major security events becoming the impetus for new legislation.

Failing to protect against the latest security events and associated risks will have profound implications for businesses when legislation catches up to technology and gains more teeth. This will be different across countries, but for now enterprise security professionals and consultants, risk managers, and service providers need to be better prepared.

From an enterprise perspective, organizations will need to become far more skilled at determining their particular risk in the context of their business models and overarching regulations. Then it'll be critical to outline what new strategies, skills, processes, and technologies are needed to protect data.

For some, this could involve building new data protection offices to drive more repeatable security practices. For others with immature security disciplines, compliance will be more challenging and guaranteed only at a basic level. Perhaps that's enough for one new localized law relating to data retention, but not sustainable when you're a global operation and suddenly encounter a range of new regional regulations covering complex issues like personal information disclosure and customer profiling.

For cloud providers, aggregators, and brokers, new legislation around data sovereignty and cross-border data transfers will present thorny challenges. But it will also offer the opportunity to benefit from new service offerings -- "data location guaranteed" service levels, for example. Many SaaS providers will also rise to the challenge by offering complementary security services to their core offerings, while security software vendors and service providers could deliver tools addressing complex issues in areas like mobile content management, data leakage prevention, and security forensics.

Of course, great businesses won't wait for legislation. They're already working to understand new IT security risks and maintaining the trust of their customers through better people, process, and technology. The question: Are you doing the same?

Peter Waterhouse is a senior technical marketing advisor for CA Technologies' strategic alliance, service providers, cloud, and industry solutions businesses.

User Rank: Apprentice
3/12/2014 | 9:30:54 AM
More regs?
Our own security expert Mathew Schwartz has argued more financial penalties are necessary in order to make some retailers bear down on security. Structuring those rules to ensure that both retailers and the major credit card companies make changes (changes that will require serious financial investment) will be no small feat. Do you agree readers?
Lorna Garey,
User Rank: Ninja
3/12/2014 | 10:54:32 AM
Variable-size teeth
Here's what's smart: "fines of up to 5% of annual revenue are being proposed for noncompliance."

Part of the problem with HIPAA and some other regs is that for large institutions, it's less expensive to pay the fines than to do the work to comply. Yet if fines were high enough to really bite those orgs, they'd put small practices out of business. A sliding scale is needed.
User Rank: Apprentice
3/12/2014 | 7:25:59 PM
Re: Variable-size teeth
@Lorna that makes sense. For some companies the fines are a relative drop in the bucket. 
User Rank: Apprentice
3/13/2014 | 6:42:43 PM
Re: Variable-size teeth
Interesting - I quite like the idea of variable-sized teeth, though how easy it would be to administer and control I'm not so sure. IMO regulations have to be more prescriptive so that large organizations can't manoeuvre their way around by achieving only the very basic levels of compliance -- tick-in-the-box approach.
User Rank: Apprentice
3/19/2014 | 1:13:03 PM
These ongoing events should be a wake-up call for organizations around the importance of a security-first culture. Beyond simply integrating the best technologies, fighting this fight means embracing an education-based strategy that improves awareness and ultimately helps bring costs back under control. Some interesting stats that paint the full picture are in the 2013 HP Ponemon Cost of Cyber Crime report, available here: (http://www.hpenterprisesecurity.com/ponemon-study-2013).

Peter Fretty (j.mp/pfrettyhp)