Risk
3/12/2014 09:06 AM

Snowden, Bitcoin, Data Breaches Foretell New Regulations

It's inevitable that more businesses will be penalized for breaking customer trust. Is your enterprise prepared for new security laws?

Through the activities of "whistle blowers" like Edward Snowden and the recent high-profile Mt. Gox Bitcoin heist, issues around information privacy and data protection are being fiercely debated across the globe. And while opinion is polarized on Snowden's motivations or the viability of crypto-currency, discussions around intelligence gathering exercises and security failures are intensifying.

So much so that countries, businesses, government agencies, consumer bodies, and citizens are revisiting security, from new regulations and the law to Facebook profile settings. All of this is a good thing, especially the regulations part.

We know from history that laws follow business failures -- like the calamitous corporate accounting scandals that spawned SOX (Sarbanes-Oxley) legislation. Unfortunately, when it comes to IT security, government oversight has often taken the form of guidelines that are out of touch with digital realities and lack the teeth to address complex security and compliance issues across mobility, the cloud, and big data.

And since they're mostly unenforceable, the government directives are open to interpretation by the businesses operating within their domain -- plus, of course, there are the furious lobbying efforts by parties with a vested interest in "blunting the teeth" of any regulation.

But all this is gradually changing, and I expect the pace and relevance of regulation to increase and improve. This will be not only as a result of "whistle blowing" revelations, but also due to the fallout from major risk scenarios playing out on many levels, affecting countries (Stuxnet virus) and businesses (the Target breach of credit and debit card data from as many as 40 million customers), not to mention the theft of $450 million of Bitcoins from the Mt. Gox exchange (which filed for bankruptcy as a result).

Just last year, the European Union ratified a breach notification regulation for electronic communications services. It states that companies must notify their own country's national data protection agency within 24 hours of a security breach being detected. And here's the sharp-teeth part -- fines of up to 5% of annual revenue are being proposed for noncompliance.

Now imagine if a similar enforceable regulation were in place in the US and you were Target (acknowledging a security issue three weeks after the first breach). Not only has your brand been tarnished, but also your bottom line -- potentially to the tune of millions of dollars.

Of course, it could be argued that, in this scenario, authorities were notified as soon as the breach was detected, but isn't that an open admission that your event monitoring and incident detection are lacking (by 21 days)? Even worse, Mt. Gox's immediate response to the Bitcoin exchange hack wasn't even disclosure, but rather concealing the problem by refusing to honor withdrawal requests from depositors.

All this won't cut it with consumers, who are already initiating a number of class actions with a similar ring -- "failing to provide reasonable and appropriate security measures to protect personal information." They're also gaining the attention of government officials such as US senators Chuck Schumer (D-NY) and Richard Blumenthal (D-CT), who are calling for companies to be held accountable for -- guess what -- "failing to take appropriate security measures to protect personal information."

So it's not a stretch to see major security events becoming the impetus for new legislation.

Failing to protect against the latest security events and associated risks will have profound implications for businesses when legislation catches up to technology and gains more teeth. This will be different across countries, but for now enterprise security professionals and consultants, risk managers, and service providers need to be better prepared.

From an enterprise perspective, organizations will need to become far more skilled at determining their particular risk in the context of their business models and overarching regulations. Then it'll be critical to outline what new strategies, skills, processes, and technologies are needed to protect data.

For some, this could involve building new data protection offices to drive more repeatable security practices. For others with immature security disciplines, compliance will be more challenging and guaranteed only at a basic level. Perhaps that's enough for one new localized law relating to data retention, but not sustainable when you're a global operation and suddenly encounter a range of new regional regulations covering complex issues like personal information disclosure and customer profiling.

For cloud providers, aggregators, and brokers, new legislation around data sovereignty and cross-border data transfers will present thorny challenges. But it will also offer the opportunity to benefit from new service offerings -- "data location guaranteed" service levels, for example. Many SaaS providers will also rise to the challenge by offering complementary security services to their core offerings, while security software vendors and service providers could deliver tools addressing complex issues in areas like mobile content management, data leakage prevention, and security forensics.

Of course, great businesses won't wait for legislation. They're already working to understand new IT security risks and maintaining the trust of their customers through better people, process, and technology. The question: Are you doing the same?

Peter Waterhouse is a senior technical marketing advisor for CA Technologies' strategic alliance, service providers, cloud, and industry solutions businesses.

Comments

Laurianne,
User Rank: Apprentice
3/12/2014 | 9:30:54 AM
More regs?
Our own security expert Mathew Schwartz has argued more financial penalties are necessary in order to make some retailers bear down on security. Structuring those rules to ensure that both retailers and the major credit card companies make changes (changes that will require serious financial investment) will be no small feat. Do you agree, readers?
Lorna Garey,
User Rank: Ninja
3/12/2014 | 10:54:32 AM
Variable-size teeth
Here's what's smart: "fines of up to 5% of annual revenue are being proposed for noncompliance."

Part of the problem with HIPAA and some other regs is that for large institutions, it's less expensive to pay the fines than to do the work to comply. Yet if fines were high enough to really bite those orgs, they'd put small practices out of business. A sliding scale is needed.
Ariella,
User Rank: Apprentice
3/12/2014 | 7:25:59 PM
Re: Variable-size teeth
@Lorna that makes sense. For some companies the fines are a relative drop in the bucket. 
PeteJW,
User Rank: Apprentice
3/13/2014 | 6:42:43 PM
Re: Variable-size teeth
Interesting - I quite like the idea of variable-sized teeth, though how easy it would be to administer and control I'm not so sure. IMO regulations have to be more prescriptive so that large organizations can't manoeuvre their way around by achieving only the very basic levels of compliance -- tick-in-the-box approach.
pfretty,
User Rank: Apprentice
3/19/2014 | 1:13:03 PM
Culture
These ongoing events should be a wake-up call for organizations around the importance of a security-first culture. Beyond simply integrating the best technologies, fighting this fight means embracing an education-based strategy that improves awareness and ultimately helps bring costs back under control. Some interesting stats that paint the full picture are within the 2013 HP Ponemon Cost of Cyber Crime report, available here: (http://www.hpenterprisesecurity.com/ponemon-study-2013).

Peter Fretty (j.mp/pfrettyhp)