It's inevitable that more businesses will be penalized for breaking customer trust. Is your enterprise prepared for new security laws?

Peter Waterhouse, Senior Technical Marketing Advisor, CA Technologies

March 12, 2014

5 Min Read

Through the activities of "whistle blowers" like Edward Snowden and the recent high-profile Mt. Gox Bitcoin heist, issues around information privacy and data protection are being fiercely debated across the globe. And while opinion is polarized on Snowden's motivations or the viability of crypto-currency, discussions around intelligence gathering exercises and security failures are intensifying.

So much so that countries, businesses, government agencies, consumer bodies, and citizens are revisiting security, from new regulations and the law to Facebook profile settings. All of this is a good thing, especially the regulations part.

We know from history that laws follow business failures -- like the calamitous corporate accounting scandals that spawned SOX (Sarbanes-Oxley) legislation. Unfortunately, when it comes to IT security, government oversight has often taken the form of guidelines that are out of touch with digital realities and lack the teeth to address complex security and compliance issues across mobility, the cloud, and big data.

[Leaked accounts showing 100,000 bitcoins remain missing. Read Mt. Gox Chief Stole 100,000 Bitcoins, Hackers Claim]

And since they're mostly unenforceable, the government directives are open to interpretation by the businesses operating within their domain -- plus, of course, there are the furious lobbying efforts by parties with a vested interest in "blunting the teeth" of any regulation.

But all this is gradually changing, and I expect the pace and relevance of regulation to increase and improve. This will be not only as a result of "whistle blowing" revelations, but also due to the fallout from major risk scenarios playing out on many levels, affecting countries (Stuxnet virus) and businesses (the Target breach of credit and debit card data from as many as 40 million customers), not to mention the theft of $450 million of Bitcoins from the Mt. Gox exchange (which filed for bankruptcy as a result).

Just last year, the European Union ratified a breach notification regulation for electronic communications services. It states that companies must notify their own country's national data protection agency within 24 hours of a security breach being detected. And here's the sharp-teeth part -- fines of up to 5% of annual revenue are being proposed for noncompliance.

Now imagine if a similar enforceable regulation were in place in the US and you were Target (acknowledging a security issue three weeks after the first breach). Not only has your brand been tarnished, but also your bottom line -- potentially to the tune of millions of dollars.

Of course, it could be argued that, in this scenario, authorities were notified as soon as the breach was detected, but isn't that an open admission that your event monitoring and incident detection are lacking (by 21 days)? Even worse, Mt. Gox's immediate response to the Bitcoin exchange hack wasn't even disclosure, but rather concealing the problem by refusing to honor withdrawal requests from depositors.

All this won't cut it with consumers, who are already initiating a number of class actions with a similar ring -- "failing to provide reasonable and appropriate security measures to protect personal information." They're also gaining the attention of government officials such as US senators Chuck Schumer (D-NY) and Richard Blumenthal (D-CT), who are calling for companies to be held accountable for -- guess what -- "failing to take appropriate security measures to protect personal information."

So it's not a stretch to see major security events becoming the impetus for new legislation.

Failing to protect against the latest security events and associated risks will have profound implications for businesses when legislation catches up to technology and gains more teeth. This will be different across countries, but for now enterprise security professionals and consultants, risk managers, and service providers need to be better prepared.

From an enterprise perspective, organizations will need to become far more skilled at determining their particular risk in the context of their business models and overarching regulations. Then it'll be critical to outline what new strategies, skills, processes, and technologies are needed to protect data.

For some, this could involve building new data protection offices to drive more repeatable security practices. For others with immature security disciplines, compliance will be more challenging and guaranteed only at a basic level. Perhaps that's enough for one new localized law relating to data retention, but not sustainable when you're a global operation and suddenly encounter a range of new regional regulations covering complex issues like personal information disclosure and customer profiling.

For cloud providers, aggregators, and brokers, new legislation around data sovereignty and cross-border data transfers will present thorny challenges. But it will also offer the opportunity to benefit from new service offerings -- "data location guaranteed" service levels, for example. Many SaaS providers will also rise to the challenge by offering complementary security services to their core offerings, while security software vendors and service providers could deliver tools addressing complex issues in areas like mobile content management, data leakage prevention, and security forensics.

Of course, great businesses won't wait for legislation. They're already working to understand new IT security risks and maintaining the trust of their customers through better people, process, and technology. The question: Are you doing the same?

WebRTC, wireless, video, unified communications, contact centers, SIP trunking, the cloud: All of these topics and more make up the focus for Enterprise Connect 2014, the leading conference and expo on enterprise communications and collaboration. Across four days, you'll meet thought- and market-leaders from across the industry and access the information you need to implement the right communications and collaboration products, services, software, and architecture for your enterprise. Find out more about Enterprise Connect and register now. It happens March 17-20.

About the Author(s)

Peter Waterhouse

Senior Technical Marketing Advisor, CA Technologies

Peter Waterhouse is a senior technical marketing advisor for CA Technologies' strategic alliance, service providers, cloud, and industry solutions businesses.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights