

09:06 AM
Snowden, Bitcoin, Data Breaches Foretell New Regulations

It's inevitable that more businesses will be penalized for breaking customer trust. Is your enterprise prepared for new security laws?

Through the disclosures of whistleblowers like Edward Snowden and the recent high-profile Mt. Gox Bitcoin heist, issues around information privacy and data protection are being fiercely debated across the globe. And while opinion is polarized on Snowden's motivations and on the viability of cryptocurrency, discussions around intelligence-gathering exercises and security failures are intensifying.

So much so that countries, businesses, government agencies, consumer bodies, and citizens are revisiting security, from new regulations and the law to Facebook profile settings. All of this is a good thing, especially the regulations part.

We know from history that laws follow business failures -- like the calamitous corporate accounting scandals that spawned the Sarbanes-Oxley Act (SOX). Unfortunately, when it comes to IT security, government oversight has often taken the form of guidelines that are out of touch with digital realities and lack the teeth to address complex security and compliance issues across mobility, the cloud, and big data.


And because they're mostly unenforceable, government directives are open to interpretation by the businesses operating within their domain -- plus, of course, there are the furious lobbying efforts by parties with a vested interest in blunting the teeth of any regulation.

But all this is gradually changing, and I expect the pace and relevance of regulation to increase and improve. This will be driven not only by whistleblowing revelations, but also by the fallout from major risk scenarios playing out on many levels, affecting countries (the Stuxnet worm) and businesses (the Target breach of credit and debit card data from as many as 40 million customers), not to mention the theft of roughly $450 million worth of Bitcoins from the Mt. Gox exchange (which filed for bankruptcy as a result).

Just last year, the European Union adopted a breach notification regulation for providers of electronic communications services. It requires companies to notify their own country's competent national authority within 24 hours of a personal data breach being detected. And here's the sharp-teeth part: under the broader data protection regulation the EU is now drafting, fines of up to 5% of annual revenue are being proposed for noncompliance.

Now imagine that a similarly enforceable regulation were in place in the US and you were Target, which acknowledged the security issue some three weeks after attackers first got in. Not only would your brand be tarnished, but so would your bottom line -- potentially to the tune of many millions of dollars.

Of course, it could be argued that, in this scenario, authorities were notified as soon as the breach was detected -- but isn't that an open admission that your event monitoring and incident detection are lacking (by 21 days)? Even worse, Mt. Gox's immediate response to the exchange hack wasn't disclosure at all, but rather concealing the problem by refusing to honor withdrawal requests from depositors.

All this won't cut it with consumers, who are already initiating a number of class actions with a similar ring -- "failing to provide reasonable and appropriate security measures to protect personal information." They're also gaining the attention of government officials such as US senators Chuck Schumer (D-NY) and Richard Blumenthal (D-CT), who are calling for companies to be held accountable for -- guess what -- "failing to take appropriate security measures to protect personal information."

So it's not a stretch to see major security events becoming the impetus for new legislation.

Failing to protect against the latest security events and associated risks will have profound implications for businesses when legislation catches up to technology and gains more teeth. This will be different across countries, but for now enterprise security professionals and consultants, risk managers, and service providers need to be better prepared.

From an enterprise perspective, organizations will need to become far more skilled at determining their particular risk in the context of their business models and overarching regulations. Then it'll be critical to outline what new strategies, skills, processes, and technologies are needed to protect data.

For some, this could involve building new data protection offices to drive more repeatable security practices. For others with immature security disciplines, compliance will be more challenging and guaranteed only at a basic level. Perhaps that's enough for one new localized law relating to data retention, but not sustainable when you're a global operation and suddenly encounter a range of new regional regulations covering complex issues like personal information disclosure and customer profiling.

For cloud providers, aggregators, and brokers, new legislation around data sovereignty and cross-border data transfers will present thorny challenges. But it will also offer the opportunity to benefit from new service offerings -- "data location guaranteed" service levels, for example. Many SaaS providers will also rise to the challenge by offering security services complementary to their core offerings, while security software vendors and service providers could deliver tools addressing complex issues in areas like mobile content management, data loss prevention (DLP), and digital forensics.

Of course, great businesses won't wait for legislation. They're already working to understand new IT security risks and maintaining the trust of their customers through better people, process, and technology. The question: Are you doing the same?


Peter Waterhouse is a senior technical marketing advisor for CA Technologies' strategic alliance, service providers, cloud, and industry solutions businesses.

User Rank: Apprentice
6/9/2015 | 1:54:11 AM
Snowden was a hero, as far as risking his own life, destroying his personal life to tell us what was going on inside the government. Big Brother 84 is here. Thank you, Mr. Snowden, for your bravery, and you are my American hero! As for those who would doubt his motive, you are a shame, a wimp! The real traitors are those who say nothing when wrong is being done.
User Rank: Apprentice
3/19/2014 | 1:13:03 PM
These ongoing events should be a wake-up call for organizations around the importance of a security-first culture. Beyond simply integrating the best technologies, fighting this fight means embracing an education-based strategy that improves awareness and ultimately helps bring costs back under control. Some interesting stats that paint the full picture are within the 2013 HP Ponemon Cost of Cyber Crime report, available here: (http://www.hpenterprisesecurity.com/ponemon-study-2013).


Peter Fretty (j.mp/pfrettyhp)
User Rank: Apprentice
3/13/2014 | 6:42:43 PM
Re: Variable-size teeth
Interesting -- I quite like the idea of variable-sized teeth, though how easy it would be to administer and control I'm not so sure. IMO regulations have to be more prescriptive so that large organizations can't manoeuvre their way around by achieving only the very basic levels of compliance -- a tick-in-the-box approach.
User Rank: Apprentice
3/12/2014 | 7:25:59 PM
Re: Variable-size teeth
@Lorna that makes sense. For some companies the fines are a relative drop in the bucket. 
Lorna Garey
User Rank: Ninja
3/12/2014 | 10:54:32 AM
Variable-size teeth
Here's what's smart: "fines of up to 5% of annual revenue are being proposed for noncompliance."

Part of the problem with HIPAA and some other regs is that for large institutions, it's less expensive to pay the fines than to do the work to comply. Yet if fines were high enough to really bite those orgs, they'd put small practices out of business. A sliding scale is needed.
User Rank: Apprentice
3/12/2014 | 9:30:54 AM
More regs?
Our own security expert Mathew Schwartz has argued that more financial penalties are necessary in order to make some retailers bear down on security. Structuring those rules to ensure that both retailers and the major credit card companies make changes (changes that will require serious financial investment) will be no small feat. Do you agree, readers?