Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:06 AM
Connect Directly

Snowden, Bitcoin, Data Breaches Foretell New Regulations

It's inevitable that more businesses will be penalized for breaking customer trust. Is your enterprise prepared for new security laws?

Through the activities of "whistle blowers" like Edward Snowden and the recent high-profile Mt. Gox Bitcoin heist, issues around information privacy and data protection are being fiercely debated across the globe. And while opinion is polarized on Snowden's motivations or the viability of crypto-currency, discussions around intelligence gathering exercises and security failures are intensifying.

So much so that countries, businesses, government agencies, consumer bodies, and citizens are revisiting security, from new regulations and the law to Facebook profile settings. All of this is a good thing, especially the regulations part.

We know from history that laws follow business failures -- like the calamitous corporate accounting scandals that spawned SOX (Sarbanes-Oxley) legislation. Unfortunately, when it comes to IT security, government oversight has often taken the form of guidelines that are out of touch with digital realities and lack the teeth to address complex security and compliance issues across mobility, the cloud, and big data.

[Leaked accounts showing 100,000 bitcoins remain missing. Read Mt. Gox Chief Stole 100,000 Bitcoins, Hackers Claim]

And since they're mostly unenforceable, the government directives are open to interpretation by the businesses operating within their domain -- plus, of course, there are the furious lobbying efforts by parties with a vested interest in "blunting the teeth" of any regulation.

But all this is gradually changing, and I expect the pace and relevance of regulation to increase and improve. This will be not only as a result of "whistle blowing" revelations, but also due to the fallout from major risk scenarios playing out on many levels, affecting countries (Stuxnet virus) and businesses (the Target breach of credit and debit card data from as many as 40 million customers), not to mention the theft of $450 million of Bitcoins from the Mt. Gox exchange (which filed for bankruptcy as a result).

Just last year, the European Union ratified a breach notification regulation for electronic communications services. It states that companies must notify their own country's national data protection agency within 24 hours of a security breach being detected. And here's the sharp-teeth part -- fines of up to 5% of annual revenue are being proposed for noncompliance.

Now imagine if a similar enforceable regulation were in place in the US and you were Target (acknowledging a security issue three weeks after the first breach). Not only has your brand been tarnished, but also your bottom line -- potentially to the tune of millions of dollars.

Of course, it could be argued that, in this scenario, authorities were notified as soon as the breach was detected, but isn't that an open admission that your event monitoring and incident detection are lacking (by 21 days)? Even worse, Mt. Gox's immediate response to the Bitcoin exchange hack wasn't even disclosure, but rather concealing the problem by refusing to honor withdrawal requests from depositors.

All this won't cut it with consumers, who are already initiating a number of class actions with a similar ring -- "failing to provide reasonable and appropriate security measures to protect personal information." They're also gaining the attention of government officials such as US senators Chuck Schumer (D-NY) and Richard Blumenthal (D-CT), who are calling for companies to be held accountable for -- guess what -- "failing to take appropriate security measures to protect personal information."

So it's not a stretch to see major security events becoming the impetus for new legislation.

Failing to protect against the latest security events and associated risks will have profound implications for businesses when legislation catches up to technology and gains more teeth. This will be different across countries, but for now enterprise security professionals and consultants, risk managers, and service providers need to be better prepared.

From an enterprise perspective, organizations will need to become far more skilled at determining their particular risk in the context of their business models and overarching regulations. Then it'll be critical to outline what new strategies, skills, processes, and technologies are needed to protect data.

For some, this could involve building new data protection offices to drive more repeatable security practices. For others with immature security disciplines, compliance will be more challenging and guaranteed only at a basic level. Perhaps that's enough for one new localized law relating to data retention, but not sustainable when you're a global operation and suddenly encounter a range of new regional regulations covering complex issues like personal information disclosure and customer profiling.

For cloud providers, aggregators, and brokers, new legislation around data sovereignty and cross-border data transfers will present thorny challenges. But it will also offer the opportunity to benefit from new service offerings -- "data location guaranteed" service levels, for example. Many SaaS providers will also rise to the challenge by offering complementary security services to their core offerings, while security software vendors and service providers could deliver tools addressing complex issues in areas like mobile content management, data leakage prevention, and security forensics.

Of course, great businesses won't wait for legislation. They're already working to understand new IT security risks and maintaining the trust of their customers through better people, process, and technology. The question: Are you doing the same?

WebRTC, wireless, video, unified communications, contact centers, SIP trunking, the cloud: All of these topics and more make up the focus for Enterprise Connect 2014, the leading conference and expo on enterprise communications and collaboration. Across four days, you'll meet thought- and market-leaders from across the industry and access the information you need to implement the right communications and collaboration products, services, software, and architecture for your enterprise. Find out more about Enterprise Connect and register now. It happens March 17-20.

Peter Waterhouse is a senior technical marketing advisor for CA Technologies' strategic alliance, service providers, cloud, and industry solutions businesses. View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/9/2015 | 1:54:11 AM
Snowden,was a hero,as far as risking his own life,destroying his personel life to tell us what was going on inside the goverment.Big brother 84 is here.thank you MR Snowden for you bravery and you are my American hero! As for those who would doubt his motive,you are a shame a wimp! the real trators are those who say nothing,when wrong is being done.
User Rank: Apprentice
3/19/2014 | 1:13:03 PM
These ongoing events should be a wake-up call for organizations around the importance of a security first culture. Beyond simply integrating the best technologies fighting this fight means embracing an education-based strategy that improves awareness and ultimately helps bring costs back under control.  Some interesting stats that paint the full picture within the 2013 HP Ponemon Cost of Cyber Crime report available here: (http://www.hpenterprisesecurity.com/ponemon-study-2013).  


Peter Fretty (j.mp/pfrettyhp)
User Rank: Apprentice
3/13/2014 | 6:42:43 PM
Re: Variable-size teeth
Interesting - I quite like the idea of variable-sized teeth, though how easy it would be to administer and control I'm not so sure. IMO regulations have to be more prescriptive so that large organiztions can't manouvre their way around by achieving only the very basic levels of compliance -- tick-in-the-box approach.
User Rank: Apprentice
3/12/2014 | 7:25:59 PM
Re: Variable-size teeth
@Lorna that makes sense. For some companies the fines are a relative drop in the bucket. 
Lorna Garey
Lorna Garey,
User Rank: Ninja
3/12/2014 | 10:54:32 AM
Variable-size teeth
Here's what's smart: "fines of up to 5% of annual revenue are being proposed for noncompliance."

Part of the problem with HIPAA and some other regs is that for large institutions, it's less expensive to pay the fines than to do the work to comply. Yet if fines were high enough to really bite those orgs, they'd put small practices out of business. A sliding scale is needed.
User Rank: Apprentice
3/12/2014 | 9:30:54 AM
More regs?
Our own security expert Mathew Schwartz has argued more financial penalties are necessary in order to make some retailers bear down on security. Structuring those rules to ensure that both retailers and the major credit card companies make changes (changes that will require serious financial investment) will be no small feat. Do you agree readers?
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-21
Multiple cross-site scripting (XSS) vulnerabilities in Chyrp before 2.1.2 and before 2.5 Beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) content parameter to includes/ajax.php or (2) body parameter to includes/error.php.
PUBLISHED: 2019-11-21
The web administrative portal in Zhone zNID 2426A before S3.0.501 allows remote authenticated users to bypass intended access restrictions via a modified server response, related to an insecure direct object reference.
PUBLISHED: 2019-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies SynaMan before 3.5 Build 1451, Syncrify before 3.7 Build 856, and SynTail before 1.5 Build 567
PUBLISHED: 2019-11-21
rConfig 3.9.2 allows devices.php?searchColumn= SQL injection.
PUBLISHED: 2019-11-21
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read.