Data Privacy in the Age of Regulations
This past year was a big year for data breaches, new privacy laws and cracking down on existing regulations. British Airways faces a £183m fine after hackers stole credit card details from nearly 400,000 customers. Many other big names were hit too. Facebook. Equifax. Twitter. Marriott. Google. They’ve all been hacked.
The reason? Sometimes it was due to outdated security systems and other times it was the funny idea that big corporations can only fall victim to attacks from Mission Impossible-type massive spy operations.
Let me tell you something: ALL companies are susceptible to attacks – and the attacks don’t have to be very sophisticated in order to work. With the latest technology on the market, hackers with just a basic skill level can use commonly available tools to overcome the most expensive security measures. So now it’s no longer a question of “if I’m attacked” but “when”.
The world is changing, your network is changing and hackers are on a winning streak. But enterprises can limit the effects of these attacks through awareness and preparation.
To provide guidance on what businesses should be doing to protect themselves and their customers from data theft, several compliance mandates have sprung up in recent years. Compliance with these standards include strict cybersecurity measures, software and sometimes hardware requirements, together with regular vulnerability testing, storage policies, access management, data breach notification, installation of security patches and more.
It would be impossible to cover all privacy regulations here, but I’d like to point out some of the important ones below. These include the PCI-DSS, GDPR, CCPA HIPAA, ECPA, CDSA and NERC CIP. This may sound a bit like alphabet soup, but if you manage an enterprise or you are responsible for its IT security, at least one of these regulations probably applies to you.
Since Beyond Security was one of the first to achieve an Approved Scanning Vendor (ASV) status for the PCI DSS, let’s start with that.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements created by the major credit card companies to protect both consumers and businesses from credit card fraud.
The PCI DSS doesn’t have any legal authority, but if your business would like to process credit card transactions, then you must abide by their standards. Moreover, if you don’t, you could be fined or lose your right to accept credit cards.
These standards can be boiled down to 6 main points including:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
The General Data Protection Regulation (GDPR), which is an especially hot topic these days, was created about 3 years ago but implemented just last year in an attempt to reform data protection for European consumers.
GDPR compliance includes:
- Choosing a Data Protection Officer (DPO)
- Training staff on GDPR compliance
- Informing your customers how you intend to store, process and share data
- Conducting a Data Protection Impact Assessment (DPIA)
- Notifying authorities within 72 hours of a breach
Much like the PCI, if you do not comply with the GDPR, your company could take a large financial hit. Infringements can result in a €20m fine or 4% of the firm’s worldwide annual revenue.
Signed into law two years ago, and going into effect New Year’s Day, the California Consumer Privacy Act (CCPA) is California’s answer to the GDPR. But the bill, meant to protect consumer data, will likely spread to the rest of the United States due to the impact it will have on California’s many nation-wide industries.
In order to be CCPA compliant, businesses must:
- Comply with consumer requests regarding the handling of their personal data
- Disclose data collection policies
- Restrict how much personal data can be collected
- Offer the same level of service to customers who exercise their right to privacy
- Ensure third-party data sharing meets CCPA compliance
The CPA is not a set of guidelines; it will be the law. The California Attorney General could fine you up to $2,500 if you violate any of the CCPA’s rules.
The Health Insurance Portability and Accountability Act (HIPAA) was created to protect health insurance coverage in the event of a job loss or change as well as health data privacy, integrity and availability.
All businesses who have access to patient information must abide by administrative, physical and technical requirements including:
- Training staff on HIPAA compliance
- Choosing a HIPAA compliance officer
- Assigning unique identifiers for providers, patients and employees
- Conducting regular vulnerability scans
- Defining clear processes for handling data breaches
Non compliance could cost businesses $100 to $50,000 per violation (or per record) and penalties up to $1.5 million per year and imprisonment in severe cases.
The Electronic Communications Privacy Act (ECPA) was passed in 1986 in an effort to protect citizens from unnecessary surveillance and data theft by law enforcement and the government. There have been many provisions since, including the Wiretap Act, the Stored Communications Act, the Pen Register Act, the USA Patriot Act and the Email Privacy Act.
All amendments under the ECPA require providers to obtain a subpoena, warrant or court order before honoring government requests for user data; that’s right: Companies can and should tell government authorities “no” if they do not follow the proper procedures. This is a basic American right – to not have property seized without a proper warrant. Businesses who do not honor that right are subject to fines up to $500,000 and those held responsible for non-compliance may face lawsuits and imprisonment.
The ECPA protects wire, oral and electronic communications including:
- Telephone conversations
- Data stored electronically
- Browsing history
- Radio transmissions
The Content Delivery and Security Association (CDSA) was founded in 1970 as a non-profit to protect entertainment, software and information content. Earlier in the year, the CDSA updated its guidelines to include TV and film cybersecurity.
The CDSA’s Production Security Working Group (PSWG) published 5 documents detailing industry security standards for the TV and film industry.
These guidelines include:
- Security training
- Access management
- Defining assets and the perimeter
- Data monitoring
- Vulnerability assessment
It’s unclear what penalties will be incurred if productions or individuals on these productions are found to be non-compliant, but these standards are a great step in this evolving industry that suddenly found itself dealing with the same types of threats as software companies.
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a set of security standards meant to protect electronic systems from cyber threats.
Compliance with CIP standards includes:
- Cybersecurity training
- Asset identification
- Security management controls
- Systems security management
- Vulnerability assessment and management
- Critical infrastructure penetration testing
- Malware prevention
- Incident reporting and recovery
Non-compliance with NERC CIP may include fines, sanctions and penalties.
Data privacy and protection regulations provide businesses with checklists to manage the risks from both known and unknown vulnerabilities and a way to make sure they conform with the regulations. The end goal is security improvement and awareness.
Most businesses will be attacked, but if you comply with these data privacy standards and perform regular security testing, you can protect your business and your customers from loss of data. You can then rest assured, even in the event of an attack, knowing you did everything you could do to protect your business from fines, legal action and damaged reputation.
Written by Aviram Jenik
We had an impossible mission: transform the hackers brain into a machine. Mission accomplished. Using automated software, Beyond Security is dedicated to finding common vulnerabilities and zero-day exploits at a fraction of the cost of human-based penetration testing. Businesses around the world have been relying on Beyond Security's vulnerability and compliance solutions since 1999. Whether you need to accurately assess and manage security weaknesses in your networks, applications, industrial systems or networked software, we're here for you - one step ahead of the hackers.