Some potential buyers of security technologies may decline to purchase technologies that detect data breaches because if they don’t know of a breach, they believe they can avoid penalties under the recent regulations, GDPR and the new California Consumer Privacy Act. Such a strategy dooms companies to major breaches and potentially massive fines. Ostrich-minded security, an unintended consequence of GDPR and CCPA, increases cyber risk.
California’s new privacy law
The first step in GDPR-like policies impacting the U.S. is the California Consumer Privacy Act of 2018, which will undoubtedly have a huge impact on tech companies that must now adequately address consumer privacy concerns. Any business that transacts with people, online or offline, is now responsible for changing its relationship with customers, for the better. That act has three core pillars: anyone can opt out of having their data shared or sold, everyone has a fundamental right to know where their personal data is and with whom it is shared, and all have protection from companies who inadequately protect their data.
The act is clearly aimed at controlling businesses that gather Personally Identifiable Information (PII) (eg., data gathered when transacting or browsing on websites) giving consumers full control to opt out of the company’s data gathering activities, and to be fully informed of what data is gathered about them.
The fines under CCPA can scale to large financial losses
The loss of PII has real teeth, although it isn’t perhaps as severe as major GDPR violations:
Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
1. To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
So what is a reasonable security procedure and practices to protect PII from being lost? Will we now see an end to the breach-a-day reporting of one or another successful cyberattack? For those companies who “opt out” of fielding “reasonable” security architectures, their cyber risk analysis must be updated to account for losses due to fines under both GDPR and CCPA. You can do the math by simply counting the number of customer records that are lost, and applying the damage estimate plainly stated in the letter of the law.
What is a reasonable security procedure and practice?
Most security professionals understand the complexity of a security architecture, and perhaps have excellent cyber risk analyses to back their decisions. It is evident that security, and now privacy, must be taken very seriously. But nothing is perfect and overworked and highly stressed professionals can do silly things. They do, however, have important moral, ethical and professional standards to uphold in the mission to secure their corporations.
Reading the fine print of GDPR and CCPA might lull a security professional to think it is unwise to field a new security technology so that they avoid knowing when a breach has occurred. Such information requires all of the reporting and hard work to comply with these new regulations, and security teams are already overworked. Don’t scoff that this ostrich strategy isn’t real. It is. And it is potentially very costly to the organization.
Some years ago, I was tasked by DARPA to deploy and test a new intrusion detection system I invented that focused entirely on sophisticated (very) low and slow attacks against military networks. The sensor operated magnificently well and revealed a startling number of very sophisticated activities no other deployment was able to detect. Success was met with consternation, and the staff on site immediately unplugged and removed the device. Why? Their response was “we weren’t ordered to detect those attacks.” Silly, but true. It was an eye opener. Not knowing was considered safer. There was a real “need not to know”.
The ostrich strategy to security is an expensive risk
Can the ostrich strategy still exist in today’s commercial world? Are tougher regulations encouraging a desire not to know?
A recent sales opportunity disappointingly confirmed that the ostrich strategy is alive and well. There are clear implications that the organization has missed the point and has substantial risk it may not have accounted for – its own security personnel purposely ignoring reasonable means of detecting breaches quickly. It’s bottom line may now be at risk.
I paraphrase the security personnel’s remarks when being briefed about a new technology that quickly detects data loss utilizing a new data tracking technology, beacons:
I wouldn’t want to know or be alerted every time I may have incurred a data loss because it would start the 72 hour window clock [as stated in GDPR]. A part of me would just rather not get alerted if a sensitive document was opened in Russia. I would be afraid that I would get a lot of alerts.
I am quick to admit that the overwhelming majority of serious security professionals would not utter such a comment, although they may have a fleeting moment in their mind to think about hiding their head. The systemic nature of the breach-a-day culture is no longer tolerable, and the new financial risk to the bottom line of a corporation under these new regulations is real and substantial.
For those companies whose security professionals opt out of fielding reasonable security architectures, the CFO and compliance committees and officers ought to reconsider their cyber risk analysis, updated to account for losses due to fines under GDPR and CCPA. The return on investment in new security technology should be evident: loss is frequent given today’s security standards, and fines will mount far more than the cost of investing in new data loss security controls.
The CCPA regulation requires “reasonable security procedures and practices,” as does GDPR. Ignorance of a serious security event is unreasonable, and just like ignorance of the law, it is no defense.
This article is published as part of the IDG Contributor Network. Want to Join?