Updated: Sep 23, 2020
For executives and directors to establish compliance with government regulations in securing data, 3 important concepts must be observed – good security, quality control and cost awareness.
Number 1: The Government Knows What "Good" Security Looks Like and You Don't
Government policy statements on security and privacy are written at a very high level. Your organization’s data privacy and confidential data policies are likely written at a very high level as well. Policies are meant to be broad statements, such as “thou shalt protect personally identifiable information” or a similar decree. These policy statements are generic for a reason: technology changes, and umbrella clauses remove the need to keep up. It is difficult for the approving committees to find the time and resources to align the underlying technical details with security compliance. The knowledge and effort required to define minimally acceptable levels of security is therefore relegated to standards.
Many people stop here, thinking their interpretation of the policy statements gives them latitude in adopting security standards and applying security practices – it does, but to a much lesser degree than anticipated. Standards take a fair amount of effort and time for an organization to develop; some organizations do it well and have a mature security model. But the government is already a step ahead of the private sector – and that extra step is there for good reason. Recognizing that policy is far from definitive, the government has a standards body that provides clarity and direction: the National Institute of Standards and Technology, or NIST for short. NIST is part of the U.S. Department of Commerce and was founded on the principle of restoring the competitive advantage of the U.S. industrial complex by improving upon the second-rate standards that were common in the early 1900s. This is a very interesting point, because much of today’s internet is built on second-rate security practices – 72% of all cloud-based solutions have one or more significant security weaknesses that compromise the state of security within the solution. Fortunately, NIST has developed and matured a set of security standards that define what “good” security looks like. NIST security standards and guidelines have kept pace with technology deficiencies to minimize the potential for a data breach. Some organizations take advantage of NIST’s security standards to one degree or another; others employ a security model that lacks any semblance of “good”.
In recent data breach cases involving federal action – credit card data loss, patient data theft, child privacy breaches, etc. – NIST security standards have been cited by federal regulators as the measure of why an organization failed to protect sensitive information. In January 2018, the FTC fined VTech for children’s privacy violations. Organizations no longer have the excuse of ignorance or misunderstanding of what “good” security standards look like.
Let’s take a brief look at concepts that are generally omitted or ignored in an organization’s security standards. These security concepts are defined in NIST’s standards and are expected by federal regulators to be part of a reasonably secure solution; unfortunately, they are often the overlooked components of what “good” security looks like.
- Encrypts data as it is passed over a network – ensures your organization’s data remains safe from eavesdropping.
- Encrypts data while it resides on disk or other storage devices – ensures no one can walk off with a copy of your files and gain access to your data.
- Encrypts one or more data elements in a database or storage account – ensures database support team members cannot easily spy on your data.
National standards are now being used as a reference in legal actions by federal regulators to demonstrate security compliance expectations. The government knows what “good” security looks like and now you do too.
Number 2: The Government Knows How to Avoid Compromising on Quality and You Don't
Beyond “good” is quality, or the degree of excellence with which your organization adheres to security standards. Here’s a quick question – how much encryption is too much? Let’s say one of your IT managers can save money on a database licensing purchase for a public-facing portal. But the savings come at the expense of security; the lower-priced product lacks the security concepts required for “good” security. This person’s decision has compromised the security and integrity of your organization’s data. If this line of thinking remains unchecked, suddenly the organization no longer has the time, budget or resources to focus on security and protect the company’s best interests – protecting its customers and its data assets. Without the ability to measure a security decision against a standard, and without compliance enforcement, these decisions will continue to permeate an organization. Suddenly, at an individual’s discretion, the organization no longer has the time to fulfill its security obligations, some of which may exist in a client contract – the organization may no longer run regularly scheduled quarterly vulnerability scans and may no longer have the time to remediate critical security issues reported by a vendor.
Sound far-fetched? Equifax once thought along these lines. Equifax managers knew full well that patches needed to be applied, yet postponed remediation work – two months after a critical patch was released, Equifax suffered one of the worst data breaches in U.S. history. In a December 2017 settlement, the Department of Health and Human Services fined 21st Century Oncology more than $2M and levied sanctions for a significant data breach. 21st Century Oncology, a Florida-based oncology services provider, was penalized for its lack of quality security standards and its failure to implement practices that would have protected patient data.
21st Century Oncology will now participate in a 2-year corrective action plan with the government, hire a compliance officer to ensure quality is enforced, and retain evidence of compliance for the next 6 years.
Let’s say your organization acquires three new clients along with competing projects. Business is great. Your sales reps committed to tight deadlines, and one of the new clients has a very demanding compliance team that is applying pressure to address product quality issues – items that have nothing to do with security. Your team is running out of time. Your developers voice their concerns about security risks that are destined for deployment in the public realm, but their concerns fall on deaf ears and never make their way to upper management. Your organization lacks the process control that would otherwise ensure significant security risks are escalated to a senior leader. Your organization lacks quality control if it cannot prove it has taken sufficient measures to defend itself against a data breach. In the 21st Century Oncology case, the government concluded that the organization lacked sufficient compliance oversight to mitigate security risk and protect the safety of its patients.
Ignorance is common, but in the world of security, ignorance is not bliss. Security is a compliance obligation – and it is a binary operation: you are either compliant or you are not. If your organization operates in a regulated environment, such as healthcare, life sciences, energy or financial services, you cannot afford to be lax on security quality.
Security quality comes in the form of measuring security practices and configurations against a set of well-established standards and reporting those results to upper management to demonstrate compliance. Security quality is more than compliance – it is a way of life that empowers an organization to establish a competitive advantage. Now is the time for you to become a champion for security quality. The government knows what security quality looks like and now you do too.
Number 3: The Government Knows the True Cost of a Security Breach and You Don't
The true cost of a security breach is defined in what Convergency calls Penance Projects – the expenses that an organization will face to settle fines, compensate victims, defend itself, restore its image and implement best practices.
What is the average federal government fine per record? About $1, give or take 20 cents. Multiply that $1 by the total number of breached records and suddenly you could be looking at hundreds of thousands of dollars to well over a million dollars in fines.
Are you in a regulated environment? Does your industry’s regulator issue Corrective Action Plans (CAP/CAPA) or enforcement actions for failing to adhere to regulations? If so, day-to-day business activities at your organization are about to become challenging. The cases of VTech and 21st Century Oncology are the beginning of a new wave – the government has connected security lapses with the ability to enforce corrective action, and it is good business for the government, as it provides additional revenue. If you think you are going to escape federal oversight within the original corrective action period, you had better turn things around quickly and demonstrate that you are in control of your environment. Your organization will be the focus of, and will pay for, government audits. There will be plenty of required action imposed by the government – it is your organization’s remediation tax. Did your IT leader forgo routine vulnerability scans? You will be doing them now – on time and all the time. Were you thinking about prioritizing a client's needs above security patching? Think again. If you do, the duration of your Corrective Action Plan extends, along with its associated costs.
Beyond the fines, someone in the C-Suite who is directly responsible for security will lose his or her job. Blaming your service provider will not suffice. Shareholders insist there will be blood.
It is time to divert funds to goodwill campaigns – funds that had been earmarked for acquisitions, sales and cost-savings projects. These goodwill campaigns are costly and must routinely refocus the consumer’s mind on something other than sales.
Litigation expense starts to mount. California, Illinois, New York and 30+ other states will be suing your organization for privacy violations against their citizens. The large U.S. cities are going to join in as the need for local revenue continues to be an issue.
While the U.S. is tough, Europe is tougher. Avoid losing European citizen data after May 25, 2018 when Europe’s General Data Protection Regulation (GDPR) law takes effect. GDPR is going to hit your organization with a 20M EUR fine, or 4% of global sales, whichever is higher. Did you catch that? 4% of $1B in sales is a $40M fine – paid to the EU. Guidance from Convergency’s ears in Brussels tells us that the EU is eager to fine a U.S.-based company – Brussels is eager to prosecute. Some U.S.-based organization will be the first to start contributing to Europe’s economic recovery. Forrester predicts that at least one CEO will lose their job in 2018 due to violations of the GDPR.
Litigation penalties continue in the form of data breach notification. Under numerous laws, you are required to issue notification of the breach within 72 hours. Your customers and consumers are legally entitled to be notified about the loss of their personal information. In the U.S., breach notification comes in several flavors, thanks to the lack of uniformity among state laws. The variations alone get costly. Estimates for breach notification total more than $250k. Knowing what to say, how often to provide updates and how to comply with notification laws is complicated.
What are your plans for a PR campaign? Have you prepared plans on how best to present this incident to your shareholders? How about your future shareholders? What will prevent investors from dumping or shorting your company's stock? Did you think about what to say at that JP Morgan Investor Conference you scheduled at the end of the month? This security incident is going to be a red-hot topic. Somebody needs to find solid footing to ensure the stock price stabilizes in a reasonable period – it will eventually stabilize, because the market is fickle, but in the interim, prepare for a slide.
Act with integrity. Even if you have experienced a significant data breach, report it immediately and respond with good ethics. The concerns of your customer come first. Do not think about dumping company stock like the folks at Equifax. Do not think about how to avoid reporting it, like the folks at Uber. This is a significant issue, which requires proper handling and proper planning.
You can reduce the likelihood of a security breach and in doing so avoid the financial impact.
The government knows the fair market value of a data breach and the value of government enforcement oversight within your organization. The government knows the true cost of a security breach and now you do too.
Convergency LLC is an IT consulting and advisory firm that specializes in cloud architecture, cloud migration, cloud audit and security risk management services.