In the face of 2017’s unprecedented, global ransomware attacks, the business community is approaching a new world of regulatory requirements, including the EU’s GDPR. Now, more local initiatives are beginning to crop up.
For example, the states of Delaware and Maryland both recently passed new laws requiring businesses to alert state residents affected by a data breach within a certain timeframe, and to notify the state attorney general if more than 500 residents are affected.
Many firms will probably opt for a less burdensome course: ignoring the new regulations and installing legal safeguards against possible lawsuits. At the same time, the growing cyberinsurance industry offers the hope of backstop financial protection against cyberattacks. Neither option amounts to a comprehensive data security posture, however, and both leave a firm as exposed to attack as before. Cyberinsurance providers are also likely to factor compliance risk into their premiums, which could mean a spike in coverage costs for firms that choose to ignore the new rules.
Kurt Long, CEO of the Florida-based data protection firm FairWarning, shared with Inside Counsel why law firms need to avoid the temptation of short-term thinking and simplistic solutions to take back control of their data.
“Government data regulations are sweeping the world in the wake of the 2017 global ransomware attacks. When consumer and citizen data is breached, trust erodes in our healthcare, finance, and government institutions,” he said. “Without trust, general consumer spending declines. Government regulations and the cyberinsurance industry are components to a multi-layer data protection strategy. When used properly, they can provide a final safety net for consumers impacted by a breached business or government institution, and hopefully, rebuild trust.”
The 2017 ransomware attacks are among the first wide-scale security breaches to disrupt critical services, including healthcare and finance, around the globe. Combined with the Equifax data breach disclosed in September 2017, they compromised consumers' personal and financial information at a massive scale. The disruption of services and the compromise of citizen information demonstrate the need for privacy, security and regulatory enforcement in the United States and around the world.
Today, most local regulation is at the state level. Per Long, state regulators feel the need to protect trust in the institutions that employ their citizens. Security breaches of financial, banking, health, and lending information ultimately erode trust in those institutions and result in reduced revenue and job losses. State regulators can move more quickly than federal regulators, who face a much longer negotiation path balancing myriad initiatives across the country.
“Cybersecurity insurance is a last stop, it’s not a replacement, it’s one more layer to a multi-faceted security strategy to secure your data,” he said.
Legal safeguards and cyberinsurance do not amount to a comprehensive data security posture, according to Long. In the Equifax breach, for instance, the attackers exploited a known, already-patched vulnerability in Apache Struts, the web-application framework behind one of Equifax's public-facing applications. Once breached, the consumer data is out the door with the attackers, who can commit fraud and other crimes whether or not the victim holds cyberinsurance. Up-to-date patching, network security, and application security are just a few of the other layers organizations need in addition to cyberinsurance.
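"Up-to-date patching" only means something if an organization can tell which of its deployed components sit inside a known-vulnerable version range. The script below is an editor-added illustration of that check, not code from the article or from FairWarning. It compares Maven-style dependency coordinates against the published affected ranges for the Struts flaw exploited at Equifax (CVE-2017-5638: struts2-core 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The dependency list is constructed sample input, not a real project's manifest, and the version parser is a deliberately simple assumption that handles dotted numeric versions only.

```python
"""Flag dependencies whose versions fall inside a known-vulnerable range.

Editor-added example, not code from the article. The vulnerable ranges for
CVE-2017-5638 (Apache Struts 2) are taken from the public advisory; the
sample dependency list at the bottom is constructed input.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Known-vulnerable ranges keyed by (group, artifact):
# each entry is (min_inclusive, max_inclusive).
# CVE-2017-5638: 2.3.5 - 2.3.31 and 2.5 - 2.5.10; fixed in 2.3.32 / 2.5.10.1.
VULNERABLE_RANGES = {
    ("org.apache.struts", "struts2-core"): [
        ("2.3.5", "2.3.31"),
        ("2.5", "2.5.10"),
    ],
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1).

    Simplifying assumption: only the leading digits of each dotted piece
    count; a piece with no leading digits (e.g. 'rc1') ends the version.
    """
    parts: list[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def in_range(version: str, lo: str, hi: str) -> bool:
    """True if lo <= version <= hi under tuple comparison.

    A shorter tuple sorts before a longer one with the same prefix, so
    2.5.10.1 is (correctly) above the 2.5 - 2.5.10 range.
    """
    v = parse_version(version)
    return parse_version(lo) <= v <= parse_version(hi)


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str


def parse_coordinates(line: str) -> Dependency:
    """Parse a Maven-style 'group:artifact:version' coordinate."""
    group, artifact, version = line.strip().split(":")
    return Dependency(group, artifact, version)


def audit(dependencies) -> list[tuple[Dependency, str]]:
    """Return (dependency, matched_range) for every vulnerable dependency."""
    findings = []
    for dep in dependencies:
        for lo, hi in VULNERABLE_RANGES.get((dep.group, dep.artifact), []):
            if in_range(dep.version, lo, hi):
                findings.append((dep, f"{lo} - {hi}"))
                break  # one finding per dependency is enough
    return findings


def audit_lines(lines) -> list[tuple[Dependency, str]]:
    """Convenience wrapper: audit raw coordinate lines."""
    return audit(parse_coordinates(line) for line in lines)


# Constructed sample input (hypothetical project, not a real manifest).
SAMPLE_DEPENDENCIES = [
    "org.apache.struts:struts2-core:2.3.31",    # inside the 2.3 range
    "org.apache.struts:struts2-core:2.5.10.1",  # the fixed release
    "org.apache.struts:struts2-core:2.5",       # lower edge of the 2.5 range
    "org.apache.commons:commons-lang3:3.5",     # not in the table at all
]

if __name__ == "__main__":
    for dep, rng in audit_lines(SAMPLE_DEPENDENCIES):
        print(f"PATCH NEEDED: {dep.group}:{dep.artifact}:{dep.version} "
              f"(vulnerable range {rng})")
```

Two caveats a practitioner would want: a version that sits inside the range but carries a vendor backport of the fix is a false positive this check cannot see, and a version below the lower bound is only "clean" with respect to this one advisory, not in general. The check is a floor for patch hygiene, not a substitute for a full dependency scanner.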
“Data security is now an executive and board level concern,” he explained. “We are seeing companies who have been breached cite major financial issues following a breach, from a drop in stock value to bankruptcy. Creating a data security strategy will provide a foundation to build upon for long term success. Short term thinking and short term solutions will not result in a durable organization.”
Long shared best practices for deploying a full-spectrum response to the emerging environment of constant cyberthreats, one that integrates technology, people, and processes into a single unified strategy: have a written security policy; adhere to the regulations specific to your industry, state and country, using their frameworks; put in place an incident response plan; rehearse that incident response plan; have a named officer for privacy, security and compliance; and treat privacy, security and compliance issues with board-level support.