4 predictions for 2020: Looking into the regulatory crystal ball
Moving into the second month of 2020, data privacy and security is still headline news. At the end of January, the United Nations called for additional investigations into the Jeff Bezos iPhone breach. Meanwhile, Cisco Systems fixed a vulnerability in its Webex application that enabled remote attackers to gain access to meetings.
The first harbingers of the 2020 regulatory compliance landscape crawled out of the proverbial woodwork when the United States Senate proposed establishing a Cybersecurity State Coordinator. The National Institute of Standards and Technology (NIST) is considering a DevSecOps framework, and the United Kingdom proposed an Internet of Things (IoT) cybersecurity law.
The short story: 2020 is going to be another year of sweeping information security compliance requirements. The bigger question is: What types of changes can we predict for 2020?
Data is the new currency
Malicious actors want data because it has financial value. According to the 2019 Data Breach Investigations Report, 71% of the data breaches perpetrated by malicious actors were motivated by money.
Data’s commodification makes it a new type of currency. Organizations collect it and share it for financial reasons.
Both the 2018 India Data Protection Regulation and the never-passed New York Privacy Act included a new term: “data fiduciary.” At first glance, this terminology may appear innocuous, but for organizations, it could be disastrous if it gains traction.
Legally speaking, a fiduciary duty is one of the highest standards of care. At its core, a fiduciary duty requires people or organizations with guardianship over something of value to act in the best interests of the “something’s” owner. For example, a Board of Directors owes shareholders a fiduciary duty, meaning it must conduct business in the best interests of the shareholders and company. Since the Board acts on behalf of the shareholders, it cannot do only what is in its own best interests; it must act against its own interests if that protects the interests of the shareholders. In other words, the Board can’t do something with the shareholders’ money that hurts those people while helping itself.
Similarly, if more laws incorporate the idea of a “data” fiduciary duty, organizations will need to think more carefully about how they use data. While the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) started the ball rolling, they do not place this level of scrutiny on companies. The term “data fiduciary” shows that governments recognize data’s financial value and understand that they need to set a more stringent duty of care over those who collect, transfer and store it.
Ignorance is not an excuse
Vendor risk management compliance requirements will continue to hold companies accountable when they fail to manage the effectiveness of their vendors’ controls. Business partners such as SaaS vendors and other cloud-based service providers can be a weak link in the data security supply chain.
As companies move towards “zero trust” models, the old “Trust but verify” adage simply moves to “verify.” Ignorance does not protect from lawsuits and regulatory fines.
Although not new, the push to hold organizations accountable for the security failures of their business partners remains a primary regulatory priority. Logically, this positioning makes sense. While a company may not feel that fines or breaches make data security a priority, it will look to losses within the revenue stream as a reason for focusing on information security.
Peer pressure, just as in middle school, is the primary carrot dangling off the regulatory stick. If a company isn’t meeting compliance requirements, it likely isn’t secure. If it isn’t secure, then customers will leave before they are willing to face the impending lawsuits and fines arising from noncompliance.
More technology, more monitoring
The bureaucratic red tape that limits legislation and industry standards organizations means that many compliance requirements are outdated before the ink dries. Recognizing that point-in-time compliance no longer effectively proves an organization’s security posture, compliance requirements increasingly incorporate continuous monitoring across the organization’s IT ecosystem.
More interestingly, a growing number of compliance standards and requirements focus on integrating technology to protect technology. For example, the 2019 version of the HITRUST Cybersecurity Framework (HITRUST CSF) consistently reiterates the importance of using “automated mechanisms” to support monitoring and control effectiveness.
Although compliance mandates continue to focus on assessing risk before implementing controls and monitoring, even mid-sized organizations may need to start investing in technology to manage security over their technology.
Privacy for the people
Both the GDPR and the CCPA paved the way for giving consumers greater control over their personally identifiable information (PII). With individual states and countries establishing extraterritorial privacy regulations, global organizations will continue to struggle to meet diverse and divergent compliance requirements.
On a small scale, the fragmented state-by-state privacy regulations in the United States create a compliance burden. However, even within geographic regions such as Asia and South America, organizations find themselves needing to meet multiple privacy standards. Brazil’s 2019 Lei Geral de Proteção de Dados Pessoais (LGPD) privacy regulation incorporates extraterritorial requirements that impact all business conducted with Brazilian residents, regardless of the South American country in which the organization operates.
With every new regulation, organizations can expect stricter access controls for internal users, not just controls that mitigate the threats of external access. The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act shifted its language from “unauthorized acquisition” to “unauthorized access.” The shift means the trigger is no longer limited to an unauthorized user taking possession of information, such as by downloading it. The language shows a move toward tightening authorized users’ access to resources and enforcing least-privilege best practices.
Conclusion: What’s the key takeaway?
Compliance is going to be the privacy and security stick of 2020. Governments and industry standards organizations no longer trust businesses to protect data on their own. Because the media focused its attention on data breaches in 2019, voters, governments and industry standards organizations will continue to push companies to focus resources on protecting information.
- Jeff Bezos iPhone Hack: UN Experts Call for Investigation Into Saudi Crown Prince, inc.com
- Cisco Webex Flaw Lets Unauthenticated Users Join Private Online Meetings, Threatpost
- A BILL To require the Director of the Cybersecurity and Infrastructure Security Agency to establish a Cybersecurity State Coordinator in each State, and for other purposes, hassan.senate.gov
- Mandatory IoT Security in the Offing with U.K. Proposal, Threatpost
- Results and analysis, Verizon
- India: Data Protection 2019, ICLG.com
- AN ACT to amend the general business law, in relation to the management and oversight of personal data, legislation.nysenate.gov
- HITRUST CSF®, HITRUST Alliance