A recent hack affected the U.S. Department of Veterans Affairs (VA) and put the personal information of approximately 46,000 veterans at risk. Cybercriminals stole personal information of veterans and then tried tricking VA employees into processing fraudulent payments into offshore bank accounts.
The stolen information included social security numbers and forced the agency to take its payment system down for days until a security review could be completed. As this example shows, personal data and computer systems are often compromised in the same event. To respond to a cyberattack like this one, organizations need to learn to take a combined perspective that includes data protection and cybersecurity.
A ONE LANE HIGHWAY
To see why treating cybersecurity and data privacy as two different challenges is a mistake, consider the recent case of Warby Parker. The Office for Civil Rights announced it is investigating eyeglass maker Warby Parker for its handling of the 2018 cybersecurity attack on thousands of its customer accounts, which could result in a massive fine.
In other words, the company was the victim of a cyberattack but compounded the failure by mishandling the data privacy rights of its customers. Organizations can respond to a cybersecurity incident by resetting passwords for the impacted accounts and adding new security measures. But if they fail to address the HIPAA privacy, security and breach notification rules for affected users, a company can be exposed to regulatory fines and consumer backlash. In Warby Parker’s case, the failure to investigate the privacy violations of its users slowed down the company’s planned public offering on the New York Stock Exchange.
How can an organization learn to address both issues at the same time and avoid this mistake? First, let’s define what we mean by cybersecurity and data privacy. Cybersecurity focuses on the specific technical implementations needed to protect your systems and networks. Whereas data protection centers on the information stored within a system, cybersecurity protects the system itself.
Data protection addresses data management, availability, prevention of unauthorized access, and applicable regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR). In other words, cybersecurity covers safety against cyberattacks, while data protection covers a set of issues related to data storage, management and access.
TWO WORLDS COMING TOGETHER
To face data breaches efficiently, organizations should adapt their daily workflow by combining cybersecurity and data protection. Here are some of the ways to do it:
- Unite data protection and cybersecurity skills. Skills are the foundation your specialists need to keep critical data safe from a range of threats. Your professionals should have sufficient skills to oversee each business process from both a security and a data protection perspective.
- Create a clear set of rules and procedures. You need to ensure that your company’s daily workflow is carefully planned according to industry regulations and security best practices. Ideally, you need an all-reaching plan that includes the design of your systems, maintenance, data management and access, and incident response. For each part of the plan, there should be a responsible person.
- Implement an integrated risk assessment. Using separate tools and methods for every type of risk may not give you full visibility into the security of your data. That’s why it’s a good idea to use end-to-end solutions that address all types of business, security and compliance risks.
- Develop a shared attitude toward data safety. Every employee must understand that a data breach can start from a routine action, such as installing a software-as-a-service (SaaS) app that turns out to be fake.
In addition, your staff needs to understand the risk a company faces related to compliance with laws. If an organization doesn’t know what personal data it has, where that personal data resides, and who has access to that personal data, compliance with data privacy laws like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the new Colorado Privacy Act (CPA) becomes nearly impossible.
THE RULES OF THE GAME
While GDPR, CCPA, and CPA are some of the most recent examples of relatively new data privacy laws, more than 100 countries have implemented data privacy legislation and many of those laws offer similar data access rights. Here are the most important rules and regulations to understand:
- HIPAA The Health Insurance Portability and Accountability Act protects the privacy of patient health records. Title II, in particular, governs the secure storage, processing, transfer and access of electronic protected health information (ePHI). HIPAA imposes compliance requirements on healthcare providers and related companies.
- GDPR The General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of individuals’ personal information within the European Union (EU). Organizations must comply regardless of their physical location or presence in the EU if they process or store data of EU subjects.
- Gramm-Leach-Bliley Act The Gramm-Leach-Bliley Act (GLBA) requires financial institutions and other entities that provide financial products—including loans, insurance, and investment advice—to safeguard sensitive data and to explain their information-sharing practices to customers.
- PCI-DSS The Payment Card Industry Data Security Standard (PCI-DSS) was developed to protect credit, debit and cash card transactions and to prevent misuse of cardholders’ personal information by any companies/merchants that electronically handle cardholder data. PCI imposes compliance requirements on any company that processes customer payments.
- CMMC The Cybersecurity Maturity Model Certification is a training, certification and third-party assessment program for cybersecurity. It is the next iteration of the NIST 800-171 compliance requirement, and DoD suppliers will be required to become CMMC-certified before bidding on any government contracts.
- Sarbanes-Oxley Act (SOX) The Sarbanes-Oxley Act (SOX) imposes expanded regulatory requirements governing all U.S. public companies, foreign companies with securities registered with the Securities and Exchange Commission, and public accounting firms. The primary goal of SOX is to prevent fraudulent financial reporting and to protect investors.
Do these compliance and security requirements feel like swimming in an alphabet soup? We can help you untangle your cybersecurity and data protection requirements for your business. If you’d like assistance addressing cybersecurity and data privacy issues, reach out to us today for a cybersecurity risk assessment.