Hope everybody out there had a great Turkey Day! It's hard to believe that in just a few short days we will be coming into the last month of the year. Many things have transpired this year, but I won't get into them.
Probably some of the better news has been that the Cyber threat landscape, in my opinion, has not been nearly as volatile as the previous year, 2021. A lot of the fear was initially triggered by the Russian invasion of Ukraine, with people expecting large-scale Ransomware attacks to follow, but fortunately, nothing of the sort happened.
One issue that seems to have taken a back seat in the Cyber news headlines is the data privacy laws that were enacted just a few years ago. These include the GDPR, the CCPA, HIPAA, etc. Back in 2019, there was a lot of fear amongst businesses in Corporate America that they could fall victim to an audit and possibly face steep financial penalties. Under the GDPR, the fines can be punishing, up to 4% of gross revenues. Under the CCPA, the fines are a few thousand dollars per a certain number of PII records that have been stolen or leaked, and I am not too sure what the HIPAA fines are, because they can vary widely between healthcare organizations.
But once the COVID-19 pandemic hit, enforcement of these laws came to a screeching halt. The big catalyst in this was that money and liquidity soon became a serious concern, with everybody working from home (WFH) and the global shutdown that took place.
So, from 2020 to 2021, all was silent on enforcement. But now, as the news of COVID-19 has pretty much dissipated, talk of these laws has started up once again. The audits and financial penalties have started to occur, as I see when I peruse the Cyber news portals every day. But it seems to happen sporadically; there is really no "rhythm" to it (perhaps the regulators want to keep audits a surprise?).
But now, as we enter 2023, the data privacy laws coming down again will soon become a big fear once more. Why is this so? Here are some reasons:
*With the advancements of technology, especially the Internet of Things (IoT), people here in the United States now have much greater insight into how their PII is being gathered and disseminated. The American population now, more than ever before, has the right to have their data deleted from external third parties if they wish to. If the company does not reciprocate in kind, then the consumer has the right to file a lawsuit against it.
*There has been a mass migration to the Cloud by a lot of US based businesses, either into AWS or Microsoft Azure. Although the initial interest was in either private or public clouds, now it seems to be in the hybrid cloud. With this new trend, data leakages are almost becoming a de facto norm. In this regard, it seems to be AWS that is taking the brunt of the blow.
*Many companies have complained about the sheer high costs involved in coming into compliance. A lot of time and resources are spent on compliance checks and on either upgrading existing controls or simply putting brand new ones in place. Because of all this ruckus, organizations still have not come into full compliance, and thus are becoming a prime target for the federal regulators.
But on the flip side, apart from complaining about how high the costs are, businesses do have one very valid point in mind: the data privacy laws are simply too confusing to follow. Take for example the GDPR. Technically, this law was meant for EU based businesses of a certain revenue size. But keep in mind also that many US based businesses have offices in the EU. So how does this law affect them? Take the flip side: what if a US based company has no offices in the EU, but has a lot of customers from the EU? Is it still going to face audits and be penalized under this situation? There is a lot of head scratching going on over this one as well.
The CCPA has also left the same confusion upon businesses that have customers in the US but have their headquarters in another country. Will they still be audited in their own country because the CCPA is a law that originated and was passed in CA?
Again, another question that is yet to be answered. Another huge point of confusion is that many of the states here are coming out with their own version of the CCPA, or other types of data privacy statutes.
There is no uniformity, and no set of best practices and standards that businesses can follow so that everybody can be on the same playing field. For example again, what if a business is based in IN and has offices around most of the country? How would it even know where to get started in the compliance game if each state has its own concoction of what comprises data privacy?
Fueling more fire to this is that more laws have been passed, such as the following:
*The American Data and Privacy Act;
*The Data Privacy Shield 2.0.
Adding even more to this "Land Of Confusion" is the fact that many datasets are co-mingled with one another in order to process paperwork. The best example of this is the insurance industry. They need both the PII and PHI datasets from a claimant in order to process a filed claim, so that some sort of payout can be made.
My Thoughts On This:
It is expected that by 2023, 65% of the world's population will be under some sort of data privacy law. Thus, before we hit 100%, the time to act is now. I have always been a strong advocate of a Department of Cybersecurity, like the DHS.
The primary reason for this is that at least the bills that are introduced into Congress and the Senate will be centralized, and at this level the states can have their input into them, thus eliminating the need for each state to pass its own laws.
By having such an entity, there will at least be a set of best practices and standards, so that US based businesses will not have to guess anymore. Also, it will serve as a point at which intelligence gathering and sharing can occur at a worldwide level, in a quick and expedient fashion.
But to the business owner dealing with the world at the present time: just stay the course and try to be as compliant as you can.