Saturday, November 26, 2022

What Needs To Happen In 2023: The Launch Of The Department Of Cybersecurity

Hope everybody out there had a great Turkey Day!!  It’s hard to believe that in just a few short days, we will be coming into the last month of the year.  Many things have transpired this year, but I won’t get into them.

Probably some of the better news has been that the Cyber threat landscape, in my opinion, has not been nearly as volatile as it was in the previous year, 2021.  A lot of this fear was initially triggered by the Russian invasion of Ukraine, with people thinking large-scale Ransomware attacks would happen, but fortunately, nothing did.

One issue that has taken the back seat, at least as it seems in the Cyber news headlines, is the data privacy laws that were enacted just a few years ago.  These include the GDPR, the CCPA, HIPAA, etc.  Back in 2019, there was a lot of fear amongst businesses in Corporate America that they could fall victim to an audit and possibly face steep financial penalties.

Under the GDPR, the fines can be punishing, up to 4% of gross revenues.  The CCPA is a few thousand for a certain number of PII records that have been stolen or leaked, and I am not too sure what the HIPAA fines are, because they can vary widely between healthcare organizations.

But once the COVID-19 pandemic hit, enforcement of these laws came to a screeching halt.  The big catalyst in this was that money and liquidity soon became a serious concern, with everybody working from home (WFH) and the global shutdown that took place.

So, from 2020 to 2021, all was silent with enforcement.  But now, as the news of COVID-19 has pretty much dissipated, talk of them has started up once again.  The audits and the financial penalties have started to occur, as I see when I peruse the Cyber news portals every day.  But it seems to happen sporadically; there is really no “rhythm” to it (perhaps the regulators want to keep audits a surprise?).

But now, as we enter 2023, enforcement of the data privacy laws will soon become a big fear once again.  Why is this so?  Here are some reasons why:

*With the advancements of technology, especially with the Internet of Things (IoT), people here in the United States now have much greater insight into how their PII data is being gathered and disseminated.  The American population now, more than ever before, has the right to have their data deleted from external third parties if they wish to.  If that request is not honored, then the consumer has the right to file a lawsuit against that company.

*There has been a mass migration to the Cloud by a lot of US based businesses, either to AWS or Microsoft Azure.  Although the initial interest was in either the private or public cloud, now it seems to be in the hybrid cloud.  With this new trend, data leakages are almost becoming the norm.  In this regard, it seems to be AWS that is taking the brunt of this blow.

*Many companies have complained about the sheer costs that are involved with coming into compliance.  A lot of time and resources are spent on doing compliance checks and trying to either upgrade existing controls or simply put brand new ones in place.  Because of all this ruckus, organizations still have not yet come into full compliance, and thus are becoming a prime target for the federal regulators.

But on the flip side, apart from complaining about how high the costs are, businesses do have one very valid point in mind:  The data privacy laws are simply too confusing to follow.  Take for example the GDPR.  Technically, this law was meant for EU based businesses that fit a certain revenue size.

But keep in mind also that many US based businesses have offices in the EU.  So how does this law affect them?  Take the flip side:  What if the US based company has no offices in the EU, but has a lot of customers that are from the EU?  Are they still going to face audits and be penalized even under this situation?  There is a lot of head scratching going on over this one also.

The CCPA has also left the same confusion upon businesses that have customers in the US, but have their headquarters in another country.  Will they still be audited in their own country, given that the CCPA is a law that originated and was passed in CA?

Again, another question that is yet to be answered.  Another huge point of confusion is that many of the states here are coming out with their own version of the CCPA, or other types of data privacy statutes.

There is no uniformity or set of best practices and standards that businesses can follow, so that everybody can be on the same playing field.  For example again, what if a business is based in IN, and has offices around most of the country?  How would they even know where to get started in the compliance game if each state has its own concoction of what comprises data privacy?

Adding more fuel to this fire, more laws have been passed, such as the following:

*The American Data and Privacy Act;

*The Data Privacy Shield 2.0.

Adding even more to this “Land Of Confusion” is the fact that many datasets are co-mingled with one another in order to process paperwork.  The best example of this is the insurance industry.  They need both the PII and PHI datasets from a claimant in order to process a filed claim, so that some sort of payout can be made.

My Thoughts On This:

It is expected that by 2023, 65% of the world’s population will be under some sort of data privacy law.  Thus, before we hit 100%, the time to act is now.  I have always been a strong advocate of a Department of Cybersecurity, like the DHS. 

The primary reason for this is that at least the bills that are introduced into Congress and the Senate will be centralized, and at this level, the states can have their input into them, thus eliminating the need for each state to pass their own laws.

By having such an entity, there will at least be a set of best practices and standards, so that US based businesses will not have to guess anymore.  Also, it will serve as a point at which intelligence gathering and sharing can occur at a worldwide level, in a quick and expedient fashion.

But to the business owner dealing with the world at the present time – just stay the course and try to be as compliant as you can.
