[BreachExchange] The Stakes for Protecting Personally Identifiable Information Will Be Higher in 2018

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 5 14:05:06 EST 2018


https://blog.cloudsecurityalliance.org/2018/01/04/stakes-protecting-personally-identifiable-information-will-higher-2018/

While it’s tough to predict what the most significant single threat of 2018
will be, it’s safe to say that 2017 was a wake-up call for both businesses
and consumers when it comes to data breaches. From the rampant exposure of
publicly readable Amazon S3 buckets to stolen email credentials, the number
of breaches and the amount of personal data leaked to unauthorized parties
in 2017 was staggering. However, one case stands above the rest as
particularly damaging to all parties involved.

In September 2017 Equifax, one of the leading U.S.-based credit bureaus,
reported that the personal information of approximately 143 million U.S.
consumers had been accessed between May and July when an unauthorized party
exploited an unpatched vulnerability in one of its public-facing web
applications (an Apache Struts flaw for which a fix had been available for
months). The data exposed in the Equifax incident is more damaging than in
most other breaches because of the type of information that was stolen.
Unlike a password, a birth date or Social Security number cannot be reset or
revoked: once a criminal has it and has used it for illicit purposes, the
victim has no practical way to take that personally identifiable
information (PII) back.

It’s also naïve to assume that the data stolen from Equifax will not be
exploited in some way. Not only can that information be abused to commit
identity theft under the impacted parties’ names, and we certainly expect
to start seeing more of those incidents in 2018, but we also predict it
will be abused to access existing user accounts with other services. Much
of the ‘permanent data’ that was stolen in the 2017 Equifax incident also
happens to be just the sort of information used as knowledge-based
secondary authentication for many of our everyday accounts. Think of how
many times the ‘last four of your social’ or your date of birth was used to
identify you to your card company, your bank, or your doctor’s office this
year. Any verification step that relies on a static fact about you is only
as secret as the last breach that included it.

Rightfully, the breach was met with a flurry of media and consumer
attention and outrage. Equifax’s stock fell by roughly a third in the days
following the announcement, and the company was a regular headline for
several news cycles. In the aftermath, the credit reporting firm faced
numerous regulatory and congressional investigations, the departure of
several senior executives, and more than 240 class action lawsuits.

Evolving Data Regulations
Additionally, new regulations with extraterritorial reach, such as the EU’s
General Data Protection Regulation (GDPR), which becomes enforceable on May
25, 2018, will further raise the stakes and fines of future breaches. The
regulation enforces data protection and security obligations with a
stringent new set of rules and unprecedented penalties: administrative
fines of up to 4 percent of worldwide annual turnover or EUR 20 million,
whichever is higher. Had the Equifax breach occurred under GDPR, Equifax
would have faced additional legal claims and penalties on top of the U.S.
fallout.

With recent events and emerging regulations, organizations and IT security
teams who don’t prioritize data security on-premises or in the cloud will
find themselves writing some very expensive checks, or worse, closing their
doors altogether because of steep fines and liability.

In her recent article GDPR: True Cost of Compliance Far Less Than
Non-Compliance, Tara Seals of Infosecurity Magazine reported that the cost
of non-compliance with the EU GDPR and other data privacy regulations is
quickly rising, “…costs widely vary based on the amount of sensitive or
quickly rising, “…costs widely vary based on the amount of sensitive or
confidential information a particular industry handles and is required to
secure. That said, the average cost of compliance increased 43% from 2011,
and totals around $5.47 million annually.”

Unfortunately, simply sticking your head in the sand and hoping for the
best isn’t a good plan either. The EU GDPR requires organizations to notify
the supervisory authority of a personal data breach without undue delay
and, where feasible, within 72 hours of becoming aware of it. Many industry
leaders have speculated that regulators are keen to make examples of both
European and overseas businesses for any instance of non-compliance. The
regulation applies to any organization that processes the personal data of
people in the EU, wherever that organization is based, so American
companies are not exempt.

In another Infosecurity Magazine article, Matt Fisher provides a warning
and some very sound advice for those subject to the EU GDPR:

“The deadline of May 2018 is only the beginning, not the end. Policy makers
are already under monumental pressure to smoke out prosecutable cases in
the aftermath of the regulation’s implementation. As an organization, if
you cannot complete your GDPR project in time for the deadline, taking firm
steps to indicate ‘best efforts’ is vital to make your organization a far
less attractive target.”

Don’t Forget About the Cloud
In a recent Forbes article summarizing Forrester’s 2018 cloud predictions,
it was estimated that “the total global public cloud market will be $178B
in 2018, up from $146B in 2017, and will continue to grow at a 22% compound
annual growth rate.”

It’s undeniable that this growth will mean more sensitive data flowing into
IT-sanctioned cloud applications, and the same regulatory and liability
exposure follows the data wherever it lives. Because of this, it’s critical
for organizations to take the necessary steps to ensure unified data
security and governance across their environment, both on-premises and in
the cloud.

Increased government involvement and consumer awareness, combined with the
potential for financial and reputation damage Equifax and others have
suffered, will drive a renewed focus on data protection in the cloud
computing space during 2018.