Data governance is important in any organization, but organizations that protect the information of minors have a more critical role. Educational institutions have a responsibility to build out effective data governance frameworks, and to report to parents on how student data is being protected and used. Not only is this important for the privacy of the minors in question, but also because identity theft for children is both difficult to spot and difficult to overcome.
There is a growing realization that encryption is good, but it’s not good enough. Encryption is only a part of the picture because it, as with many data protection technologies, is not infallible. Technology alone will never give complete protection to data. Right now, as many as 90% of data security incidents can be tied back to people: to mistakes or intentional misbehaviour. Take encryption: if your employees disable it, how can it be effective? As many as 40% of executives admitted in a 2014 study to turning off laptop encryption.
Negotiators of the European Parliament, the Council and the Commission have agreed on the first EU-wide legislation on cybersecurity. The agreement, announced in early December, was reached in response to increasing concerns about cyberattacks. The proposed law would regulate essential services as well as network companies (from Internet providers to online marketplaces and cloud services providers), requiring them to secure their infrastructure and to report major security breaches.
Earlier this year, the Third Circuit re-affirmed the FTC’s authority to regulate data security standards of commercial entities. Specifically, this ruling came in the FTC v. Wyndham case, where the company argued that the FTC lacked the authority to regulate data security standards, particularly as such standards are not publicized. This argument was overruled, leading many to believe that the FTC, now on firmer ground, would step up its security enforcement.
The House Financial Services Committee voted this month, with a strong 46-9 margin, to advance the Data Security Act of 2015 (H.R. 2205), legislation introduced by Reps. Randy Neugebauer and John Carney. H.R. 2205, modelled on the Gramm-Leach-Bliley Act, would establish data security and breach notification standards for the financial and retail industries.
Europe is poised to roll out the final terms of the EU General Data Protection Regulation (EU GDPR) by the end of the year, and the regulation is expected to come into effect in 2017. The EU GDPR is set to drastically change data protection law, with a wide-reaching impact that even US CIOs and CISOs should be aware of. Unfortunately, it looks like awareness of the changes in the US is still low.
Recent data breaches have shown us that there are significant outcomes for public and private organizations alike: disruption, reputational damage and financial repercussions. These data breaches have also sparked discussions about the role that federal regulators should play in holding organizations accountable. Despite the absence of definitive, comprehensive data protection authority, the FTC has utilized its general power to combat unfair and deceptive commercial practices to impose corrective cybersecurity settlements on companies that do not adequately protect their customers’ identification information.
As we recently discussed, data breach legislation continues to be a moving target, with legislative changes pending in 32 states, not to mention federal legislation and global laws such as the EU GDPR, which have the potential to impact US organizations. Outside of this wave of legal requirements, there are industry-specific laws (such as HIPAA) and regulators who set standards and impose fines following a data breach, and these regulators are in flux as well. Within just the last year, we’ve seen the SEC and FTC both stepping up their game, and the same can be said for the Federal Communications Commission (FCC).