Earlier this year, the Third Circuit re-affirmed the FTC’s authority to regulate data security standards of commercial entities. Specifically, this ruling came in the FTC v. Wyndham case, where the company argued that the FTC lacked the authority to regulate data security standards, particularly as such standards are not publicized. This argument was overruled, leading many to believe that the FTC, now on firmer ground, would step up its security enforcement.
We recently took a look back at our Predictions for Mobile in 2015, looking at how our predictions panned out for the year. Overall, we saw a marked shift toward understanding the complexities of how people and endpoint devices put data at risk. As a new year approaches, we expect that organizations will continue to face data security challenges with the endpoint as one of the greatest threats to corporate data.
For the past several years, we have created Predictions for Mobile for the year ahead. Before we look forward to 2016, let’s first look back at 2015 and see where we stand. In late 2014, our Predictions for Mobile in 2015 projected a shifting perception of the need for data-based security, which indeed has intensified throughout the year with added pressures and risks now associated with endpoint devices.
The Health Information Trust Alliance (HITRUST) and Deloitte Advisory Cyber Risk Services, in coordination with the U.S. Department of Health and Human Services (HHS), recently conducted a cyberattack simulation in the healthcare industry to gauge the readiness of each organization’s cyber incident response plans. The results show that current incident response plans in healthcare are inadequate for preventing data breaches. The simulation also identified a number of actions that can be taken to improve incident readiness and overall resilience.
The House Financial Services Committee voted this month, with a strong 46-9 margin, to advance the Data Security Act of 2015 (H.R. 2205), legislation introduced by Reps. Randy Neugebauer and John Carney. HR 2205, modelled on the Gramm-Leach-Bliley Act, would establish data security and breach notification standards for the financial and retail industries.
Last week, the reported 2015 data breach figures officially outstripped those of 2014. As of December 8, 2015, the ITRC reports 732 data breaches in the US, surpassing last year’s record for the same time period (726) and gaining on the 2014 year-end total of 761 data breaches. From the perspective of records breached, the 2015 figures long ago outstripped those of 2014, with a total of 176,325,059 records exposed this year (compared to 83,176,279 in all of 2014).
The most secure organizations are ones where a culture of security is embedded top-down, where every employee, from the board to the mail room, understands their role in protecting corporate data, and where tools support, enable and protect data wherever it resides. We’ve seen various studies this year quantify the importance of top-down prioritization of data security, with indications that the top-performing organizations in terms of IT security are those with strong board and executive engagement on the topic.
Financial services organizations are entrusted with incredibly sensitive customer data and, as a result, they allocate significant resources to maintaining the trust of their customers. Despite their best efforts, financial services firms continue to be victims of data breaches. We’ve seen the headlines, such as the recent breach at Lloyds, proving that no industry is immune to data breaches. As the protectors of our most sensitive information, financial services organizations face increased criticism from regulators and customers alike following a data security incident.