More Safe Harbor Cybersecurity Laws are Needed to Encourage PII Data Security
- Bill Tolson |
- August 26, 2021 |
Data breaches will happen, no matter the safeguards your organization employs. But proactively employing updated data security capabilities and practices could significantly mitigate the impact and lower your overall cost when the breach occurs.
Under the various data protection/privacy regulations such as GDPR and the CCPA/CPRA and some heavily regulated industry data protection requirements (HIPAA), companies that suffer a potential data breach will be subject to costly breach notification requirements – the notification of consumers affected by a data breach within a specified time, the purchase of credit protection services, and industry and governmental fines and penalties. Indirect costs of a breach include reduced profits, lower employee productivity, loss of current and future business, reduction in competitive market share, devalued corporate brand, the additional investment needed to recover the brand value, and the cost to shareholders in lower share price.
According to the 2021 IBM report titled the Cost of a Data Breach, the global average cost of a single data breach rose from $3.86 million in 2020 to $4.24 million in 2021 – and that figure does not include the fines or penalties levied by governmental agencies for the privacy breach.
Lost business is one of the most significant costs associated with a data breach. In the above-referenced report, lost business represented 38% of the overall average breach cost totaling an estimated $1.59 million in 2021. Lost business costs included increased customer turnover, lost revenue due to system downtime, and increased cost of acquiring new business due to diminished reputation.
The average cost of a ransomware attack is higher than that of the standard data breaches mentioned above, at $4.62 million (versus an average of $4.24 million for a standard data breach). The additional costs associated with a ransomware attack include recovering (or recreating) the data that was encrypted during the attack and the revenue lost while that data is unavailable. However, the $4.62 million average cost of a ransomware attack does NOT include any ransom paid or any fines or penalties levied by government agencies.
Punitive fines can shut down companies
In fact, regulatory fines and penalties can dwarf all other breach costs, depending on the state or foreign government whose breach laws have been violated. For example, fines for GDPR data breaches can reach 20 million euros. In contrast, the California CCPA fines can reach a maximum of $2,500 for every unintentional violation and $7,500 for every intentional violation (a violation is defined as a single breached record containing a data subject's personal information). In this CCPA example, fines for a breach that exposed 1,000 records containing PI could reach $7.5 million.
Interestingly, another recently passed data privacy law, the 2021 Colorado Privacy Act, does not include explicit guidance on possible fines but rather considers a violation of the Colorado law a deceptive trade practice (or fraud). So instead, the separate Colorado Consumer Protection Act governs privacy breach penalties permitting up to $20,000 per violation (breached record) or $20 million using the 1000 record breach example.
Safe harbor for active cybersecurity planning
As I mentioned in a recent blog, state regulatory laws have been somewhat neglectful in actually laying out specific security practices organizations must follow to meet the new state privacy laws. In many cases, the state privacy laws use the same vague requirement to secure sensitive data. Companies that meet the basic requirements to fall under the privacy laws include the duty to implement and maintain reasonable security procedures and practices – a wholly generalized security requirement. As one of my attorney friends told me, what attorney couldn't successfully argue their client had met the duty to implement and maintain reasonable security procedures and practices?
So, for many of these new state privacy laws, there is little governmental liability to nudge affected organizations towards actually adopting privacy/security best practices and procedures. However, three states (Utah, Connecticut, and Ohio) have gone a step further by including a safe harbor provision in their laws that reduces an organization's potential overall liability.
Utah: In March 2021, Utah Gov. Spencer Cox signed the Cybersecurity Affirmative Defense Act (HB80) into law, an amendment to Utah's data breach notification law, creating several affirmative defenses for persons/entities facing actions arising out of a breach of system security and establishing the requirements for asserting such a defense. The Utah law seeks to incentivize organizations to create and maintain reasonable security safeguards to protect personal information by creating a defense against giant punitive fines in the aftermath of a data breach. Specifically, an organization that creates, maintains, and reasonably complies with a well-thought-out and documented cybersecurity program at the time of the breach will be able to assert an accepted defense against claims of insufficient system data security and the associated punitive fines and penalties that could otherwise be assigned.
Ohio: On August 3, 2018, then Ohio Governor John Kasich signed Senate Bill 220, the Ohio Data Protection Act (Ohio DPA), which provides a safe harbor against data breach lawsuits for businesses that implement and maintain cybersecurity programs that meet certain industry-recognized standards. The Ohio DPA incentivizes businesses to implement and maintain an effective cybersecurity program by providing an affirmative defense to certain tort actions related to data breaches. The law does not require companies to comply with the Ohio DPA. Instead, a business that can demonstrate its cybersecurity program meets specific standards is eligible for the defense to liability for the breach.
Connecticut: In July 2021, the "Incentivizing the Adoption of Cybersecurity Standards for Businesses Act" was signed into law. The new law, similar to Utah and Ohio's safe harbor breach laws, provides an affirmative defense to actions in tort that assert a business failed to have reasonable cybersecurity protocols that allegedly caused the data security incident to occur. If companies create and document a program that would comply with industry frameworks (e.g., NIST or the ISO/IEC) or federal laws (e.g., HIPAA's Security Rule), their program could qualify for the safe harbor cybersecurity provision.
These safe harbor provisions tied to state cyber-breach/privacy laws are a much-needed incentive to help organizations realize the ROI of adopting new cybersecurity technology and processes. However, as I mentioned earlier in this blog and in my preceding one, state laws continue to be non-specific and steer away from actual technology recommendations such as bring your own encryption keys, local encryption key storage (on-premises, not in the same cloud where the sensitive data is stored), PII encryption, strict and audited access controls, anonymization, pseudonymization, PII data masking, role-based redaction, secure multi-party computation, and zero-trust security. For more details on the above-referenced security technologies, please refer to my previous blog. However, I think it's worth discussing the concept of "zero-trust" a bit more.
The zero-trust model for increased PII data security
The zero-trust model is a framework that requires all enterprise users (internal and external), from the CEO to a warehouse worker to any third party, to be authenticated, authorized, and continuously validated for security configuration and access rights before being granted or keeping access to applications and data. Several organizations have defined the zero-trust framework, including Forrester's Zero Trust eXtended (ZTX) framework, Gartner's CARTA, and the NIST SP 800-207 standard.
Zero-trust data management is a significant departure from traditionally accepted network security, built around the "trust but verify" (TbV) method. The TbV method trusted users and endpoints within the organization's perimeter by default, putting the organization at risk from malicious internal actors and credential theft (as well as privilege escalation), allowing unauthorized and compromised accounts wide-reaching access once inside the enterprise. TbV security was called into question with the adoption of digital transformation and the corporate move to the cloud.
Contrary to the TbV model, zero-trust requires organizations to ensure that all access requests to all systems are scrutinized every time before allowing a connection to any cloud repository or application.
Referring to the IBM "Cost of a Data Breach" report mentioned earlier, the average cost of a breach was $5.04 million for those organizations without zero-trust practices deployed. However, in the mature stage of zero-trust deployment, the average cost of a breach was $3.28 million, $1.76 million (35%) less than organizations not utilizing the zero-trust model.
The zero-trust model is one of the most effective ways for organizations to secure and control access to their networks, applications, and data, either on-premises or in the cloud. Zero-trust data management merges a range of defensive methods, including identity verification and behavioral analysis, endpoint security, and "least privilege" controls to deter would-be attackers and limit their access in the event of a breach.
*Note: The principle of Least Privilege states that a subject should be given only those privileges needed for them to complete a task.
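To make the contrast between "trust but verify" and zero-trust concrete, here is an added example (not code from the original post or from any vendor) of a minimal policy decision function. It evaluates every request on identity (MFA), freshness of validation, endpoint posture, and a least-privilege role table, regardless of whether the request comes from inside the network perimeter. The roles, the 15-minute re-validation window, and the sample requests are all constructed assumptions for illustration.

```python
"""Added example: perimeter ("trust but verify") vs. zero-trust access decisions.
All roles, policy values and sample requests below are constructed for illustration."""
from dataclasses import dataclass

# Least-privilege role table: each role holds only the (resource, action) pairs
# its task requires. Constructed example roles; not from any real product.
ROLE_PERMISSIONS = {
    "warehouse": {("inventory", "read")},
    "hr_analyst": {("hr_records", "read")},
    "ceo": {("financials", "read"), ("inventory", "read")},
    "contractor": {("tickets", "read"), ("tickets", "write")},
}

MAX_TOKEN_AGE_S = 900  # assumed policy: re-validate identity every 15 minutes


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    inside_perimeter: bool   # source address is on the corporate network
    mfa_verified: bool       # strong authentication completed this session
    token_age_s: int         # seconds since credentials were last validated
    device_compliant: bool   # endpoint posture: patched, disk-encrypted, EDR running


def perimeter_decision(req: AccessRequest) -> bool:
    """Trust-but-verify: anything already inside the perimeter is trusted."""
    return req.inside_perimeter


def zero_trust_decision(req: AccessRequest):
    """Evaluate every request, every time, independent of network location.
    Returns (allowed, reason); the reason is what you would log for detection."""
    if not req.mfa_verified:
        return False, "identity not strongly authenticated"
    if req.token_age_s > MAX_TOKEN_AGE_S:
        return False, "session validation expired; re-authentication required"
    if not req.device_compliant:
        return False, "endpoint posture check failed"
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, f"role '{req.role}' has no '{req.action}' privilege on '{req.resource}'"
    return True, "all checks passed"


def compare(requests):
    """Per request: (user, perimeter verdict, zero-trust verdict)."""
    return [(r.user, perimeter_decision(r), zero_trust_decision(r)[0]) for r in requests]


# Constructed sample requests covering the insider and stolen-credential cases.
SAMPLE_REQUESTS = [
    # Warehouse worker reading inventory from the office network: legitimate.
    AccessRequest("alice", "warehouse", "inventory", "read", True, True, 120, True),
    # Same account, still inside the perimeter, reaching for HR records:
    # a privilege-escalation attempt that the perimeter model cannot see.
    AccessRequest("alice", "warehouse", "hr_records", "read", True, True, 120, True),
    # Stolen credentials replayed from inside the network without MFA.
    AccessRequest("bob", "hr_analyst", "hr_records", "read", True, False, 30, True),
    # CEO working remotely on a compliant laptop with a fresh MFA session.
    AccessRequest("carol", "ceo", "financials", "read", False, True, 60, True),
]

if __name__ == "__main__":
    for user, perim, zt in compare(SAMPLE_REQUESTS):
        print(f"{user:6} perimeter={'ALLOW' if perim else 'DENY':5} "
              f"zero_trust={'ALLOW' if zt else 'DENY'}")
```

Run as-is, the perimeter model allows the first three requests (all originate inside the network) and denies the remote CEO, while the zero-trust evaluation allows only the two requests that pass every check: the warehouse worker's own inventory read and the CEO's remote session. The denial reasons are deliberately returned rather than just a boolean, because a stream of "role has no privilege" or "not strongly authenticated" denials from an account that is inside the perimeter is exactly the insider or credential-theft signal the text describes.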
Industry-leading data security from Archive360
Archive360 is the leader in secure cloud-based information management and archiving. Because Archive360 is the only cloud archiving solution provider to employ a native platform as a service (PaaS) solution, the Archive360 platform can offer a wide range of customizable data security capabilities (unlike SaaS-based providers that are limited to a one-size-fits-all approach). One of the unique and essential security capabilities no other vendor can offer is the Security Gateway. This on-premises gateway works closely with the Archive360 Cloud Archive to create and store your encryption keys locally and encrypt sensitive data before it moves into your cloud tenancy, while still maintaining full search and management capability. This means that your sensitive data is encrypted while in transit, while at rest (stored), AND while in use. Archive360 is the only vendor to provide this critical security capability. It's Your Data, In Your Cloud, with Your Security, Under Your Control.
The Archive360 cloud archive has all the security capabilities to ensure your organization would be covered by the various state safe harbor cybersecurity laws in the event of a cyber breach.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.