Data breaches may have joined death and taxes as one of the things you can be sure of in life. But 2018 will likely be remembered as the year that organizations finally started paying for their loose handling of sensitive data.
The adoption of two important new regulations in the coming months will increase the cost and consequences for organizations that misplace consumer and government data: the EU’s General Data Protection Rule and the U.S. Department of Defense (DOD)’s requirement that federal contractors comply with the NIST 800-171 standard.
The long arm of GDPR
Although the EU General Data Protection Rule governs data belonging to EU residents, there is every reason to believe that it will have an outsized impact in the U.S., as well. As this blog has reported: GDPR applies not just to EU firms, but to any firm that owns or controls covered data. And that could include both customers and employees. Given the global nature of many firms, that list almost certainly includes most of the Fortune 500 - the largest corporations in the U.S. - and a long list of less prominent firms. Rather than assume you aren’t covered by GDPR, the smarter move may be to assume you are and then look for evidence to the contrary.
For U.S. firms accustomed to the spotty and often toothless data privacy laws that are common in the States, GDPR will be something akin to the Ice Bucket Challenge: a comprehensive data privacy law with real teeth. Fines for GDPR violations can range as high as $20 million each - or 4% of a company’s annual revenue for the year preceding the GDPR infraction, whichever is greater.
We have already war-gamed what that will look like for U.S. firms like Hilton, which shrugged off a $700,000 fine from the New York Attorney General for violations of that state’s data breach disclosure law. Using GDPR’s rubric, that same fine would have been $420,000,000 - a figure that is sure to get the attention of Hilton’s Board of Directors. And there’s every reason to believe that EU regulators will look at U.S. and other foreign firms sooner rather than later once the go-live date of May 18th passes. Fines aside, GDPR’s data localization language and its prohibition on transferring data outside of the EU when “adequate levels of protection” are not afforded to that data will put the practices of U.S. firms under the microscope.
Uncle Sam’s DFARS deadline sets high bar
Alas, there is no equivalent to GDPR in the U.S., where previous attempts to craft a federal standard for data security and data protection have fallen victim to partisan divisions and intense lobbying by business interests. However, there is reason for optimism that the data security practices of companies working with the U.S. government will face real scrutiny in the New Year.
As of December 31st, the U.S. Department of Defense (DOD) will require government contractors to fully implement the requirements of the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171. The goal is to protect the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems and organizations.
While cybersecurity controls are often a component of federal contracting language, the Defense Federal Acquisition Regulation Supplement (DFARS) rule governing security for CUI has real teeth. Namely, contractors who fail to meet the requirements risk the loss of their federal contracts and the assignment of that contract to another (compliant) vendor. For vendors like Lockheed Martin or Raytheon, that could mean the loss of hundreds of millions of dollars in revenue.
In a conversation on The Security Ledger podcast about NIST’s 800-171 standard (PDF), Thomas Jones, a senior systems engineer at the firm Bay Dynamics, told me that the DOD’s new requirement, which was first laid down in 2015, addresses a gap in the U.S. military’s security processes. Namely: loads of sensitive but not classified information resides on the networks of private contractors who work with the military. “We have standards around federal agencies and how they’re supposed to be managing the data in their systems; a lot of those contractors don’t have those standards in place.”
Jones said that the 800-171 standard is far reaching, covering 14 different security groups comprising 110 different metrics, from access control to configuration to risk management and training. He added that the new standards correlate with initiatives underway at DHS and in the private sector. More important, Jones notes that the DFARS rules apply not just to prime contractors but to their subcontractors as well - the whole supply chain of hardware and software that flows into the U.S. DOD.
The question around both standards is enforcement. While May 18 is the go-live date for GDPR, most experts don’t expect enforcement actions on that day. There may be a slow roll as the private sector wrestles with compliance and EU regulators determine where to focus their energies.
Enforcement is especially an issue for the DFARS rule in the U.S. As Jones of Bay Dynamics points out: the DOD doesn’t want to have to rebid contracts just for non-compliance. On the other hand, Uncle Sam also wants to ensure that its vendors are securing the unclassified data in their possession. The result may be a bit of a balancing act, as the DOD seeks to hold contractors’ feet to the fire without actually burning them.