Stiffer Penalties for Security Failure
It’s strange how things work sometimes. Just as I’m writing about Game of Thrones last week, HBO gets hacked and several episode scripts leaked, among other content. Aside from what has already been posted online, it’s not known what was included in the 1.5 terabytes of data the hackers claim to have stolen. Even the precise attack method is fuzzy.
What is clear is that cyber crime offers stronger financial incentives to hackers than ever before. Big data is valuable, and it is this reality that is currently forcing CSOs and CISOs to adopt new roles and strategies to combat the new sophistication behind these breaches. These include communicating issues of company security across the organization, managing staff and budget under often reluctant boards, and sifting through ever expanding legal requirements that governments are beginning to enforce worldwide.
It would be wise for all entities to heed the advice of these multi-faceted officers, however. Governments are indeed looking to crack down on violations and negligence. Critical infrastructure organizations in the UK, for example, such as water, energy and healthcare, could be fined £17 million for failing to protect themselves against cyber attacks. This measure is currently being considered as part of the EU’s Network and Information Systems (NIS) Directive for May 2018; contrary to GDPR, NIS deals with services, rather than data loss. The new standards emphasize risk management strategies, employee training, and notification/remediation speed. Negligence in these cases would trigger the penalties.
The UK’s data protection laws are receiving another update, as well: one intended to facilitate data control for consumers. Under the new law, consent to process data should be easier to withdraw, as should asking for one’s data to be deleted. New offenses will also be established, such as re-identifying individuals from anonymized data. Unlimited fines would become an option in this scenario. In a statement, digital minister Matt Hancock said, “Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.”
Data protection agencies are being empowered, and it shows. If organizations aren’t proactive, they could find themselves facing more substantial penalties than in the past. Hopefully, they do what it takes to protect themselves.
And hopefully, HBO does the same, so some random Internet troll doesn’t spoil the next Thrones episode.