Scott Taylor, vice president and chief privacy officer at Hewlett-Packard
Think about the last time you flew. Chances are, you didn't give a lot of thought to the engine of the plane. Yet, if that engine had malfunctioned, if something had gone wrong, then you certainly would have known about it. The engine is the hidden core of the plane, and it requires constant maintenance, updates and oversight. When you step foot on that giant steel tube, you put your trust in the airline and the pilot. If something goes wrong, you’ll likely be in serious trouble.
Everything that is true about an airplane engine is true about data security, at least according to Scott Taylor, vice president and chief privacy officer at Hewlett-Packard. He fully understands that data security is more important than ever, and, especially in light of recent high-profile breaches, companies need to take data security compliance seriously.
Guarding the castle
One reason for the increased importance of data security is the nature of our connected world. With the advent of the “Internet of things,” more and more devices are connected to networks and infrastructure, which allows for more potential points of entry for hackers. Taylor imagines a castle. “If the castle has one door, you have one thing to protect,” he explains. “If it has 50 doors, you have multiplied the potential for vulnerability, especially when those gates are guarded by different people.”
In addition to the growing number of access points that hackers can exploit, there is also an increasing number of unscrupulous individuals, ready to take advantage of vulnerabilities.
“This is a growing concern for all companies,” says Chris Salsberry, senior director at Huron Consulting. “Due to a more global presence in business sectors, companies deal with competitors and corporate threats, new actors, aggressive actors and nation states trying to steal proprietary data.” This has resulted in a rise in global incidents of cyber-related threats. And in response to those threats, companies need to take action.
A series of recent, high profile data breaches has certainly shaken the confidence of consumers, and when consumers get concerned, the government tends to step in. Highly publicized breaches have led to regulation in California, which now requires that companies provide notifications when there has been a data breach. This, according to Taylor, led to major improvements across sectors.
Here and abroad
Unfortunately, while the California laws might be strong, there are no clear, consistent federal regulations to govern data security across sectors. While 48 states have data breach laws, and many of these laws have followed California's lead, the federal laws that exist are primarily sectoral, such as those that regulate the healthcare or payment card industries.
There have been attempts to create a federal omnibus law in the past, such as in 2007 with Barton and Stearns and 2011 with Kerry and McCain, but neither effort proved fruitful. Of course, large companies have more than just the United States to worry about. Now, with global communications, cloud computing and data storage, international businesses must gauge their data security compliance programs against frameworks from around the world.
Take Europe, for instance. While the continent may seem unified, Taylor explains that this is not necessarily the case. “Germany is different from France and Spain and Italy, etc. Each law is anchored to a directive, but there are individual interpretations,” he says.
Europe is similar to the United States in many ways, where there are many different standards to navigate. There are also a number of other international standards, with Latin American countries tending to emulate European standards and Asian countries creating new standards all the time.
While the variety of standards may be daunting, Salsberry points out that there are a few simple tips that businesses can keep in mind to at least ensure that they are on the right path, starting with considering the international companies that they do business with.
“What is the overall relationship with that entity? Look at it from a cyber intelligence perspective,” he recommends. “Take the regional perspective from around the globe, combine it with an understanding of the profile of that company, its cyber posture, the infrastructure of the company.” Ensuring that the company is using proper protocols and cyber chains will give you peace of mind that you are not giving guardianship of one of your castle doors to the wrong soldiers.
Dealing with the inevitable
As companies become more dependent on cloud and distributed environments, they are opening doors to vulnerability, and therefore the challenges of data security will only increase. This will lead to jurisdictional questions, cautions Taylor, as assigning responsibility for data that rests in the cloud is not always as clear-cut as it seems.
And, while the U.S. struggles with its patchwork of state and sectoral regulations, it's likely that companies are dealing with a matter of “when” rather than “if.” In that case, Taylor cautions general counsel to be prepared. This includes thinking through all aspects of a data breach, up to and including crisis planning and processes. He recommends getting the chief privacy officer involved, because, even though security and privacy are not the same thing, “Without security, you cannot protect privacy. Privacy is about the collection and appropriate use of data, while security is about ensuring the right people have access and the wrong people don't.”
In addition to the CPO and GC, Salsberry recommends the cybersecurity team include open lines of communication to the chief information officer and the chief financial officer as well.
“You need a comprehensive plan that includes a process to deal with the breach, a process to make sure there is a constant need for improvement in that plan, one that is driven by all the players involved at different levels. Corporate buy-in is key in making that happen.”
Without a doubt, breaches will continue, either due to unfortunate incidents like smart hackers or innocent accidents or due to insufficient controls. However, Taylor has seen the California regulation lead to improvements, with fines, actions levied by regulators and incentives for better control.
Taylor also sees the role that social responsibility will play in data security, as nations start to realize their laws are lagging and that accountability is called for. He sees more companies leveraging CPOs, as privacy will no longer be considered a part-time duty. With the challenges posed by Big Data combined with an increased focus on governance, companies need to develop comprehensive programs whether or not there are tight federal regulations. Taylor suspects such programs will be rooted in social responsibility initiatives.
While there are more and more gates to each castle, perhaps the solution is not to hire more guards, but rather to empower the residents of the castle to work together to protect it from attacks. Then, when data security breaches are handled at the edges, the core of the castle—its secret engine—can continue working as planned, keeping customer trust as secure as its data.