The Stakes for Protecting Personally Identifiable Information Will Be Higher in 2018
While it’s tough to predict what the single most significant threat of 2018 will be, 2017 was certainly a wake-up call for both businesses and consumers when it comes to data breaches. From Amazon S3 buckets left publicly readable through simple misconfiguration to stolen email credentials, the number of breaches and the amount of personal data exposed to unauthorized parties in 2017 was staggering. One case, however, stands above the rest as particularly damaging to everyone involved.
In September 2017 Equifax, one of the three major U.S. credit bureaus, disclosed that the personal information of approximately 143 million U.S. consumers had been accessed between mid-May and July of that year when an unauthorized party exploited a vulnerability in one of its web applications. The data exposed in the Equifax incident is more damaging than that of most other breaches because of what was taken. A password can be reset; a birth date or Social Security number cannot. Once a criminal has that data and has used it for illicit purposes, the affected person has no practical way to recover their personally identifiable information (PII).
It’s also naïve to assume that the data stolen from Equifax will not be exploited. That information can be used to commit identity theft in the victims’ names, and we certainly expect to see more of those incidents in 2018, but we also predict it will be used to take over existing accounts with other services. Much of the ‘permanent data’ stolen in the Equifax incident is exactly the sort of information used for knowledge-based verification on many of our everyday accounts. Think of how many times the ‘last four of your social’ was used to identify you to your card company or at your doctor’s office this year. Any verification step built on data that was in this breach should now be treated as a weak factor, not as proof of identity.
Rightfully, the breach was met with a flurry of media and consumer attention and outrage. Equifax’s stock fell by roughly a third in the days following the announcement, and the company was a regular headline for several news cycles. In the aftermath, the credit reporting firm found itself the subject of numerous investigations, the departure of its CEO, chief information officer and chief security officer, and more than 240 class action lawsuits.
Evolving Data Regulations
Additionally, new laws such as the EU’s General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, will further raise the stakes and the fines for future breaches. The regulation enforces data protection and security obligations with a stringent set of requirements and unprecedented penalties: administrative fines of up to €20 million or 4 percent of worldwide annual turnover, whichever is higher. Had the Equifax breach occurred under GDPR, Equifax would have faced additional legal claims and penalties on top of those it already faces in the U.S.
With recent events and emerging regulations, organizations and IT security teams that don’t prioritize data security, whether on-premises or in the cloud, will find themselves writing some very expensive checks or, worse, closing their doors altogether because of steep fines and liability.
In her recent article GDPR: True Cost of Compliance Far Less Than Non-Compliance, Tara Seals of Infosecurity Magazine reported that the cost of complying with the EU GDPR and other data privacy regulations is rising steadily, and that non-compliance costs considerably more: “…costs widely vary based on the amount of sensitive or confidential information a particular industry handles and is required to secure. That said, the average cost of compliance increased 43% from 2011, and totals around $5.47 million annually.”
Unfortunately, sticking your head in the sand and hoping for the best isn’t a plan either. The GDPR requires organizations to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Many industry observers expect regulators to make examples of both European and overseas businesses for non-compliance, and the regulation applies to any organization that processes the personal data of people in the EU, regardless of where that organization is established. So, watch out American companies: you aren’t exempt.
In another InfoSecurity article, Matt Fisher provides a warning and some very sound advice for those subject to the EU GDPR:
“The deadline of May 2018 is only the beginning, not the end. Policy makers are already under monumental pressure to smoke out prosecutable cases in the aftermath of the regulation’s implementation. As an organization, if you cannot complete your GDPR project in time for the deadline, taking firm steps to indicate ‘best efforts’ is vital to make your organization a far less attractive target.”
Don’t Forget About Cloud
In a recent Forbes article summarizing Forrester’s 2018 cloud predictions, it was estimated that “the total global public cloud market will be $178B in 2018, up from $146B in 2017, and will continue to grow at a 22% compound annual growth rate.”
It’s undeniable that this growth will mean more data flowing into IT-sanctioned cloud applications. Because of this, it’s critical that organizations apply consistent data security and governance controls across their whole environment, on-premises and in the cloud, rather than assuming the provider will protect the data they put there. Under the shared responsibility model the customer, not the provider, remains accountable for classifying, encrypting and controlling access to that data.
Increased government involvement and consumer awareness, combined with the financial and reputational damage that Equifax and others have suffered, will drive a renewed focus on data protection in the cloud during 2018.