Humans like patterns. In fact, the careers of everyone reading this article can likely be linked to a simple pattern: an attacker finds a flaw; they exploit that flaw; cybersecurity professionals fix the flaw; outside parties react to the attack; new regulations or laws are written; we wait for the next attack. React. Rinse. Repeat.
The enactment of the California Consumer Privacy Act of 2018 on June 28 is the latest in a series of new laws and regulations around the world that represent a fundamental shift from the reactionary approach to security governance we’ve followed since the 1980s. Starting with the European Union’s General Data Protection Regulation (GDPR) and continuing with New York’s Department of Financial Services cybersecurity regulations, privacy and security are now inextricably linked in the U.S.
Like the GDPR before it, the CCPA is getting a lot of attention because of the rights California residents will have to access data held by companies, to have that data removed, and to prohibit the sale of personal data. The new law, which does not go into effect until 2020, also creates the potential for some eye-popping payments directly to consumers impacted by a breach.
The CCPA allows consumers to sue companies for “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Under the current California law, only “customers” can sue a company, and only then if they can prove they were actually harmed as a result of a breach – a virtually impossible standard to meet.
Now, Californians whose data has been breached can seek between $100 up to $750 without having to prove they have been harmed by the data breach. Back-of-the-envelope math tells you a relatively modest breach of 1 million California residents could result in a company directly paying consumers no less than $100 million and up to $750 million. That makes the GDPR’s maximum fine of €20 million or 4% of global revenue – whichever is higher – pale in comparison.
While it may not be obvious yet, the CCPA, GDPR and the NY DFS regulations are driving a change in how businesses approach cybersecurity thanks to similar language found in all three policies: the duty to implement and maintain reasonable security procedures and practices. EU regulators have already signaled they believe a failure to maintain a robust patching program is a violation of the GDPR.
“Under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organizations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously,” noted the Information Commissioner’s Office of the United Kingdom earlier this year. When issuing the guidance, the ICO also issued a €400,000 fine to a retailer that had not patched its software in six years.
Similarly, the NY DFS regulations specifically require companies to maintain an application security program. That’s a dramatic change in a world where 451 Research notes that only 15% of the total cybersecurity spend is for application security solutions compared to 37% for network security.
Yet, the #1 target of cyberattacks these days are web applications, according to Verizon. Gartner says that 99% of the successful attacks against those apps involve vulnerabilities known for at least a year. One vulnerability management vendor reports that 88% of Java-based applications have at least one known flaw. Even Oracle acknowledges that that their customers run months, if not more than a year, behind in applying critical patch updates.
These new regulatory standards are exposing the difficulties DevOps and AppSec teams face in their tasks to keep consumer data safe. The need to comply is driving teams to evaluate new techniques and technologies that automate routine tasks so teams can focus on higher value activities. CIOs and CISOs are also looking to apply proven technologies used elsewhere in Information Technology for new ways to improve security.
The reality is, the traditional approaches to cybersecurity are no longer adequate to the task. The policymakers behind the CCPA, GDPR and NY DFS have recognized that and are creating regulatory schemes that force organizations to take action before a security event. Now it’s time for the cybersecurity community to seize the opportunity to dramatically improve how we protect the vital information entrusted to us.
John Adams, CEO, Waratek
This article first appeared in Security Magazine.