Security Shore-Up: The Evolution of Post-Breach Notifications
At CyberSecure 2017, the New York attorney general's tech bureau chief discussed changing norms around breach notification efforts.
December 04, 2017 at 11:42 AM
In cybersecurity, fall 2017 will be remembered for the increased scrutiny paid to breach response. In September, Equifax announced a breach that compromised the information of more than 145 million Americans, the result of the company's failure to apply an available security patch. In November, it was reported that Uber had concealed a 2016 breach exposing data on 57 million riders and drivers; rather than inform authorities, the company reportedly paid the hackers to delete the data and keep quiet.
“These events have captured national attention for good reason,” said Kathleen McGee, the internet and technology bureau chief at the Office of the Attorney General of New York. “Many companies are still not adapting [strong] data security.”
McGee kicked off ALM's 2017 CyberSecure conference at the New York Hilton Midtown. Speaking at the Dec. 4 opening address, titled “The New Realities of Post-Breach Crisis Management,” she explained that “informing the C-suite of digital asset risk has become an integral part of the [CISO] role.”
“Knowing what data one collects, how it is stored, how it's shared, are the three assessments required for any entity,” she added.
Citing data compiled by the New York AG's office, McGee said that 2016 witnessed a “record number” of security notices, up 60 percent from the previous year. The information compromised consisted “overwhelmingly” of Social Security numbers and financial information.
And while hacking was one of the leading causes of breaches, the other was inadvertent disclosure. McGee said almost 30 percent of incidents were “caused by negligence,” such as the loss of a device. “Negligence, on its face, is preventable,” she added.
This March, New York's cybersecurity rules went into effect, requiring insurers and banks to inform regulators of breaches. Further, Section 899-aa under the state's General Business Law requires that “persons or businesses conducting business in New York must disclose any breaches of computerized data.”
Since then, the state has seen an uptick in breach notifications, a trend that McGee expects will continue. However, given the relative ubiquity of breaches, McGee said she expects the AG's office “to pick its enforcement battles carefully.”
“Our office is concerned with two elements of a data breach: failure to provide notice in a reasonable time and failure to adopt reasonable security measures,” she noted in her talk.
As an example of where the office would take enforcement action, McGee described a Buffalo-based company that asked job applicants to upload their information, including Social Security numbers, to the company's website. Collecting the numbers at all was unnecessary, McGee said, and the company had recently hired an IT provider to redesign the site, which was not secured.
“The end result was applicants' forms, including their Social Security numbers, were cached online and exposed for periods of time,” she said. The data breach, she added, resulted from “deliberate internal decisions that had a real impact” on data security.
Further, McGee noted that this incident demonstrated how segregating IT and business departments increases risks, as does failing to follow an internal protocol.
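The failure mode in the Buffalo case, sensitive form data served in a way that a browser, proxy or CDN is allowed to keep, is one a practitioner can check for directly. The following is an added example, not code from the article or from the company it describes: a small audit that flags HTTP responses carrying SSN-shaped data without an explicit no-store directive, and a hardening step that marks the response uncacheable and masks the number. The `Response` type, the sample response and the example.invalid URL are constructed here for illustration.

```python
# Added example (not from the article or the company it describes): flag
# responses that carry applicant data yet are cacheable, and show the fix.
import re
from dataclasses import dataclass

# US SSN in its common dashed form; other layouts would need more patterns.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Response:
    """Constructed stand-in for an HTTP response: URL, headers, body."""
    url: str
    headers: dict  # header name -> value, any case
    body: str


def header(resp, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def cache_directives(resp):
    """Parse Cache-Control into a set of lowercase directives."""
    return {d.strip().lower()
            for d in header(resp, "Cache-Control").split(",") if d.strip()}


def audit(resp):
    """Return the problems with a response that contains SSN-shaped data.
    An empty list means the response carries no such data or is marked
    no-store, so no intermediary or browser cache may keep a copy."""
    if not SSN_RE.search(resp.body):
        return []
    problems = []
    cc = cache_directives(resp)
    if "no-store" not in cc:
        problems.append("missing Cache-Control: no-store")
    if "public" in cc:
        problems.append("Cache-Control: public on sensitive content")
    if any(d.startswith(("max-age=", "s-maxage=")) and not d.endswith("=0")
           for d in cc):
        problems.append("positive max-age/s-maxage allows caching")
    return problems


def harden(resp):
    """Return a copy that caches must not store and whose body no longer
    exposes full SSNs (only the last four digits remain)."""
    headers = {k: v for k, v in resp.headers.items()
               if k.lower() not in ("cache-control", "expires", "pragma")}
    headers["Cache-Control"] = "no-store, private"
    headers["Pragma"] = "no-cache"  # for HTTP/1.0 caches
    body = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], resp.body)
    return Response(resp.url, headers, body)


# Constructed sample: an applicant record served as ordinary cacheable HTML.
weak = Response(
    "https://example.invalid/applications/1042",
    {"Content-Type": "text/html", "Cache-Control": "public, max-age=86400"},
    "<p>Applicant: J. Doe</p><p>SSN: 123-45-6789</p>",
)

if __name__ == "__main__":
    for problem in audit(weak):
        print("weak:", problem)
    print("hardened:", audit(harden(weak)) or "no problems")
```

The check is a last line of defence: the first, as McGee's point about the Buffalo company makes clear, is not to collect the number at all when the business process does not need it.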
Also discussed was the importance of keeping laws and regulations consistent with the changing data landscape. McGee pointed to New York's proposed SHIELD Act, which would expand the types of data covered by reporting requirements to include passwords and biometric data. It would also give companies an incentive to obtain additional certification by granting safe harbor from state enforcement action to those that do.
From a state regulator perspective, “States will continue to push aggressively for companies to adopt reasonable data security measures that protect sensitive information,” McGee said. But, she added, “advances in technology will not be a substitute for data security practices.”
In McGee's view, data risk management begins with understanding the types of data being collected. However, in recent years, these types and amounts of data being collected have grown significantly.
“In the past several years, there has been an exponential growth in companies who rely on data as commodity,” she said, pointing to advertising, financial, agriculture and service sectors. “For some companies, data is the only commodity.”
These new data types are providing information in ways that were previously unthinkable, yet security measures and regulations have not evolved at the same pace. What's more, definitions of what qualifies as private or sensitive information shift with cultural norms, further muddying the reasons and methods for collecting and selling data.
Still, McGee said, it is important to “educate people on the basic hygiene of cybersecurity”: what information is collected and how. Lastly, and importantly, the C-suite can work this information into the business model, keeping it front of mind from the start.