As cyber professionals, our job is to think about preventing
breaches. We have controls that we have put in place. We measure the efficacy of
those controls. And we have a backlog of work that remains to be done.
During an incident, we work to respond to the incident. If that
incident rises to the level of a data breach, we work within the context of an
enterprise crisis action team to contain every aspect of that breach, technical
and non-technical.
But how often do you think about what happens post-breach
after the exhausted response team has gone home? By this, I mean the regulators. Depending on
your industry and location, you'll likely have state and/or federal regulators
knocking on your door.
A November 2019 FTC complaint against a Utah company, Infotrax,
provides a unique and valuable view into how regulators will view a security
program post-breach.
Regulators aren’t just going to look at the things that your
program has done right. They are also
going to look at the things that have been left undone. You know, the things that
are either sitting on your backlog right now, or worse yet, not there at
all.
Remember that the intent of this post is not to comment
on the findings but to have you understand how regulators think.
In Infotrax's case, the FTC regulators
determined in paragraph 10 of the complaint that these included failing to:
- inventory and delete personal information it no longer needed;
- conduct code review of its software and testing of its network;
- detect malicious file uploads;
- adequately segment its network; and
- implement cybersecurity safeguards to detect unusual activity on its network.
In paragraph 11 of the complaint, the FTC regulators
determined that “respondents could have addressed each of the failures
described in paragraph 10 by implementing readily available and relatively low-cost
security measures.” I’ll leave it to the reader to determine the scope of work
for each of the above paragraph 10 line items in the context of the meaning of
low cost.
As part of the plea agreement, Infotrax has a 20 year order
requiring it to take a number of specific actions. Each violation of that order
carries a $42,530 fine. Again, that's each violation.
The MySpace social network also had a similar 20 year order from the FTC. As FTC Commissioner Christine Wilson points out in her concurring statement, "[p]rior to the FTC action, MySpace was the most visited social networking site in the world, but it was subsequently overtaken by Facebook. At least one publication predicted this outcome – when reporting on the order, Forbes wryly titled its article, 'The FTC Has Faith That MySpace Will Be Around In 2032.' "
As Tripwire writes, "if the data breach doesn't kill your business, the fine might."
A single breach might bring scrutiny from multiple regulators. If we are to assume breach, we’ll also need to assume “regulators”
and prepare for the optics that they bring on the things left undone.
Perhaps it’s time to go back and review that backlog as well as the current
program prioritizations with executives for “reasonableness” using the same optics as a potential regulator.
Early visibility and preparation around the optics now also might be a gift in the event of a future breach.
There may be some hard conversations on the horizon.
Follow me on Twitter
for discussion and the latest blog updates: @Opinionatedsec1. Or, start your
own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read
it.