With each new year we look back and review the significant events of the previous one. By all accounts, 2017 was a wild and woolly year: world and national politics, the stock market, terrorism and acts of mass violence, devastating hurricanes, and forest fires! The digital world saw big changes as well, with the repeal of net neutrality and some major cyber breaches. The Equifax breach exposed the personal data of roughly 145 million people, close to half the population of the United States. Uber disclosed a breach affecting another 57 million riders and drivers. Yahoo announced that all 3 billion of its accounts had been affected by the breaches of its systems.

So, what will 2018 bring? I'll wager a few dollars that we'll see some spectacular breaches this year. What I'm willing to guarantee is that we'll see more government regulation aimed at protecting data, not as a reaction to Equifax, Uber or any other 2017 breach, but because regulations already written into law take effect in 2018. In fact, it has already happened. If you are a Department of Defense contractor and your company handles Controlled Unclassified Information (CUI), which covers much of the work contractors do, you are subject to the DFARS 252.204-7012 clause, which required compliance with NIST SP 800-171 by December 31, 2017. In plain terms, if your company does business with the military, you are now subject to a set of rules very similar to HIPAA, designed to protect data important to our nation's defense.

Not far behind is GDPR. Although not well known in the US, it will have a major impact on our businesses. GDPR is the European Union's General Data Protection Regulation, which takes effect May 25th of this year. It applies to any organization that processes the personal data of people in the EU, wherever that organization is located, so most companies doing business in Europe are covered and the implications are far reaching. The focus of the law is the individual's right to the protection of their personal data. A person in the EU can make significant demands on a US-based business with respect to their data, such as access to it or erasure of it. Any company selling products or services into the EU, or monitoring the behaviour of people there, is affected.

Lastly, the finance and insurance industry has a new data security regime of its own, built on NIST-style risk assessment, also very similar to HIPAA, and also designed to protect our personal data. New York's Department of Financial Services cybersecurity regulation (23 NYCRR 500) took effect in March 2017, and the NAIC Insurance Data Security Model Law adopted in October 2017 closely follows it, so other states are following suit. It is expected to be adopted widely this year.

This trend of increased regulation to protect our personal data will continue as companies race to collect more data on each of us. Google, Amazon, Microsoft and Facebook all collect data about us to generate more revenue, and the bigger the trove, the bigger the target. I never authorized Equifax to collect my most valuable data, and yet I am affected by their incompetence and lack of regard for the welfare of the people whose data they hold. In 2018, I think we need all the help we can get to protect our data!

If your company collects, processes or stores people's sensitive data, you will probably be affected by one or more of these regulations, each of which requires you to protect that data from loss or theft. The first step is to know what data you hold and which regime it falls under; the second is to assess your security controls against the standard that applies to that data, for example the 110 requirements of NIST SP 800-171 for CUI, and to document the gaps you find.

Do you need help implementing and understanding these new regulations?

Email us at info@thirdrock.com or give us a call at 512.310.0020.  We’d be more than happy to help!

Protect your Clients. Protect your Organization. Protect Yourself.™