This is the second in a series of three blog posts by Katabat’s Chief Information Security Officer, Arthur Haigh, examining the international data security regulatory environment. Read the other installments here and here.
Part of being a leader in information security is accepting that you will not prevent every attack. CISOs and CSOs advocate tirelessly for the resources needed to detect, contain and recover from a breach of their customers' sensitive data when, inevitably, one occurs. Executives and boards face pressure to spend budget in many directions, so this kind of security investment can be a hard sell. It is like getting the flu shot, which protects against the strains expected to be bad, while also stockpiling medication in case you catch some other strain that has not emerged yet.
The current patchwork of US and international regulations on data protection means that there can be a wide range of responses to this long-term need. Some companies prepare very well and successfully ward off a range of attacks, while others disregard proper security measures and become news headlines. Individuals may not even know if their data has been compromised.
Improving individuals' rights over their personal data (knowing where it is stored, who processes it and whether it has been exposed in a breach) is a central focus of the General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and enforceable from 25 May 2018. It applies to any organization, inside or outside the EU, that processes the personal data of people in the EU, and it requires security measures appropriate to the risk of that processing (Article 32). Note that these obligations cover all personal data, not only the "sensitive" special categories.
The regulation strengthens data privacy and imposes stiff penalties on organizations that fail to report breaches promptly: a breach must be reported to the supervisory authority within 72 hours of discovery (Article 33) and to the affected individuals without undue delay when it poses a high risk to them (Article 34). This is the part that would have stung Equifax the most; it discovered its breach on July 29, 2017 and did not disclose it until September 7. Other recent breach targets should also sit up and take notice. Hilton was fined $700,000 on October 31, 2017 in a settlement announced by New York's Attorney General Eric Schneiderman. That is about $2 per customer whose card data was exposed, and a tiny fraction of Hilton's annual revenues of $11.2 billion. Under GDPR the ceiling is 4% of worldwide annual turnover or €20 million, whichever is higher, which on those revenues would be roughly $450 million. That figure is the statutory maximum rather than a predicted fine, but it changes the arithmetic for any board weighing security spend against the cost of a breach.
The GDPR also requires a risk-based approach to data protection: data protection by design and by default (Article 25), data protection impact assessments for high-risk processing (Article 35) and security measures matched to the risk (Article 32), so that privacy is built into new products from the ground up rather than bolted on afterwards. At Katabat, this approach is in our DNA. We started with a highly secure platform, FlexCollectSM, the brainchild of my colleague Ye Zhang, our CTO and an expert in encryption technology. As our customers' needs have evolved, we have strategically expanded our feature offerings so that now, with Katabat 8.0, a business can deploy a complete customer experience management (CXM) solution with data protection at its core. This approach has not always been easy, but it has made our products popular in the UK and Australian markets, where regulatory compliance around data security is key.
Will American data protection regulations move in the same direction as the GDPR? Equifax probably hopes they do not. According to the Wall Street Journal, the company was pushing for protections against being sued if it failed to safeguard sensitive data even before the breach. Other signs, however, suggest that things are moving toward regulation. Sectors that make up an increasing share of the US economy already operate under sector-specific data privacy laws (HIPAA in healthcare, FERPA in education), so vendors in those sectors develop security controls in tandem with their electronic records systems. Congressional leaders are also under pressure to protect Americans' data privacy after the Equifax breach.
Another sign that businesses may be prepared to accept a stricter regulatory environment comes from the UK. British voters approved Brexit in 2016 partly in the hope of escaping EU regulation. However, all indications are that the GDPR will apply in the UK anyway: it takes effect before the UK leaves, and the government has introduced a Data Protection Bill to carry its provisions into domestic law. For another, the GDPR's reach is not limited to EU-based companies: any organization that offers goods or services to people in the EU, or monitors their behavior, must comply (Article 3). Americans are going to be dealing with GDPR whether they like it or not. If we adopt something similar in the US, it may cost firms some money, but that money will at least be invested in systems that both protect their customers' data and enhance their ability to do business worldwide.
Email me at firstname.lastname@example.org to learn more about how data security informs every part of the customer experience when you deploy Katabat solutions.