CT gets tough on cyber security requirements
John Farley
Organizations of all sizes continue to struggle to safeguard their sensitive data and ward off external threats to their network's security. These threats come from all sources, including organized crime groups, state-sponsored actors, “hacktivists” and rogue employees.
Their methods of attack constantly evolve and become more sophisticated by the day. Even those with enormous cyber-security budgets find themselves victims of data theft. It has become abundantly clear that cyber security efforts have failed to keep up.
In 2015, the issue became personal to one in four Americans. In February, Anthem announced that 80 million members' personal data, including social security numbers, may have been compromised by hackers.
In June, Connecticut state authorities responded with force as Gov. Malloy announced that he signed into law Public Act 15-142: An Act Improving Data Security and Agency Effectiveness. Effective Oct. 1, 2015, it requires:
• Free identity theft protection: Should an organization fall victim to a data breach involving social security numbers of Connecticut residents, they will be required to offer at least one year of free identity theft prevention services and identity theft restoration services if needed. In addition, it will require companies to instruct affected individuals how to place a credit freeze on their credit file.
• Notification deadlines: Companies will be required to notify the affected population no later than 90 days after discovering the incident. Notice will also be required to the attorney general.
• Expanded definition of personally identifiable information: In addition to common identifiers such as social security numbers, Connecticut includes biometrics, like finger prints, voice prints and iris scans in the definition of personally identifiable information.
• Cybersecurity standards: Specific industry groups, such as health insurance companies and state contractors will now need to maintain comprehensive data security and information security standards.
Connecticut is one of 47 states that has its own specific guidelines organizations must contend with in the aftermath of a data breach. If a data breach affects residents of multiple states, it will require a complex and time consuming effort to sort through all of the state notice requirements.
Nine states changed their requirements in 2015 alone, and many more are expected to make revisions in the coming months. This creates additional confusion for any entity that must comply with multiple state mandates, and could delay notice to affected individuals. This issue has spurred recent federal legislation aimed at streamlining notification and cybersecurity requirements into one unified standard that all states would follow.
Connecticut Senate Majority Leader Bob Duff (D-Norwalk) and Attorney General George Jepsen have taken issue with this legislation. While this might alleviate the complexities of sorting through the 46 different state statutes, it might also weaken compliance requirements made in states like Connecticut. In theory, it could eliminate the powers of an attorney general to investigate incidents, and limit state's ability to mandate cybersecurity standards and to punish organizations that are not compliant with cybersecurity best practices.
As state and federal legislation evolves, one thing is clear: Our sensitive data is under constant attack, and a coordinated effort between the public and private sector to protect it is critical. A consensus on how to approach the problem is needed sooner rather than later. Hackers have kept one step ahead, and appear to be winning the fight for our data.
John Farley is vice president and cyber risk practice leader for HUB International, a global insurance brokerage with offices throughout North America.
Read more
Most Recent
Most Recent
0 Comments