After an incredibly long hiatus, the blog is back in action.
Cybersecurity breaches, or at least the public's knowledge of them, have increased. The breaches have been happening for years, and the media spotlight has continued to intensify, especially for high-profile cases involving the personal data of millions of consumers.
A couple of breaches in 2019 impacted numerous consumers:
- Over 500,000 affected (fined approx. $230 million)
- Over 100 million affected
Increasing regulation in the form of the General Data Protection Regulation (GDPR) has applied pressure far beyond previous regulations. The last post written here was published in 2013, and the landscape has changed significantly since then. The consequences of non-compliance can be very severe: the penalty for a GDPR violation can reach 20M EUR or 4% of annual turnover, whichever is greater. The California Consumer Privacy Act (CCPA), in force since January 1, 2020, can also impact businesses, but it is important for any business or other organization to first consider whether the activity it carries out even falls within the scope of these laws.
The UK ICO provides a guide on GDPR focused on UK businesses and organizations, but its principles are worth considering whenever controlling or processing the personal data of citizens of European Economic Area (EEA) states. Differences in how individual member states apply the regulation should also be considered, but for managing risk, especially where a business or an organization is just getting off the ground, the guide is a good start.
Regulations aside, attention must be focused on securing systems and eliminating any security risks that may affect the protection of personal or other data. The best deterrent to a cybersecurity breach is not operating at all; practically speaking, the next best is implementing information security best practices, especially at the technical level. Administrative and organizational best practices are also incredibly important, but without the technical component the data is at critical risk of exposure regardless of how well a business or an organization is administered or operated.