Millions watched the season premiere episode of “Game of Thrones” on July 16, 2017, with another six million viewers watching it through their DVR or via streaming. It should come as no surprise, then, that HBO was a ripe target for hackers wanting to grab some of that hot commodity for themselves – for the right price. Reports that have trickled out over the past few weeks indicate that a group of anonymous hackers is basically holding the television network hostage, claiming to have access to HBO’s webmail server and more than 1.5 terabytes of data including scripts, episode summaries, marketing materials and entire episodes of shows. Demanding ransom for return of property is as bad as it sounds, but unfortunately, it is becoming more and more of a common scenario as we store most of our information online.
With such a great potential for risk exposure, businesses continue to ramp up their efforts to become more aware and accepting of security procedures for their archives. Gartner is projecting that worldwide spending on IT security products and services will continue its rapid growth spurt to reach a total of $86.4 billion in spending this year. This is likely because the prevailing view of data breaches is that it’s no longer a question of if you get breached, but simply a question of when and to what degree. The question for you, then, isn’t really whether you are spending enough, but rather whether you are directing your spend to the right tools.
If you are a company based in the United States, the National Institute of Standards and Technology addresses security and privacy controls for organizations. The type of product or service you offer determines which guidance you need to follow to protect your company’s data, and what to do in the event of a breach. These standards and protocols need to be pervasive throughout an organization. Training, tools, and reinforcement mechanisms are just some of the ways to encourage institutional adoption of basic privacy practices, the first layer of defense against a cyberattack.
Many companies don’t operate solely in the US, meaning they must be aware of the specific cybersecurity obligations in each region where they operate. For example, European companies face impending regulations to prevent data loss that firms need to be aware of. Specifically, the EU’s incoming General Data Protection Regulation is due to come into force in May 2018, and Canada already has the Personal Information Protection and Electronic Documents Act (PIPEDA). If you do business outside of the US, you must stay up-to-date on both US and foreign policies.
Being prepared before a breach is only half the battle. In addition to the NIST standards for maintaining security, the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability & Accountability Act (HIPAA) and certain other federal and state laws have their own rules about what companies operating in particular fields need to do in the event of a data breach.
Given the wide-reaching ramifications of data breaches, and the implications they can have for business operations and your consumer relationships, cyber security and data privacy aren’t ideas that you can just dabble in. Make sure that you are working with someone who has the right training and credentials. If you aren’t sure where to start, contact the International Association of Privacy Professionals (IAPP), a policy-neutral organization that certifies privacy professionals in all fields.
Seeking the appropriate guidance, utilizing best-in-class security protocols and ensuring that those operational controls are followed daily must be paramount if information security governance is to take hold within your organization.
Laura Rogal is a partner at Arizona-based Jaburg Wilk, and specializes in litigation, intellectual property, internet law and employment. She is also a member of the Law and Technology Committee and Startup and Entrepreneurship Committee, Arizona Technology Council.