Politicians are coming with new cybersecurity requirements — are you ready?
For the past two years I have predicted that if American businesses did not step up their game on protecting data security, then government would step in and force the issue. Consider how the Affordable Care Act came into being. Health care has been on the government’s agenda since the Clinton administration. The health-care industry spent more than a decade passing the ball to K Street lobbyists, hoping to keep the government at bay. Ultimately — whether right or wrong — the government took action.
Cyber data breaches have been on the radar for well over a decade, and there is no letup on hacking events. Every day new breaches are reported by companies of all sizes — from major financial institutions to local medical practices. Other than breach notification laws, government has to date issued only guidance to businesses. That soft touch appears to be ending. It is no surprise that now New York has stepped to the forefront and proposed actual regulations that will apply to financial institutions. While industry analysts already are panning the proposed regulations, like most government initiatives, there is likely little to stop implementation in some form.
Some of the regulations appear to make perfect sense. State-regulated banks and insurers must perform a self-evaluation of their cyber vulnerabilities on an annual basis. In response, these entities must develop updated cybersecurity plans, which include an immediate response plan for breaches. These institutions also must designate an employee to act as the chief security officer. Moreover, banks and insurers will have to notify the state of possible cyber breaches within 72 hours. In reality, many of these requirements are not totally out of bounds, and most experts advocate for this level of planning as part of a company’s cyber risk management efforts. The concern for the proposed regulations is that they appear to go much further, for example, requiring all email communications with customers to be encrypted.
If financial institutions had taken action and implemented realistic and state-of-the-art cybersecurity plans, it is unlikely the government would be proposing these regulations. When politicians perceive that business is not acting to protect constituents, they act to fill the void. If the current proposals are enacted in New York, it is likely that other states will be forced to implement similar regulations.
If anyone thinks financial institutions will be the first and last industry to be targeted for such regulations, think again. This is an easy topic for politicians as the constant news of breaches is on voters’ minds. In all likelihood, most voters have been impacted by a breach or identity theft in some form. Cyber regulations are the kind of laws that do not cost the government much, but look good to voters.
Where do we go from here? Businesses and their trade groups must wake up and take data security seriously. Providing limited discussion and guidance on the issue at annual conferences is not going to cut it any longer. Continue down that road, and you can be assured government will step in with regulations for your industry as well. Trade associations must take action now — demanding that their members take action and ensuring that their proactive efforts remain visible to lawmakers.
If the financial industry is first up, who is next? Almost surely one of the three Hs will be targeted for governmental oversight. Who are the three Hs? Health care, hospitality and higher education. For the last year, it has become apparent that these three industries are behind the eight ball when it comes to data security and cyber insurance. The three Hs have a lot in common that makes them high-value targets for cyber criminals: 1) all have access to substantial personal information for their customers; 2) all employ numerous people with a fairly high degree of turnover; 3) all allow employees a high degree of access throughout their information networks; and 4) all rely heavily on technology to achieve operational efficiency.
Politicians looking to implement new regulations that purportedly affect the most votes could not find three better industries to target. Of these, health care is likely first up for additional mandates. The personal identifying information owned by medical and health-care providers is the “gold standard” for cyber thieves. Plus, recent high-profile incidents are gaining national attention concerning the vulnerabilities of the industry. Earlier this year, Hollywood Presbyterian Hospital in Los Angeles was hit by ransomware. The hospital paid a $17,000 bitcoin ransom to get its network unlocked. More recently, MedStar Health System was hit by ransomware that created a nightmare for the provider. And the list goes on. When providers have to cancel surgeries and cannot access patient files, it garners people’s attention — including politicians.
Hospitality and higher education are not far behind. A number of high-profile breaches have hit the hospitality industry. The media have not paid as much attention as they did to retailers like Target or Home Depot, but it is only a matter of time. Higher ed’s problem is the manner in which colleges and universities are structured. It takes a lot of time and effort to get buy-in that they are exposed. But again, one high-profile event and possible legislation will be coming.
The health care, hospitality and higher education industries would be very wise to get ahead of the curve. Acting now to implement cybersecurity measures is not only prudent from an internal risk management standpoint, but it has the potential to move these industries off the legislative radar. As 2016 winds down, these industries should make their New Year’s resolution to tackle cybersecurity in a serious and systemic manner. If not, be assured that legislators will likely step in to make them take action.
Collin Hite is the practice leader of the Insurance Recovery Group and the Data Privacy & Security Group in Hirschler Fleischer's Richmond office. He can be reached at 804-771-9595 or [email protected].