On September 10th, in the seventh session of The Inevitable 2020 Series, Text IQ brought together three experts in data security and privacy from three distinct vantage points: legal counsel, a cyber insurer, and a large consumer-facing multinational organization.
The panelists providing their insights are:
- Matthew Meade, an Eckert Seamans Cherin & Mellott L.L.C. Member practicing in their Data Security & Privacy Program. Matthew has extensive experience in advising clients on security incident investigations, analysis, communications, and responding to regulatory inquiries and litigation.
- Timothy Nagle, Global Chief Privacy Officer and head of the Privacy and Data Strategy group at U.S. Bank. Tim has served as a member of the Research Advisory Board of the International Association of Privacy Professionals.
- Brad Gow, who became involved in the Cyber Insurance Industry in its infancy in the 1990s, is the Global Cyber Product Leader at Sompo International, a global specialty provider of property and casualty insurance and reinsurance.
The Frequency and Nature of the Threats Continue to Escalate
“The nature of ransomware attacks has stepped up significantly. A year ago, the threat actors were just encrypting data and demanding payment. Now...they're taking data and threatening to publish that data on the dark web unless you make the ransom payment.” ~Meade
Data breaches used to be about lost laptops. “We don’t have those anymore because nearly everyone encrypts their laptops,” notes Brad Gow. Then, in the early 2000s, hackers were compromising payment systems and siphoning off hundreds of thousands of millions of credit cards. Now it is all about ransomware, which is up by a factor of 5 year on year.
And the types of data at risk are not just PII. Consumer data (a core asset for an organization like U.S. Bank), proprietary business information, intellectual property, contractual documents subject to confidentiality, and more are at risk. The volume of those data continues to grow exponentially and to proliferate across internal and external systems, networks, third-party locations, public and private clouds, and elsewhere.
Managing for Volume and Complexity
“We're having to fence off, protect, and account for more and more types of data, larger quantities, unstructured data. Things other than the social security number and account number that traditionally were not the concerns in a privacy event and now are going to have to be.” ~Nagle
If there is a data breach or any type of unauthorized disclosure, identifying what data were compromised is a necessary step. Is it sensitive? Does it concern consumer PII, proprietary business information, or theft of intellectual property? Does it concern confidential contractual information?
The answer to these questions will directly impact reporting requirements – requirements that have become increasingly complex.
As discussed by our panelists, reporting requirements go well beyond GDPR or CCPA. All 50 states have their own definition of what comprises PII, HIPAA applies at the federal level, and there are more than 100 national privacy laws across the globe. There are also likely to be contractual agreements requiring the reporting of breaches to third parties.
It is really important to describe and classify your data, notes Meade. “You need to know what you have, and a lot of clients don't know what they have and aren't able to make that assessment.”
How to Manage for this Volume and Complexity?
In a word: “preparation” says Gow. Whether the breach response concerns GDPR or CCPA and subsequent data subject access requests (“DSAR”), or a business-shuttering ransomware attack, the response absent pre-planning will be painful. As Gow puts it, you will be “buying aspirin in an airport. You're desperate for relief, and you're going to pay way too much.”
Preparation entails knowing who is in charge; what resources (internal and external) will be engaged; and developing the policies and procedures that will govern your organization’s response to a data breach or ransomware attack. But first and foremost you must have control of your data landscape.
This is simply not possible without the use of AI.
“The ability to crunch through large quantities of data and find relationships or contextual connections that might not otherwise have been seen. So we've done a proof of concept in the discovery space and found it to reveal some things we didn't know or couldn't have anticipated.” ~Meade
Looking forward, Tim suggests that the use of AI will “become expected rather than cutting edge.” He proffers that the question will not be should we use AI, but rather, “if you're not using artificial intelligence for combing through large quantities of data, like possibly after a breach, the question might be why not?”