As 2017 comes to a close, the Miller Johnson Privacy & Cybersecurity team takes a moment to reflect on the past year to help predict cybersecurity trends in 2018. In 2017, our clients experienced an unprecedented number of cyber-incidents and data breaches. Our small to medium-sized business clients were impacted most. These attacks coincided with the big headliners like the Equifax breach that affected 146 million Americans, and the WannaCry ransomware attack that spread through Europe and locked down businesses throughout the world. In fact, data breaches and other cyber-attacks became ubiquitous in 2017.
Given this threat landscape, our clients sought to create cybersecurity programs, increase the maturity of existing cybersecurity programs, evaluate vendor agreements related to the storage and processing of their data, address new regulatory requirements such as Privacy Shield and GDPR and analyze the scope of risk transfer provided under their cybersecurity insurance policies.
Based on the events of 2017, we expect to see the following privacy and cybersecurity trends remaining at the forefront during the next calendar year.
As in 2017, ransomware will continue to represent the most significant threat to businesses. The number of new ransomware strains will continue to increase, with attackers focusing on mobile devices while continuing to implement new techniques that make these attacks even more difficult to contain and eliminate. Indeed, attackers will have increased access to ransomware-as-a-service software on the dark web.
Payment and Transaction Security
Businesses concerned with payment and transaction security should be aware of the following trends:
- First, the best practices for securing payment card data introduced in PCI DSS version 3.2 will become binding in February 2018. To learn more, see the PCI DSS 3.2 Resource Guide published by the Payment Card Industry Security Standards Council.
- Second, cryptocurrencies like Bitcoin and Ethereum will continue to go mainstream even as hackers utilize them for ransom in ransomware attacks. Trading in bitcoin futures opened last week, as the first major U.S. exchange offered a product pegged to the wildly fluctuating cryptocurrency.
- Third, like cryptocurrencies, blockchain will continue to become an integral part of how businesses secure payments. Blockchain is simply a distributed ledger technology that uses cryptography to enable entities to share a common infrastructure for tracking financial transactions, creating greater efficiencies and security. Harvard Business Review describes blockchain as a foundational technology that will have an enormous impact on both our economic and social infrastructure.
A growing number of companies rely on cloud storage to handle all aspects of their data processing. Because of the treasure trove of information being stored in the cloud, cloud infrastructures are prime targets for cyber-attacks. Given this threat landscape, in Q1 2018 companies should review their privacy and data security policies and procedures, including their cloud vendor agreements, to ensure adequate security and risk transfer measures are provided.
Internet of Things (“IoT”) Devices
Smart devices will proliferate in homes and businesses in 2018. These devices collect, store, and transfer personal information of their users and share such information across networks as well as with the device manufacturers. The lack of security by design and poor default security settings make these devices target-rich environments for hackers. Under GDPR these devices must be able to “forget” such information (e.g., Amazon Echo users have the right to direct their device: “Alexa, please forget me.”). Although this is not the case in the U.S., IoT vendors are dedicating more resources to device security while looking to Europe for best privacy practices.
The cyber-insurance industry continues to grow and mature at a steady pace as organizations attempt to transfer the risk associated with cyber-attacks. In their infancy, cyber-policies typically mimicked the coverages provided under commercial general liability policies, causing unintended gaps in coverage. As companies have gained a better understanding of the losses associated with cyber-attacks, more focus has been given to business interruption coverage, crisis management and ransom payment costs, as well as the costs associated with breach response and remediation. Companies must appreciate the limitations to coverage contained in these policies (e.g., sublimits and exceptions to coverage) to ensure that the insurance purchased is collectible and addresses their anticipated costs related to cyber-incidents. In so doing, companies will need to ensure that their internal privacy and cybersecurity policies are aligned with the requirements of coverage.
May 25, 2018 is the deadline for compliance with the EU’s General Data Protection Regulation (GDPR). This regulation impacts any business that maintains the personal information of EU citizens. GDPR’s protection of personal information is sweeping in scope and is far broader than most current US federal or state privacy regimes. GDPR gives data owners transparency into how their data is collected and used. Additionally, any data breach impacting EU citizens needs to be reported within 72 hours; by comparison, this year Florida became the first state to require data breach notification within 30 days. Under GDPR, noncompliant companies face fines up to €20 million or 4% of global revenue, whichever is greater. Many U.S. companies are currently unprepared to meet GDPR’s compliance deadline and will need to do so or risk facing its significant non-compliance repercussions.
US Privacy Regulation
There has been slow yet steady progress toward a broad federal law governing privacy and cybersecurity. In May 2017, continuing the Obama Administration’s efforts, the Trump Administration issued an executive order on cybersecurity setting forth a series of investigations and reporting deadlines, all seeking to improve the cybersecurity posture of the U.S. Then, in the wake of the Equifax breach, the White House issued a statement reiterating the need for stringent federal privacy and data security regulations. On December 1, 2017, the Senate introduced a bill that would require jail time for corporate executives who do not notify consumers of a breach within 30 days. The bill also requires the Federal Trade Commission to enact strict standards that businesses will have to follow to protect personal and financial data. Given the current political climate, it remains to be seen whether these initiatives will become law. Nevertheless, these initiatives will bear watching during 2018.