A recent hack affected the U.S. Department of Veterans Affairs (VA) and put the personal information of approximately 46,000 veterans at risk. Cybercriminals stole personal information of veterans and then tried tricking VA employees into processing fraudulent payments into offshore bank accounts.
The stolen information included social security numbers and forced the agency to take its payment system down for days until a security review could be completed. As this example shows, personal data and computer systems are often compromised in the same event. To respond to a cyberattack like this one, organizations need to learn to take a combined perspective that includes data protection and cybersecurity.
To see why treating cybersecurity and data privacy as two different challenges is a mistake, consider the recent case of Warby Parker. The Office for Civil Rights announced it is investigating eyeglass maker Warby Parker for its handling of the 2018 cybersecurity attack on thousands of its customer accounts, which could result in a massive fine.
In other words, the company was the victim of a cyberattack but compounded the failure by mishandling the data privacy rights of its customers. Organizations can respond to a cybersecurity incident by resetting passwords for the impacted accounts and adding new security measures. But if they fail to address the HIPAA privacy, security and breach notification rules for affected users, a company can be exposed to regulatory fines and consumer backlash. In Warby Parker’s case, the failure to investigate the privacy violations of its users slowed down the company’s planned public offering on the New York Stock Exchange.
How can an organization learn to address both issues at the same time and avoid this mistake? First, let’s define what we mean by cybersecurity and data privacy. Cybersecurity focuses on specific technical implementations needed to protect your systems and networks. Compared to data protection that centers on information stored within a system, cybersecurity protects a system itself.
Data protection addresses data management, availability, unauthorized access prevention and application regulations like Health Insurance Portability and Accountability Act (HIPAA) or General Data Protection Regulation (GDPR). In other words, cybersecurity covers safety against cyberattacks, while data protection covers a set of issues related to data storage, management and access.
To face data breaches efficiently, organizations should adapt their daily workflow by combining cybersecurity and data protection. Here are some of the ways to do it:
In addition, your staff needs to understand the risk a company faces related to compliance with laws. If an organization doesn’t know what personal data it has, where that personal data resides, and who has access to that personal data, compliance with data privacy laws like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the new Colorado Privacy Act (CPA) becomes nearly impossible.
While GDPR, CCPA, and CPA are some of the most recent examples of relatively new data privacy laws, more than 100 countries have implemented data privacy legislation and many of those laws offer similar data access rights. Here are the most important rules and regulations to understand:
Do these compliance and security requirements feel like swimming in an alphabet soup? We can help you untangle your cybersecurity and data protection requirements for your business. If you’d like assistance addressing cybersecurity and data privacy issues, reach out to us today for a cybersecurity risk assessment.
