As a follow-up to my last blog post about key cybersecurity and data privacy events of 2016, in this blog post I’ll take a look ahead at what 2017 may have in store. Buckle up, because 2017 will be eventful.
The General Data Protection Regulation (GDPR):
The European Union’s General Data Protection Regulation (GDPR) is the biggest change in European privacy law in more than 20 years. Intended to give EU citizens greater power and control over their personal information, the GDPR will impose more restrictive rules on companies handling it. Although the GDPR doesn’t go into effect until May 25, 2018, its impact on the way businesses collect and use data of EU citizens means that businesses will need to focus on prepping for GDPR compliance in 2017.
Should businesses in the U.S. care about the GDPR? Yes, because (1) it will apply to every business offering goods or services to EU citizens, regardless of where the business is located, and regardless of where the EU citizen is located, and (2) the fines for non-compliance can be up to 20 million euros (about $21 million) or 4% of annual worldwide revenues – whichever is greater.
Aside from global reach and increased fines, the GDPR differs from current EU law (the EU Data Protection Directive) in several areas. These include:
- A new right of data portability, which will allow people to obtain personal information they provided to a data controller;
- The right to be “forgotten,” which allows individuals to request that their personal information be deleted;
- A requirement that businesses which process large quantities of EU personal information appoint a data protection officer (DPO); and
- Mandatory breach notification to regulators within 72 hours of the breach, and to consumers without undue delay.
At over 200 pages long, the GDPR deserves its own blog post (in fact, it probably deserves several). Stay tuned for upcoming blog posts about how businesses, particularly small and medium-sized businesses, can comply with the GDPR.
The Office of Civil Rights (OCR), which is responsible for HIPAA enforcement, is coming off a record-breaking year in which it had its biggest single settlement for a HIPAA violation ($5.5 million), as well as more settlements than ever before. Expect the OCR’s surge in activity to continue into 2017, and most likely expand.
In 2017, I expect the OCR to closely monitor cloud service providers, which in 2016 the OCR said are “business associates” and thus subject to HIPAA if they create, receive, maintain, or transmit electronically stored protected health information (PHI). Thus, it is imperative that businesses subject to HIPAA (“covered entities”) enter into appropriate business associate agreements with service providers and provide prompt notice of unauthorized access.
In addition, the OCR announced in August that it will increase investigatory and enforcement efforts related to smaller breaches of PHI, including those that affect fewer than 500 people— likely impacting small and medium-sized businesses. When the OCR looks at these breaches, it will take the following factors into consideration when deciding whether to move forward with an investigation:
- The size of the breach;
- Whether the breach involved theft of or improper disposal of unencrypted PHI;
- Whether the breach involved unwanted intrusion (for example, hacking) to information technology systems;
- The amount, nature, and sensitivity of the information involved; and
- Instances where numerous breach reports from the same entity raise similar issues, or, in contrast, instances where breaches have been underreported.
Judging by 2016’s historic settlements for HIPAA violations, as well as the OCR’s stated intention of investigating smaller breaches of health information, it is clear that the OCR will be even more active with investigations and enforcement actions in 2017. Businesses dealing with PHI can no longer hope that smaller breaches will simply not show up on the OCR’s radar, or get lost among the bigger breaches that make headlines.
In 2017, businesses subject to HIPAA will need to focus even more on breach prevention and reporting, and increase their efforts to make sure they’re following best practices. A few areas for businesses to concentrate on include reviewing risk analysis, employee training, current policies and procedures, and encryption.
Cyberspace is the new Wild West, and that is partly due to ransomware. Ransomware, a type of malware that blocks access to or encrypts computer files until a ransom is paid to a hacker, was the fastest growing cybersecurity risk of 2016, and will continue to be a major concern in 2017. One reason for this is simply because cybercriminals know that it works- businesses often pay the ransom.
Not only do I expect the frequency of these attacks to increase in 2017 (up from 4,000 per day in 2016), but I also expect, now that the hackers are realizing the value of the data, ransom amounts will dramatically increase (the average in 2016 was around $722—a little like Austin Powers nemesis Dr. Evil’s laughable demand for one million dollars). In addition, as larger businesses shore up their defenses against ransomware, I expect small and medium-sized businesses to be increasingly impacted by ransomware attacks.
Some key ways to protect your business from ransomware include implementing anti-phishing and cybersecurity training for employees, keeping anti-virus software up to date, and regularly backing up files (and making sure your vendors do the same).
Hacker interest in obtaining trade secrets, inside information, or political advantage:
When we think of the cybersecurity and data privacy needs of businesses, the first thoughts are often about protecting personally identifiable information (PII) of customers and employees (such as their usernames, passwords, financial account information, health information, etc.). And, there are several laws in place at the state, federal, and international levels aimed at ensuring that businesses protect PII from hackers who wish to steal it and sell it on the black market.
But what about other sensitive information that businesses want to protect? Hackers have a growing wish list of types of information they’d like to obtain in 2017. For example, financially motivated hackers are becoming increasingly interested in obtaining trade secrets, business plans, and even information that can be used for insider trading, such as merger and acquisition plans. Moreover, hackers are seeking this information not only directly from the source, but also indirectly from sources that may be less secure, such as a business’ third party vendors, or even law firms. More than ever, in 2017 businesses will need to keep a close eye on the cybersecurity practices of the third parties that have access to their sensitive information.
Of course, one of the lessons finally learned (I hope) in 2016 is that hackers are no longer motivated solely by financial gain. Hackers are now also acting on political motivations, and are more than willing to steal an organization’s private information (such as email content) and make it public to politically embarrass the victim.
This type of hacking by nation states has been on the rise, and will continue in 2017. The writing was on the wall when North Korea hacked Sony’s email in late 2014. And by now, we’ve all learned about Russia’s interest interfering with elections. In the 2016 US Presidential election, this was a lesson the Democratic party learned the hard way. Unfortunately, I don’t think Russia’s efforts will end there. The German election is in October of 2017, and Russia is not a fan of Angel Merkel.
The laws aimed at protecting an organization’s customer and employee PII are unlikely to apply to hacks of an organization’s other sensitive information, such as trade secrets and email. However, there are other laws that come into play, such as the Defend Trade Secrets Act (which, in addition to prohibiting theft of trade secrets, includes seizure provisions a business can use to recover and prevent dissemination of trade secrets) and the Computer Fraud and Abuse Act.
Businesses already had sufficient reason to have good cybersecurity practices when the primary concern was protecting PII (loss of customers and revenue, class action lawsuits, regulatory scrutiny, etc.). In 2017, organizations can add protecting their own trade secrets, plans, and reputations to the list. Fortunately, many of the same cybersecurity practices that should be followed to comply with the law and protect PII will also help organizations protect their other valuable information and reputations.
2017 will be an interesting, eventful, and busy year for cybersecurity and data privacy, and I look forward to helping my clients through it.