By Margaret Rutter Foltz
Faculty Member, School of STEM at American Public University
What will we read in the news today? Which bank, government or private entity was recently breached? How many individual identities were stolen? Were medical records compromised? How are we protected?
Digital infrastructure across all sectors (government, communications, education, health care, finance, transportation, etc.) gets adopted at a rapid pace, producing “big data” – a universal term expressing the exponential growth and availability of all kinds of data. An example of such adoption is the general use of networked devices. According to Forrester.com, the number of broadband subscriptions is expected to reach 3.5 billion by 2017, smartphone users are predicted to reach 2.51 billion by 2017 and general networked devices will outnumber the world’s population by 6 to 1. These statistics demonstrate that all types of data will likely either be stored or will move through the Internet.
The exponential growth of data naturally produces privacy issues. Unfortunately, there is no holistic, all-inclusive privacy law in the United States. Instead, we have an approach based on the protection of industry sectors. As a result, when personal information is collected, used, shared and/or retained by an entity (public or private), that entity must comply with various federal and state privacy laws. Examples of federal privacy laws are:
- Privacy Act of 1974
- Health Insurance Portability and Accountability Act (HIPAA)
- Children’s Online Privacy Protection Act (COPPA)
- E-Government Act of 2002 (specific to federal government)
- Gramm-Leach-Bliley Act
- Sarbanes-Oxley Act of 2002
- Family Educational Rights and Privacy Act (FERPA)
Federal laws resulted in the creation of specific security policies and industry mandates that entities are required to follow, depending on the type of data collected, including Internal Revenue Service Publication 1075, the Criminal Justice Information Services (CJIS) Security Policy, OMB M-10-23 (protecting PII) and the Payment Card Industry Data Security Standard (PCI DSS). In addition to the current federal laws, states are passing data privacy legislation that requires disclosure, and sometimes credit and identity monitoring, when personal information is compromised.
To date, these industry-specific mandates and federal security policies have proven to be ineffective. A prime example is the Target breach. Target was “certified” as PCI compliant before, during and after the highly publicized incident, which demonstrates that it is simply not enough to be “compliant” with any one law, security policy or mandate, or with any collection of them.
The current federal privacy model is in need of reform. Legislation should give individuals the right to know what information is collected and how it is used, confidence that appropriate security controls are in place, and assurance that entities are held accountable should they be negligent. Additionally, industry-specific mandates and federal information security policies must be updated with robust controls and regulation. Entities should be required in the future to follow frameworks such as the SANS 20 Critical Controls for Effective Cyber Defense, the NIST framework as a standard baseline, and ISO/IEC 27002:2013 (for private sector organizations engaging in international business) as industry mandates. Regulations and mandates must require accountability and impose penalties for non-compliance and lack of due diligence.
The future of cyber privacy is difficult to forecast accurately, and the answer depends on whom you ask. Some experts state that the type of legislative reform that is needed will be a challenge for organizations to uphold, while others predict that there will be additional consequences for entities that do not protect data. At the other extreme, some expect that no additional privacy legislation will be passed because of lobbying by interested parties. The most likely outcome appears to be additional regulation in the form of national cybersecurity standards, federal information security policies, industry mandates and individual state laws. Additionally, using credit monitoring as the remedy for every data breach is not necessarily useful to the victim. New strategies should be developed for privacy breaches that are not financial or PII in nature (e.g., medical identity theft, criminal impersonation, tax fraud).
What can we do to protect ourselves now? The Internet offers some great educational resources, including those noted below, and I encourage you to read and share them to help get the word out.
About the Author
Margaret Rutter Foltz has worked in the field of Information Technology for more than 20 years. She holds a Master of Science in Information Technology as well as multiple technical and security certifications (CISSP, ISSMP, CISA, ITIL, MCSE). Margaret has successfully managed technical staff and offshore resources and has a solid combination of IT Security and IT Management experience spanning the financial, health care, IT services and distribution sectors. Her true passion is IT Security and all of its related components.