New Year’s (Cybersecurity) Resolutions


With 2018 now in the rearview mirror, many of us approach the new year looking to reassess and find ways to improve ourselves. The same can be said for businesses, which could certainly benefit from bolstering their cybersecurity and data privacy practices. With that in mind, here are a few cybersecurity items to focus on in 2019:

  • Certify Past Compliance

For individuals and entities licensed by the New York Department of Financial Services, February 15, 2019 is the deadline for certifying last year’s compliance with the DFS cybersecurity regulation (23 NYCRR Part 500). This is the second year that DFS is requiring such a certification, and if this year is anything like last, licensees that fail to file on time can expect a not-so-friendly reminder from DFS in late February or early March.

  • Address New Compliance Requirements

For DFS licensees, hopefully you have already received the December 21, 2018 memorandum from DFS Superintendent Maria Vullo confirming that March 1, 2019 is the end of the last transitional period under the cybersecurity regulation. The earlier phases (written cybersecurity policies, risk assessments, vulnerability assessments, penetration testing, audit trails, multi-factor authentication, and encryption of nonpublic information) should already be in place; this final deadline adds the remaining requirement, a written policy for the security of third-party service providers. By March 1, every control required by the regulation must be in full effect.

Insurance licensees in Ohio should also be aware that the Buckeye State has become the second state (after South Carolina) to adopt the NAIC’s Insurance Data Security Model Law, which takes effect on the 91st day after the act is filed with the Secretary of State.

While the California Consumer Privacy Act (sometimes characterized as "GDPR-lite") does not become operative until January 1, 2020, and Attorney General enforcement begins later still, businesses should already be considering its ramifications. The new law will substantially affect the way companies collect, store, and manage data about California residents, including the disclosures they must make on their websites and the consumer requests (access, deletion, and opting out of the sale of personal information) they must be able to honor. Rather than panicking in November or December, it is advisable to develop a game plan now for achieving compliance before year-end.

  • Multi-Factor Authentication

With all of the high-profile data compromises we saw in 2018, securing accounts with passwords alone is a recipe for future disasters, and they are disasters that multi-factor authentication can prevent. Today, most employees carry smartphones (often used to access work email), so implementing multi-factor authentication is easier than ever. Admittedly, the trickiest part is tuning the policy (which devices are trusted, how long a session lasts, which actions require a fresh prompt) so that the network stays secure without constantly harassing users to re-authenticate through their devices. However, in this age of password reuse (see below), multi-factor authentication is critical to keeping attackers from leveraging a single compromised password into every account your employees use.
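To make the second factor concrete, here is an added example (not code from the original post or from DFS) of the time-based one-time password scheme, TOTP (RFC 6238), that authenticator apps implement: the server derives a six-digit code from a shared secret and the current 30-second time step, so a stolen password alone is useless to an attacker. The verifier below also shows two details a practitioner has to get right: it tolerates one step of clock skew in either direction, and it refuses to accept a code for a time step it has already accepted, so an intercepted code cannot be replayed. The class name, the `window` parameter and the base32-encoded secret are illustrative choices; the secret itself is the RFC 6238 test vector, included so the output can be checked against the standard.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)  # counter as 8-byte big-endian integer
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble picks the offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(unix_time // step), digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 text."""
    return base64.b32decode(encoded.upper())


class TotpVerifier:
    """Server-side verifier with clock-skew tolerance and replay protection.

    `window` is the number of 30-second steps accepted on either side of
    the current one (1 is a common choice). `last_counter` records the
    highest time step already consumed, so a code is only ever accepted once.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, unix_time: float) -> bool:
        current = int(unix_time // self.step)
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue  # this time step was already used: treat as a replay
            expected = hotp(self.secret, counter)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


# Shared secret from the RFC 6238 test vectors ("12345678901234567890" in ASCII),
# shown here in the base32 form an enrollment QR code would carry.
SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def demo() -> dict:
    """Walk through a login: correct code, skewed clock, and a replay attempt."""
    verifier = TotpVerifier(SECRET)
    code_at_59 = totp(SECRET, 59)  # time step 1 (seconds 30..59)
    return {
        "code_at_59": code_at_59,
        "accepted": verifier.verify(code_at_59, 59),
        # Same code presented again a second later: step 1 is within the
        # skew window, but it was already consumed, so this must fail.
        "replay_rejected": not verifier.verify(code_at_59, 60),
        # A fresh verifier with a client clock ~20 s slow still accepts the
        # previous step's code thanks to the one-step window.
        "skew_tolerated": TotpVerifier(SECRET).verify(code_at_59, 75),
        # A guessed wrong code is rejected.
        "wrong_rejected": not TotpVerifier(SECRET).verify("000000", 59),
    }


if __name__ == "__main__":
    print(demo())
```

The replay check is what turns TOTP from "something you know" into a genuine second factor: without it, any code a phisher captures remains valid for up to 90 seconds with a one-step window. In production the `last_counter` value must be persisted per user, and failed attempts should be rate-limited, since a six-digit code is only a million possibilities.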

  • Password Managers

According to SplashData (a developer of password manager applications), we still tend to use abysmally bad passwords, with "123456" and "password" still holding the No. 1 and No. 2 most popular spots, respectively. Considering all of the accounts we create to manage our day-to-day lives, many of which are linked to work email, it is nearly impossible to remember a unique password for each of them. This inevitably leads to the use of the same password (typically a bad one) across multiple sites. And what happens when one of those accounts is compromised? An attacker, now in possession of an email address and password, begins trying those credentials against other websites to see where else they work (including your company’s systems). Multi-factor authentication blunts this threat; a complementary control, less robust on its own, is a password management application, which requires an employee to remember just one strong master password while the application does the heavy lifting by generating a unique, random password for each account and filling it in. There are multiple password management solutions available for free or at relatively low cost, which makes them a valuable takeaway for your next security training session.

  • Training

Speaking of training, many companies have implemented some form of it, whether during an employee’s initial onboarding or regularly throughout the year. While security training is critical to preparing employees to resist phishing and other attacks, stale "don’t click on attachments" sessions quickly become an opportunity for attendees to take an afternoon nap. To avoid this, liven up training with employee interaction and live demonstrations: present realistic security scenarios (a spoofed invoice email, a call from "IT" asking for a password) and ask employees to spot what is wrong. Doing so instills skills that will benefit them (and you) for months and years to come.

  • Data Diet

The New Year’s diet resolution is something of a trope, but when it comes to data privacy, it is definitely something to commit to. Many new data privacy laws (such as the GDPR and California’s Consumer Privacy Act) require businesses to change how they collect and share customer and employee data. Too often, companies store more data than they need to deliver products or services, then face substantial and unnecessary legal liability when that information is exposed in a breach. Instead of hoarding customer data on the theory that it may someday become valuable, the responsible approach is to purge old, possibly outdated and incorrect information and streamline collection practices, tying each data set to an immediate business use. Companies may also want to review their customer consent policies, replacing older implied-consent programs and verbiage with explicit customer opt-in.

As with almost all promises made on January 1, the key to sticking to your resolutions is a commitment to effecting change, either within yourself or within your organization. When it comes to cybersecurity, the start of the year is the ideal time to define your objectives and priorities and build a roadmap for achieving compliance throughout the year. Should you need help at any stage of the process, the cybersecurity and data privacy professionals at Michelman & Robinson, LLP are available at any time. Feel free to contact Scott Lyon at (714) 557-7990 or [email protected].

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.