Can Security Be Forced Upon Companies
This week saw executives of hotel chain Marriott and credit rating agency Equifax appear at a hearing before the US senate to answer questions concerning the data breaches both companies endured. In this briefing we will take a look at where legislation and regulation may be heading in the coming decade.
What happened during the Senate Hearing?
As can be expected from any official hearing, the discussed contents were largely non-technical and abstract. Both companies were reprimanded for failing to take information security seriously enough and for being too lenient with the auditing and upgrading of their infrastructure. These charges are doubtlessly accurate and equally doubtlessly contributed to the breaches affecting millions of customers.
What are the consequences?
At the same time, the charges are also largely meaningless for practical purposes. From this writer’s perspective, one would be hard-pressed to find any large corporation outside of the IT sector (and even within it to some extent) that does not have at least some unaudited systems left over from a hasty merger, or security updates unapplied due to administrative overload. The reality on the ground is significantly more grim than the Senate appears to assume - the average company does not even have a list of all of its public-facing servers, let alone a database to show what software is running on them.
Increased spending - which both Equifax and Marriott claim to have invested since their breaches - is only a partial fix. While some information security issues are caused by lack of funds, just as many are caused by ignorance, obstinacy, technical complications and a lack of intra-company political will.
What about regulations?
Any time a hearing such as this one takes place, there are calls for regulating information security. To an extent these calls are justified. As personal information becomes more and more valuable, breaches have ever more dire consequences. Thus, the logic goes, information security should be regulated similarly to workplace safety or food safety.
In a way, it already is for many companies. When working with credit cards, you are governed by PCI-DSS; when working with US health data, you must abide by HIPAA; and if a company desires to work with the US government, then it had better be following the NIST CSF. Still, large-scale standardized regulations across industries are lacking, and for good reason. When dealing with e.g. food safety, it is reasonable to regulate that anyone handling raw food must wash their hands. This rule makes sense no matter whether we’re dealing with an industrial-scale abattoir or a community bake sale.
However, the amount of effort that should be - and has to be - invested to protect a user’s email address differs widely between e.g. a multinational e-commerce giant and a PTA meeting. Both handle personal information and both should doubtlessly take steps to safeguard it. But the scale, attack surface and responsibility of these two entities are so different that an all-encompassing framework is hard to create. The length, complexity and number of exemptions in the EU’s recent GDPR regulations are a great illustration of this issue.
Regulation of information security is very likely to increase across the globe in the coming decade. However, the complexity of the topic and the wide range of applications mean that comprehensive general regulations will be hard to create. Governments will need to find a middle ground between overly general (and thus useless) and overly specific (and thus suffocating) regulatory frameworks.