by David Lam | This article originally appeared in The Los Angeles Business Journal.
Pioneers of the information security field have known for decades how important it is, and always will be, to protect one's data. When my business partners and I started our practice in 2001, large companies were already well aware of this fact, so our mission was to start educating small and medium-sized businesses about the risks of not reasonably securing their information systems. What, to some, may have seemed optional at the time is now a business-critical priority as the information security tsunami washes over all of us. There is no escaping this wave of destruction if you use any information systems to run your business or organization. It is no longer a risk to be ignored; it is now a risk to be managed through planning, implementation and continual improvement.
How do we know that the tsunami has arrived? We know it in three ways:
- Your systems can be destroyed, and systems are being destroyed every day.
- A breach can break the law, regulations or your contracts.
- Your customers and clients are either already demanding or beginning to require that you prove you are protecting the data in your possession.
As I reflect on my last 20 years of information security experience, the trend has moved slowly but surely to where we are today.
At the dawn of network computing, back in the 1980s, hackers were not necessarily looking for money. They were looking for glory. Now, whether the attacker is a nation state or a criminal working for profit, destruction of your systems is on the table.
A fact sheet released this year (https://www.ic3.gov/Content/PDF/Ransomware_Fact_Sheet.pdf) by the FBI details a nearly 70% increase in ransomware complaints from the previous year. Ransomware encrypts your data and seeks out and destroys any backups it can reach, so that unless you pay the ransom, which may itself be illegal (for example, when the recipient is a sanctioned entity), you have to rebuild your systems and restore from whatever backups survived. That is why backups that the ransomware cannot reach, kept offline or otherwise immutable, matter as much as the backups themselves.
Breaking the Law
The legal landscape has gotten increasingly complicated over the last couple of years. California has the nation's first comprehensive consumer privacy law, strengthened by the voter-approved California Privacy Rights Act. Virginia and Colorado have just passed their own privacy laws, and every state has its own breach notification law, so there are 50 different state breach laws to contend with. The Department of Labor has released its cybersecurity best practices for covered entities, and the FTC now has additional teeth in its enforcement powers.
Add to this that the American Bar Association has introduced new guidelines for attorneys, and the Sedona Conference has provided new legal definitions of what commercially reasonable information security means. On top of that, if you take credit cards, you are contractually obligated to comply with the PCI DSS and, at a minimum, to complete a self-assessment questionnaire.
Almost as importantly, more and more of our clients' clients are insisting that their vendors meet a commercially reasonable bar for information security. We have seen many information security due diligence inquiries based on the Department of Labor guidance, and many more based on other requirements. A good deal of our time now goes to making sure our clients are meeting the requests being made of them. Whether your clients are banks, insurance companies or labor unions, the demand for information security is here. If you aren't concerned about having your systems destroyed or breaking the law, your clients definitely are.
Now is the Time
I've written repeatedly about the need to implement an information security management system by which you can, at a reasonable pace and at a reasonable cost, appropriately protect your information assets. Just as it is no longer legal or morally acceptable to drive your car without insurance, it's now time to accept that the information security tsunami is here. You can limit its damage and impact by taking action now.
We highly recommend you confer with your Miller Kaplan advisor to understand your specific situation and how this may impact you.