Privacy and cyber regulation is a fast-growing area – the big hitters like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) may grab the headlines but, since the GDPR was finalized in 2016, literally dozens of other national and state-level laws have been passed or drafted around the world. The drivers for this are obvious: growing public concern around the use of data, and a threat landscape in which, since 2013, there have been more than 14 billion data breaches (and counting) – that we know of.
So with lawmakers going into overdrive to regulate the use and protection of data, it’s perhaps not surprising that our new Risk:Value Report has revealed that 13% of companies don’t have a clear understanding of the regulations that apply to them. The finding that 87% think they do have a handle on it is perhaps more surprising – though understanding the regulations should not be conflated with knowing how to comply with them.
Throw into this mix that around 70% of companies do not believe they have GDPR liability – a view I can vouch for from many conversations with down-stream vendors and even some prospective clients. The reasons for this range from not understanding the scope of the law or the data involved, to misunderstanding cross-border transfer requirements, to simply relying on ‘someone’ up the food chain – either the customer or a parent company – to be doing the work for you.
A misunderstanding of requirements and variable use of terms, combined with fundamentally different starting points (some view privacy as a human right, others as a fungible commodity, others as a consumer issue) make many businesses wish the whole thing would just go away. Far from bringing clarity, the unintended consequence of these regulations has been to confuse and even to startle some into complete inertia.
This is perhaps why over a third of businesses would, apparently, rather pay a ransom to a hacker than risk a fine for non-compliance. It is a statistic that at once shows the fear of the new regulations, and also betrays an alarming lack of understanding of how most of the regulations actually work.
The idea that you would not have to inform a regulator because you had paid off a criminal – hardly a trusted party – is off the mark, to say the least. It shows a serious lack of confidence in dealing with regulators, and potentially creates a far bigger problem: failing to report a notifiable breach would be considered an aggravating factor by jurisdictions with breach-reporting rules, and would likely lead to a much larger fine.
So surely it is better to avoid the scenario entirely? Investment in cyber and privacy compliance is growing, but arguably not as fast as it should. Meanwhile, 40% of businesses that have paid for cyber insurance are concerned that their current capabilities would leave them without valid cover in the event of a breach.
The answer here has to be more and better-targeted investment – that is, to understand your risks and your data through better governance, risk and compliance (GRC) practices, and then to invest in the appropriate expertise and technology to drive a compliance programme and bed it fully into your business. Surely it’s better to pay upfront to mitigate the risk – financial, regulatory and reputational. And if you do get breached anyway, effective GRC should also mean that you have a defined and tested incident response plan – and that you will at least then be able to demonstrate to regulators the steps you took – short, of course, of paying off the hacker…