Asaf Kochan, President & Co-Founder of Sentra.
Businesses face numerous challenges when trying to keep track of all of their data. One of the biggest obstacles is staying up-to-date with changes in the security compliance landscape. Ironically, these changes add to the complexity of data protection because many of the new regulations are working at cross-purposes, especially for businesses that have a national or international footprint.
In the past several months, we’ve seen a new executive order from President Biden to create stricter data access rules from foreign sources, along with numerous state-level data privacy regulations being enacted. Meanwhile, the latest round of breach reporting regulations from the Securities and Exchange Commission (SEC) took effect late last year, after drafts were circulated during 2023. This increased scrutiny and disclosure requirements by regulators are creating a complex governance and compliance problem for businesses.
There are several issues at play here. First is for a business to effectively navigate when and what to disclose when they suffer a data breach. In this article, I will look at three particular dimensions of disclosure: timing, breach definition and the type of business subject to the regulations.
Timing
Timing is critical, both in terms of discovering a potential threat and also providing transparency to customers, stakeholders and regulators on what happened. However, the amount of time that is required for material breach notification varies—they can be as little as two to four days after a breach has happened or is first detected. This depends on the jurisdiction and agency responsible.
Not recognizing the breach in this time period could result in substantial fines, as we’ve seen happen to businesses over the past several years. According to data from enforcementtracker.com, approximately €2.1 billion in fines were imposed in 2023, as a result of violations of the General Data Protection Regulation (GDPR). In that one year, more fines were incurred than in 2019, 2020 and 2021 combined.
These tight periods make it essential for businesses to track when a breach occurs and understand the amount and sensitivity of data that’s been compromised.
This means security teams must implement robust data security risk assessment and controls that can scale in alignment with the ever-changing business landscape. These controls should involve incident response practices and ensure the integrity of data catalogs so that teams have full visibility across all data estates to identify and monitor sensitive data both in the cloud and on-premises.
Breach Definition And Different Business Types
That said, the two other dimensions—breach definition and applicable business types—can also vary widely, depending on regulations and their locale.
Breaches are defined differently by each jurisdiction, which means a close working relationship between a company’s legal and security teams. More confusing is that not every business is subject to these compliance rules. For example, only public companies have to file with the SEC, while many non-profits or smaller businesses may not have to file with certain state regulatory agencies. Some states also have a revenue residency requirement which states that if a business has few customers in-state, they aren’t required to file.
Part of the problem here is that various federal and state agencies could be at odds with each other in how they interpret the newly minted regulations. For example, patient data stored by a medical practice could fall under various rules from the Food and Drug Administration, Health and Human Services the Cybersecurity and Infrastructure Security Agency and the Justice Department. And that is just considering the federal agencies.
Even if a breach is quickly identified, another issue is understanding its root cause. This could range from particular defenses that were insufficient, a failure of security policy, a bug in the protective measures, misconfigured accounts, improperly protected large language models (LLMs) or a successful phishing scam.
Part of the challenge is that often businesses have multiple security and management tools that track their data usage and offer differing protective capabilities that don’t properly reflect the current state of their systems. These tools don’t typically have a holistic framework, meaning they aren’t necessarily automated, properly integrated with each other, easily auditable to find missed coverage or connected to provide complete risk management assessments, which can slow down discovery and breach reporting.
Once the cause is established, there is still the question of scope and scale. There have been numerous cases where a breach was identified, but its impact was inaccurately assessed and minimized because a company didn’t have appropriate mechanisms in place to understand the scope and nature of the attack. The Change Healthcare breach this year is a good case in point: American Hospital Association spokesperson Ben Teicher said that the early estimates of the damage from the attack were underreported, and so it’s still unclear what the long-term impacts and risks to other businesses will be.
The Solution
Against this backdrop, there are tools that businesses can use to better prepare themselves for potential security threats and data breaches.
One of these tools is better governance planning by adopting best practices and oversight of policies and procedures for handling customer data. The U.S. National Institute of Standards and Technology recently released an updated draft of its Cybersecurity Framework that includes governance suggestions around the ways companies can identify data assets and calculate potential risks and mitigation measures.
Another available tool to ensure that your organization has an updated and accurate data catalog that tracks where sensitive data resides—including if shadow data exists—who has access to it and how it’s protected. Tools like data security posture management (DSPM) can be an affordable option while continuously and effectively monitoring for data exposures and potential attacks.
Summary
Unfortunately, breaches are a fact of the modern connected business. While the newest regulations can be complex and confounding, one element is clear: Bolstering data security is crucial, especially when considering the potential legal consequences, reputational risks and disruptions to business operations. New tools are emerging that can address many of the issues our multi-cloud world has created.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?