Proposed Jail Time for CEOs and CISOs That Do Not Protect Your Data

Did you ever have a time when you saw a little news blurb and thought, "That’s great news!  Wait…maybe that’s not so good for me?"  I had one of those moments today. Keeping up with the day’s news, I came across a blurb about U.S. Senator Ron Wyden proposing a bill to correct what he called “corporations’ lax cybersecurity and poor oversight of commercial data-sharing partnerships…”. Being that my team and I provide Virtual Chief Information Security Officer services for many organizations, I can attest that corporations DO have very lax cybersecurity (often that is why they hire us to make it better).  But even so, I personally have been a victim of others' lax cybersecurity many times.  For many of us, it has just become an expected thing in our lives that we have to deal with replacing credit cards after some sort of breach on a regular basis.

It just happened to me again recently while I was on a trip for work.  During the trip, I received notification that one of my credit cards had been used in many different places by someone who was not me, so it had to be turned off and a new card shipped.  It happens; we have all been there, with our cards seemingly skimmed somewhere.  As usual, I went on with my day with the expectation that a new card would be there when I got home.  But then the next day a data breach was reported and two more of my cards from the same bank (including my main debit card) were deactivated.  This left me with only one more card in my wallet to finish out my trip!  Now I was getting concerned.  But, fortunately, that last card was good throughout the trip and actually for years beyond.

But aside from credit card information, corporations do store a significant amount of information about their customers.  This data is very valuable to them for business processes or for marketing and communicating with their customers.  If I happen to do a search for a room next month in Minneapolis and I do not book right then, I will be hit at least a dozen more times about booking that room.  This is fresh in my mind since it is happening to me today when I’m about to leave for a visit with my family for the holidays.  I checked to see what hotels might cost nearby, but I found I had enough points through one of my programs to book a room for the whole week (one of the perks of traveling all the time is that I get to collect points that allow me to redeem them for more…travel).  But they do not know that I have a room from some other source.  So they continue emailing me constantly, even today when my stay actually starts tomorrow.  That is really a good idea for them, as they will probably see a real percentage of conversions to purchases from it.  But, for me, not only can it be annoying, it means they have my travel information stored and potentially exposed when there is a breach.  They know where I want to go, when I want to check in, and when I will check out.  This information could be very valuable to someone who wants to attempt a spear phishing attack.

And I say “when” a breach happens versus “if.”  As I tell my clients all the time, when we are playing defense, we have to be right 100% of the time.  The offense only has to be right once.  Therefore, getting a little less lax about cybersecurity is a good thing.

You can check out a summary of the core tenets of the proposed act if you would like to read for yourself what he is looking to do.  Of note, the plan would:

  1. Establish minimum privacy and cybersecurity standards
  2. Issue steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives.

Number 2 is what caught my eye when I saw that.  Essentially, what I think that is saying is that the CEO and CISO could face jail time for failing to keep consumers’ data secure.  This is now highly relevant to my interests from the other side of the equation.  I’m a consumer who is always having my data stolen, but now I’m a vCISO who could face jail time for not doing my job well enough!  And I’m sure the CEOs I work for are just as concerned about their own fates as well.

My hope is that, as an industry, we get our acts together and start putting together the comprehensive security programs that our industry needs.  If we can resolve the issues and not have such lax cybersecurity, then such legislated measures will not need to be put into place.  If your credit union is not yet even at the baseline for cybersecurity, or if you are a part of the industry that is looking to really become innovative with your cybersecurity program, contact us at Pure IT Credit Union Services or call 281-378-7777 and let us help you get there.