Credit: SWKStock / Shutterstock
Business leaders are tasked with increasing the value of their organization’s data — and they play an important role in protecting that data, too.
This means data officers, executives, employees, and board members need to be on top of best practices and legal requirements for data protection. With cybercrime continuing to rise, government agencies are enacting more legislation designed to safeguard personal and corporate data, said MIT Sloan professor the co-founder and co-director of Cybersecurity at MIT Sloan. Over the past two years, more than 170 new regulations have been drafted or passed, he said.
“Almost all of these regulations have some impact on the chief data officer,” Madnick said at the MIT Chief Data Officer and Information Quality Symposium, held in July. “They’re responsible for creating value. Now they have to worry about protecting that value they’ve created.”
Madnick discussed five key regulations that should be top of mind for those managing the organizational impact of new cybersecurity mandates.
1. Mandatory software and data bills of materials
Software bills of materials and data bills of materials are detailed inventories that outline the elements underlying software applications and data processes, respectively.
The purpose of a software bill of materials is to provide organizations with transparency about the third-party components, dependencies, and potential vulnerabilities within their software. For example, a software bill of materials would have helped hundreds of thousands of companies determine whether their software was affected by the 2021 Log4j vulnerability, Madnick said. Some government organizations are now requiring clients to provide them as part of their contracts.
“If someone says there’s a problem in a piece of software and you have no idea if you have it or not, it’s like saying there’s a certain poison in the meal you had last night, but you don’t remember what you ate,” Madnick said.
More than 170 data protection regulations have been drafted or passed over the past two years.
Similarly, a data bill of materials supports the transparency and traceability of data to facilitate data governance, ensure compliance with data protection regulations, and manage data quality and security. Some of the data that organizations use is created internally while other data is acquired from outside the organization, Madnick said. Data purchased from a third party may have been gathered from various organizations, so it can be difficult to know where different pieces of data came from, he said. A data bill of materials makes this information clear, which is especially important in the era of AI, when models must be trained on data sets.
2. “Secure by design” requirements
“Secure by design” is a software development and engineering principle that emphasizes integrating security considerations into the design phase of an application or product from the start rather than adding it later in the development process.
“A lot of people are in a hurry to get the software up and running, and worrying about security can slow things down a little bit,” Madnick said. “The trouble is, adding security afterward can be very difficult, and it some cases, it won’t work — things just don’t fit together. The idea is, on Day 1, to have security as part of your design principles.”
Certain industries and states are now requiring manufacturers to implement secure-by-design principles. In California, for example, manufacturers of connected devices are required to equip them with reasonable security features.
3. The prohibition of ransomware payments
In 2019, the city of Baltimore was hit with a ransomware attack in which the attackers demanded $76,000 to decrypt files. Baltimore city officials refused to pay the ransom, opting instead to rebuild the affected infrastructure. The total cost of the restoration, cybersecurity improvements, and lost revenue from disrupted services was estimated at around $18 million.
Given the economics, it can be tempting to pay ransoms. Yet the FBI advises organizations not to do so because it encourages attackers to continue their criminal activities, Madnick said. In some cases, ransomware payments could be prohibited: A proposed federal act would ban U.S. financial institutions from paying ransoms over $100,000 unless they receive permission from the Department of the Treasury.
“There are a lot of issues on the emotional side, investment side, and legal side regarding whether to [pay a ransom],” Madnick said. “But the feeling is very strongly that we want to discourage it as much as possible to discourage the increase in ransomware.”
4. Data localization requirements
In some areas, laws and regulations mandate that data must be stored, processed, and managed within the geographical boundaries of a specific country or region to ensure that data generated within a country remains under its jurisdiction and is subject to local laws. This might require a company to have multiple data centers around the world.
Related Articles
“For your Indonesian customers, that data must reside in Indonesia. For your Indian customers, it must reside in India,” Madnick said. “There are laws being passed that add constraints or requirements on how you manage and how you govern data in your organization. You may have your own desires, but you have to make sure your desires fit within the regulations.”
Meta was fined more than 1 billion euros for transferring data collected in Europe to the U.S., Madnick noted.
5. Mandatory incident reporting
It isn’t always clear what an organization needs to do after sustaining a cyberattack. In fact, Madnick said, lawyers might advise an organization to do nothing, fearing reputational damage, copycat attacks, and other legal ramifications. But new acts and regulations are requiring organizations in some industries to report cyber incidents.
Public companies, for example, must report incidents within four days, while all organizations that are part of the critical infrastructure must report all cyber incidents. (Madnick acknowledged that there is some variation in what people consider to be a cyber incident, and there is still room for interpretation in a lot of these regulations.)
But incident reporting provides valuable information that can help all companies prevent and respond to cyberattacks. “Why is incident reporting so important? I often say it’s because we don’t know what we don’t know,” Madnick said. “If you don’t know about attacks, you’re not prepared. Basically, you’re flying blind.”
