Wake Up Call: The Privsec Enforcement Problem
Published 24 January 2023 (modified 13 November 2023), https://www.commvault.com/blogs/privsec-enforcement-problem

As part of a set of three articles to mark Data Privacy Day 2023 (see accompanying articles by Jakub Lewandowski and Thomas Bryant), Bill Mew argues that there is a real enforcement problem – it’s like the ‘Wild West’ out there.

Policies, frameworks, and rules are only helpful if adhered to, just as regulations and laws are meaningless without enforcement. The problem with the data privacy and cybersecurity arena is that where rules should be applied, they are frequently ignored, and where laws have been introduced, enforcement is lacking.

CISOs (Chief Information Security Officers) have a thankless task. Staff are usually reluctant to abide by the cyber hygiene measures that a CISO seeks to enforce, but when their lack of discipline results in a breach, these colleagues are too quick to pin the blame on the CISO. On top of this, while there are costly and complex regulations to abide by and strict rules on breach reporting, the authorities, far from helping to deal with any incident or catch the actual criminals, simply use the reporting to assess the allocation of fines.

Functional, Cultural Mismatch

If asked, most staff would agree that cyber threats are a significant issue, but in their day job, they focus on revenue or profit-centric ROI (return on investment) metrics. These are the metrics on which their individual and unit performance are measured and what company-wide incentive policies are structured to support.

The CISO is instead focused on return on risk (ROR). Based on the allocated budget and the organisation’s risk appetite, the CISO focuses on maximising security and minimising risk.

The mismatch between the CISO’s ROR orientation and just about everyone else’s ROI orientation can put the CISO at odds with the rest of the management team. They may not only become isolated (what I term CISOlation) but can also be a scapegoat when things go wrong – even when warnings are ignored.

Perverse regulatory incentives

In an accompanying article, Jakub Lewandowski has explored the raft of new privacy and cybersecurity laws expected to add to an already considerable regulatory burden. The problem is that regulation without enforcement is not just pointless but counter-productive. After all, only responsible companies will comply with these regulations, and for them, compliance represents a cost, in effect a compliance tax. Meanwhile, irresponsible ones often choose not to abide by the rules. If they believe that there is little or no risk of enforcement, then non-compliance is a cost-saving and risk-free source of competitive advantage.

Lack of compliance is widespread and comes from the top, with frequent headlines about BigTech suffering data incidents or incurring fines. Such fines appear not to be working as a deterrent but are instead being viewed as an additional cost of business by BigTech firms and many others unfortunate enough to have suffered a data incident.

Again, responsible firms that did their best to take reasonable measures but were unfortunately unable to prevent mistakes or attacks run the risk of being fined once they notify the local regulator. Meanwhile, irresponsible ones that choose not to comply will simply avoid reporting incidents and attempt to cover them up instead to avoid fines. Fines have, therefore, become more of a lagging indicator of misfortune for responsible firms rather than of misbehaviour by irresponsible ones.

Record of Regulatory Inaction

Most BigTech firms, attracted by a favourable tax regime, have opted to base their European headquarters in Ireland. The local regulator, DPC Ireland, is therefore responsible for ensuring that they comply with GDPR and other such regulations. Whether down to inadequate funding, reluctance to rock the boat, or simply being out-gunned and out-lobbied by the BigTech firms, DPC Ireland has been seen as ineffective in holding them to account.

In one notable case, measures it failed to take against Facebook were eventually resolved in the European High Court under the Schrems I and Schrems II rulings. When it still failed to take action and apply these rulings, DPC Ireland was sanctioned by the European Parliament in a vote of 451 to 1. When further lobbying by regulators across the rest of Europe eventually forced it to take action after a two-year delay, the fine that it levied against Facebook was so low that it had to be increased (tenfold) at the insistence of the other regulators.

The EU Ombudsman Emily O’Reilly eventually opened an inquiry into the European Commission’s monitoring of how data protection rules are applied in Ireland. Eight months later, the Irish Council for Civil Liberties (ICCL) criticised the EU for its continued failure to properly monitor Ireland’s GDPR enforcement while “the fundamental rights of all Europeans hang in the balance.” There are now moves afoot to strip Ireland of its responsibility for regulating the BigTech firms and centralise such enforcement instead.

Ineffective Global Policing

Meanwhile, the number and sophistication of cyber-attacks are increasing exponentially, as is the cost of remediation. The World Economic Forum (WEF) has recently not only called for more widespread use of cybersecurity ‘fire drills’ to test cybersecurity and incident response capabilities but is also championing the need for global rules to crack down on cybercrime.

The damages incurred by all forms of cybercrime, including the cost of recovery and remediation, are thought to have totalled $3 trillion in 2015 and $6 trillion in 2021 and could reach as much as $10.5 trillion annually by 2025.

Cyber insurance isn’t the answer. Rapidly increasing premiums mean that it is out of reach for most buyers, and even those who can afford it often find it’s not worth it. At the same time, cyber insurance cannot be expected to cover systemic problems, and in any case, it has the perverse effect of potentially making bad problems even worse.

While almost all nations have signed up to United Nations agreements on combatting crime, including cybercrime, some nations turn a blind eye and instead provide safe havens for cybercriminals to operate from. While most cybercrime originates from countries like Russia, Iran, or North Korea, such activities are not confined to these rogue nations and continue closer to home. In addition, countries like China have significant espionage operations, and the United States is responsible for a great deal of global mass surveillance – all of which contravenes GDPR and a host of other laws.

We need to start with mandatory reporting of data breaches and cyber theft. This has begun in the US with 2022’s Cyber Incident Reporting for Critical Infrastructure Act and in the EU with 2018’s Directive on Security of Network and Information Systems. Still, there are also a host of other regulations that require telecom and payment services, medical device manufacturers, and critical infrastructure providers to report breaches.

Once we have better data on the problem, we can focus on improving the efficiency and effectiveness of international investigation, prosecution, and adjudication. The United Nations Office on Drugs and Crime is promoting a Cybercrime Programme which has the following aims: