The Legal Realities of Cyber Security Non-Compliance
When it comes to cyber security practices and why customers “can’t” do the things they should be doing, I’ve pretty much heard it all.
“Isn’t there a cheaper alternative?”
“We’ve been doing it this way since forever.”
“Nothing’s gone wrong before.”
“That seems too complicated.”
I’ve heard plenty of other “reasons” for avoiding cyber security best practices, but those are probably the most common and the most infuriating. I mean, you could use all the same reasons to put off maintenance on your car brakes. Sure, you’ll avoid the immediate cost and disruption to your life, and your brakes will probably keep working fine. Until they don’t. Then something bad, probably expensive, and possibly even fatal, happens. That’s why it’s generally understood that maintenance is an important part of vehicle ownership, even when your brakes are still working and the expense is not strictly necessary. It’s cheaper and safer to regularly service a vehicle than to pay for repairs when you rear-end someone during your morning commute, to say nothing of the hiked insurance premiums, court costs, and potential medical and civil liabilities you could wind up paying for.
Of course, the digital and real world are two different environments, but the principle is the same. Consider things like minimum password lengths, password change intervals, and other cyber security measures. Are you implementing them properly for the purposes they’re designed for, or do you keep putting them off for “higher priority” projects? Because, like some aspects of vehicle maintenance (the vehicle must be in good repair and roadworthy), there are areas of cyber security that, depending on the nature of your organization, aren’t just good ideas but legislated regulations you’re legally obliged to follow. Your 10-year-old password policy means nothing if it doesn’t meet the requirements of recent legislation.
I’ve talked about different legal obligations and regulations before, but it’s a broad area of cyber security, so let’s dig into some of the specifics.
We’ll start with the Personal Information Protection and Electronic Documents Act (PIPEDA), a federal act that applies to all government employees. The language and wording of the act is non-specific and includes statements like taking “appropriate and secure safeguards” in order to make sure that your networks and data are protected. Now, “appropriate” and “secure” are vague terms and subject to interpretation, but the idea is that you should be paying attention to your overall security and doing your best to ensure that everything is protected, not taking a haphazard approach. Using industry-established best practices as a baseline for things like user passwords and device configuration is a good place to start if you are a government organization of any kind. As an aside, the current industry-recommended minimum password length is 14 characters.
Next, let’s talk about Alberta’s Personal Information Protection Act. Also known as PIPA, this provincial act takes the rules set down by PIPEDA and extends them to the private sector. PIPA’s rules are fundamentally the same as PIPEDA’s, the major difference being who they affect. Within Alberta, any organization that collects personal data is legally required to protect it. Unlike PIPEDA, PIPA’s rules are much more specific. There’s very little ambiguity about what is “appropriate” because it’s all been defined and spelled out, and the Office of the Information and Privacy Commissioner offers a yes/no self-assessment form (you only pass when every response is “yes”) to help ensure you’re compliant. Also, don’t think you can get away with avoiding these obligations in other jurisdictions. PIPA may be an Alberta-made piece of legislation, but every province has a version of it. Fortunately, due to their similarity, you can reliably use the PIPA assessment to gauge your PIPEDA compliance. The assessment includes questions like:
- Is there a policy that prohibits the use of unauthorized software?
- Is there a privacy and security incident management policy in place?
- Is there a formal Incident Response Plan for your organization?
These are just a few of the legal obligations that government organizations and private companies collecting personal data have to protect that data. Like posting a speed limit on a highway, you must have a policy in place to ensure employees are aware of their obligations and don’t go downloading unauthorized applications. That means you also need a list of allowed software and other approved practices. Finally, to enforce these policies, you need to regularly keep tabs on what’s installed on all your organization’s computers. Thankfully, even if this sounds difficult and/or expensive, in reality it’s not. There are plenty of reputable software applications that can automagically audit your machines. Depending on the size of your organization and the application you choose, it might even be free!
The final set of regulations I’d like to mention is the Payment Card Industry Data Security Standard (PCI-DSS). This is a set of regulations that applies to every organization that accepts online debit and credit payments. While it’s not a legal requirement like PIPA and PIPEDA, if your business fails to follow the rules and there’s a problem, you’re likely facing some hefty fines. Penalties can reach up to $50,000 per month for non-certified businesses (that is, even if you’re a “low volume”, i.e. small, customer), in addition to the direct costs of becoming compliant and of having that compliance officially verified by a certified authority (those services start at around $10,000 and go up), and all of this on top of any litigation costs incurred if the flaw was discovered due to a breach. PCI-DSS also contains specific rules like a minimum password length (12 characters) and locking user accounts for 30 minutes if they fail authentication 10 times in a row.
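The two PCI-DSS rules just quoted (a 12-character minimum and a 30-minute lockout after 10 consecutive failures), as an added Python example that is not part of the original post; the class and function names are mine, and the timestamps in the scenario are constructed:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Parameters taken from the PCI-DSS rules quoted in the post.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 10
LOCKOUT_DURATION = timedelta(minutes=30)


def password_meets_length(password: str) -> bool:
    """True when the password satisfies the 12-character minimum."""
    return len(password) >= MIN_PASSWORD_LENGTH


@dataclass
class AccountLockout:
    """Counts consecutive failures per account; locks for 30 minutes at 10."""
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> lock expiry time

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:  # lock expired: clear it and the failure counter
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_attempt(self, account: str, success: bool, now: datetime) -> str:
        """Returns 'locked', 'ok' or 'failed' for the audit log."""
        if self.is_locked(account, now):
            return "locked"  # refused even if the password is right
        if success:
            self.failures.pop(account, None)  # success resets the counter
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_DURATION
            return "locked"
        return "failed"


def demo_scenario() -> list:
    """Constructed scenario: 10 wrong passwords, then a correct one at 5 and 31 minutes."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    policy, outcomes = AccountLockout(), []
    for i in range(10):
        outcomes.append(policy.record_attempt("alice", False, t0 + timedelta(seconds=i)))
    outcomes.append(policy.record_attempt("alice", True, t0 + timedelta(minutes=5)))
    outcomes.append(policy.record_attempt("alice", True, t0 + timedelta(minutes=31)))
    return outcomes
```

The scenario shows the point a reviewer checks for: a correct password at minute 5 is still refused, and only after the 30 minutes have elapsed does the account unlock and the counter reset.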
PIPA and PIPEDA also have consequences for non-compliance. Violations get reported to and handled by the Office of the Information and Privacy Commissioner (OIPC) for PIPA and the Office of the Privacy Commissioner of Canada (OPC) for PIPEDA. These organizations have the authority to levy fines and otherwise enforce compliance, with violation penalties starting at $10,000. Again, there may also be the costs of litigation if non-compliance was discovered due to a breach. Both the OIPC and OPC websites allow anyone to report possible violations, and list phone numbers and email addresses for doing so.
As you can see, ignoring the rules can get very expensive very quickly, so don’t fall for the comforting thought that cyber insurance will save you. Insurance is intended to step in when an accident or unavoidable disaster strikes. If you decide to shoot yourself in the foot because changing your password too often is annoying, and that leads to a breach, your insurer is almost certain to deny your claim and will likely hike your premiums as well.
All this can feel rather grim, so I’ll end today’s writing with a reminder that no matter how bad things are, they can usually get worse, so there’s always time to get ahead of problems. The line comes from King Lear, when Edgar remarks: “The worst is not, So long as we can say, ‘This is the worst.’”
If you’d like help developing, auditing, and improving your legal compliance with cyber security legislation, contact a TRINUS cyber security expert for yourself today.
Be kind, courtesy of your friendly neighbourhood cyber-man.