BreachExchange mailing list archives

An inconvenient truth: New customer data regulations coming


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 14 Dec 2015 17:09:03 -0700

http://www.scmagazineuk.com/an-inconvenient-truth-new-customer-data-regulations-coming/article/457940/

Fourteen times a year. That's how often UK organisations were being
breached last year on average. Some 90 percent of large organisations
suffered at least one data breach in 2014. According to Lloyds Risk Index,
cyber-crime is now up to number three, yet only 30 percent of companies are
using the UK government's 10 Steps to Cyber-security, and worse still, 30
percent of businesses are not completing annual security training for their
staff.

Organisations can no longer ignore these figures, especially when the
average cost of a data breach is now well over £3 million, and
card-not-present fraud is at the highest level to date in Europe at 71
percent. It's this sobering reality that's driving the European government
to introduce new regulations over the coming year to protect customer data:
European Banking Authority 'Securing Internet Payments'; European
Commission Payment Services Directive 2; and European Commission General
Data Protection Regulation.

The new European Payment Services Directive 2, along with the European
Banking Authority's Guidelines for Securing Internet Payments, has clear
and detailed requirements for organisations in protecting cardholder data.
Add to that the soon-to-be released General Data Protection Regulation
which covers all data security, and you have a massive increase in data
security which, when implemented, will impact all organisations in Europe
and beyond. Especially interesting in the Data Protection Regulation are
the requirements for breach notification, and potential fines. The fines
are staggering: the maximum being either two percent or five percent of
global annual turnover. That would see potential fines in the UK rise from
a current maximum of £500K to tens if not hundreds of millions depending on
the size of your organisation. Criminals always want to monetise the data
they steal. Obviously cardholder data is the easiest to monetise and that
is why PCI always says, if you don't need it don't store it, and if you
must store it then encrypt it.

Taking data security seriously is now front and centre. The inconvenient
truth is that these regulations are coming. The clock is ticking. Whether
organisations have tried to avoid PCI DSS or not, now they have to start
protecting ALL of their customer data, not just payment data, and there
will be significant penalties for companies that fail to do this.

Here are three key questions organisations need to be asking:

1. Do you have a person in your organisation with overall responsibility
for data security, other than the IT director? Cyber-crime is so much more
than just an IT issue as it affects everyone.

2. Have you implemented and had externally assessed a data security
programme? There are programmes and standards available for organisations.
The PCI DSS is an excellent data security standard that can be applied
across the board. There is also ISO 27001 or UK Government Cyber Essentials.

3. Do you have an incident response plan in place, and has this been
tested this year? Recent breaches have clearly highlighted the critical
importance of having such a plan so that everyone, but especially
board-level staff, is fully prepared when the breach occurs. This will also
be an ongoing requirement under the new regulations.

These regulations will force organisations to take data security seriously,
and PCI provides the most complete set of data security standards available
globally. Although these regulations are not likely to be implemented until
the end of 2017 or early 2018, the time to act is now. Establishing good data
security takes time and effort. Reducing risk and making data security
business-as-usual is critical.

Organisations need to know these regulations are coming and put a plan in
place now for ongoing security.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/