Virginia Business

Politicians are coming with new cybersecurity requirements — are you ready?

Published September 26, 2016 by Collin Hite

For the past two years I have predicted that if American businesses did not step up their game on protecting data security, then government would step in and force the issue. Consider how the Affordable Care Act came into being. Health care has been on the government’s agenda since the Clinton administration. The health-care industry spent more than a decade passing the ball to K Street lobbyists, hoping to keep the government at bay. Ultimately — whether right or wrong — the government took action.

Cyber data breaches have been on the radar for well over a decade, and there is no letup on hacking events. Every day new breaches are reported by companies of all sizes — from major financial institutions to local medical practices. Other than breach notification laws, to date, government has issued guidance to businesses. That soft touch appears to be ending. It is no surprise that now New York has stepped to the forefront and proposed actual regulations that will apply to financial institutions. While industry analysts already are panning the proposed regulations, like most government initiatives, there is likely little to stop implementation in some form. 

Some of the regulations appear to make perfect sense. State-regulated banks and insurers must perform a self-evaluation of their cyber vulnerabilities on an annual basis. In response, these entities must develop updated cybersecurity plans, which include an immediate response plan for breaches. These institutions also must designate an employee to act as the chief security officer. Moreover, banks and insurers will have to notify the state of possible cyber breaches within 72 hours. In reality, many of these requirements are not totally out of bounds, and most experts advocate for this level of planning as part of a company’s cyber risk management efforts. The concern for the proposed regulations is that they appear to go much further, for example, requiring all email communications with customers to be encrypted.

If financial institutions had taken action and implemented realistic and state-of-the-art cybersecurity plans, it is unlikely the government would be proposing these regulations. When politicians perceive that business is not acting to protect constituents, they act to fill the void. If the current proposals are enacted in New York, it is likely that other states will be forced to implement similar regulations.

If anyone thinks financial institutions will be the first and last industry to be targeted for such regulations, think again. This is an easy topic for politicians as the constant news of breaches is on voters’ minds. In all likelihood, most voters have been impacted by a breach or identity theft in some form. Cyber regulations are the kind of laws that do not cost the government much, but look good to voters.

Where do we go from here? Businesses and their trade groups must wake up and take data security seriously. Providing limited discussion and guidance on the issue at annual conferences is not going to cut it any longer. Continue down that road, and you can be assured government will step in with regulations for your industry as well. Trade associations must take action now — demanding that their members take action and ensuring that their proactive efforts remain visible to lawmakers. 

If the financial industry is first up, who is next? Almost surely one of the three Hs will be targeted for governmental oversight. Who are the three Hs? Health care, hospitality and higher education. For the last year, it has become apparent that these three industries are behind the eight ball when it comes to data security and cyber insurance. The three Hs have a lot in common that makes them high-value targets for cyber criminals: 1) all have access to substantial personal information for the customers; 2) all employ numerous people with a fairly high degree of turnover; 3) all allow employees a high degree of access throughout their information networks; and 4) all rely heavily on technology to achieve operational efficiency.

Politicians looking to implement new regulations that purportedly affect the most votes could not find three better industries to target. Of these, health care is likely first up for additional mandates. The personal identifying information owned by medical and health-care providers is the “gold standard” for cyber thieves. Plus, recent high-profile incidents are gaining national attention concerning the vulnerabilities of the industry. Earlier this year, Hollywood Presbyterian Hospital in Los Angeles was hit by ransomware. The hospital paid a $17,000 bitcoin ransom to get its network unlocked. More recently, MedStar Health System was hit by ransomware that created a nightmare for the provider. And the list goes on. When providers have to cancel surgeries and cannot access patient files, it garners people’s attention — including politicians.

Hospitality and higher education are not far behind. A number of high-profile breaches have hit the hospitality industry. The media have not paid as much attention as they did to retailers like Target or Home Depot, but it is only a matter of time. Higher ed’s problem is the manner in which colleges and universities are structured. It takes a lot of time and effort to get buy-in that they are exposed. But again, one high-profile event and possible legislation will be coming.

The health care, hospitality and higher education industries would be very wise to get ahead of the curve. Acting now to implement cybersecurity measures is not only prudent from an internal risk management standpoint, but it has the potential to move these industries off the legislative radar. As 2016 winds down, these industries should make their New Year’s resolution to tackle cybersecurity in a serious and systemic manner. If not, be assured that legislators will likely step in to make them take action.

Collin Hite is the practice leader of the Insurance Recovery Group and the Data Privacy & Security Group in Hirschler Fleischer's Richmond office. He can be reached at 804-771-9595 or [email protected]

 

