During the last few months, as I have met with prospects and others, both at networking events and individually, I sometimes get asked what the new big buzzwords in Cybersecurity are.  Well, to be honest, Artificial Intelligence (AI) happens to be at the very top of the list.

There is not a doubt in my mind that everybody is at least talking about it, not just in the realm of the Cybersecurity industry itself, but in others as well.

The next big item is Cybersecurity Insurance, which I elaborated upon in quite some detail in yesterday’s post.  Now, the next hot ticket item that is coming about in our world is that of Data Privacy Legislation.  Yes, most of us have at least heard the acronym HIPAA and, of late, the GDPR, which stands for “General Data Protection Regulation”.

This Legislation was drafted and passed in the European Union (EU), but it also strongly impacts US businesses, especially if they have offices or conduct transactions in Europe.  Then there is the Internet of Things (IoT) law that was passed in California in January (it was actually introduced as a bill last summer).

The next up-and-coming piece of Legislation that is up for public scrutiny is called the “Mind Your Own Business Act”.

It has been introduced by U.S. Senator Ron Wyden, a Democrat from the state of Oregon.  It has been carefully designed to go many steps beyond the GDPR, giving consumers the maximum protection they can get for data privacy while imposing severe sanctions on the C-Suite for any violations of this bill.  Essentially, it consists of three key parts:

*Consumers will have 100% control over their own Personally Identifiable Information (PII);

*Corporate America must be 100% transparent as to how it goes about sharing and disseminating that PII;

*The C-Suite will be held personally accountable for any violation of customer data privacy.

In this regard, the Federal Trade Commission (FTC) will have sweeping powers in terms of this bill’s enforcement, if it ever gets passed.  In other words, it will act as judge, jury, and executioner when it comes to the following:

*Coming up with what is deemed to be the minimum standards for data privacy and protection under this proposed bill;

*Imposing financial fines of up to 4% of gross company revenue for every infraction of the bill, and even 10-20 years of jail time for those members of the C-Suite who directly lie to the FTC;

*Creating and enforcing a new roster, similar to the Do Not Call List, called the “Do Not Track” system.  Through it, the American consumer can stop businesses from tracking them on the Internet (primarily via the use of cookies in the Web Browser), from selling or sharing their respective PII, and from sending out specifically crafted marketing messages based on that PII;

*Giving the American consumer first-hand knowledge of, and access to, how their PII is being used or even sold, along with the opportunity to correct any inaccuracies in it upon request;

*Hiring more law enforcement officials (175 to be exact);

*Requiring Corporate America to constantly assess the robustness and accuracy of the mathematical and statistical algorithms that are used to collect and process consumer-related PII.

But given just how sensitive the issue of data privacy is, this bill has been given additional proposed powers, based upon feedback from other lawmakers, should it be passed.  These are as follows:

*The coverage of the “Do Not Track” option will be extended (for the consumer) to even those companies that collect and analyze PII on behalf of other companies;

*There will be no discrimination whatsoever based on the financial condition of the consumer when it comes to the protection provisions offered by this bill.  In other words, a very low-income earner will be afforded the same rights and privileges as a high-income earner;

*Although this bill will be federal in nature if passed, the Attorney General (AG) of each state will also be given their own set of powers in order to enforce it at the local level;

*It will give privacy and advocacy groups much more power to file lawsuits against companies on behalf of consumers who feel their PII has been violated in any way, shape, or form;

*If members of the C-Suite are found guilty of any violations of this bill, they would also have a tax penalty imposed on them.

My Thoughts On This

Honestly, I think this bill is a good idea.  It’s about time that the American consumer is afforded rights that give them more or less complete control over their own PII.  It’s also about time that the C-Suite is held more responsible, not just from the corporate perspective, but from the personal one as well.  But this is my view on a general level.

If one were to do a deeper dive into it, it sort of goes to extremes.  For example, I fully support fining a company for any violations of consumer PII.  In the age we live in, most in Corporate America know about this hot-button topic and should have taken the initiative by now to take greater steps in protecting it.

While I still think the C-Suite should be held ultimately accountable for any violations, I don’t think that there should be an immediate rush to judgment.

For example, if a company has been found by the FTC under this bill to have violated a consumer’s PII, a comprehensive forensics examination should be done first to see what truly happened, and who really is responsible for it.

Then from there, the appropriate actions for recourse should take place.  I personally feel that this bill is casting too much of a rush to judgment onto the C-Suite, when they may not be entirely at fault.

This brings up another issue.  From what I have been reading in the headlines, the average tenure for a CIO or even a CISO is now right around the 12- to 18-month mark.  Obviously, this is due to a lot of reasons, especially pure burnout and the fear and anxiety of being held personally liable for any data violations under these new bills.

In my view, it is absolutely imperative that this time frame be lengthened.  The primary reason is that it takes time for the CIO or the CISO to get acclimated to their new environment and to introduce their vision and plans for making their organization more secure, both against attack by a Cyberthreat and against potential data loss, whether intentional or not.

And it takes even longer for his or her plans to be put into full force.  In other words, this constant recycling of CIOs and CISOs is not good from any standpoint.  For instance, organizations will not have any clear leadership as to how to fortify their respective lines of defense, which will make them even more prone to a Cyberattack.

Secondly, employees learn by example from the top.  If their IT Leaders keep getting the boot, how in the heck do you expect them to actually care what happens to the company and to maintain optimal levels of “Cyber Hygiene”?  This is why the rush to judgment and punishment should be avoided.  After all, we are a country in which the accused are presumed innocent until proven guilty by a court of law.