Monthly Cloud Security Roundup: NIST’s New Privacy Framework, Salesforce’s Call for a National Data Privacy Law, and More
Each month, we bring you some of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss the new NIST Privacy Framework, one of the top causes of data breaches in 2019, Salesforce’s call for a national privacy law, and more.
NIST published the first version of its new NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, a companion to the Cybersecurity Framework released in 2014. The framework is designed to help organizations manage the privacy risks that arise from processing individuals’ data for business purposes. Privacy law today is a patchwork around the world, particularly in the United States. Rather than imposing a checklist that doesn’t necessarily fit every organization’s needs, the NIST Privacy Framework helps align cybersecurity and privacy efforts in a flexible way, so organizations can achieve compliance and meet privacy goals tailored to their own needs.
The Tampa Bay Times, one of the largest newspapers in Florida, suffered a ransomware attack last month, taking systems offline until the paper could recover them and prevent further infiltration. The Times was hit by the Ryuk strain of ransomware – attackers use the malicious code to encrypt computers and servers and then hold them for ransom, releasing the compromised systems only once the organization has paid. While it’s reportedly unclear how the attack at the Times began, ransomware commonly enters a network through emails carrying malicious attachments or by exploiting unpatched software vulnerabilities. Chief Digital Officer Conan Gallaty said that no data was breached and that sensitive information such as customer names, addresses, and payment card details remains secure because it is stored outside the affected network. After detecting the attack, the Times refused to pay the ransom or even respond to the attackers.
“The focus for us is to fully recover and then work on further preventative measures.”
– Conan Gallaty, Chief Digital Officer at Tampa Bay Times
During a World Economic Forum panel discussion, Salesforce co-CEO Keith Block called for a U.S. national data privacy law similar to the EU’s GDPR. “You have to applaud, for example, the European Union for coming up with GDPR,” said Block. “And hopefully there will be a GDPR 2.0.” The United States doesn’t have a single, all-encompassing federal privacy regulation that protects citizens’ personal data privacy. Instead, individual states have laws – such as California’s CCPA – but the extent of their coverage varies dramatically. In comparison, GDPR is a sweeping law that protects the data privacy of all European Union residents.
“There is no question there needs to be some sort of regulation in the United States. It would be terrific if we had a national data privacy law; instead we have privacy by zip code, which is not a good outcome.”
– Keith Block, Co-CEO of Salesforce
In response to a 2011 executive order by President Barack Obama on monitoring insider threats, the U.S. Air Force is considering buying commercially available online data so it can capture public information and stay current on insider threats. The order, “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information,” requires the Defense Department and other agencies that operate classified computer networks to establish insider threat detection and prevention programs. By identifying Public Persona Cyber Data Sources, the Air Force hopes to use publicly available information on the internet to legally gather a wide range of accurate data on particular individuals and feed it into its insider threat monitoring and detection efforts.
According to the Request for Information, “early industry involvement to identify legally available public data sources is critical to the success of this mission.”
After the release of the California Consumer Privacy Act in early 2020, California – home to tech giants like Google and Facebook – is set to be the primary arena for privacy discussions this year. Other states are involved in their own legislation as well, with advocates watching New York, Washington, and Illinois closely as they take major leaps in developing their own privacy regulations. Whether Congress will accelerate progress on a federal privacy law may rely heavily on how California fares in the aftermath of CCPA. While they observe the outcome from the monumental law, more states are likely to develop their own legislation as well. As we see more movement among individual states, Congress will be pressured even further to support a federal privacy bill.
“Everybody is interested in a federal solution. We’re hoping we can get a national law that gives everyone in the U.S. the same rights.” – Kevin McKinley, Director of Government Affairs for the State of California at Internet Association
The last decade saw numerous trends in the tech world, but many of them weren’t so positive. Adding to the lineup of the 2010s was an increase in data breaches – particularly those caused by insiders. While most people think of foreign hackers as having the most access to sensitive data in applications like Salesforce, it’s often company employees – the Sales leader, a cubicle neighbor in customer success, the Salesforce Admin, etc. An insider threat can be anyone, and in 2019, 34% of all breaches were the result of insider threat actors. There is a plethora of reasons why an employee might steal data – revenge, selling the information for profit, enabling a competitor – but regardless of the motivation, bad actors must be stopped before they can exfiltrate data you’ve worked hard to obtain. Buck the trend in the new decade with user activity monitoring that identifies when suspicious user behavior occurs and sends you detailed alerts, empowering you to prevent breaches.
At the State of the Net conference in Washington, DC, key lawmakers reassured the public that they are still making progress on a bill that would introduce a comprehensive federal online privacy law, after the effort stalled in Congress. The committee ran into obstacles when Democrats and Republicans released competing versions of a privacy bill in 2019, but members recently maintained they remain committed to bipartisan discussions. “I’m continuing to work with my colleagues on both sides of the aisle to get a bill that will get us across the finish line,” said Senate Commerce Committee Chairman Roger Wicker during his keynote speech. While the future of consumer privacy protections in the United States is unclear, the topic is at least making the rounds on Capitol Hill.
“There’s always room for conciliation and compromise. Clearly, there’s going to have to be some give-and-take. I think everyone wants a good, strong protection for consumers.”
– Roger Wicker, Senate Commerce Committee Chairman (R-Miss.)