Sensitive data is everywhere. With attacks becoming more frequent and intricate, and organizations becoming more mobile, the need for advanced data privacy and security solutions has reached – nay – surpassed critical. 

Regulators in France recently cited GDPR in fining Google $57 million, and the U.K.’s Information Commissioner’s Office is seeking a $230 million fine against British Airways and seeking $124 million from Marriott. Facebook is setting aside $3 billion to cover the costs of a privacy investigation launched by U.S. regulators.

Taking into consideration some of the new guidelines, standards and compliance laws, either already in place or soon to be put into effect, what are the implications for organizations, and what you can to protect yourself and your customer’s data?

Cyxtera’s Tina Gravel

Channel Futures and the MSP 501 initiative recently launched a new program, the 501er Community. This community is designed to engage MSPs in a dialogue about best practices stemming from the MSP 501 data, as well as provide networking events and educational opportunities.

As part of this program, we have engaged more than a dozen industry leaders as MSPmentors. These influencers include analysts, channel chiefs and renowned consultants. In this series, we present questions posed in the 501er Community discussion group and ask our Mentors to provide detailed answers.

In this “Ask the MSPmentor” Q&A, we get thought leadership from Tina Gravel, global senior vice predient of channels at IT infrastructure provider Cyxtera.

501er Community: We got called into a prospect who had a ransomware attack take them down a few weeks back. Of course the current provider didn’t have a solid continuity plan in place. After conversation, it came out that the attack had launched through the current providers’ system (likely one of the recent attacks utilizing unsecured RMM platform). This is a small shop, a one-man band. What’s the opinion on some sort of regulation coming down as a result of rampant issues like this forcing some sort of best practices — aka CFR45-type regulation? Likely? Not likely?

Tina Gravel: There are privacy laws in place, such as the California Consumer Protection Act (CCPA) that just went into effect, to protect personal data much like the General Data Protection Regulation (GDPR), which was created to protect the privacy of individuals within the European Union. 

Do these types of laws work? I think they do, to a point. Will legislation encourage firms to be more careful of how they store, transmit and access personal information? Yes, we have seen how CFR 45 Part 164 Subpart D (more commonly known as HIPAA law) has done that for manual processes in hospitals and physician offices. Thankfully, no longer do you hear, “Paging Mr. Jones for his bunion surgery!”  

But, as with any law, the devil is in the details. Will there be whole groups that do not qualify for the regulations? Here are some of the provisions for the California law, per the Proskauer privacy law blog:

The (CCPA) Act will apply to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information. The Act also draws in corporate affiliates of such businesses that share their branding. That means that not-for-profits, small companies, and/or those that do not traffic in large amounts of personal information, and do not share a brand with an affiliate who is covered by the Act, will not have to comply with the Act.

Many firms will not be required to comply. My other concern is that …

… regardless of the steps you take to protect yourself, one can never forget that human element and error is almost always a factor in attacks. 

501er: How can you engineer around human error? Is it even possible?

TG: You cannot completely. Human error may never be fully eliminated as a risk. The very best you can do is implement the best tools and processes available at a cost you can afford, then add insurance to further protect yourself. 

I see organizations like CompTIA and SANS as places where standards can be documented, employees of firms can be trained on how to perform said standards and uphold them, and certify that a person or company has obtained such certification. The best certifications are those that require firms to, not only document and perform the way you document, but then have a third party review what you have done and be willing to certify that you are doing what you say you are. Many of the certifications my firm has obtained require this sort of inspection.

So do what you can to protect yourself and your customer’s data? If you can, put protections in place, get yourself adequately insured and then continually monitor either with an outside firm (best way) or internally how well you are doing. You still won’t be completely out of the woods but you will be much further along in protecting your firm and your customers from devastation.