Compliance Risks in 2020

2020 promises to be a pivotal year for compliance, privacy, and security. It brings continued growth in ransomware costs, new privacy laws (CCPA), a new cybersecurity model (CMMC), and end-of-life technology upgrades. Lack of compliance poses significant operational and financial risks; proper management reduces both your compliance risk and your actual security risk.

Businesses need to stay abreast of current compliance, privacy, and security trends. In 2020 this is becoming more than a matter of convenience and legal requirements. As recent research by Vanderbilt University uncovered, cybersecurity issues have caused an uptick in deaths from heart attacks in hospitals because of the time spent dealing with ransomware attacks and the effect that had on patient care. Whatever your industry, information security compliance in 2020 is something you need to think carefully about.

The following are significant compliance risks prevalent in 2020, based on the trends and changes already in place in 2019.

Windows End of Support – Update Your Software

This is perhaps the most fundamental principle of modern cybersecurity: don’t use technology that has been discontinued. Upgrade it or replace it. In the cloud economy, businesses should not be running old software; modern SaaS providers reduce the cost of upgrading systems. Businesses that cannot manage their own software need to move to a cloud-based software system, which removes the exposure that discontinued software creates.

Microsoft’s end of support this year includes some major products. Windows 7, Windows Server 2008, SQL Server 2008, Hyper-V Server 2008, and Windows Storage Server 2008 hit EOS in January. Office 2010 products and Office 2016 for Mac will both hit EOS by the end of 2020.

Windows 10, Azure Web Services, and Office 365 are all managed under Microsoft’s newer Modern lifecycle policy. If your business is currently running one of the Microsoft products being discontinued, consider upgrading to one of the products covered by Microsoft’s Modern Policy.

CMMC – New Department of Defense Standards

If you are a DOD contractor, CMMC (Cybersecurity Maturity Model Certification) is a game-changer. CMMC absorbs the complicated mix of ITAR, DFARS, NIST 800-171 and 800-52. This multi-level certification for cybersecurity compliance will require third-party certification rather than simple self-attestation. Although it may seem more complicated, CMMC helps you ensure that you are following the best principles of security, and it reduces the need for audits to check a business’s attestation.

The CMMC standards are on schedule for publication in January and go into effect in July for RFIs and September. Third-party certification will not reduce a company’s need to maintain best practices for data security and privacy. Businesses that want to achieve CMMC certification at any of the levels can use the Compliance Manager to check their compliance status.

CCPA – State Compliance Setting Standards?

We have discussed how the CCPA (California Consumer Privacy Act) is expected to be the framework for future federal privacy laws. In some ways, the CCPA is stronger than GDPR, but we can’t judge the legal and financial impact of compliance until violations hit the courts. Still, reaching these new compliance requirements is estimated to cost companies $55b.

CCPA includes a broader definition of PII (Personal Identifying Information) than many similar laws, including the European Union’s GDPR. The CCPA’s definition of personal information states: “‘Personal information’ means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. The law lists 11 categories of personal information, but the definition is not limited to them. See Section 1798.140 of the CCPA for the full definitions.

California is one of 11 states that have produced their own state privacy laws. While 11 states are producing their own data privacy laws, none are the 3 largest states. Anytime California, Texas, and New York produce similar laws, you can expect federal legislation to be in the works. Whether or not US national privacy laws are updated (besides the updates to DOD and HIPAA requirements discussed in this article), businesses need to plan on investing more in privacy and security this year to maintain compliance with more stringent American and European data standards.

HIPAA – The Medical Industry Faces Significant Threats

Although HIPAA compliance is well established, enforcement of the law is increasing and numerous states are passing their own legislation. Both state laws and civil lawsuits resulting from HIPAA violations increase violators’ liability to impacted patients and consumers.

HIPAA-violating data breaches impacted more people in 2019 than in any previous year, according to a Health IT News report published only halfway through the year. Many healthcare organizations suffered unacceptably long breaches, and many did not report a data breach within the 60 days required for HIPAA compliance.

Notable breaches from 2019 include the American Medical Collection Agency. AMCA was reportedly breached for 8 months, and the breach impacted at least 6 other corporations. It led to the bankruptcy of AMCA’s parent organization and affected an untold number of patients.

Although the AMCA breach was the largest, two more breaches (Dominion National and Inmediata Health Group) exceeded 1 million records affected. When you add the costs of other cyberattacks where HIPAA might not have been breached, such as ransomware events, you will see that the costs of security issues in the medical industry are significant.

All told, each of the top 10 data breaches impacted over 250,000 people, resulting in tens of millions of people affected by healthcare data breaches in 2019 alone.

Big Data – Compliance in 2020 Is Absolutely Necessary

One in 4 people on the planet is an active user of Facebook, and organizations around the globe are using that data to improve services, speed up business processes, and get better insights. Big data is here to stay. It is changing the way we do business, but it also opens us up to new threats of breaches and data exfiltration.

The recent ElasticSearch data breach exposed records for over 1.2 billion people, including identifying information. This dataset was placed on an open-source search server that was neither password-protected nor encrypted, and the researchers who examined it identified several other large datasets on similar servers.

Big data security compliance is about more than the need for businesses to satisfy cybersecurity and privacy laws. A significant data breach, like the one at AMCA, often ends up bankrupting the company it happens to. As more businesses create and use larger datasets in their daily operations, compliance for big data and for cloud computing is incredibly important.

Shadow IT – What You Don’t Know Can Hurt You

Shadow IT is the term for software, hardware, apps, and other tools that access your systems without the IT team’s knowledge. There is now an endless flow of new software tools for every function, and many of them are free or cheap.

Well-meaning employees and managers may install software or other tools that open the door to data loss. Even IT team members often forget to do due diligence on third-party vendors: the software they use, the underlying code, and the connections they make to your business.

Has HR uploaded all of your employees’ social security numbers to an insecure HR platform? Is marketing processing subscriber and customer data in a poorly configured marketing automation platform?

As we discussed in a recent blog article, even if an employee such as Megan Bowen caused the leak, it is your company that is liable.

Businesses that want to stay compliant while managing big data, large teams, and a plethora of devices need to plan out how they will manage their team’s compliance.

How to Maintain Compliance in 2020

Businesses that want to stay compliant need to commit to the work before a major event. You need to invest in software and infrastructure that is up to date and equipped for threats. Otherwise, threats multiply in a matter of hours, while patches and fixes are released before or at the same time as the threat.

Businesses have to integrate IT solutions that are compliant and continually updated. A data leak or breach can cause irreparable damage.

Avoid These Compliance Risks

Businesses need to keep abreast of changing laws to ensure they maintain compliance. This reduces the risk of litigation and government fines.

Finally, businesses can use modern software like Office 365. Office 365 has a full suite of built-in compliance tools and controls. To find out how you can simplify your compliance journey, request a quote today.