
2015 Predictions: Data security compliance tightens within telecom

Editor’s Note: With 2015 now upon us, RCR Wireless News has gathered predictions from leading industry analysts and executives on what they expect to see in the new year.

The Fifth Amendment of the U.S. Constitution includes a clause commonly referred to as the “double jeopardy” clause. Its intention is to ensure that no person is penalized more than once for a single infraction.

With data breaches, however, there is no such assurance. Recently imposed fines demonstrate the overlapping jurisdiction of regulatory bodies, where multiple fines can be levied against an organization for the same infringement.

Having to adhere to more than one regulatory body is nothing new. Health care organizations have been subject to enforcement actions for noncompliance from numerous sources, including the Health Insurance Portability and Accountability Act, the Federal Trade Commission, state data breach laws and even state attorneys general.

New oversight and penalties in 2015

In November 2014, the Securities and Exchange Commission announced it would begin issuing fines to organizations for not properly reporting breaches whenever there are financial implications. This is likely due in part to a higher level of awareness among consumers, so it is inevitable that similar jurisdiction will be introduced to enforce privacy protection within the telecom industry.

It has, in fact, already started. The Federal Communications Commission announced its intention to fine two telecom companies $10 million for data security violations. This was the first case in which the FCC exercised such power by imposing fines for data security failures, a role typically reserved for the FTC.

Current regulations support fines for noncompliance

It’s important to note that the FCC action was not based on any new set of concrete regulations, but rather on the existing Communications Act of 1934, which makes no mention of cybersecurity.

The FCC claims that the statute covers “private information that customers have an interest in protecting from public exposure,” and in the absence of solid federal regulations dedicated to electronic data protection, states may experiment with imposing data breach fines until such legislation exists.

Until this happens, the expanded definition of personal data will trigger noncompliance notices more frequently.

The number of data breach response plans by telecom companies will rise in 2015

To avoid the financial impact of a data breach penalty, telecom companies will begin to create data breach response plans in 2015. The necessary steps to remain compliant are as follows:

• Maintain a comprehensive, regularly updated data breach response plan to ensure you’re able to meet existing/new requirements and standards.
• Review how you store your customer information and meet with your IT leaders to determine what protective measures are in place – compare your reality to the expectations of the FCC.
• Review the details of the organizations that have already been penalized so you learn from these examples.

A more layered approach to security will be applied in 2015

One of the most vulnerable entry points for attack is through mobile devices that connect to your corporate network. Encryption is an important front line of defense, but there are many scenarios in which encryption can be bypassed – inside jobs, password complacency and third-party network access, to name a few.

Persistence technology that is built into the firmware of a device can provide a constant connection to your organization’s mobile device ecosystem. Even if a sophisticated attack attempts to subvert the technology, the connection persists, allowing IT to remotely invoke security commands, including data recovery and deletion, and to gain insight into whether any data was accessed.

This helps mitigate the risk of any potential data breach and is incredibly powerful when dealing with auditors and regulatory bodies. The ability to prove definitively that data was not accessed on a lost or stolen device can often defuse a potentially significant security incident.

The FCC’s debut into the realm of data security regulation underscores the lack of established authority or laws capable of providing organizations with a minimum bar for data protection. Doing the bare minimum is no longer acceptable, effective or compliant. With deeper regulatory oversight from multiple disciplinary agencies, telecommunication organizations must ensure they are performing regular risk analysis and taking steps to protect consumer data, wherever it may be stored.

Ryan St Hilaire

As VP of product management at Absolute Software, Ryan St Hilaire is responsible for the strategy, roadmap and requirements of Absolute’s products. St Hilaire has more than 11 years of product management experience and 15 years of technology experience. With his pragmatic approach to developing products, he is skilled at growing and scaling product management teams. Prior to his role at Absolute, he was VP product management at Vision Critical where he and his team of product managers oversaw Vision Critical’s next-generation customer intelligence platform. St Hilaire has a Bachelor of Science, majoring in computer science, from the University of British Columbia in Vancouver, Canada.
