The Better Business Bureau reports that as of June 30 there have already been 2,227 data breaches this year resulting in the theft of more than 6 billion records — exceeding the number for all of 2016. In response to the skyrocketing numbers of breaches, state legislatures around the country are amending breach notification statutes. Delaware became the latest to do so on Aug. 17 when Gov. John Carney approved legislation that provides new consumer protections.
Delaware’s new requirements broaden the types of protected personal information to include personal health information, biometric data, passport and taxpayer identification numbers, and online account credentials. The law creates a clear timeline (60 days) for notifying affected individuals of a data breach, and establishes legal definitions for concepts such as “encryption” and “breach of security” to ensure that the new requirements are meaningful and enforceable.
Companies doing business in the state must be in compliance with the new law by spring 2018. To achieve compliancy and maximize data protection, organizations should implement a range of operational and technical best practices. These include:
Encrypt data at rest and in transit. You should use strong encryption and make sure the cryptographic keys are properly managed. Review the encryption controls of all devices, including PCs, tablets, smartphones and servers.
Implement multifactor authentication. Use a combination of verification factors, such as something the user knows (a password or PIN), something the user has (a security token or mobile app) and something the user is (a biometric identifier). Two-factor authentication has been required in many industries for years, but there is growing support for systems requiring all three factors.
Use strong passwords. A significant majority of all confirmed data breaches involve weak, default or stolen passwords. Establish policies for regularly updating passwords, with requirements that make them hard to crack. Consider requiring employees to use a password manager to generate and store passwords.
Implement identity-based network access. Allow users to access only the files and accounts they need to use for their particular jobs.
Use next-generation firewalls (NGFW). Along with traditional firewall capabilities such as packet filtering, network address translation and URL blocking, NGFWs integrate more robust features such as intrusion prevention, deep-packet inspection and reputation-based malware detection.
Employ unified threat management. These solutions include intrusion protection and detection, antivirus, anti-spam and automated patch management.
Manage mobile devices and apps. Implement processes and software to enforce security policies for mobile devices. These should address issues surrounding network access, application download and usage, service usage, and device-level security features such as remote lock and wipe capabilities.
Permit only authorized wireless devices to connect to your network. Encrypt communications with devices such as routers, printers, point-of-sale terminals and credit card devices. Keep “guest” network access on separate servers.
Develop a breach response plan. Your plan should include internal escalation guidelines, a communications checklist, a plan to isolate affected areas and steps for gathering evidence. You should also plan for how to engage with law enforcement, legal counsel, outside partners and public relations.
Conduct regular assessments. Run regular penetration tests and vulnerability scans to identify and mitigate vulnerabilities. Also scan sites and services of cloud providers and third-party partners to identify potential problem areas.
These are just a few elements of a thorough data protection plan. While it isn’t possible to totally prevent cybercrime, proper planning can limit your exposure and help you manage the impact of an incident. Give us a call if you’d like to discuss your current security posture and assess what updates you may need to ensure compliance with Delaware’s new law.