Companies in the UK are being fined by the government for not properly securing their data. Is this a model the U.S. and other countries should adopt?
News broke recently that there would be fines of up to £17m in the UK for companies that have inadequate or poor cyber security measures in place. Specifically, if a company fails to effectively protect themselves from a cyber security attack, they could be subject to a large fine from the government as a “last resort” according to Digital Minister Matt Hancock. The U.K. also placed industry-specific regulations on essential services. Essential services industries such as water, health, energy, and transportation are expected to have stronger safeguards against cyber attacks.
Cyber Security Inspections to Take Place
In order to keep companies compliant with cyber security regulations, the UK government will now have regulators inspect cyber security efforts in place. Essential services (think water, healthcare, electricity, transportation, financial) will face more scrutiny than other companies. If a regulator finds a company does not have security safeguards in place, the company will have to come up with a plan for beefing up cyber security. Fines will be brought down on companies that continue to fail at implementing the proper securities.
Cyber Attacks Becoming More Dangerous
The essential services people use every day are being targeted by cyber attacks at an increasingly high rate. This can make for extremely dangerous situations, such as the WannaCry attack that hit several National Health Service (NHS) facilities and impacted several hospitals’ abilities to admit patients. It was later found that this attack could have been prevented with proper cyber security efforts in place. It also means that services people depend on every day — from electricity, to water, to industrial safety systems — could all be at risk.
This makes it clear why the UK government has chosen to regulate cyber security, particularly among companies who provide services they deem essential to the public. It also begs the question as to if the United States should follow suit. U.S. companies have fallen victim to their fair share of cyber attacks. These attacks have disrupted the lives of Americans who depend on the services affected or who are having sensitive information accessed by the attackers.
What Safeguards are Currently in Place?
While it is obviously in a company’s best interest to have cyber security precautions in place rather than cleaning up the mess of an attack afterward, that doesn’t mean everyone invests as much as they should in cyber security. In the U.S. there are a few federal regulations in place to establish a bare minimum for cyber security in certain essential industries.
- HIPAA (1996): HIPPA introduced provisions for data privacy and data security of medical information. All companies and establishments dealing with medical information must have specific cyber security measures in place.
- Gramm-Leach-Bliley Act (1999): The Gramm-Leach-Bliley Act states that financial institutions in the U.S. must share what they do with customer data and information and what protections they have in place to protect customer data. Noncompliance means hefty fines for financial institutions and could lead to customers taking their business elsewhere.
- FISMA (2002): FISMA was introduced under the Homeland Security Act as an introduction to improving electronic government services and processes. This act ultimately established guidelines for federal agencies on security standards.
Critics state that these three regulations are good for establishing minimum security, but do not go far enough. Compliance with all of these regulations has not been robust enough to safeguard against advanced cyber attacks in recent years. There have been clear breaches of cyber security measures that have occurred in the medical, financial and government sectors over the past years. While some state governments have put additional regulations in place, the general consensus is that individual companies should be responsible for beefing up cyber security as they see fit.
Cyber Security Investments Should be Increased
At the end of the day, U.S. companies will need to make the decisions that are best for their businesses and customers about what level of cyber security protection is necessary. Marcus Turner, Chief Architect at Enola Labs Software, often discusses cyber security measures with his clients, stating:
“Ultimately, high levels of cyber security are a necessary and worthwhile investment for businesses that care about protecting their customers and safeguarding their businesses. I often tell businesses that they can pay an upfront cost now to protect their data, or wait until a cyber security attack and pay an even bigger price later to clean up the mess. Waiting may very well cost you your business”.
This year we are expecting a much higher investment in cyber security, so it will be interesting to see if this is enough to hinder government intervention or if additional U.S. government regulation of cyber security becomes necessary.