Editor’s note: Wired for Safety is a weekly column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer College. From 2001 to 2011 he worked in cybersecurity for NOAA. He is a doctoral student at Northeastern University. His other activities include “You Have A Voice,” a project to develop an electronic screening assessment to identify human trafficking victims.
Just over a month ago, I found out that Sen. Patrick Leahy, D-Vt., proposed a bill in Congress called the Consumer Privacy Protection Act of 2017. It would require private companies, not just federal or state agencies, to implement minimum data security controls and routinely assess those controls. It happens that students in a course I teach at Champlain College were instrumental in influencing that bill due to an assignment they worked on over the course of the semester. The summation of what they learned was a letter sent to Sen. Leahy to propose this type of bill.
As discussed in a previous article, those minimum security controls could help mitigate the most common types of data breaches. The Privacy Rights Clearinghouse maintains a database of publicly known breaches. It is worth reviewing to see how often these occur and the number of records breached. Go to the maps tab and zoom in on Vermont.
What could businesses do if this bill becomes law? Two Champlain College students are developing hands-on tutorials for small businesses. Their work will be publicly available (and you’ll know about it on VTDigger). Their focus is on mom and pop shops, grass-roots organizations and any business with one to 10 people. However, the tutorials can be used by any business. They are basing their work on the Center for Internet Security guide for small businesses.
The security recommendations in the CIS guide are an example of the types of controls the Consumer Privacy Protection Act would require private companies to implement. The methods to secure systems are not esoteric and not very expensive, either. They are well-known and freely available. Also, the tools to assist with the implementation are sometimes free or require only a minimum investment (this is dependent on the technology employed and how many systems need protection).
Implementing the CIS’ top 20 security controls mitigates the most common threats and puts your organization in a much stronger defensive position against cyber threats. However, it’s essential to routinely monitor and assess those controls to ensure they haven’t changed and are working as expected. That’s another part of the tutorials the students are developing: how to routinely assess the controls to ensure they are doing their job.
The Consumer Privacy Protection Act is a step in the right direction to have federal requirements for implementing and routinely assessing security controls. Now we need to work on educating organizations on how to achieve the goals of the proposed law.
