Is it Time to Develop a Data Loss Certificate?
Every day someone is compromised and data is taken. One of the key selling points of SSL certificates was that the transaction a consumer was about to enter into was vouched for by a certifying entity: the company and the consumer could both rest assured that the site's identity had been verified and that the sensitive data being entered was encrypted in transit.
That is where the chain of assurance stopped. Nothing vouches for how the data is stored once it has been transmitted.
Privacy laws have come a long way toward legally mandating how collected data must be stored and processed.
But they fall short. A law is only enforced after an incident has happened, and only if the details become public. It is a deterrent, but an after-the-fact one.
Companies are increasingly investing in cyber insurance, which in many ways moves responsibility further left in the chain. It is still a deterrent, but one with pros and cons.
Pros: if you follow the insurer's required controls, the insurer assumes the financial risk of your incident.
Cons: you have to follow their methodologies, and the insurer has to be educated enough about technology and controls to know what to require and how to validate it.
Next on our journey is a program that needs to be implemented: a seal of assurance presented to the consumer on behalf of an entity. Consumers are ultimately the ones who can force change by voting with their money before a transaction, which turns the deterrent into a preventive control. A seal or certificate that tells a consumer a few things:
- The site and company have not had a data breach, or have not had one in the last X days.
- They have implemented key controls: MFA, login lockouts, and cross-checking of passwords against known breach corpora, both at signup and when a credential-stuffing attack is under way.
- Which insurer and data controller will pay you, and what you will get, if your data is compromised. Would you be willing to give up your information for another six months of credit monitoring?
- The company has implemented and passed tier 1 audit controls as defined by NIST; see SP 800-53.
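Two of the controls listed above, the breached-password cross-check and the login lockout, are concrete enough to show in code. The block below is an added example written for this page, not code from the post's author or from any seal program. It assumes the k-anonymity style of breach lookup (send only the first 5 hex characters of the password's SHA-1, receive every matching SUFFIX:COUNT line); the post names no method. The breach corpus, its counts, the PBKDF2 round count and the lockout thresholds are all constructed for the example, and MFA is left out.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# --- Breached-password cross-check -----------------------------------------
# Assumed approach (the post names none): a k-anonymity range lookup. The
# client sends only the first 5 hex chars of the uppercase SHA-1 of the
# password and receives every known "SUFFIX:COUNT" line for that prefix, so
# the service never learns which password was checked. The range service is
# replaced here by a constructed local store so the example runs offline.

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed sample corpus; the counts are made up for the example.
CONSTRUCTED_BREACHED = {"password": 9_000_000, "123456": 37_000_000, "letmein": 250_000}

def build_range_store(breached: dict) -> dict:
    store = defaultdict(list)
    for pw, count in breached.items():
        h = sha1_upper(pw)
        store[h[:5]].append(f"{h[5:]}:{count}")
    return store

RANGE_STORE = build_range_store(CONSTRUCTED_BREACHED)

def range_lookup(prefix: str) -> str:
    """Stand-in for the range endpoint: newline-separated SUFFIX:COUNT lines."""
    return "\n".join(RANGE_STORE.get(prefix.upper(), []))

def breach_count(password: str, lookup=range_lookup) -> int:
    """Return how many times the password appears in the corpus (0 = unseen)."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0

def signup_allowed(password: str) -> bool:
    """Signup control: refuse any password that appears in a breach at all."""
    return breach_count(password) == 0

# --- Credential storage and login lockout ----------------------------------

PBKDF2_ROUNDS = 100_000  # assumption: picked for the demo, tune for production

def make_record(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 verifier; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify(password: str, record: tuple) -> bool:
    salt, digest = record
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(got, digest)  # constant-time compare

class LockoutPolicy:
    """Lock an account after max_failures failures inside a window_s window."""

    def __init__(self, max_failures=5, window_s=900.0, lockout_s=900.0):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(list)  # account -> failure timestamps
        self._locked_until = {}             # account -> unlock time

    def is_locked(self, account: str, now: float) -> bool:
        return now < self._locked_until.get(account, 0.0)

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failure; return True if this one triggered a lock."""
        recent = [t for t in self._failures[account] if now - t < self.window_s]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            self._failures[account] = []
            return True
        self._failures[account] = recent
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

def attempt_login(policy, account, password, record, now):
    """Return 'locked', 'ok' or 'denied'. `now` is injected so callers control time."""
    if policy.is_locked(account, now):
        return "locked"          # refuse before touching the verifier
    if verify(password, record):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account, now)
    return "denied"
```

The lockout check runs before the verifier so a locked account costs an attacker nothing to probe and the server no PBKDF2 work; the lock is keyed per account, which is what stops a stuffing run against one victim, while a per-source-IP limit (not shown) is what would throttle a spray across many accounts.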