Litigation against corporate board members and C-level executives over data privacy and security claims is on the rise. Specifically, the number of lawsuits stemming from data breaches and other cybersecurity incidents has increased as such breaches and incidents have become more common. Recently, plaintiffs have targeted corporate board members and C-level executives, alleging that their data privacy-related claims are the result of a breach of fiduciary duties. For example, plaintiffs may allege that the board’s or C-suite’s breach of fiduciary duties caused or contributed to the data breach through a failure to implement an effective system of internal controls or inattention to the red flags associated with cybersecurity. Even if a leak does not lead to litigation or enforcement action against board members or C-level executives, data leaks can tarnish a corporation’s name and draw increased scrutiny from regulators. This year alone, the Office for Civil Rights of the US Department of Health and Human Services has recorded over 100 breaches of unsecured electronic protected health information (ePHI). The department noted that most cyberattacks could be prevented or substantially mitigated by implementing adequate security measures.
Given the increase in regulatory scrutiny and lawsuits stemming from data breaches, board members and C-level executives should educate themselves on steps corporations can take to mitigate their cybersecurity risk. Implementing effective cybersecurity is not a one-time exercise, and companies and their boards must continually monitor advances in technology that warrant modifications or enhancements to their cybersecurity defenses. In this article, we explore some key developments that corporations should be aware of: quantum computing and quantum-resistant encryption, zero-trust security, and zero-knowledge proofs. While far from an exhaustive list, these emerging technologies and tools can play an important role in preventing bad actors from penetrating a company’s cybersecurity defenses.
Quantum technology has the potential to transform computing, creating both cybersecurity opportunities and risks for businesses. On the opportunity side, quantum random number generators (QRNGs), which are a distinct technology from quantum computers, derive randomness from physical quantum processes rather than from the deterministic algorithms (pseudorandom number generators) that most systems use to produce encryption keys. A deterministic generator is only as unpredictable as its seed and its algorithm: an attacker who can recover the seed, or who observes enough output of a non-cryptographic generator, can reproduce every value it has ever produced and thereby recover the keys or tokens derived from it. Well-designed cryptographically secure generators, such as an operating system’s /dev/urandom, are not known to be predictable in this way, but weakly seeded or non-cryptographic generators are. Quantum measurements, by contrast, are held to be fundamentally unpredictable, so a QRNG’s output cannot be predicted even by someone who knows everything about the device, which removes this class of weakness from the resulting keys.
These quantum random number generators are commercially available, but until the wide-scale adoption of these new technologies, many companies continue to rely on traditional encryption as a cornerstone of their cybersecurity strategy. On the risk side, a sufficiently large quantum computer running Shor’s algorithm could “break” the public-key cryptosystems in wide use today (RSA, Diffie-Hellman and elliptic-curve cryptography), because their security rests on the difficulty of integer factorization or discrete logarithms, problems a quantum computer can solve efficiently. Symmetric ciphers such as AES are less affected: Grover’s algorithm roughly halves the effective key length, which is addressed by using 256-bit keys.
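The point about predictable “traditional” generators is easiest to see in code. The following is an added example written for this article, not code from the original page: a hypothetical application (WeakTokenService) issues password-reset tokens from Python’s Mersenne Twister seeded with its start-up time, and an attacker who receives one token for their own account brute-forces the seed from a window of plausible start-up times and then predicts the token issued to the next user. The timestamps, names and the token format are constructed for the demonstration; the contrasting StrongTokenService uses the operating system’s cryptographically secure generator, for which no such prediction is known.

```python
"""Why a deterministic, weakly seeded random number generator is a liability.

Constructed scenario: WeakTokenService stands in for an application that issues
128-bit password-reset tokens from random.Random (Mersenne Twister), seeded with
the clock at start-up. The attacker requests one token for themselves, recovers
the seed by brute force, and predicts the token handed to the next user.
"""
import random
import secrets


class WeakTokenService:
    """Issues tokens from a non-cryptographic PRNG seeded with a timestamp."""

    def __init__(self, start_time: int):
        self._rng = random.Random(start_time)  # fully determined by the seed

    def new_token(self) -> str:
        return self._rng.getrandbits(128).to_bytes(16, "big").hex()


def recover_seed(observed_token: str, approx_start: int, window_s: int):
    """Attacker: find the seed whose first token equals one we legitimately received.

    Tries every second in [approx_start - window_s, approx_start + window_s]; a
    process start time is usually guessable to within an hour from banners or logs.
    Returns the seed, or None if no seed in the window reproduces the token.
    """
    for seed in range(approx_start - window_s, approx_start + window_s + 1):
        if WeakTokenService(seed).new_token() == observed_token:
            return seed
    return None


def predict_tokens(seed: int, already_issued: int, count: int):
    """Attacker: replay the generator past the tokens already handed out."""
    svc = WeakTokenService(seed)
    for _ in range(already_issued):
        svc.new_token()
    return [svc.new_token() for _ in range(count)]


class StrongTokenService:
    """Same interface, backed by the OS CSPRNG (os.urandom via the secrets module)."""

    def new_token(self) -> str:
        return secrets.token_hex(16)


def demo():
    """Run the attack end to end; returns (seed_recovered, victim_token_predicted)."""
    start = 1_700_000_000                  # constructed start-up timestamp
    service = WeakTokenService(start)
    attacker_token = service.new_token()   # attacker requests a reset for their own account
    victim_token = service.new_token()     # the next token goes to the victim
    seed = recover_seed(attacker_token, approx_start=start + 900, window_s=3600)
    predicted = predict_tokens(seed, already_issued=1, count=1)[0]
    return seed == start, predicted == victim_token


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, True)`: a two-hour window of candidate seeds is exhausted in well under a second, and the victim’s token is known before it is ever used. The fix is not a quantum device but a cryptographically secure generator; a QRNG is one way to source the entropy such a generator is seeded with.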
Many data privacy laws incentivize encryption, but also require regular testing, assessing and evaluating of the effectiveness of technical and organizational security measures to ensure the security of processing. The European Union’s General Data Protection Regulation (GDPR) names encryption as an example of an appropriate technical measure (Article 32), and a controller need not notify affected individuals of a breach when the exposed data was rendered unintelligible to unauthorized persons, for example through encryption (Article 34). Additionally, under the California Consumer Privacy Act (CCPA), consumers whose nonencrypted and nonredacted personal information is exposed in a breach resulting from a failure to maintain reasonable security can sue the business directly. Statutory damages range from $100 to $750 per consumer per incident (or actual damages, if greater), so in the event of a large data breach this price can add up quickly.
Given the regulatory risk of not keeping up with seismic evolutions in technology such as quantum computing, a wide range of private and public players are preparing for the advent of quantum computing and investing in related encryption technology. Experts estimate that widespread adoption of quantum computing is likely a decade away. However, interest and development in this space will continue to expand as quantum computing transforms from a technology of the future to one of the present.
Quantum-resistant (post-quantum) encryption in particular has drawn a lot of attention. Since 2016, the National Institute of Standards and Technology (NIST) has been overseeing several rounds of competition to develop new quantum-resistant cryptography and encryption standards, with initial results expected later this year. Based on the latest available data from the competition participants, lattice-based cryptography seems to be the favorite. Lattice-based cryptography is itself a form of public-key cryptography, but its security rests on problems over high-dimensional lattices, such as finding short vectors or recovering a secret from noisy linear equations (the “learning with errors” problem), rather than on the integer factorization and discrete logarithm problems that RSA and elliptic-curve cryptography depend on and that a quantum computer could solve. No efficient quantum algorithm is known for these lattice problems, which is why lattice-based cryptography is considered the most promising defense against the threats that could stem from quantum computers.
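To make the “noisy linear equations” idea concrete, here is an added example, written for this article rather than taken from the page or from any NIST submission: a toy public-key scheme in the style of Regev’s learning-with-errors (LWE) encryption, followed by the attack that works the moment the noise is left out. The parameters are deliberately tiny and offer no security; standardized schemes such as ML-KEM use structured lattices, dimensions in the hundreds and a carefully chosen noise distribution. Everything below (parameter names, the sample message) is constructed for the demonstration.

```python
"""Toy LWE public-key encryption plus the attack on a noise-free public key.

Parameters are for readability only. Each error term is in {-1, 0, 1}, so the
accumulated noise |r.e| is at most M = 64 < Q/4 = 832 and decryption is always
correct with these settings.
"""
import secrets

N = 16       # secret dimension
M = 64       # number of LWE samples in the public key
Q = 3329     # prime modulus
HALF_Q = Q // 2


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


def keygen():
    """Secret s in Z_Q^N; public key (A, b = A*s + e mod Q) with small error e."""
    s = [secrets.randbelow(Q) for _ in range(N)]
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(M)]
    e = [secrets.randbelow(3) - 1 for _ in range(M)]
    b = [(_dot(row, s) + ei) % Q for row, ei in zip(A, e)]
    return (A, b), s


def encrypt_bit(pk, bit):
    """Random 0/1 combination r of the public samples; the message bit is scaled to Q/2."""
    A, b = pk
    r = [secrets.randbelow(2) for _ in range(M)]
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (_dot(r, b) + bit * HALF_Q) % Q
    return u, v


def decrypt_bit(sk, ct):
    """v - <u, s> = r.e + bit*Q/2 (mod Q); r.e is small, so round to 0 or Q/2."""
    u, v = ct
    d = (v - _dot(u, sk)) % Q
    return 0 if min(d, Q - d) < abs(d - HALF_Q) else 1


def encrypt(pk, data: bytes):
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    return [encrypt_bit(pk, bit) for bit in bits]


def decrypt(sk, cts):
    bits = [decrypt_bit(sk, ct) for ct in cts]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def solve_linear_mod_q(A, b):
    """Gauss-Jordan over Z_Q. Returns s if A*s = b has a unique exact solution, else None.

    Against a noise-free b this recovers the secret outright; against the real
    public key the M equations are inconsistent and the attack fails. The noise is
    the entire difference between a trivial and a hard problem.
    """
    rows = [list(row) + [bi] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(N):
        piv = next((i for i in range(r, M) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, Q)
        rows[r] = [(x * inv) % Q for x in rows[r]]
        for i in range(M):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(x - f * y) % Q for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    if r < N or any(any(row) for row in rows[r:]):
        return None
    s = [0] * N
    for i, c in enumerate(pivots):
        s[c] = rows[i][N]
    return s


if __name__ == "__main__":
    pk, sk = keygen()
    print(decrypt(sk, encrypt(pk, b"hello")))
    print(solve_linear_mod_q(pk[0], pk[1]) == sk)   # False: noise defeats linear algebra
```

Encrypting one bit here costs a ciphertext of N + 1 integers, which is why practical schemes encrypt a symmetric key once (a key encapsulation mechanism) rather than a message bit by bit, and why they use structured lattices to shrink the public key.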
Board members and C-level executives are encouraged to pay attention to the potential opportunities and threats presented by quantum computers, as well as technologies that can mitigate such risk.
Zero Trust Security
Zero trust security is a security model that removes the implicit trust traditional networks grant to anyone already inside the perimeter, mitigating the cyber risk posed by “insider” threats as well as by external attackers who have stolen credentials or compromised a device. Traditional network security is designed to prevent outside actors from breaching a network. However, this leaves organizations susceptible to threats from users and devices that have already authenticated and gained access to the network. In fact, some statistics suggest that more than half of data breaches originate within an organization. Zero-trust security counters this risk by requiring that every user and device be authenticated and authorized for each access to a network resource, based on identity, device state and the requested resource rather than on network location, even when that user or device is already inside the network.
NIST has published extensive information on best practices for organizations that choose to follow a zero trust security strategy, including Special Publication 800-207 on Zero Trust Architecture. The NIST guidelines treat per-request authentication and authorization as core pillars of zero trust: access decisions are made by a policy engine for each request, grant only the least privilege needed, and take the state of the requesting device into account. This requires organizations to focus on “reducing implicit trust zones”, shrinking the areas within the network where users and devices can exist without being verified again. When internal or external attackers gain authorized or unauthorized access to an organization’s network, a zero-trust security strategy prevents those actors from existing and operating within the network without control, making the strategy a valuable tool in an organization’s cyber defense arsenal.
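The difference between a perimeter rule and a zero-trust decision is clearest side by side. The following is an added example written for this article, not code from the original page and not from NIST: a minimal policy decision point that evaluates each request on identity, session freshness, device posture and an explicit grant, and never consults the source address. The field names, users, grants and sample requests are constructed for the demonstration.

```python
"""A minimal per-request policy decision point next to the perimeter rule it replaces.

Constructed example. GRANTS is a stand-in for whatever authorization store an
organization uses; the device fields stand in for a posture report from endpoint
management. Nothing here is from NIST SP 800-207 itself, which describes the
architecture rather than an implementation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    subject: Optional[str]      # authenticated identity, None if anonymous
    auth_age_s: int             # seconds since the subject last proved their identity
    mfa: bool                   # multi-factor authentication completed for this session
    device_id: Optional[str]    # None for an unmanaged or unknown device
    device_compliant: bool      # posture report: patched, disk encrypted, EDR running, ...
    source_ip: str
    resource: str
    action: str


# Hypothetical least-privilege grants: the (resource, action) pairs each identity may perform.
GRANTS = {
    "alice": {("payroll-db", "read")},
    "bob": {("wiki", "read"), ("wiki", "write")},
}
MAX_AUTH_AGE_S = 8 * 3600   # force re-authentication after this; shrinks the implicit trust window


def legacy_perimeter_decision(req: AccessRequest) -> bool:
    """Castle-and-moat: anything arriving from the corporate 10.0.0.0/8 range is trusted."""
    return req.source_ip.startswith("10.")


def zero_trust_decision(req: AccessRequest):
    """Deny by default; allow only when every check passes. Returns (allowed, reasons)."""
    reasons = []
    if req.subject is None:
        reasons.append("unauthenticated")
    if not req.mfa:
        reasons.append("no MFA")
    if req.auth_age_s > MAX_AUTH_AGE_S:
        reasons.append("authentication too old, re-verify")
    if req.device_id is None or not req.device_compliant:
        reasons.append("device unknown or non-compliant")
    if (req.resource, req.action) not in GRANTS.get(req.subject, set()):
        reasons.append("not authorized for %s:%s" % (req.resource, req.action))
    # Note what is absent: req.source_ip is never consulted. Location is not identity.
    return (not reasons, reasons)


# Constructed requests illustrating the four cases that separate the two models.
INSIDER_OVERREACH = AccessRequest("bob", 60, True, "lt-007", True, "10.0.4.12", "payroll-db", "read")
STOLEN_PASSWORD = AccessRequest("alice", 30, False, None, False, "10.0.9.200", "payroll-db", "read")
REMOTE_ALICE = AccessRequest("alice", 300, True, "lt-003", True, "203.0.113.8", "payroll-db", "read")
STALE_SESSION = AccessRequest("alice", 36 * 3600, True, "lt-003", True, "203.0.113.8", "payroll-db", "read")

if __name__ == "__main__":
    for name, req in [("insider overreach", INSIDER_OVERREACH), ("stolen password", STOLEN_PASSWORD),
                      ("remote alice", REMOTE_ALICE), ("stale session", STALE_SESSION)]:
        print(name, "perimeter:", legacy_perimeter_decision(req), "zero trust:", zero_trust_decision(req))
```

The perimeter rule admits the insider reading payroll data and the attacker with a stolen password on an unmanaged laptop, and rejects the legitimate remote employee; the zero-trust decision inverts all three outcomes and additionally forces re-authentication of a session that has aged past the policy limit.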
Zero Knowledge Proofs
Although highly dependent on the architecture of the blockchain itself, blockchain technology in general is based on cryptographic hashing, digital signatures and decentralized validation of data. However, the immutability of the blockchain and the reliance on a potentially large group of network participants to validate data may make users reluctant to share sensitive data with a large network and may also raise other security- and data privacy-related concerns.
Zero-knowledge proofs (ZKPs) form the basis of a cryptographic protocol that can improve the functionality and usability of the blockchain as a method of exchanging data, although ZKPs are also useful as a cybersecurity tool outside the blockchain space.
ZKP cryptography involves proving that a statement about some data is true without revealing the data itself, for example proving that a person seeking to enter a bar is over the minimum drinking age without revealing the person’s date of birth. ZKPs use algorithms that allow a verifier to check such a statement mathematically rather than by inspecting the underlying data. In practice the statement is made about data that has been committed to or attested by a trusted party (for example a bank-signed income record), since otherwise the prover could simply assert any value. This offers the potential for businesses to minimize the amount of data they collect and reduce the risk of a data breach, as they can process transactions without owning or accessing data that is not needed. For example, a financial services company could verify that a customer’s income meets certain predetermined thresholds without having to access the customer’s financial information. In this example, the financial services company would have confidence that the customer meets its income eligibility criteria, and the customer would have confidence that sensitive personal financial data is subject to this additional layer of privacy and protection.
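The simplest ZKP that is actually used in practice proves knowledge of a secret key without revealing it. The following is an added example written for this article, not code from the original page: a Schnorr proof of knowledge of a discrete logarithm, made non-interactive with the Fiat-Shamir transform, plus the simulator that shows why a transcript leaks nothing about the secret. The group is generated at import time as a 128-bit safe prime, which is far too small for production (real systems use 2048-bit groups or elliptic curves); the context strings are constructed for the demonstration.

```python
"""Schnorr zero-knowledge proof of knowledge of x with y = g^x mod p (Fiat-Shamir).

Constructed example with a toy-sized group. The prover publishes y and a proof
(t, s); the secret x never leaves the prover. A context string binds the proof to a
purpose so it cannot be replayed elsewhere.
"""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits: int = 128):
    """Safe prime p = 2q + 1 and g = 4, a generator of the subgroup of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4   # 4 = 2^2 is a quadratic residue != 1, hence of order q


def _encode(p: int, *values: int) -> bytes:
    width = (p.bit_length() + 7) // 8
    return b"".join(v.to_bytes(width, "big") for v in values)


def challenge(p, q, g, y, t, context: bytes) -> int:
    """Fiat-Shamir: the verifier's random challenge becomes a hash of the transcript."""
    digest = hashlib.sha256(_encode(p, p, g, y, t) + context).digest()
    return int.from_bytes(digest, "big") % q


def prove(p, q, g, x, context: bytes = b""):
    """Prover side. Returns the public value y and the proof (t, s)."""
    y = pow(g, x, p)
    k = secrets.randbelow(q - 1) + 1      # fresh nonce; reusing k across proofs leaks x
    t = pow(g, k, p)
    c = challenge(p, q, g, y, t, context)
    s = (k + c * x) % q
    return y, (t, s)


def verify(p, q, g, y, proof, context: bytes = b"") -> bool:
    """Verifier side: accept iff g^s == t * y^c, recomputing c from the transcript."""
    t, s = proof
    if not (1 < y < p and 0 < t < p and 0 <= s < q):
        return False
    if pow(y, q, p) != 1:                 # y must lie in the order-q subgroup
        return False
    c = challenge(p, q, g, y, t, context)
    return pow(g, s, p) == (t * pow(y, c, p)) % p


def simulate_transcript(p, q, g, y):
    """Produce an accepting interactive transcript (t, c, s) WITHOUT knowing x.

    Choosing c and s first and solving for t yields transcripts distributed exactly
    like real ones, which is why seeing a proof teaches the verifier nothing about x.
    """
    c = secrets.randbelow(q)
    s = secrets.randbelow(q)
    t = (pow(g, s, p) * pow(y, (q - c) % q, p)) % p
    return t, c, s
```

The income example in the text is a richer statement (“this attested value exceeds a threshold”) and needs a range proof over a commitment rather than a plain Schnorr proof, but the structure is the same: a public value, a transcript the verifier can check, and a secret that never leaves the prover.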
Whether or not a business uses blockchain, board members and C-level executives are encouraged to consider employing ZKP to provide additional security to their organizations and reduce the amount of data they need to collect to transact.
While no single cybersecurity tool is ever enough, this article offers insight into some emerging technologies that C-level executives and board members need to be aware of in the ever-evolving data security landscape. Quantum computing, quantum-resistant encryption, zero-trust security and ZKPs offer powerful tools to protect user data from harmful internal and external actors and can mitigate a corporation’s exposure to the potential financial and legal liabilities that arise from a data breach or other security incident.