As 2016 draws to a close, predictions for 2017 regarding cyber security have already been made (some are discussed below). However, the Privacy Risk Report will take a safer route and predict, even guarantee, that there will definitely be changes to a number of laws addressing cyber security in 2017.
In looking at some of the 2017 predictions, the common themes appear to be: (1) ransomware will continue to cause trouble; (2) the Internet of Things (IoT) will give rise to new security risks; and (3) cloud computing may not be completely safe. These predictions, even if they are proven to be wrong, are worth considering for risk assessment and to forecast possible damage.
Prediction: Ransomware Incidents Will Increase
In Symantec’s report entitled “Ransomware: A Growing Menace,” ransomware is described as “a category of malicious software which, when run, disables the functionality of a computer in some way.” McAfee Labs, in its “2017 Threats Predictions,” predicts that ransomware will peak in the middle of 2017, “but then begin to recede.” McAfee’s report states its prediction is based on the increase in ransomware giving rise to “decisive actions” by the cyber security industry.
Experian’s “Fourth Annual 2017 Data Breach Industry Forecast” predicts that ransomware will go from being a mere nuisance to potentially having a “catastrophic” impact on healthcare facilities. Based on ransomware attacks on hospitals in 2016, Experian predicts “big healthcare hacks will make the headlines, but small breaches will cause the most damage.” In order to avoid an incident where ransomware limits or precludes access to lifesaving medical equipment, Experian recommends medical facilities invest in proper security measures and employee training.
Prediction: Internet of Things (IoT) Incidents Will Increase
IoT is the network of household appliances, vehicles, industrial machines, medical equipment and a number of other familiar devices connected through the internet. McAfee states the current threat involving IoT is driven by two main forces: “[t]hey are a potential source of data or metadata” and they provide “a potential attack vector to cause damage.” McAfee tempers the concern related to IoT based on the fact that there are few ways to currently profit off hacking IoT devices.
McAfee also sees a scenario combining ransomware and the IoT in its prediction that we may see interconnected devices held hostage until a ransom is paid to the hacker.
The McAfee Report also addresses the risk created by “hacktivists” attempting to disrupt a corporation or government through the IoT. For example, hacktivists may try to make a political statement by “taking control and altering voting machine tallies, opening valves at a dam, or overriding safety systems at a chemical plant.” The McAfee Report states that “[w]ithin the next two to four years, we expect hacktivists to try, but few if any will succeed.”
Prediction: Incidents Involving Cloud Computing Will Increase
In recent years, cloud computing has provided an option to shift risk by moving data storage to cloud computing providers based on the premise that data will be safer. Consequently, hackers and other criminals have identified cloud computing providers as worthwhile targets. McAfee predicts that the increased trust in cloud computing has led to the cloud storing more sensitive data, which, in turn, could result in more attacks on cloud computing providers. McAfee’s experts believe the increased number of incidents involving cloud computing will give rise to more litigation against cloud providers, businesses and their customers as plaintiffs argue the efforts to protect their personal information were not “reasonable.”
Prediction: The Term “Dronejacking” Will Enter Our Vocabulary
If there was not enough to worry about already, McAfee coins the phrase “dronejacking” to describe how drones can be used by hackers. Similar to the problems related to the increased number of devices giving rise to the IoT, the increased number of drones used not just as toys but also in law enforcement, real estate, news media and shipping increases the chances that drones will be compromised. McAfee predicts that 2017 will bring “drone exploit toolkits,” which will make dronejacking easier. While the full impact of dronejacking is not entirely known at this time, McAfee’s Report discusses how drones can land on a roof and hack into the building’s wireless network.
Not a Prediction: A Number of Cyber Security Laws Will Change in 2017
There is no question that a number of laws addressing cyber security will definitely change in 2017. For example, Illinois has amended its breach notification statute, which means real changes will be seen on January 1, 2017. Specifically, Illinois’s Personal Information Act (815 ILCS §530/5) will now include a requirement that any entity holding “personal information concerning an Illinois resident” must “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”
Additionally, Illinois joins a number of other states that have expanded the definition of “personal information” to include an individual’s “user name or email address.” Therefore, an entity may have obligations to notify any individual that has had their user name or email address improperly disclosed. The Illinois legislature further broadened the definition of “personal information” to include medical information, health insurance information or biometric data.
Other states that also will see revisions to their data breach/cyber laws include California, Nebraska, Oregon and Rhode Island.
While predictions are important to get businesses to consider cyber security issues, businesses are required to know the changes in the law and meet those new requirements. For example, Illinois businesses need to determine whether they have implemented “reasonable security measures” to protect personal information to meet the requirements under Illinois law. Contact Tressler’s Privacy Group attorneys for advice on how to get ready for the changes imposed on data collectors under Illinois’ Personal Information Protection Act, effective January 1, 2017.