Operations
5/25/2017
11:50 AM

You Have One Year to Make GDPR Your Biggest Security Victory Ever

The EU's new razor-toothed data privacy law could either rip you apart or help you create the best security program you've ever had. Here's how.

This is not a drill. One year from today, the grace period for the European Union's General Data Protection Regulation (GDPR) ends, and enforcement begins. 

The bad news: GDPR has rigorous rules -- like a 72-hour window for notifying the supervisory authority of a breach -- and sharp teeth -- like fines of up to 20 million Euros or 4% of your annual worldwide "turnover" (roughly equivalent to revenue), whichever is higher. Despite that, chances are high that you won't be ready to comply by the deadline, if you even realize that you have to comply in the first place.

The good news is that it could help you do many of the things you should have done and wanted to do all along: data inventory, better monitoring, least privilege, encryption, secure application development, and a better understanding of the business you support.

How do you get there in 12 months? Here are some guidelines.

Assemble your team.

Team - as in Infosec, Privacy, and Compliance. But you also need to loop in other groups, such as:

Marketing. "You've got to have enforceable rules about what marketing does with people's data," says ESET senior security researcher Stephen Cobb. 

Your marketers may use personal data the most, and may already be aware of GDPR's coming impact on their operations. One ad-serving technology company executive told Advertising Age recently that GDPR is "ripping the digital ecosystem apart," and the CEO of the DMA (Direct Marketing Association) group said in a statement last month that the GDPR deadline of "May 2018 should be a date that is in every marketer's diary."

HR. GDPR does not only apply to customers' data. It also applies to your employees' information.

Development/DevOps. GDPR has stipulations for "data protection by design and by default," which have implications for the secure development of any application that handles personal data. There are also new mandates for data collection and consent that will require changes to more than just pre-ticked boxes on your Web forms and the opt-out functions of your newsletters.

Communications/PR. The 72-hour breach notification response time will require planning. In addition, an official process for handling privacy violation complaints will need to be established.

Legal. Compliance cannot be outsourced. Contracts with third parties may need to be revisited. 

Data Protection Officer, if you need one. GDPR mandates that certain organizations, depending upon several factors, will need someone explicitly assigned to the task of protecting data. According to the International Association of Privacy Professionals, 100% of the large enterprises in information and communication will need a DPO, as well as 100% of financial institutions and insurance firms. IAPP estimates that there will be a need for 75,000 DPOs worldwide, including roughly 9,000 in the US alone.

Although GDPR requires that the DPO be able to act independently (the role may not be instructed on how to perform its tasks, nor penalized for performing them), these responsibilities could be assigned to an existing role, a new person could be hired, or the job could be outsourced.

According to a survey by Blancco Technology Group, DPOs are still uncommon, and costly. Fifty-nine percent of American companies say they are most likely to assign the responsibilities of DPO to an existing role. Half of respondents to a survey by Varonis say their organization does not yet have a DPO, and 47% of those that are planning to appoint one expect the individual to have a primarily IT-based professional background.

Assess your exposure.

Does GDPR apply to you? "You increase your risk by first of all not knowing if you were covered," says Cobb. As Cobb explained in a blog: "Your firm probably needs to comply with GDPR if: You monitor the behavior of data subjects who are located within the EU; You're based outside the EU but provide services or goods to the EU (including free services); or You have an 'establishment' in the EU, regardless of where you process personal data (e.g. cloud-based processing performed outside of the EU for an EU-based company is subject to the GDPR)."

Do you know what "personal data" means in the EU? The definitions, which still vary somewhat by country under existing national law, are far broader than the American understanding of personally identifiable information. Information about location, income, and cultural attributes like religion and political affiliation is protected, and even something as mundane as a shoe size becomes personal data once it is linked to an identifiable person. "Child" means something different, too: in the US, parental consent is needed for minors under age 13, but GDPR sets the age of consent for online services at 16 by default, and member states may lower it only as far as 13.

How many EU residents do you have in your databases -- internal and external users? (GDPR protects data subjects who are in the EU, regardless of citizenship.) Remember too, that Brexit does not absolve you from worrying about UK residents. The UK is not officially scheduled to leave the Union until March 29, 2019. Also, 68% of respondents to the Varonis survey expect that any British organization that violates GDPR will be "made an example of," as recompense for Brexit; 57% believe the UK will be among the top three most rigorous enforcers of the law while the country remains in the EU.

In how many countries do you operate? The more member states whose residents' privacy you have violated, the more supervisory authorities you may hear from, and the worse the penalties may be.

In which countries do you operate? Certain countries have a more vigorous privacy culture and history of privacy activism and are expected to enforce the regulation – either from a top-down or bottom-up approach – more rigorously than others. 

How much of your business model relies on profiling? This can fall into a lot of categories, from target marketing to loan approval. All the information about income bracket, geography, age, and favorite color so frequently requested in Web forms will now be protected by law. (The rules against profiling could even have implications for any automated surveillance controls you have in place to watch out for insider security threats.) Read more at the IAPP: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-5-profiling/

How much of your business model relies upon the processing of data? If you're an IT or telecommunications company that transmits or stores data, you fit into this category alongside the payment and payroll processors.             

Know Your GDPR:

Article 35: data protection impact assessment. It isn't the first article that pertains to cybersecurity, but it's the first one you should think about: a DPIA is mandatory wherever processing is likely to result in a high risk to individuals, and doing one early is the fastest way to learn where your gaps are. According to the Blancco survey, 41% of American organizations are currently undergoing a data protection gap analysis.

Article 7: consent. As the International Association of Privacy Professionals explains, "silence, pre-ticked boxes or inactivity" are not adequate ways of conferring consent. Also, GDPR gives data subjects the right to withdraw consent at any time and, as the law mandates "it shall be as easy to withdraw consent as to give it." 

Article 16: right to rectification. EU citizens have the right to have inaccurate information about themselves corrected. As CEO and founder of Seclore Vishal Gupta wrote in a column for Dark Reading earlier this month, "At first this sounds simple, but it becomes increasingly complex as you factor in third-party vendors that have come into possession of the data. Complying with this will require additional controls that allow organizations to either alter or delete data that has already left the network."

Article 17: right to erasure (right to be forgotten): As IAPP explains, "This right allows individuals to request the deletion of personal data, and, where the controller has publicized the data, to require other controllers to also comply with the request."  

Article 25: data protection by design and by default. As Roxane Suau of Pradeo describes it: "This is one of the most important aspects of GDPR. On the one hand, it is expected companies will include data privacy protection as part of their development process. On the other hand, they must apply the appropriate technical means and methods and organizational processes to ensure only relevant data collection, processing and storage."

Article 30: records of processing activities. Article 30 requires that written records be kept of each processing activity: the categories of data subjects and of personal data, the recipients, any transfers to third countries, retention periods where possible, and a general description of the security measures in place. These records must be made available to the supervisory authority on request, so they double as the data inventory you will need for everything else on this list.

Article 32: security of processing. Article 32 is the biggest cybersecurity Article, and it is explicitly risk-based rather than a fixed checklist. It requires that data controllers and processors "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk," including, as appropriate: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability and access to personal data in a timely manner after an incident; and a process for regularly testing and evaluating the effectiveness of those measures.

Articles 33-34: breach notification. Article 33 requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. Article 34 requires notifying the affected data subjects without undue delay when the breach is likely to result in a high risk to them. The 72-hour clock starts at discovery, not at the time of the breach itself, which is why detection and incident response planning are on the critical path.

Article 46: transfers subject to appropriate safeguards. As Gupta wrote, this addresses the concern that when European citizen data gets "transferred outside the EU, it can become subject to surveillance by nation-states." To remain in compliance with this article, Gupta recommends data-level security tools that keep protections attached to the data while it travels. These precautions will also help meet the requirements of Privacy Shield.

Respondents to both reports from Varonis and Blancco named the right to be forgotten, the records of data processing activities, security of data processing, and the 72-hour breach notification rule, as the biggest concerns.
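Two of those top concerns, pseudonymisation under Article 32 and the right to erasure under Article 17, can be served by one mechanism: encrypt every subject's records under a per-subject key and treat deletion of that key as erasure (crypto-shredding). The block below is an added example, not code from the article or from any of the vendors quoted in it. The key table, the record store, the sample records and the pepper value are all constructed for illustration, and the stream cipher is HMAC-SHA256 in counter mode with an HMAC tag so that the example runs on the Python standard library alone; a production system would use AES-GCM from a vetted library, which changes nothing about the erasure logic.

```python
"""Pseudonymisation plus crypto-shredding for personal data (added example).

Assumptions, all illustrative: one data-encryption key (DEK) per data subject
kept in a separate key table; records indexed by a keyed pseudonym; an
HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC in place of
AES-GCM, purely to avoid third-party dependencies.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

NONCE_LEN = 16
TAG_LEN = 32


def pseudonym(pepper: bytes, identifier: str) -> str:
    """Keyed pseudonym (Art. 32(1)(a)). Same identifier -> same token, so
    records can still be joined; without `pepper` the token can neither be
    reversed nor confirmed by guessing, unlike a bare SHA-256 of an e-mail."""
    normalized = identifier.strip().lower().encode()
    return hmac.new(pepper, normalized, hashlib.sha256).hexdigest()


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the subject's DEK."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (stand-in for AES-CTR)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Constant-time tag check before any plaintext is produced."""
    enc, mac = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class SubjectStore:
    """Records are encrypted under their subject's DEK. Erasure (Art. 17)
    deletes only the DEK: ciphertext lingering in backups, replicas or logs
    becomes unrecoverable, which plain row deletion cannot guarantee."""

    def __init__(self, pepper: bytes) -> None:
        self.pepper = pepper
        self.keys: Dict[str, bytes] = {}           # key table: pseudonym -> DEK
        self.records: Dict[str, List[bytes]] = {}  # data table: pseudonym -> blobs

    def store(self, identifier: str, record: str) -> str:
        pid = pseudonym(self.pepper, identifier)
        dek = self.keys.setdefault(pid, secrets.token_bytes(32))
        self.records.setdefault(pid, []).append(encrypt(dek, record.encode()))
        return pid

    def read(self, identifier: str) -> Optional[List[str]]:
        pid = pseudonym(self.pepper, identifier)
        dek = self.keys.get(pid)
        if dek is None:
            return None  # erased, or never stored
        return [decrypt(dek, blob).decode() for blob in self.records.get(pid, [])]

    def erase(self, identifier: str) -> bool:
        """Crypto-shred: drop the key, leave the ciphertext where it is."""
        return self.keys.pop(pseudonym(self.pepper, identifier), None) is not None

    def residual_blobs(self, identifier: str) -> int:
        """Ciphertexts that still physically exist for this subject."""
        return len(self.records.get(pseudonym(self.pepper, identifier), []))


if __name__ == "__main__":
    store = SubjectStore(pepper=b"constructed-pepper-keep-the-real-one-in-a-kms")
    store.store("Alice@Example.com", "ship to: 1 Rue de Rivoli, Paris")  # constructed sample
    store.store("alice@example.com", "shoe size: 38")
    print(store.read("alice@example.com"))
    store.erase("alice@example.com")
    print(store.read("alice@example.com"), store.residual_blobs("alice@example.com"))
```

The design point is the split between the key table and the data table: the key table is small, lives in one place, and is what you protect and audit; the data table can be replicated and backed up freely because every copy dies with the key. The pepper used for pseudonyms must be guarded the same way, since whoever holds it can re-link tokens to identities.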

Find your data. Start monitoring.

"What you can't do is expect to navigate all that without knowing where that data is and what data you've got," Cobb says.

"If an organization cannot find their customers’ data, how will they be capable of erasing the data and complying with the EU GDPR’s requirement” for the “right to be forgotten,” said Richard Stiennon, chief strategy officer for Blancco Technology Group, in a statement. Stiennon goes on to say that companies often use “insecure and unreliable data removal methods, such as basic deletion and free data wiping software.” 

Brian Vecci, technical evangelist of Varonis, agrees and suggests organizations that are behind start simply by instituting basic monitoring, followed by automatic data classification.

Without at least knowledge of what data you have and how it's being used, Vecci says, it's impossible to institute any practices of least privilege or keep adequate records. "It's like trying to clean up your garage in the dark," he says. "Just turn on the lights."
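Turning on the lights, in practice, starts with a scan that tells you which stores hold which kinds of personal data; the counts feed the Article 30 records and decide where monitoring goes first. The block below is an added example and is not the article's code nor a Varonis or Blancco product: it runs a handful of pattern detectors over three constructed sample sources (a CRM export, a web access log and a build log), validates IBAN candidates with the mod-97 checksum so that random upper-case runs in logs are not reported as bank accounts, and rejects IPv4 look-alikes such as version strings. The file names, records and addresses are all made up.

```python
"""Personal-data discovery as a first pass at a data inventory (added example).

The sources below are constructed samples held in a dict; a real run would
walk file shares, database dumps and log stores instead.
"""
import re
from collections import Counter
from typing import Dict, List


def iban_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check on an IBAN candidate (spaces allowed)."""
    s = re.sub(r"\s+", "", candidate).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]  # country code and check digits move to the end
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


def ipv4_valid(candidate: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. build numbers)."""
    return all(int(octet) <= 255 for octet in candidate.split("."))


# (category, pattern, validator or None). An IP address is personal data under
# the GDPR definition once it can be linked to an individual, so it is counted.
DETECTORS = [
    ("email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"), None),
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), iban_valid),
    ("ip_address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), ipv4_valid),
]


def scan_line(line: str) -> Counter:
    """Count validated hits per category in one line of text."""
    found: Counter = Counter()
    for category, pattern, validate in DETECTORS:
        for match in pattern.finditer(line):
            if validate is None or validate(match.group()):
                found[category] += 1
    return found


def build_inventory(sources: Dict[str, List[str]]) -> Dict[str, Dict[str, int]]:
    """Map each source holding personal data to the categories found and their
    counts; sources with no hits are omitted so the output is the inventory."""
    inventory: Dict[str, Dict[str, int]] = {}
    for source, lines in sources.items():
        totals: Counter = Counter()
        for line in lines:
            totals.update(scan_line(line))
        if totals:
            inventory[source] = dict(totals)
    return inventory


# Constructed sample data: a CRM export, a web server access log and a build log.
SAMPLE_SOURCES = {
    "crm_export.csv": [
        "id,name,email,iban,notes",
        "1001,Anna Müller,anna.mueller@example.de,GB82WEST12345698765432,prefers phone contact",
        "1002,Luc Dubois,luc@example.fr,GB82WEST12345698765433,",  # IBAN fails the checksum
        "1003,Pat Jones,,,no bank details on file",
    ],
    "web_access.log": [
        '203.0.113.42 - - [25/May/2017:11:50:00 +0000] "GET /pricing HTTP/1.1" 200 512',
        '198.51.100.7 - - [25/May/2017:11:51:13 +0000] "POST /signup HTTP/1.1" 302 0',
    ],
    "build.log": ["[INFO] compiling module auth v2.3.1 (build 4821)"],
}

if __name__ == "__main__":
    for source, categories in build_inventory(SAMPLE_SOURCES).items():
        print(f"{source}: {categories}")
```

Pattern scanning only finds structured identifiers. The names in the CRM export go unreported here, and free-text notes ("prefers phone contact") can carry special-category data that no regex will catch, which is why Vecci's second step, automatic classification, follows the first rather than replacing it.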

NEXT PAGE: Set new process, policies, enforcement for GDPR


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comments
Joe Stanganelli
6/4/2017 | 9:08:57 AM
Re: What Authority Does a Foreign Entity Have on a Sovereign Nation?
@Dr.T: It's more about the businesses -- who subject themselves to that jurisdiction by reaching out to do business there -- than it is about the government of the US.

(And, besides, that's what treaties are for.)
Joe Stanganelli
6/4/2017 | 9:07:41 AM
Re: What Authority Does a Foreign Entity Have on a Sovereign Nation?
@geriatric: I've not 100% made my way through GDPR yet, but it's unlikely to be so simple.

Realistically, regulators go after the big targets and the targets that are most egregious. Realistically speaking, almost nobody cares about a lone eBay seller who hasn't dotted his i's.

(*NOT LEGAL ADVICE.)
Joe Stanganelli
5/30/2017 | 4:41:21 PM
Re: Going on different directions
It's a bigger political issue in Europe -- where people are still old enough to remember oppressive Communist regimes spying on citizens in a pre-digital era.
Joe Stanganelli
5/30/2017 | 4:36:35 PM
Re: HIPAA
@Dr. T: You would think, but it's not quite so simple (not that HIPAA is "simple") -- especially because of the relative fungibility of EU privacy rules/regs/laws. Privacy Shield and GDPR could very well be gone in five years' time in favor of another period of BCR-mitigated chaos followed by yet a new rubric.
geriatric
5/30/2017 | 6:43:51 AM
Re: What Authority Does a Foreign Entity Have on a Sovereign Nation?
@Pablo Valerio - while I certainly agree that any corporation with a physical presence would be subject to the reg, I'm not at all convinced that the EU's authority would extend to an American citizen with an eBay storefront who sells a t-shirt to someone living in France, or even to a small U.S. community bank whose database contains the address of an ex-pat living in Germany. So it all comes down to what 'doing business' means.
Pablo Valerio
5/29/2017 | 3:19:15 PM
Re: What Authority Does a Foreign Entity Have on a Sovereign Nation?
@geriatric... actually it doesn't, except if a company does business in Europe. In that case they have all the authority.

If a company such as Facebook wants to quit the European market, and delete all the data they have on EU citizens, then they don't have to worry about GDPR.
Dr.T
5/29/2017 | 2:59:43 PM
GDPR
GDPR is just a start, I would say; all other countries will most likely have their own version of regulations to provide privacy to their citizens.
Dr.T
5/29/2017 | 2:55:00 PM
Re: DPO and "costl[iness]"
"When it comes to compliance and risk management, you get what you pay for." Agree. It requires lot of effort, time and money.
Dr.T
5/29/2017 | 2:53:43 PM
Re: What Authority Does a Foreign Entity Have on a Sovereign Nation?
"Why would the United States agree to comply with a foreign regulation?" No, but most likely you have a branch there or customers; then you are part of the regulation.
Dr.T
5/29/2017 | 2:52:11 PM
Re: Going on different directions
"Looks to me that the EU and the US are going in opposite directions" Good point. We are making it political here in the US.