10/31/2017
05:12 PM
Dark Reading
Products and Releases

RiskIQ Announces GDPR PII Analytics Solution for Website Compliance

New functionality aims to help organizations ensure that their websites comply with the new EU General Data Protection Regulation (GDPR).

SAN FRANCISCO -- RiskIQ, the leader in digital threat management, today announced new functionality in RiskIQ Digital Footprint to help organizations ensure that their websites comply with the new EU General Data Protection Regulation (GDPR). Under GDPR, which governs the protection of EU personal data, fines can be considerable if personally identifiable information (PII) is compromised, or if it is solicited and handled insecurely.

RiskIQ Digital Footprint’s new PII/GDPR analytics feature helps expedite compliance during the initial and subsequent GDPR audit processes by actively identifying websites belonging to an organization and highlighting issues with the specific pages that collect PII. The regulation, which takes effect in May 2018, applies to any organization that processes the personal data of people in the EU, even if it has no physical presence there.

GDPR governs the collection, storage, and use of EU personal data and requires that PII be collected and transmitted securely. In addition to mandatory breach notification, an organization found to have inadequate security provisions can face fines of up to €20 million or 4 percent of its worldwide annual turnover, whichever is higher. GDPR also includes provisions designed to ensure that individuals know, and consent to, how their information is being used.

As applied to websites that solicit personal data from people in the EU, GDPR requires, among other safeguards, that organizations:

  • Collect and transmit personal data securely, using encryption where appropriate
  • Present privacy notices and terms in clear, plain language, and obtain explicit opt-in consent where consent is the basis for processing
  • Notify the relevant supervisory authority within 72 hours of becoming aware of a data breach, and notify affected individuals without undue delay when the breach is likely to pose a high risk to them

“GDPR is a global game changer that will pull the rest of the world toward setting a higher bar for protecting PII,” said Jarad Carleton, principal consultant, Digital Transformation, Frost & Sullivan Cybersecurity Practice. “However, to be compliant, you first need to know where PII is being collected, so proper process controls can be put around that data. RiskIQ Digital Footprint tells enterprises where PII collection is occurring, even when individual departments have web initiatives outside the oversight of IT. The automated approach supports GDPR and can help enterprises avoid fines and protect the future business.”

According to research published by PwC, 92 percent of U.S. multinational companies cited compliance with the GDPR as a top data protection priority. However, the challenge for larger organizations is the sheer volume and complexity of websites and web applications that need to be identified and inspected for GDPR compliance. For expansive European and U.S. multinational companies, the ongoing discovery, analysis, and remediation tasks are nearly unachievable without automation, leaving a considerable security and compliance gap. In addition, recent RiskIQ research of U.K. organizations revealed that nearly a third of the FTSE-30 websites collected EU citizen personal data insecurely.

RiskIQ research of North American organizations also looked at 25 of the 50 largest banks in the U.S. (2017) and discovered significant security gaps in PII collection. The findings indicated that 68 percent of the banks collect PII insecurely, revealing a per-organization average of:

  • 1,891 insecure login forms
  • 1,663 pages collecting PII insecurely
  • 1,326 EU first-party cookie violations
  • 1,265 EU third-party cookie violations

Each of these insecure collection points is a potential GDPR compliance failure, and a point at which customer data can be compromised.

RiskIQ Digital Footprint helps address this challenge by actively discovering, creating, and assessing an interactive inventory of public-facing web assets, including sites, applications, and infrastructure, connected to an organization. The new PII/GDPR analytics feature automatically highlights web pages where personal data is being solicited, including login forms, data collection forms, and persistent cookies.

The resulting inventory tags and reports indicate where GDPR policy violations exist, so that IT and security teams can focus their efforts on remediating those web assets to meet GDPR requirements. As part of ongoing auditing, it can identify the appearance of new sites and PII collection pages, checking that data is being collected securely and that approved data usage notices and user consent mechanisms are present. Organizations save significant time and resources in the discovery and audit verification processes, and gain an inventory of, and insight into, their PII collection points.
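The checks described above (login forms, data-collection forms, and persistent cookies on a discovered page) can be illustrated with a small script. The following is an added example, not part of the press release and not RiskIQ's code; the sample pages, cookie headers, the field-name heuristics in PII_INPUT_TYPES and PII_NAME_HINTS, and the function names analyse_page and run_demo are all assumptions made for the demonstration. It flags a form that collects PII when its effective submit URL is not HTTPS, a form on an HTTP page even when its action is HTTPS (the form itself can be rewritten in transit), and any persistent cookie set without the Secure flag.

```python
"""Flag insecure PII collection points in a single web page.

Added illustrative example; not RiskIQ's code and not the product's logic.
The sample pages and cookie headers below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristics (assumptions) for "this input carries personal data".
PII_INPUT_TYPES = {"password", "email", "tel"}
PII_NAME_HINTS = ("email", "phone", "name", "address", "passw", "card")


class FormCollector(HTMLParser):
    """Collect every <form> on the page with its action, method and inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are already lower-cased by HTMLParser
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": (a.get("name") or "").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_collects_pii(form):
    """True if any input looks like it carries personal data."""
    for inp in form["inputs"]:
        if inp["type"] in PII_INPUT_TYPES:
            return True
        if any(hint in inp["name"] for hint in PII_NAME_HINTS):
            return True
    return False


def analyse_page(page_url, html, set_cookie_headers=()):
    """Return a list of human-readable findings for one page."""
    findings = []
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    for form in parser.forms:
        if not form_collects_pii(form):
            continue
        # An empty action submits back to the page itself; urljoin resolves both cases.
        target = urljoin(page_url, form["action"])
        scheme = urlsplit(target).scheme
        is_login = any(i["type"] == "password" for i in form["inputs"])
        kind = "login form" if is_login else "PII form"
        if scheme != "https":
            findings.append(f"{kind} submits over {scheme or 'unknown'}: {target}")
        elif page_scheme != "https":
            # HTTPS action on an HTTP page: an on-path attacker can rewrite the action.
            findings.append(f"{kind} served over HTTP (action {target} can be rewritten in transit)")
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attr_names = {p.split("=", 1)[0].lower() for p in parts[1:]}
        persistent = "expires" in attr_names or "max-age" in attr_names
        if persistent and "secure" not in attr_names:
            findings.append(f"persistent cookie '{name}' set without Secure flag")
    return findings


# Constructed sample pages: (page URL, HTML, Set-Cookie headers seen in the response).
SAMPLE_PAGES = [
    ("http://www.example.com/login",
     '<form action="/auth" method="post"><input type="text" name="username">'
     '<input type="password" name="password"></form>', []),
    ("http://www.example.com/legacy",
     '<form action="https://www.example.com/auth" method="post">'
     '<input type="password" name="pw"></form>', []),
    ("https://www.example.com/newsletter",
     '<form action="http://lists.example.com/subscribe" method="post">'
     '<input type="email" name="email"></form>', []),
    ("https://www.example.com/contact",
     '<form method="post"><input type="text" name="full_name"></form>',
     ["tracking=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
      "sid=1; Path=/; Secure; HttpOnly"]),
    ("https://www.example.com/search",
     '<form action="/results"><input type="text" name="q"></form>', []),
]


def run_demo():
    """Analyse every constructed sample page; returns {url: findings}."""
    return {url: analyse_page(url, html, cookies) for url, html, cookies in SAMPLE_PAGES}


if __name__ == "__main__":
    for url, findings in run_demo().items():
        print(url, "->", findings or "no findings")
```

The heuristics are deliberately simple; a production inventory would also need to follow JavaScript-driven submissions, redirects on the action URL, and cookies set from scripts, none of which a static parse of the HTML sees.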

“PII discovery, inventory, and compliance assessment is one of the major tasks for GDPR project teams. In our experience, most security and compliance teams have only partial visibility of the websites owned by their organization. They are left to engage users across the business in an effort to uncover them. And once they have compiled that list, inspecting tens of thousands of web pages is labor intensive and prone to error,” said Lou Manousos, CEO of RiskIQ. “The new PII/GDPR analytics feature in RiskIQ Digital Footprint automates the once cumbersome and often inaccurate process of ongoing website PII discovery and assessment, helping to more efficiently support compliance obligations for large enterprises and multinational organizations.”

RiskIQ's PII/GDPR analytics feature is immediately available and is included as part of its Digital Footprint Enterprise solution. Register for RiskIQ’s webinar on Wednesday, Nov. 29 to learn best practices for ensuring your organization is prepared for the looming GDPR mandate.
