Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Compliance

2/28/2018
08:05 AM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

GDPR: The New Price We Pay for Data Privacy

When the EU's GDPR regulations come into effect in May, the rules around how companies and individuals regard data privacy will change forever. Even for those outside Europe, this could be an expensive journey to take.

May 25 sees the launch of the General Data Protection Regulation (GDPR) in the European Union. It's a complex task to secure every single piece of personal data that firms process or store from EU residents.

With deep implications for privacy and data protection for EU and US companies, how prepared are we?

GDPR compliance touches many critical business areas: the relationships firms have with their customers, the technology that supports data protection, internal data process leadership and process change, legal issues and of course the cost of initiating and maintaining individual company GDPR strategies.

"Some companies will approach EU GDPR opportunistically and see it as a way to get more value out of the data," Joe Carson, chief security scientists at Thycotic -- a US privileged account security firm -- told SecurityNow. "[But] some organizations will see this as a painful process... [and] are organizations that hate change and see EU GDPR as preventing them from doing business."

About 30% of firms worldwide report being ready for GDPR, according to new stats from Forrester. Interestingly more US companies report they're fully prepared than their counterparts in the EU An additional 35% of firms say they're partially compliant today, or will be compliant within six months. (See GDPR Readiness Goes Beyond Security Controls.)

"These numbers are encouraging," said Enza Ianopollo, a security and risk analyst at Forrester, "however, few firms are approaching GDPR compliance with a comprehensive program and a sound risk-based approach."

"I do think that companies, especially outside of Europe, are overconfident about their ability to meet the new requirements because they doubt that EU regulators' reach will go beyond the EU. I think that they are taking a huge risk," Ianopollo added.

The new cost of data privacy
Firms in regulated industries clearly have had a head-start with GDPR because they are accustomed to operating within a tight compliance framework. According to Forrester's report, companies in the financial sector are the most GDPR mature, but media and retail firms -- which hold and process vast amounts of customer data -- lag, and have only just started their GDPR journey. They need to get it right because failure to comply with GDPR's rule set comes with a stiff price tag.

Organizations in breach of GDPR can be fined up to a maximum of 4% of global turnover, or E20m, whichever is the greater, in a tiered penalty system covering relatively minor to major infractions. Observers say it's possible that the EU could make an example out of a big US firm that fails to comply, in order to send a signal to the market right from the outset.

"The EU has a long history of standing for user freedom and fair competition," said Ambuj Kumar, CEO and co-founder of Fortanix, a data protection firm. "It's likely that the EU could impose an exemplary fine on a high-profile, well-known consumer company."

Potential fines aside, the cost of compliance for firms is somewhat of an unknown quantity, since GDPR is such a wide-sweeping regulation without an easily comparable precedent. Every company will have their own unique cost to stomach. (See GDPR, Cloud Changing Security Pros' Priorities Report.)

"On the negative side, I see a drawback in the increase of short-term costs for companies to rearchitect their security architectures," said Dr. Salvatore Stolfo, CTO of Allure Security. "We might also see a high short-term cost in the redesign of their business processes." He adds that because penalties could be high, this could complicate the risk management and estimates for future corporate liabilities.

"While many US companies will feel a financial strain to comply, a positive outcome is that underfunded security budgets will be right-sized due to compliance requirements," said Misha Govshteyn, co-founder of Alert Logic, a cloud security provider.

Legal implications
There are many recent examples of firms that failed to take adequate consumer data security precautions, and who also appeared sluggish to publicly acknowledging a breach. A prime example is the Sonic Drive-In breach last October, but notable consumer poster children include UPS, Barnes & Noble and Uber. (See SONIC Quiet on Data Breach Details.)

GDPR specifies that breaches notified outside of 72 hours will require an additional written explanation, and if the breach places a data subject at high risk, the notification must be made without "undue delay," which already appears a challenge for some companies.

"Companies who are not regulated usually do nothing to protect the data they have been entrusted to secure," said Thycotic's Carson. "It wasn't until cyberattacks became more expensive for insurance companies that as a result those that failed to secure and protect sensitive data began risking major financial losses."

Next page: GDPR adds additional complexity

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20902
PUBLISHED: 2020-10-01
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
CVE-2019-20903
PUBLISHED: 2020-10-01
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets.
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.