Like many college students who cram the night before a test – and some writers who test the limits of their editors' patience with their procrastination – many companies have pushed off GDPR compliance, believing either it doesn't apply to them, it's too costly or overwhelming or they can afford to wait and see just how serious regulators are about admonishing and fining companies who falter on privacy.
Big mistake.
The European Union spent a lot of time putting together, debating, reviewing and finalizing GDPR, which governs how data is handled, shared and protected and the organization is not about to abandon its efforts now that the regulation has been brought to bear.
“Regardless of industry, scope or scale, all organizations need to be prepared for these changes and the impact it could have on their business, and should employ a basic set of cybersecurity considerations to defend against today's growing cyber risk,” says eSentire Founder and Chief Security Strategist Eldon Sprickerhoff.
The new rules replace the EU's previous data protection laws, which date from 1995, when the internet was just emerging. They give citizens more control over their own private information and are intended to give businesses clarity and legal certainty. At the same time, the new regulations also give businesses headaches and a fair amount of anxiety: significant fines for violations (four percent of global turnover) and speedy breach notifications (where feasible, within 72 hours) loom, and uncertainty reigns over how enforcement might play out. A few organizations are breathing a sigh of relief that their transgressions occurred before the rules take effect this month.
The Facebook/Cambridge Analytica debacle, for example, fell just a couple of months short of being a test case for GDPR. “Regulators say they aren't hunting for examples, but really they'd like to find a company that served as a good test case,” says Michael Magrath, director of global regulations and standards at Vasco.
Steve Durbin, managing director of the Information Security Forum (ISF), agrees that regulators likely would have set an example with the social media giant, which recently admitted that the data analytics firm Cambridge Analytica broke its privacy and data use policies by gleaning data from 87 million Facebook users without their permission.
Facebook suspended Cambridge Analytica—the data analytics firm used by the Trump and Brexit campaigns to target voters—for violating its policies when it collected the personal data from accounts of 87 million Americans without their permission, prompting the Federal Trade Commission, the U.S. Congress, the state of Massachusetts and the U.K. information commissioner to launch investigations.
An app developed by Cambridge University professor Aleksandr Kogan called thisisyourdigitallife harvested data for Cambridge Analytica, owned in part by hedge fund operator Robert Mercer and once led by former White House adviser Steve Bannon. About 270,000 Facebook users signed up to take a paid personality test through the app. Their data and that of their friends, counting in the millions, was passed along to Cambridge Analytica.
“We exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons,” whistleblower Christopher Wylie, who worked closely with Kogan, told the Observer. “That was the basis the entire company was built on.”
While “it has been said that it's data taken from Facebook without the users' consent,” Evgeny Chereshnev, CEO at Biolink.Tech, calls the claim “both true and not true.”
By reading “the license agreement, when you sign up with Facebook, you would understand that you have absolutely no rights when it comes to your data; your information, what you post and how information is gathered about you. Facebook can analyze and use this data any way it wants.”
That might give the company some wiggle room under GDPR, but it certainly wouldn't help it escape the scrutiny and wrath of EU regulators.
Facebook CTO Mike Schroepfer has since admitted that nearly all of the company's users – numbering in the billions – could have had their public profiles scraped via the platform's search and account discovery features.
“Given the scale and sophistication of the activity we've seen [from malicious actors], we believe that most people on Facebook could have had their public profile scraped in this way,” Schroepfer told reporters in early April, explaining why the company had disabled the search feature.
Facebook CEO Mark Zuckerberg also confessed to the company recording the call logs of Android users employing Messenger, though he defended “call and text history logging” as a “part of an opt-in feature for people using Messenger or Facebook Lite on Android.” The company has since taken steps to rectify those issues, including banishing some features and improving policies around data handling and sharing, signaling it would hand ownership of data to its users.
Facebook is hardly the only company that dodged a GDPR bullet because its data handling transgression occurred before the regulation took effect. The high-profile Uber breach, too, likely would have set regulators' hair on fire. If GDPR had been in play during the latest Uber hack, the ride-sharing company would have faced stiff consequences – or maybe it would have chosen a more prudent, secure route by promptly revealing the attack that compromised the personal data of 57 million customers and drivers, and by taking bold steps to mitigate the damage.
GDPR is “designed specifically to deal with such occurrences. Under [GDPR], Uber would have had to notify the regulator within 72 hours of being aware of the hack (not the year or so in this case). Then, assuming the regulator found them in breach of the regulations, they would have to pay a fine of four percent of global annual turnover, or 20 million Euros, whichever is higher,” says Dean Armstrong QC, cyber law barrister at Setfords Solicitors. “As Uber hasn't released its figures, we can't speculate as to the potential final cost of the fine, but it is fair to say the regulator would have come down hard, and under the regulations, it would likely be in the tens of millions.”
But the company will likely feel the biggest impact on “reputation, which although harder to quantify than a fine could far outstrip any penalty handed to them by a regulator,” says Armstrong. “The U.K. and Europe are adopting stricter rules on personal data protection for precisely this kind of event.”
Attackers lifted a set of login credentials from a GitHub coding site that Uber software engineers used, then accessed an infrastructure account where computing tasks are handled, only to find a treasure trove of archived driver and rider data.
“The hack wasn't sophisticated – the digital thieves broke into the accounts of two Uber engineers on GitHub, where they found the passwords to some online data storage that contained the personal info, according to the report,” says Imperva CTO Terry Ray.
“This appears to be a prime example of good intentions gone bad. Using an online collaboration and coding platform isn't necessarily wrong, and it isn't clear if getting your accounts hacked on these platforms is even uncommon,” says Ray. “Sadly, it's all too common that developers are allowed to copy live production data for use in development, testing and QA. This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors.”
Contending that Uber “played a risky game” by concealing the incident and paying the hackers $100,000 to delete the purloined data, which will likely embolden bad actors to steal personal information from other organizations, Armstrong says GDPR's imminent arrival pointed to “a huge shift in thinking towards this issue.”
Now Uber is left “to navigate a labyrinth of financial and state breach notification laws given a user base spanning the globe,” particularly GDPR, says Mark Sangster, vice president and industry security strategist at eSentire.
Sitting on a breach for a year could cause untold damage for the company, its employees and customers. “While comedians and senators are finding out that they can't keep sexual harassment under wraps, companies are learning that they can't bury the news when they get hacked,” says Jeff Williams, CTO and co-founder of Contrast Security. “In this case, Uber was legally required to disclose this breach, and I'm sure there will be repercussions.”
Williams called the breach likely “the tip of the iceberg.” While some incidents “don't legally require disclosure,” they “would outrage consumers if they knew,” he said. “And most organizations are sitting on mountains of unfixed vulnerabilities that don't require disclosure. Another outrage.”
Sangster finds Uber's response baffling; a recent series of mega-breaches should have been wake-up calls. “It's fascinating that even in light of the mega-breaches of 2016 and 2017, companies consider non- or delayed breach disclosure as an option,” he says. “The number of records compromised in the Uber hack far exceeds the entire population of Canada.”
Maintaining that “companies today have no excuse when it comes to cybersecurity controls,” since they have an abundance of tools and guidelines to choose from, Sangster says, “in Uber's case, you have a company already enduring a PR firestorm. Mix in a significant one-year-old, non-disclosed breach, and that storm suddenly becomes a hurricane.”
Sangster fully expects the Uber breach “will set new precedents when it comes to regulatory compliance and disclosure mandates.”
Now that GDPR is finally taking effect, “‘doing an Uber’ will be unacceptable so organizations need to be working overtime now to get their technology, people and processes ready for compliance,” says Simon Townsend, chief technologist, EMEA, for Ivanti and an expert in GDPR best practices.
Data, data everywhere and all the systems did leak
As the Uber and Facebook examples – plus the countless reports of open AWS S3 buckets and the poor cyber hygiene practiced by many companies – demonstrate, organizations are leaking and exposing information. Personal data is pouring out of apps, and sensitive material is left accessible to the public and to bad actors as a result of those organizations' perilous and sometimes negligent practices. For example, a Varonis report found that almost half of organizations have more than 1,000 users with passwords that never expire, and 41 percent have 1,000 or more sensitive files open to all employees.
Almost daily, reports surface of AWS S3 buckets left open in public view. Digital Shadows published research in April showing more than 1.5 billion sensitive corporate and other files visible on the public internet, due to misconfigured Amazon S3 buckets, network attached storage (NAS) devices, FTP servers and other common tools used to back up, sync and share files.
The amount of exposed data totaled 12 petabytes – four thousand times the size of the Panama Papers leak – and, given its EU/cross-border aspects, it would run afoul of GDPR if the companies involved didn't react quickly.
The financial penalty for non-compliance with privacy regulations, in general, can prove costly. “Non-compliance with privacy regulations like HIPAA and PCI DSS costs 2.71 times the cost of maintaining or meeting compliance requirements,” according to a recent study by Globalscape and the Ponemon Institute.
“Non-compliance costs businesses on average $14 million, a 45 percent increase since 2011. For those businesses that do comply, costs averaged around $5.47 million annually – less than half the cost of non-compliance,” Globalscape CTO Peter Merkulov says.
Which is why it's difficult to understand those companies that have refused, for whatever reason, to get their GDPR ducks in order. An AvePoint report found that 60 percent of companies haven't progressed much toward compliance, down only slightly from 67 percent the year before.
Yes, compliance is difficult – it requires budget dollars to adopt technology, implement encryption, staff up and get data in order. There's also some confusion over the obligations and expectations of the regulation. Although the EU is determined to protect data and privacy and is likely on a low-key search for a corporate poster child to drive the seriousness of that commitment home, it has also indicated, security professionals say, that regulators won't be unnecessarily heavy-handed. It takes resources to go after violators and they say all signs point to regulators showing leniency to companies that have taken steps to move toward compliance even though their journeys are not complete.
Yes, many organizations are woefully behind in their GDPR plans. But that's not to say that looming regulation hasn't lit a fire under others. Scale Venture Partners found that GDPR and breaches like those at Equifax and Facebook have prompted companies to adjust their perspectives and strategies, with 91 percent of the 200 security leaders surveyed saying that they've changed their security programs, increasing their spends on cybersecurity as well as measurement and reporting.
AvePoint's research shows that while 60 percent of survey respondents might be fumbling in the dark over handling sensitive data, half have committed additional headcount, budget or external counsel to GDPR compliance. That's an uptick from around 20 percent last year.
Organizations that are unprepared may be forced to add “hold our breath” to their GDPR strategies as the rules take effect, but it's not too late to start.
Following these six steps can put an organization on the path to compliance; they should be put in place as soon as possible:
Update your public-facing privacy policy. Your privacy policy is likely to be the first formal document a regulator will view. If your privacy policy is out of compliance, the assumption of the regulator might well be so are other privacy components. It is an invitation to further scrutiny by EU regulators.
Know your data's location. GDPR is all about managing the PII of EU citizens. Know exactly what data you have, where you have it, how it is protected, and how to access it. If you cannot access PII, you likely would be subject to a fine. Data flow mapping is a huge task, but essential under GDPR. Incidentally, if you use a customer relationship management (CRM) application, do disk drive backups or process various types of data analytics, there could be a lot of hidden PII there as well. Some experts believe it is impossible to develop a comprehensive privacy policy until data flow mapping is in place.
Put privacy protection policies in place and follow them. In the EU, corporate intent often overrides the letter of the law. If your company has policies and procedures in place for protecting PII and a breach occurs, regulators likely will be more understanding if a company tries to do the right thing and follows its policies and procedures. Unlike U.S. regulations, such as PCI DSS, where companies need to follow the letter of the regulation, the EU views trying to do the right thing as critical to the process and sometimes more important than actually following the letter of the law if the former approach protects PII more effectively.
Hire a data protection officer. Actually, not every company needs a data protection officer (DPO). The local coffee kiosk likely would be exempt, but if your company has a website that collects analytics, sells to EU citizens or EU companies or collects demographic data on EU citizens for any purpose, you definitely need to be GDPR compliant and have a DPO. That said, whom you name as a DPO — an existing employee, a new employee, a third party — opens an entirely new can of worms and has its own multiple levels of considerations.
Convert your data collection processes to opt in. In the U.S., most companies offer an opt-out option to individuals and companies when it comes to collecting and using personal data. In the U.S., if you don't want to be on a mailing list, you need to opt out. But the EU requires explicit opt-in consent from the person whose data is being collected. In addition, the popular Terms of Service (ToS) document used by U.S.-based companies that include opting in as part of unrelated approval is not acceptable to EU regulators. According to the EU, it is not consent if the person has no other options other than to approve a long ToS document.
Delete what you do not need. Many U.S. companies have a policy of collecting as much data as possible about their customers. This policy is not consistent with GDPR. If you do have data on an EU citizen, be prepared to request permission from the individual for you to keep the data. EU citizens have a legal right to ask you to produce data on demand and delete it at their request. Here is a simple recommendation: If your company has data on EU citizens that it does not require for business purposes, delete it now. If you do not have the data, it cannot be compromised in a breach and you do not have to produce it on demand.
Following those steps not only provides a pathway to compliance; it can also help organizations enjoy what Durbin says is an even greater benefit of GDPR – business transformation.
By understanding what data they have, as well as how it's used and shared, companies can transform their own business processes, introducing greater efficiencies and reducing costs.
Special Projects Editor Stephen Lawton contributed to this story.
Cybercriminals will feel GDPR's impact too
For all the good that GDPR purports to do, it could make the cybercriminal's job much easier (or stymie it) precisely because, a Sixgill study says, it will “affect the way global corporations handle consumer data encryption, but in even more basic terms, it will affect what kind of information is permitted to be stored and passed along to other users.”
The study identified three ways the EU-backed regulation could impact cybercriminals:
Organizations may choose to pay ransom rather than find a solution to a breach on their own. “An organization will need to decide whether it can decrypt the ransomware on its own or need to wire the requested payment to the cyber-criminal,” the study contends. “GDPR puts the responsibility for the breach on the organization, thus in the case of a cyber-incident, the organization might prefer an immediate capitulation in which it pays the cybercriminal for the decryption rather than a continuous cyber crisis in which the organization's IT team works to resolve the incident on its own.”
Cybercriminals may remain anonymous. “The moment GDPR comes into play, organizations may not be able to carry out some actions that can help them figure out the identities of key links within the chain of the database breach,” according to Sixgill. “The updated regulation obligates the organization to implement tougher data protection rules. Thus, in some cases, IT teams will face legal difficulties when trying to complete an investigation, making the issue even more complex to solve.”
Malicious actors' business schemes will feel the impact. “Not that different than the average organization trying to get a handle on how GDPR will affect them, underground actors are also assessing the as of yet unknown effects of GDPR on their activities. Assessing the damage it may cause to their ‘business,’ some cybercriminals seem to worry about new data encryption policies and other cyber-defense tools that may increase the difficulty of perpetrating an attack,” the study said. “Also, GDPR increases the accountability of an organization in case of a data breach. As a result, vulnerability exploiters may bump into more complex cyber-defense systems making hacking more difficult. The implementation of the GDPR regulation may turn out to be a turning point in the cyber-defense atmosphere.”