GDPR: The New Price We Pay for Data Privacy

Published: 22/11/2024   Category: security




When the EU's GDPR regulations come into effect in May, the rules governing how companies and individuals treat data privacy will change for good. Even for those outside Europe, this could be an expensive journey to take.



May 25 sees the launch of the General Data Protection Regulation (GDPR) in the European Union. It's a complex task to secure every single piece of personal data that firms process or store about EU residents.
With deep implications for privacy and data protection at EU and US companies alike, how prepared are we?
GDPR compliance touches many critical business areas: the relationships firms have with their customers, the technology that supports data protection, internal data process leadership and process change, legal issues and, of course, the cost of initiating and maintaining each company's own GDPR strategy.
(Source: GDJ via Pixabay)
"Some companies will approach EU GDPR opportunistically and see it as a way to get more value out of the data," Joe Carson, chief security scientist at Thycotic -- a US privileged account security firm -- told SecurityNow. "[But] some organizations will see this as a painful process... [and] are organizations that hate change and see EU GDPR as preventing them from doing business."
About 30% of firms worldwide report being ready for GDPR, according to new figures from Forrester. Interestingly, more US companies report that they're fully prepared than their counterparts in the EU. An additional 35% of firms say they're partially compliant today, or will be compliant within six months. (See GDPR Readiness Goes Beyond Security Controls.)
"These numbers are encouraging," said Enza Ianopollo, a security and risk analyst at Forrester, "however, few firms are approaching GDPR compliance with a comprehensive program and a sound risk-based approach."
"I do think that companies, especially outside of Europe, are overconfident about their ability to meet the new requirements because they doubt that EU regulators' reach will go beyond the EU. I think that they are taking a huge risk," Ianopollo added.
The new cost of data privacy
Firms in regulated industries clearly have had a head start with GDPR because they are accustomed to operating within a tight compliance framework. According to Forrester's report, companies in the financial sector are the most GDPR-mature, but media and retail firms -- which hold and process vast amounts of customer data -- lag, and have only just started their GDPR journey. They need to get it right, because failure to comply with GDPR's rule set comes with a stiff price tag.
Organizations in breach of GDPR can be fined up to a maximum of 4% of global annual turnover or €20m, whichever is greater, under a tiered penalty system covering relatively minor to major infractions. Observers say it's possible that the EU could make an example of a big US firm that fails to comply, in order to send a signal to the market right from the outset.
"The EU has a long history of standing for user freedom and fair competition," said Ambuj Kumar, CEO and co-founder of Fortanix, a data protection firm. "It's likely that the EU could impose an exemplary fine on a high-profile, well-known consumer company."
Potential fines aside, the cost of compliance for firms is something of an unknown quantity, since GDPR is such a wide-sweeping regulation without an easily comparable precedent. Every company will have its own unique cost to stomach. (See GDPR, Cloud Changing Security Pros' Priorities – Report.)
"On the negative side, I see a drawback in the increase of short-term costs for companies to rearchitect their security architectures," said Dr. Salvatore Stolfo, CTO of Allure Security. "We might also see a high short-term cost in the redesign of their business processes." He adds that because penalties could be high, this could complicate the risk management and estimates for future corporate liabilities.
"While many US companies will feel a financial strain to comply, a positive outcome is that underfunded security budgets will be right-sized due to compliance requirements," said Misha Govshteyn, co-founder of Alert Logic, a cloud security provider.
Legal implications
There are many recent examples of firms that failed to take adequate consumer data security precautions, and that also appeared sluggish in publicly acknowledging a breach. A prime example is the Sonic Drive-In breach last October, but notable consumer poster children include UPS, Barnes & Noble and Uber. (See SONIC Quiet on Data Breach Details.)
GDPR requires that a personal data breach be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it; a notification made later than that must be accompanied by a written explanation of the delay. Where the breach is likely to place data subjects at high risk, the affected individuals must also be told without undue delay. Even the 72-hour window already appears to be a challenge for some companies.
"Companies who are not regulated usually do nothing to protect the data they have been entrusted to secure," said Thycotic's Carson. "It wasn't until cyberattacks became more expensive for insurance companies that, as a result, those that failed to secure and protect sensitive data began risking major financial losses."
GDPR adds additional complexity
Carson argues that firms consistently struggle to submit breach information to law enforcement, even after several months. Further complexity is added to breach notification due to confusion in the market about who is, or is not, a qualifying EU resident. Some companies are skirting this by ensuring they are compliant for all customers, not just the ones who may fall under GDPR jurisdiction.
Some companies have speculated that a simple way to be compliant, regardless of fuzzy national status definitions, is to simply process all data in Europe for customers who could be EU residents.
"Many people mistakenly believe [this], but nothing can be farther from the truth," said Fortanix's Kumar. "You need to follow the same process irrespective of where the data is processed."
Joseph Carson, chief security scientist at Thycotic (Source: Thycotic)
Yet another layer of complexity -- relationships with third-party suppliers -- further muddies the waters. Contractors are often obliged to keep a firms data safe, and this situation could prove a flashpoint between the US and the EU.
"US companies undoubtedly have many third-party relationships, but there is presently no easy way to [comply] with this using technology," said Allure's Stolfo. "Managing a third party's networks is impossible... and that third-party risk will ultimately cause a clash between EU GDPR regulators and US contract law."
Furthermore, it's been suggested that the US struggles with the quality and quantity of material disclosed after a breach because of weak federal security disclosure laws. This prevents companies from learning from each other's mistakes.
"Companies that experience security breaches must provide transparency into how the attack happened, why defenses failed and what we must do to better avoid such breaches in the future," said Alert Logic's Govshteyn. "Today, disclosure laws vary by state, and this has done little to resolve the disclosure problem for companies that operate nationally or internationally."
Technology or process?
Enterprises are in the process of defining which technologies can be their best ally for GDPR compliance. Challenges include accessing, consolidating and exposing data to make it easily searchable, managing it through its lifecycle, and making it deletable upon request.
Such a request from a private citizen, known as the right to be forgotten (the right to erasure), is particularly tricky because the data may be held encrypted at rest, in transit and also during runtime, and copies of it may sit in more than one system.
"The simplest way to meet these requirements is to encrypt all the user data with a single key and then centrally manage the key," Kumar said. "When the user requests deletion of their data, organizations can [just] delete the key." That is, provided the data can even be located, or recovered if it has been lost in a breach.
One new technology, which requires "beaconization" of all data, helps owners track its journey if it leaves the network, whether lawfully or through malicious action. Then there are the magnetic tapes and floppy disks of yesteryear to find, too.
"Just the act of finding all of the data to be forgotten is not trivial," said Allure's Stolfo. "Will a company have to maintain a copy of the deleted records to prove that they have indeed made best efforts to delete it all?"
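The erasure-by-key-destruction approach Kumar describes, and the "find all of it first" problem Stolfo raises, come together in a small crypto-shredding store. The following is an added illustration written for this page; it is not code from the article or from Fortanix, Allure or any other vendor quoted here. Assumptions: it keeps one data-encryption key per data subject rather than one key for everything, so that destroying a key erases exactly that person's records; the in-memory KeyStore stands in for an HSM or KMS; the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag is a standard-library stand-in for a vetted AEAD such as AES-GCM; and the sample records are constructed, not real data. The erasure log retains only record counts and timestamps, never personal data, as one answer to the "prove you deleted it" question.

```python
"""Crypto-shredding demo: one key per data subject, erasure = destroy the key.

Standard library only. The HMAC-SHA256 counter-mode cipher is an assumption
standing in for AES-GCM; the KeyStore stands in for an HSM/KMS.
"""
import hashlib
import hmac
import os
import time

BLOCK = hashlib.sha256().digest_size  # 32-byte keystream blocks


def _subkeys(subject_key: bytes):
    """Derive separate encryption and MAC keys from the subject's root key."""
    enc = hmac.new(subject_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(subject_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    for i in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(subject_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc, mac = _subkeys(subject_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(subject_key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(subject_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class KeyStore:
    """Central key management (stand-in for an HSM/KMS). One key per data subject."""
    def __init__(self):
        self._keys = {}

    def create(self, subject_id: str) -> bytes:
        return self._keys.setdefault(subject_id, os.urandom(32))

    def lookup(self, subject_id: str):
        return self._keys.get(subject_id)          # None once destroyed

    def destroy(self, subject_id: str) -> bool:
        return self._keys.pop(subject_id, None) is not None


class PersonalDataStore:
    """Ciphertext records may live in many tables and backups; the subject index
    answers "where is everything on this person?" and the key store serves erasure."""
    def __init__(self, keys: KeyStore):
        self.keys = keys
        self.records = {}      # record_id -> (subject_id, ciphertext blob)
        self.index = {}        # subject_id -> set of record_ids
        self.erasure_log = []  # (subject_id, record count, unix time); no personal data

    def put(self, record_id: str, subject_id: str, data: bytes) -> None:
        self.records[record_id] = (subject_id, encrypt(self.keys.create(subject_id), data))
        self.index.setdefault(subject_id, set()).add(record_id)

    def is_recoverable(self, record_id: str) -> bool:
        subject_id, _ = self.records[record_id]
        return self.keys.lookup(subject_id) is not None

    def get(self, record_id: str) -> bytes:
        subject_id, blob = self.records[record_id]
        key = self.keys.lookup(subject_id)
        if key is None:
            raise LookupError(f"{record_id}: subject key destroyed, data unrecoverable")
        return decrypt(key, blob)

    def forget(self, subject_id: str) -> int:
        """Serve a right-to-erasure request. Returns the number of records shredded."""
        if not self.keys.destroy(subject_id):
            return 0
        count = len(self.index.get(subject_id, ()))
        self.erasure_log.append((subject_id, count, int(time.time())))
        return count


def demo():
    store = PersonalDataStore(KeyStore())
    # Constructed sample records for two data subjects (not real data).
    store.put("crm-1", "alice", b"alice@example.org, London")
    store.put("orders-7", "alice", b"order 7: 2 items")
    store.put("crm-2", "bob", b"bob@example.org, Lyon")
    before = store.get("orders-7")
    shredded = store.forget("alice")
    return before, shredded, store.is_recoverable("crm-1"), store.get("crm-2"), store


if __name__ == "__main__":
    before, shredded, alice_ok, bob_data, store = demo()
    print(before, shredded, alice_ok, bob_data, store.erasure_log)
```

The ciphertext for Alice is never touched by `forget`: whatever copies exist in backups, replicas or a contractor's systems become unreadable the moment her key is gone, as long as those copies were encrypted under it. Records that escaped the index (the old tapes Stolfo mentions, or data exported in plaintext) are exactly the gap this design cannot close.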
Forrester says the adoption of security controls such as encryption and tokenization, as well as acquiring controls for network security, sits at the top of the enterprise list of GDPR-related priorities. Ianopollo believes, though, that firms anxious for compliance are burdening technology with the compliance task at the risk of retaining unhelpful internal processes.
"As a result, firms are neglecting requirements that hinge more heavily on processes, such as managing data subject rights and consent management," she said.
And what of the citizen at the heart of GDPR's protections? Should we expect fewer stories in the press about big corporations' failure to protect their customers now that there will be enforceable financial penalties? Will the person on the street see an immediate benefit from tighter vigilance and management of their personal information?
"The average EU citizen has no idea about the new privacy rights they will be entitled to," said Thycotic's Carson. "Only lawyers, governments, security researchers or companies who process or collect a vast amount of personal data, or solution providers have any idea what GDPR is. Most citizens have no clue."
— Simon Marshall, Technology Journalist, special to Security Now
