When will the GDPR pot boil over? It’s sooner (and different) than you think
There’s an old saying that a watched pot never boils. In reality, the sauce in that pot is heating up in a way we can’t quite see yet. After the major compliance ramp by companies in 2018, many of us expected the impact of the GDPR to be instant and to boil over, so to speak. Instead we watch, and hear complaints that one year on from its effective date (25 May 2018), the GDPR is barely bubbling, with mostly minimal fines.
The GDPR sauces have been slowly simmering and are just beginning to boil. Just how hot is it? Let’s take a look at the security and privacy lessons from enforcement actions, small and large, especially for security and privacy professionals and executives.
Security basics have bubbled up
Data security fundamentals have drawn regulator action, including fines, which send a clear message about what is expected for protecting personal data throughout the data supply chain. Issues such as access control, data left open to the public and monitoring all fit into this pot. For example, the UK, German, French and Portuguese Data Protection Authorities (DPAs) have been active in requiring specific changes in security practices and in levying fines.
- A German chat provider left its platform open to the public and was required to add stronger account management, encryption and access controls.
- A Portuguese hospital had over three times as many physician accounts as actual doctors, and every one of those accounts could reach every patient file. As a result, the hospital was required to remove old and duplicate accounts and implement stricter, need-to-know access controls.
- A UK medical practice allowed a trainee to read the patient records of colleagues, friends and family for two years. Ultimately, the practice was required to add role-based access control.
- A prominent target was Uber. The French, UK and Dutch DPAs fined Uber for failing to implement basic security measures, a failure that made the 2016 breach possible (because that breach predates the GDPR, those fines were issued under the national laws in force at the time, but the expectations they set carry straight over). Mandated practices include IP filtering on access to the AWS S3 buckets holding personal data, requiring engineers to connect to GitHub with two-factor authentication, and never storing access credentials in plain text in source code.
The message is obvious: there is no need to wonder whether GDPR enforcement actions and fines involve data security. They do. These actions spell out the minimum security practices expected of organizations large and small, and the heat will be on as enforcement expands to companies both inside and outside the EU.
Special security sauce
Two high-profile actions point to the pot getting ready to boil: British Airways and Marriott International. Let’s start with British Airways (BA), where a Magecart injection script, acting as a digital card skimmer, harvested payment and personal details entered on the airline’s own site and sent them to a fraudulent domain, a known attack pattern. BA is now required to implement regular security reviews, code analysis, and malware detection technology and reviews, and to encrypt sensitive data. BA also had to add additional controls throughout its data collection path, from web forms to payment submission, including third-party scripts and services, and to monitor and respond more actively to the external threat environment.
The Marriott case is notable because of its reach into an American company, and because of the emphasis on M&A due diligence: assessing the target’s security practices, reviewing its code and looking for a breach already in progress. Specifically, Marriott investigated a small breach suffered in 2015 by Starwood Hotels, which it was in the process of acquiring. Security experts and the UK regulator (ICO) said that incident should have prompted Marriott to investigate more deeply, which would have allowed it to find the attackers who lurked in the Starwood reservation system for three more years. According to the ICO, “With all the resources they have, they should have been able to isolate hackers back in 2015.”
The lesson for M&A under the GDPR is now clear: contractual representations that security practices are sound and that no breach has occurred are not sufficient. Acquiring organizations will need to demand proof of security practices and technical monitoring controls, and perform extensive technical due diligence including penetration testing and code review. Target organizations should be prepared to answer those questions with evidence.
The GDPR has given EU DPAs more powers to enforce the rules. In its one-year report published in late July 2019, the EU Commission calls out the intent to expand enforcement activity by pooling DPA efforts across the EU and coordinating with regulators in other countries. The EU sees the GDPR as transformational around the world, lifting all economies as consistent and stronger data protection standards spread across the globe and more countries establish modern data protection rules.
We can expect the GDPR pot to keep bubbling and to take on more international flavors, influencing other countries and regions and bringing equal parts complexity and alignment from Australia to Brazil to California. The practical question for organizations is how to align with the procedural aspects of each regime while keeping their own processes simple.
The GDPR has pushed businesses to adopt data handling practices that encompass end-to-end data governance and to ensure the security of that data both in transit and at rest. Data that is better protected drives confidence and trust across companies and geographies. It instills faith in the integrity of their ‘data supply chain’, making the effective management and beneficial use of data a competitive advantage. This entails inventorying and mapping your data, understanding its uses and where it is vulnerable to attack, which are smart business practices for an organization of any size. Knowing what data you have, why you have it and where it is kept makes securing it considerably more straightforward.
Once we recognize that data is an invaluable and vital element of the expanding digital economy, increased security rigor should be a priority. The intense emphasis on data security in year one of GDPR enforcement gives companies a clear list of where to invest and focus. We all know the GDPR enforcement pot is slowly coming to a boil, but securing data at every stage will keep it from boiling over on you.