Cyber Expert Breaks Down The EU’s Sweeping Answer To InfoSec: GDPR
With the General Data Protection Regulation (GDPR) just weeks away from becoming applicable for multinational organizations, some businesses may be scrambling to become compliant.
To gauge the state of data privacy and this imminent mandate, “Task Force 7 Radio” host George Rettas spoke with Rebecca Wynn, Head of Information Security and Data Protection Officer for Matrix Medical Network. In his May 7 episode of “TF7 Radio,” Rettas also discussed the advisory from Twitter to its user base on vulnerable passwords. He used the latter half of his show to discuss GDPR measures with Wynn.
In the opening segment, Rettas addressed Twitter’s warning. The social media platform reportedly stored passwords internally before “fortifying” them, making them vulnerable to hackers. Rettas cited Fortune Magazine’s reporting of the announcement. He also said passwords were likely stored in clear text and not encrypted. Twitter’s CTO, Parag Agrawal, opined that users should change passwords across mediums if the same login is used for other sites. Twitter also disclosed the flaw in a regulatory filing.
Rettas explained that the defect relates to how companies store passwords through hashing, that is, by converting each password into a random-looking assortment of numbers. That way, Twitter can validate passwords without having to read them. The password was written into an internal log before it was converted to that series of numbers. At that point, it was left vulnerable, although no one appears to have tampered with the data.
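As an added illustration (not code from the show or from Twitter's systems), this Python sketch contrasts the log-then-hash pattern Rettas describes with hashing first and redacting the log, and includes a check a defender can run over log lines. Function names and the signup request are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; tune to your own hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The stored record lets the server
    validate a login later without ever keeping the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def signup_log_then_hash(request):
    """The defect pattern: the raw request is logged before the password
    is hashed, so the clear-text password ends up in the internal log.
    The log is a plain list standing in for a real log sink."""
    log = []
    log.append(f"signup request: {request!r}")
    return hash_password(request["password"]), log


def signup_hash_then_log(request):
    """Hardened: hash first, and log only a redacted copy of the request."""
    log = []
    record = hash_password(request["password"])
    redacted = {k: ("<redacted>" if k == "password" else v)
                for k, v in request.items()}
    log.append(f"signup request: {redacted!r}")
    return record, log


def log_contains_password(log, password):
    """Detection check over captured log lines: does the credential
    appear in clear text anywhere?"""
    return any(password in line for line in log)
```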
“I don’t really get what’s wrong with telling people,” Rettas said, before arguing that Twitter was proactive in its warning. He said Twitter used an “abundance of caution” in advising users to change passwords. He also suggested users utilize the two-factor authentication the platform offers – which sends a text message to validate entry.
The remaining segments of the show found Wynn explaining various aspects of GDPR, the most significant data privacy regulation to go on the books in decades. It’s a mandate that could see companies hit with fines of 20 million euros ($23.6 million) or 4% of annual turnover, whichever is higher.
Wynn stated that GDPR sets a “higher bar for consumer rights.” This strict set of rules goes into effect May 25, 2018. Adding context, she noted that GDPR replaces an EU regulation formed in 1995. “The world has adapted new technologies since then,” she said. GDPR, then, will be consistent across all EU members. The U.K., too, is adhering to GDPR, despite the ongoing exit (“Brexit”) from the political union.
Wynn said she’s heard of instances of companies paying 1 million euros, or even 10 million euros, to become compliant. She said GDPR also covers web data, including location, IP address, cookie data, health and genetic data, biometrics, racial/ethnic data, political opinions and sexual orientation.
The Information Security executive said that “noncompliance can be fatal for most businesses,” especially for those that have not initiated compliance measures yet. What’s more, cloud providers are not immune to the regulation, either.
Asked whether she believes companies will be fined right away for noncompliance, Wynn said that it really “depends on the company.” She said it depends on whether the organization has been working on compliance efforts for years. Wynn agreed that there’s debate over whether high fines will be levied, but she said data regulators “may want to send a clear message.”
The “TF7 Radio” guest also said that the C-Suite must have a good understanding of the data that the company holds and where it resides. She said impact assessments could be beneficial for the organization, as well as thorough risk management and data-flow mapping.
Wynn soon outlined what she calls the “creeper effect,” meaning that when an individual moves within an organization, their old access rights are often not revoked. So, instead of receiving only the rights appropriate to the new department, they carry the old ones along and accumulate more access. She suggested policy analysis to ensure the right users have the right access.
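The policy analysis Wynn suggests can be automated. This added Python example (not from the show) takes a constructed snapshot of role history and currently held access, and flags rights that a user’s current role does not entitle, separating rights that crept along from a former role from rights no role in their history explains. Role names and entitlements are hypothetical.

```python
# Constructed role-to-entitlement policy (hypothetical roles and rights).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "ledger:read"},
    "finance-manager": {"erp:read", "ledger:read", "ledger:approve"},
    "hr-generalist":   {"hris:read", "hris:write"},
}

# Constructed identity snapshot: role history (oldest first) and the
# access each user currently holds in the directory.
USERS = {
    "alice": {"roles": ["finance-analyst", "hr-generalist"],
              "access": {"erp:read", "ledger:read", "hris:read", "hris:write"}},
    "bob":   {"roles": ["finance-manager"],
              "access": {"erp:read", "ledger:read", "ledger:approve"}},
    "carol": {"roles": ["hr-generalist"],
              "access": {"hris:read", "hris:write", "ledger:approve"}},
}


def excess_access(user):
    """Rights the user holds beyond what the current (latest) role entitles."""
    current_role = user["roles"][-1]
    return user["access"] - ROLE_ENTITLEMENTS[current_role]


def classify_excess(user):
    """Split excess rights into 'crept' (granted by a former role and never
    revoked: the creeper effect) and 'unexplained' (no role in the history
    grants them, so they need a separate investigation)."""
    former = set().union(*(ROLE_ENTITLEMENTS[r] for r in user["roles"][:-1]))
    excess = excess_access(user)
    return {"crept": excess & former, "unexplained": excess - former}


def review(users=USERS):
    """Policy-analysis pass: map each over-privileged user to the rights
    that should be revoked or justified."""
    return {name: classify_excess(u) for name, u in users.items()
            if excess_access(u)}
```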
In communicating a breach, Wynn said officials must talk to a local data protection authority (DPA) within 72 hours of identifying or confirming the incident. To guard against a mega-breach, then, the “TF7 Radio” guest said organizations must look at their systems and minimize the volume of personal data used within them.
Transfers, U.K., Bundles & More
GDPR will also impose restrictions on the transfer of data outside of the EU. In that case, organizations must ensure that the level of protection afforded by GDPR is present in these other locales. This ensures the regulation is not undermined. Wynn said that viewing information in real time and guarding against accidental data transfer can help organizations prepare themselves for May 25.
Explaining the U.K. situation, Wynn also said that GDPR will have been in effect for 10 months by the time Brexit occurs. The U.K.’s Data Protection Bill will replace GDPR, and even add one extension (on social media requests to delete posts before someone’s 18th birthday).
Will the tech titans be immune from GDPR? The answer is a resounding “no.” Wynn said that companies like Facebook may become susceptible to GDPR consequences, especially following the data scandal with Cambridge Analytica.
Reviewing “bundled consent,” Wynn said that according to the U.K. supervising authority, the Information Commissioner’s Office (ICO), consent cannot be “bundled,” and must be separate from other terms and conditions. She called it a “great change,” so that consent can be offered before discovering which data is being collected. She called it a more “linear” system of opting out.
The Information Security executive also suggested that individuals check terms and conditions for all websites, and perhaps create a system to review what consent is given. The upcoming mandate will go as far as affecting file storage accounts, too (DropBox, Google Drive). She said the concern there revolves around the circumstances under which files are being stored. Guidance must be provided on use, storage, data purging, etc.
If employees store data on certain platforms without the company knowing, the company is still deemed liable under GDPR. Wynn said she’s an advocate of “blocking them at the firewall and actively monitoring (them) through data loss prevention (DLP) tools.”
“I doubt any organization can be 100% compliant all the time,” Wynn soon stated. Still, she said the best approach for an organization entails complying with the areas of GDPR that are clear. She said you have to be “agile and nimble” and move on these points quite quickly. Frameworks set by NIST and ICO become useful tools in creating a “pathway” to compliance.
“The whole aim of GDPR is to move away from the checkbox approach,” the data privacy expert stated. She warned companies against falling victim to those offering official GDPR certifications, too, for they are not in use yet.
Lastly, while Wynn said GDPR carries the “right to be forgotten,” it is not a given. There are some “only if” grounds set in place, too. There is a three-part test organizations go by to know if there are legitimate interests still in play in the data collection. This, of course, is balanced against individual rights and freedoms.
Remember, the mandate goes into effect in just a few weeks!