The General Data Protection Regulation (GDPR) has been in effect for more than a year now, and it has already yielded significant returns, but there are still key issues that need work. Fortinet’s Jonathan Nguyen-Duy discusses.
Abuse of individuals’ personal data has led to an outcry for stronger data privacy laws. Action toward such laws has tended to apply to one industry at a time – health care, financial services and so on. In the absence of a federal mandate in the U.S., states have created their own privacy regulations, such as the California Consumer Privacy Act. Many such specific regulations can engender a “check the box” approach to data security and privacy, which fails to provide true protection, because it falls short of doing everything possible and settles for “good enough.”
For example, the EU’s 1995 Data Protection Directive (which was replaced by the General Data Protection Regulation, or GDPR) allowed individual member nations to write and pass their own breach notification laws. Not only were these laws sometimes incomplete, but the enforcement and requirements were inconsistent across the EU. Multinational companies were especially challenged, because data gathered in a specific country had to be managed differently than data collected in a neighboring one.
Taking effect last May, GDPR streamlined these various regulations into one comprehensive mandate. The regulation requires organizations to report data breaches to affected individuals and appropriate regulatory authorities within 72 hours of discovery. Even better, it also established a common and broader definition of personal data, including things like IP addresses, biometric data, mobile device identifiers and other types of data that could potentially be used to identify an individual, determine their location or track their activities.
The GDPR Effect
Because the GDPR more explicitly defines what constitutes a breach of personal data, expands the definition of personal data and implements a standardized and consistent notification requirement across the entire EU, organizations responsible for monitoring data privacy have been able to analyze and report on a much larger data set of incidents. This has significantly expanded visibility into what types of breaches are occurring, which, in turn, has provided security professionals and vendors with a clearer understanding of what countermeasures need to be in place to combat the attacks. The expanded GDPR definition has also contributed to a rise in the level of due care as a standard practice by organizations and government agencies, rather than compliance alone. Yet there is still no generally accepted definition of what exactly constitutes a reasonable level of due care.
The GDPR has thus far yielded significant returns while still leaving some key issues for further work. We certainly know more about the incidence of data breaches than ever before. During a panel discussion at the IAPP Data Protection Intensive 2019 conference in London, Stephen Eckersley, the Head of Enforcement at the U.K. Information Commissioner’s Office (ICO), said the U.K. had seen a “massive increase” in reports of data breaches since the GDPR’s implementation. Notably, it was reported that in the U.K. alone, 206,326 total cases had been reported in the first nine months of GDPR. Of these, 94,000 were complaints and 64,000 were data breach notifications. As a result, the ICO staff has nearly doubled, growing from 380 to 700 investigators and support staff.
California Follows Suit
In response to loud demands by individuals and advocacy groups elsewhere for similar protections, new privacy regulations and laws are being put in place that are modeled after the GDPR.
On January 1, 2020, the California Consumer Privacy Act (CCPA) takes effect. Like the GDPR, it enhances the privacy rights and consumer protection for residents of the state of California. All companies that serve California residents and have at least $25 million in annual revenue, or that have the personal data of at least 50,000 people, or that collect more than half of their revenues from the sale of personal data fall under the law. And, like the GDPR, it imposes its requirements on any company doing business in California, regardless of where the business is located. Companies don’t have to be based in California or have a physical presence there to fall under the law. They don’t even have to be based in the United States.
The CCPA potentially has more teeth than the GDPR. Companies have 30 days to comply with the law once regulators notify them of a violation, and the law includes a fine of up to US$7,500 for every record not in compliance after that time. It also takes a broader view of what constitutes private data than the GDPR does – such as IP addresses, geolocation data and shopping, browsing and search histories – placing additional pressure on organizations to locate and secure that private data.
The Benefits of Vagueness
Requirements such as “reasonable security” or “due care” are not well-defined, moving the focus from simple compliance to a more holistic risk management approach. Such vague requirements are included in many regulations because legislation with specific technology requirements can literally become obsolete between the time a bill is proposed and when it becomes law. Indeed, controls, technology and regulations are all perishable. Further, due care and reasonable security for the financial sector or a pharmaceuticals company may be very different than for an e-commerce or social media company. The same is true for an organization with an infrastructure composed of a strictly defined perimeter versus one with a multi-cloud environment versus one that uses an open-edge computing model that provides high-speed applications powered by 5G.
Consequently, requirements offer general guidance only and are vague. But that is actually part of the value of these regulations. If you try to be too prescriptive, security becomes a checklist, which is how things get missed. If a specific area of vulnerability or exploit is not included on the checklist, what you’re NOT looking for tends to become the critical thing you miss, and companies that violate the law by not addressing a security issue can claim they were in compliance.
This vagueness forces organizations to review their processes, technologies and controls to determine what constitutes a reasonable level of due care for their industry, network framework and use case to mitigate risk. And from a legal perspective, the notion of “reasonable security” often gets translated in court into the question of whether the organization met “professional standards of care,” such as NIST 800-53, which are more rigorous than the ordinary “prudent person” standard and have the potential to increase liability. And given the potential severity of the penalty for a breach, organizations are often being counseled to be more cautious.
Another development is the elevation of the cybersecurity discussion to the boardroom. If you’re a CEO or on a board, you are suddenly not only asking, “are we compliant?” but, more importantly, “have we implemented reasonable due care?” and “what have we considered beyond the bare minimum?” This leads to conversations about risk management – protecting the corporate brand, knowing what and where the crown jewels are, implementing an effective incident response plan and communicating a culture of security across the business. Security is not about plug-and-play technology or checklist compliance; rather it is about consistent and rigorous application of technology and processes to identify and mitigate risk – a reasonable level of care.
Toward a Brighter Security Future
It is estimated that about half of companies that fall under the GDPR’s jurisdiction are still in the process of compliance and that the transition will likely go on for another couple of years, but the most important thing is that companies in the EU are now expressing much higher levels of confidence that they will be able to address the GDPR’s data breach notification requirements.
How does that match up, though, against the U.K.’s high numbers of reported breaches? The evidence suggests that such high numbers are showing up because EU companies just didn’t report data breaches pre-GDPR. Not only that, but many companies around the world still fail to observe basic security hygiene, such as patching and updating devices or ensuring consistency for firewall configurations. Now that more comprehensive regulations like the GDPR and CCPA are in play, in time, we will likely see a reduction in breaches as the security focus moves from check-the-box compliance to implementing a reasonable level of care. That’s a benefit companies and consumers alike can all look forward to.