GDPR and disclosing data breaches [Q&A]
With GDPR coming into force in May this year, companies are preparing themselves to comply with the new legislation, in particular putting in place procedures to deal with data breaches.
But some, like Uber -- who have suffered a breach in the past and covered it up -- may well be wondering whether it’s better to disclose these events now rather than risk them leaking out once GDPR is in force.
We spoke to Joseph Carson chief security scientist at privileged access management company Thycotic to find out more about what GDPR might mean for companies that suffer, or have already suffered, a data breach.
BN: Will we see many organizations 'coming clean' about data breaches before the GDPR deadline?
JC: We've see public breach disclosures increasing over recent years. Even so we’re seeing only perhaps 40 percent of actual data breaches. This may be because some breaches haven’t been discovered yet, but many organizations are hiding them. Until now there’s been no regulation forcing them to make disclosures.
GDPR comes with some very harsh penalties for those that fail to make disclosures of breaches of personal data, notify law enforcement and so on. This means that if there are organizations like Uber which paid to keep a breach hidden, they may now be thinking this is a safer time to disclose it. Because while there will be a financial penalty and a reputational penalty, disclosing after GDPR comes into force would mean much higher financial penalties from the European Commission.
Many organizations may now be thinking the same thing. If they know they’ve had a breach and covered it up or paid a ransom, they will be thinking about whether it’s better to disclose it now and face the consumers, or after May. There’s a risk that after May the cyber criminals could come back and ask for more money. We’re likely to see more organizations taking the risk and disclosing breaches before May rather than continuing to try to cover them up and face a potential business disaster.
BN: Is there a risk that even if companies have paid cyber criminals they can't guarantee the information won’t be used in 'credential stuffing' attacks for example?
JC: If there has been a credential breach you will of course take the precaution of changing the credentials, but you're still facing the challenge of that data popping up on the Dark Web. Even if they're no longer valid you're still going to be facing the exposure.
There's also the risk that credentials have been used elsewhere, so unless some kind of single sign on system is in use you’re dependent on the employee maintaining credentials and will have many duplicate passwords being reused. If there's an external breach at, says, a public cloud service it's very likely that any employees using that have a password similar to their corporate credentials, so you should realistically change your internal credentials too.
BN: Is there a need for more education, and at what level?
JC: Where companies are concerned, people don’t always realize that a breach at a third party may overlap with their business. They don't see the 'dotted line' connections. They should be looking at how external events can impact on their in-house systems security.
A change in attitude has to start from the top down. GDPR will change the mindset of leadership in companies because of the financial risks involved. When it comes to the average EU citizen they may have heard of GDPR but they don’t know how it applies to them. In the short term we’re going to see much more from organizations in terms of compliance before we see citizens taking action around targeting things like the right to be forgotten.
BN: Will we need to see an organization receive a big fine before some people start to take notice?
JC: Yes, absolutely. Lot's of people are saying, 'Let's wait and see what happens when organizations get hit. But let's hope it's not us first.' It’s going to be very interesting to see what happens. The first organizations that do get affected are likely to be made examples of, so you wouldn't want to be one of the first.
BN: The Information Commissioner's Office in the UK has said it will be sympathetic if companies can show they have taken the right measures even though they haven't complied fully. Will there be a honeymoon period?
JC: Three things will be applied in deciding how harsh any penalties are. One is did they have consent to process and collect the data in the first place. The second is do they have adequate security protection and policies in place. The third is what they do in a post-breach scenario, how dis they respond? Did the contact law enforcement and the authorities within the 72 hour window? Did they notify the data subjects involved without undue delay?
BN: What would you advise companies to do to protect themselves before GDPR arrives?
JC: I have been one of the draft reviewers of GDPR for the past 10 years. What's been interesting is looking at it from an implementation perspective, how to comply with it. The best piece of advise is 'don’t assume'. Too many organizations assume it doesn’t apply to them, but they may be collecting data indirectly, through third parties for example. Businesses really need to take a hard look at the data they are collecting.
It's also important to understand this is not about borders. It doesn’t matter whether you have a presence in Europe. It's about are you collecting data that contains PII related to EU citizens and do you have consent to collect it, plus are you updating and maintaining that consent?
I also recommend data classification to determine how sensitive information is. Collecting things like health and financial data mean you must have a data protection officer. Finally it’s important to take a least privilege approach to ensure people only have access to the information they need.