CyberWire Daily - GDPR: Privacy from Across the Pond [Special Edition]
Episode Date: October 9, 2017

Following major breach revelations from Equifax, Yahoo!, Deloitte and the US Securities and Exchange Commission, there have been many calls in the US for increased legislation and regulation that would force better privacy and identity management practices. In this CyberWire special edition, we'll ask some cyber security experts about GDPR, what it means for privacy and data use, the right to be forgotten, the penalties for noncompliance, and what it means for organizations outside the EU. Joining us are Steve Durbin, Managing Director of the Information Security Forum, a not-for-profit organization providing its members with guidance on cyber, information security and risk management, Brett Hansen, Vice President of data security solutions at Dell, one of the largest suppliers of computer hardware, software and services in the world, and Darron Gibbard, CTSO at Qualys, a global provider of cloud-based security and compliance solutions.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Following major breach revelations from Equifax, Yahoo, Deloitte, and the U.S. Securities and Exchange Commission,
there have been many calls in the U.S. for increased legislation and regulation that would force better privacy and identity management practices.
Kind of like they're getting in Europe next year thanks to GDPR, the General Data Protection Regulations set for implementation May 25, 2018.
In this Cyber Wire special edition, we'll ask some cybersecurity experts about GDPR,
what it means for privacy and data use, the right to be forgotten, the penalties for noncompliance,
and what it means for organizations outside the EU.
Joining us are Steve Durbin, Managing Director of the Information Security Forum, a not-for-profit
organization providing its members with guidance on cyber, information security, and risk management.
Brett Hansen, Vice President of Data Security Solutions at Dell, one of the largest suppliers
of computer hardware, software, and services in the world.
And Darron Gibbard, CTSO at Qualys, a global provider of cloud-based security and compliance solutions.
Stay with us.
I think that if we go right the way back, the European Union for some while has been concerned about the volume of data that's being produced as relates to individuals.
That's Steve Durbin, Managing Director of the Information Security Forum.
And what the GDPR really has at its heart is an attempt to protect the rights of the individual. So it's a very citizen-centric,
individual-centric piece of regulation, which is quite different from what we see perhaps in other
parts of the world. But what the GDPR does is it says, as an EU citizen, you have the right to your
information. So you have a right to understand how it is being used,
how it is being protected, stored at each and every stage of the life cycle.
And what the working party has done around GDPR is trying to come up with an approach
that protects that information, sets some very clear guidelines for anybody who is dealing with
or handling European citizen data, and also
to give powers to the supervisory authorities that allow them to investigate and really provide
some form of tangible sanction where appropriate on organizations that, for whatever reason,
have not applied the appropriate level of GDPR protection to the personal information
that they've been holding. If you're looking at the laws in place and what GDPR represents,
this is a benchmark move by the EU to say that organizations are going to be held accountable
if they are collecting, if they are storing, if they are processing citizen information.
That's Brett Hansen, Vice President of Data Security Solutions at Dell. You now have to be accountable and you're going to have to be
able to document and prove that the data is being safely managed and stored. The EU is clearly
drawing a line and making a bold statement saying, you know, this is important.
And again, if you're operating within our borders, you're going to adhere to these rules or you're going to be facing some serious penalties.
What we have in the GDPR is consistency across all of the member states.
So there is only one GDPR. There is only one way of interpreting that within reason.
And of course, in the United States, there are very many different ways of viewing some of the
legislation that's being brought out because some of it is both at the state level and,
of course, federal. And so how will this affect companies in the United States?
I firmly believe that it will affect them just as much as what it affects the organizations
within the EU itself. That's Darron Gibbard. He's the chief technical security officer and
managing director at Qualys. It's ensuring that EU citizen data is protected wherever it goes
across the globe. PwC did a very good article last October in the US where they interviewed over 2,500 organizations within
the US. And the average spend per organization was a million dollars on preparing for GDPR and
making sure that their organizations were ready. And that's across obviously multiple sectors,
multiple size organizations. So if the US is leading by example, then obviously Australia are working well towards it. I was down in South Africa
basically three weeks ago. They're preparing for it. If I'm totally honest, I probably think
everybody outside of the EU is better prepared for the GDPR than what they are within the EU.
Why do you say that?
Just because of the understanding of the budgets that are being spent and the preparation that's being put into making sure that the citizens' data is separated and is understood and is known and where that data is going and where and how it's being used within the organizations that are processing it.
The bottom line is that if a company in the United States is handling European citizen data, then the GDPR will apply. So if a U.S. corporation has perhaps
an office in the European Union and is dealing with citizens' data, then it will apply.
Even if it doesn't have an office in Europe, but it's handling data that relates to an EU citizen,
the GDPR covers that eventuality as well. So what we're actually looking at with the GDPR,
even though it's a piece of European legislation, is legislation that actually impacts organizations
all around the world if they happen to be either active in the European Union
or using information that relates to a European citizen.
Companies in the U.S. first and foremost need to understand, are they covered by GDPR?
And many of them will be. Most companies of any size have operations in Europe, and they are
likely to be collecting EU citizens' data in some form. And for those reasons, they are required to
be compliant with GDPR or face the same penalties that the EU would enforce on companies and organizations who are directly in
Europe. So even though you might be in Texas, like I am, if you have operations, if you have
activities in the EU, you need to be aware and you need to be adhering to GDPR principles or
face potentially stiff penalties. If you are dealing with European citizen data,
then be under no illusion. The European Union will come after you and they will catch you.
They have sufficient relationships with the authorities in the United States to be able to
do this. The key thing is, you know, any organization needs to understand if they're dealing with European citizen data, then the GDPR covers that eventuality.
And believe you me, supervisory authorities do have the reach and the clout to come after you.
Obviously, it's all going to, you know,
hunt you down wherever you are, Baltimore, Maryland, and elicit fines? No, I think that's
less likely to happen. However, if you have major operations, let's say you have a sales office in
Madrid, Spain, or you are operating a fairly extensive website with, you know, translations in German
and French and Spanish and operations, and you're selling through there, the answer to your question
is yes, they can actually enforce if you are not adhering to GDPR. With all cybersecurity,
and GDPR is an extension of cybersecurity, it's a regulation, it's all about mitigation of risk.
And so, you know,
if I'm an American company, my first step is to assess my risk. If I'm doing, you know,
$20 million of business in Europe, and it represents 40% of my overall bookings for the
year, then I'm going to need to take this very seriously. And I'm going to need to understand
what the regulations entail. I'm going to need to take the necessary steps to
ensure I meet GDPR standards. I'm curious about one of the things that GDPR covers is this notion
of consent, that consent must be explicit. I think most of us are familiar with EULA,
end user license agreements that are pages and pages long. Are we going to see the end of that?
Are we going to see simpler opt-in options for collecting data?
Well, certainly that's the hope and the intent, I think, behind the GDPR.
It is to try to prevent those kinds of things, those kind of users, as you mentioned,
in simple, easy-to-understand language for individuals.
Perhaps more importantly, organizations need to be able to demonstrate
that they have the consent of an individual to using their data
as it relates to a particular project or perhaps campaign.
Now, I'm a marketing guy by training,
and for me, this presents a whole range of different issues
because from a marketing standpoint, of course, we're used to having people either required to opt out of some of the
campaigns that we run or opt in to multiple campaigns. You won't be able to do that anymore
under the GDPR. You have to have an opt-in for each and every single campaign that is being
run. And that, if nothing else, presents some significant challenges to the
marketing side of the business. There is an actual specific language called out that you have to say
these eight words and it has to be at this size of font, but they are encouraging sort of, you know,
you do to make sure that your folks who your fucking data is, they are aware. And that would
naturally lend itself to not burying it in a 15-page EULA on item 14-6.7.
What about the right to erasure?
The right to be forgotten, as it's often referred to.
I think this was one of the key elements that people really talked about when GDPR was first being mooted.
This really is, I think, relies on the core tenet of GDPR.
This is about the right of the individual.
So as an individual, I have the right to go to an organization and ask them to remove my information from their databases.
They have no obligation to keep that data once I've made that request unless it is either core to their business, so their
business will essentially fall apart if they don't have that information, or it's someone
like, for instance, the IRS, or in the case of Europeans, you know, HMRC, or the tax office
in the individual member state.
So the individual really does have control.
So I could, for instance, determine that I no
longer wish my telecoms carriers to be sending me a whole pile of information because maybe I've
moved carriers and I can ask for that information then to be removed from all of their systems
and databases. And they would have to do that and demonstrate that that indeed was the case.
It also allows the individual, of course,
to have what we term portability of information.
So again, in the case where I'm switching from perhaps one supplier to another,
I can request the information
that my current supplier holds be sent to me
so that I could take it to a new supplier
and say, look, this is my track records
and so perhaps use that as some bargaining chip
in terms of getting the right level of arrangement with the new supplier.
So, right to be forgotten, very important, and portability of personal data as well.
So again, GDPR really views the individual citizen as owning their data,
and that's one of the key differences, as we've said, between what happens in the European Union
and perhaps other countries like the United States.
And how about enforcement?
What's going to be in place in terms of penalties and even having the funding to have people
who can execute the enforcement?
Yeah, the role of the supervisory authority has really been beefed up under the GDPR.
They have investigative powers, they have corrective
powers, as rather nicely referred to. A corrective power allows for a supervisory authority to impose
fines that can be up to about 20 million euros. So today's exchange rate, that's probably about
20 million dollars, or indeed up to 4% of worldwide annual turnover for a serious non-compliance with the GDPR.
There are very many things that the supervisory authority can do up to that point.
So they have the power, for instance, to close down your processing of personal data
if they believe that you haven't fallen in line with some of the guidelines of GDPR.
That, for some organizations, could have a much bigger impact
than merely paying a fine. But, you know, the reality of this is that nobody really knows
how these authorities are going to behave and react until the regulation comes in, which is
25th of May 2018. And I think the other thing I'd say is that nobody really wants to be
the first past the post in terms of having the conversations with the supervisory authority because something has gone wrong.
Is there a sense that companies are preparing properly or are they going to be ready?
If you'd have asked me a year ago, I'd have said no.
If you asked me recently when I engage with CISOs and I talk to CISOs and CIOs in various organizations, yes, they will be.
I think there has been a lot of focus in the last 12 months,
basically, within the regulatory bodies,
within the vendor space that has been helping organisations prepare for it.
I think 90%, 95% of organisations will be ready to go by the May 25th,
2018. I don't believe that everybody is. I think that quite a number of organisations have been
taken aback by the volume of work that is required in order to fully understand where personal data
is. You just think about the amount of information that is
created on an ongoing basis. You have to go through a discovery process within your enterprise to
understand how much personal data you've actually been accumulating and where it's stored and how
it's been shared perhaps with third parties. Then when you've done that, you've got to determine
whether or not you're compliant with some of the guidelines from the GDPR. And so you have to
perform a gap analysis.
Now, a lot of organizations have engaged legal firms to help them in this particular space.
That gives you the perspective on where you actually stand.
Then you have to go about implementing the processes and the controls
that ensure that you aren't just compliant on day one, but this is an ongoing
process. So for me, GDPR is very much more than pure compliance. I think in a lot of organizations,
it does require a change program. It is about raising awareness at the individual level,
because of course, this isn't the kind of thing that we can do just once a year,
put the tick in the box and then move on. It's an ongoing process. And it really will impact the way in
which we behave, I think, as organizations, and more importantly, how individuals within our
enterprises handle personal information and personal data. If you peel away all the regulations
GDPR really comes down to knowing your data.
And most companies don't. Most companies couldn't tell you what they're collecting,
where it's stored, how they're using it, who they're using it. And so the starting point is,
is having someone who is able to look across the breadth of operations, look across marketing,
look across sales, look across HR, all the
different elements that are collecting information. To know what you're collecting, that's a very
fundamental point. Are you collecting PII? Are you collecting address, phone number, social security,
credit card information? What are you collecting? Where is it being stored? Are you storing it on premise? Are you storing it
in a cloud? Where's that cloud? Are you storing it on personal devices, PCs, smartphones, tablets?
How are you using it? Is it just being collected and stored and there's no other activity? Are you
using it for mining information? Are you selling it to someone else? That has
implications. And then, you know, really another one that's often overlooked is who is using it
and then who should be using it. So having someone who's able to answer those questions
is a logical starting point for GDPR. Whether that's a dedicated individual because you have
the scope of operations that you need to have that, whether it's someone's part-time job, again, you have to look at that in your company and evaluate your risk and risk mitigation. actions, to define a policy around those questions, and then ultimately to start to work backwards
and say, okay, if these are the activities we're doing with data, this is what we're
collecting, this is where it's being stored, this is what we're using it for, these are
who are the people using it for, how do we start to reduce our risk?
How do we consolidate the storage of that data?
How do we ensure it's being protected no matter where it's going?
How do we ensure that only the right people have access? And we're reducing the number of people of access,
thus further reducing our risk. Do you suspect that this will become the global standard?
I think we're starting to see that already, yes. I mean, certainly a large number of countries
outside of the European Union have been viewing this and saying, okay,
if we have to comply with this, then we might as well at least set our own bar at the same level,
if not higher. So I think when I look at other countries, perhaps out in the Far East and
across other parts of the world, we're starting to see them falling in line with this and using it,
if not in its entirety, then certainly as a template for handling personal data.
Clearly, I would be someone who would be advocating for increased diligence and regulation on the U.S. side, just because I think there is an opportunity for us to be more proactive and encouraging organizations to be better stewards of data. Is GDPR the right
set of regulations? Does it really address the key areas that we need to be thinking about?
I think there's a lot of things that we can learn from it once it gets launched.
What GDPR is encouraging companies to do is the right thing. Again, being good stewards over your
employees and your customer data, that's a good thing to do. It was interesting. We did a
survey of line of business professionals. It was about four or five
months ago, so it's still fairly fresh. And we asked them
around data security hygiene. And it was great. He said, okay, do you feel
accountable for keeping your company's data safe? Oh, absolutely. Like 70% said, yes,
I feel accountable. Okay, I feel pretty good about that. Like I said, 95 or 80 or a hundred percent, but 70%. Okay, good. A lot of business
feels they're accountable for keeping their data safe. Well, what are some of your practices? How
do you, how do you keep it safe? Well, do you send it to outside the organization? 70% said yes. Do
you use a public data sharing site to present information? 50% said yes. Do you use your work device for personal
email and or social networking? Over half said yes, right? So what came out of that survey
was with employees a very clear line around, yeah, I think that I should be protecting my
company's data unless it starts to impede me from doing the job that I want to do in the way I want to do it.
Right.
And it all comes down to sort of, you know, I get paid on getting my job done, whatever it is, as quickly as possible.
I don't get paid on good data security hygiene.
Heck, I'm a cybersecurity professional.
I don't get paid on that.
When I talk to my boss, we talk about revenue.
We talk about delivering new products, innovation.
He's never said, are you keeping good data hygiene over your customer's information? No,
never come up in any of my reviews. But I think that we need to start thinking about that as
something that isn't really important. Because if we don't, we're going to keep seeing employees
choose convenience over good data security and hygiene. You know, that's still an ongoing
challenge, I think, for most every large company in the world,
which is how do I make sure that all of my employees are motivated
and feel responsible and accountable and educated around data security?
It's interesting that the fines and the penalties are all civil offenses,
that there are no criminal offenses for a massive data breach.
No, that's right. And it's interesting to ponder, I suppose, as to whether or not that is going to
change. I think that one of the impacts of GDPR coming in next year is that certainly we're going
to see an increase in the amount of breaches that are reported because there is a reporting
requirement. You have to report to the supervisory authority within 72 hours of a breach that impacts personal data, for instance.
And you also have to inform affected individuals without undue delay where there is a high risk to those particular individuals.
So I do expect that we're going to see an increase certainly in volume,
whether or not that is an artificial increase,
and so we haven't actually been seeing some of these things,
but they've been happening, who knows.
But certainly I think that as the volume will increase,
again, there will be a temptation to say,
well, hang on, should we be actually reviewing this again
now in the light of organizations
perhaps taking their responsibilities
not quite as seriously as they might?
And what is the role of the C-suite in all of this?
So I think we're in for some pretty interesting times
in terms of the way that the GDPR is implemented,
the way in which supervisory authorities use it,
and indeed what happens
after that. Because certainly we have been seeing of late some very large-scale breaches that
clearly have been affecting personal information. I'm thinking particularly of things like Equifax
recently, of course. I would expect over a period of time that perhaps things will change in this
place. Let's talk about Equifax. The breach occurred
in May. We don't get notification until July. The amount of data being collected and how that data
was being protected, it appears to be an afterthought in many ways. So that's a global
company with huge amount of operations and resources, and they were not doing a sufficient job of protecting data,
clearly. So I think GDPR is a good step to focus organizations on good data hygiene.
Honestly, if you look through what GDPR is asking companies to do, it's the right thing to do,
regardless of compliance or not. Protecting your customers,
your employees' information is important, whether it's because there's going to be a fine levied by
a government agency or whether you will be potentially sued by customers whose data is lost,
whether your brand will be degraded and compromised if your information is lost. There's a value to protecting data.
I think GDPR, while a significant regulation, encourages companies to take the right steps to practice far better data hygiene than we've seen over the last few years.
I'm hoping it will be a very quiet event and basically a bit like Y2K.
And basically it will become a non-event and just be everything will carry on as per normal.
So from my perspective, I think it will be business as usual.
So organizations that are already under regulatory regime will be prepared, will be ready and will be basically be ready to go.
Organisations that are not so used to the regulatory regime will have a lot more work to do to get themselves used to the language of the regulation and to understand what the impacts would be to their respective organisations.
I think step one is, you know, determine whether or not it's applicable to you. Do you handle
data? If you don't in this particular space, then you can breathe a sigh of relief.
So assess applicability. Do we process personal data about EU residents? That's the first question.
If the answer is yes, then you have to look at the controls. Do you require a data protection officer?
Do you have a risk assessment process that looks at data protection impact, for instance?
Can you demonstrate that?
Do you really understand where and how you transfer data?
And that includes your third parties.
Then I think you need to look at the legal basis within your enterprise as well
to make sure that you're covered from that standpoint.
And just review as well some of your breach reporting requirements.
So some fairly basic things I think that organizations in the U.S. could be doing to really get in line with the regulations.
This can't be an IT or a compliance officer exercise in a vacuum.
This has to be a company business conversation.
I have run across way too many companies where I meet with a CSO or I meet with our compliance officer and they have these great plans.
I said, great, go forward.
And I get a call from them six months later and they say, holy cow, we were going west and my CEO took us east and our cybersecurity plans are off the rails.
In a lot of cases with things like privacy by design and privacy impact assessments, security teams have been left out of the project management of future development strategy conversations within respective organizations.
And I think this is an opportunity for the security industry to mature and to grow up and to finally have that C-level, C-suite presence.
Because what the cyber, the security teams, the CISOs, the CIOs are going to be protecting the organizations and
protecting the CEO from breach from massive regulatory fines. So I think, you know, I've
been in this industry for 25 years now. I think it's now finally with the incoming GDPR,
the regulation, I think it's going to actually improve and I think it's going to
make the CISOs role a lot more important within organizations.
And so there has to be a meaningful conversation between those folks who are tasked to do this
and the line of business teams who are actually going to be the ones who are going to be collecting
the data, utilizing the data, storing the data.
You've got to find that balance between the different groups.
So having that meaningful conversation is absolutely essential.
But it all starts with the first question, which is know your data.
Our thanks to Brett Hansen, Steve Durbin, and Darron Gibbard for sharing their views on the GDPR.
And thank you for listening.
Don't forget to check out our website, thecyberwire.com,
where you can sign up for our daily news brief,
read interviews, event reports, and more.
The Cyber Wire podcast is produced by Pratt Street Media.
Our editor is John Petrick.
Social media editor is Jennifer Iben.
Technical editor is Chris Russell.
Executive editor is Peter Kilpie.
And I'm Dave Bittner. Thanks for listening.