The Facebook fine announced today for the Cambridge Analytica breach, £500,000, was the maximum available under the UK's Data Protection Act 1998; under GDPR, which allows penalties of up to €20 million or 4% of global annual turnover, whichever is higher, it would have been significantly larger. While the flurry of activity around the May 25 GDPR deadline may have subsided, the confusion regarding privacy, consent and what constitutes actual GDPR compliance is only building.
Pravin Kothari, Founder and CEO of cloud security provider CipherCloud, offers insights and advice regarding consent and other GDPR issues.
Pravin Kothari, Founder and CEO at CipherCloud:
Lack of compliance readiness:
“With compliance regulations in the U.S. such as HIPAA, most companies were active well ahead of the deadline to ensure compliance. With GDPR, most companies are still struggling to understand how it affects them. At best, businesses focused on the compliance deadline of May 25 as a point of departure to begin the conversation. For a large multinational this is a dangerous and risky state of affairs. You may get called out on compliance failure. The EU is putting together plans, member by member, to proactively audit in support of GDPR compliance. Ending up on the wrong side of such an audit could constitute a business disaster given the large fines. Large multinationals will be in the bulls-eye before anyone else.”
Misleading approval for collection of personal data:
“The first issue that requires immediate action is the explicit approval for the collection of personal data. This notification is necessary for the websites of companies that collect data on European Union residents. This requires explicit approval or you cannot collect the data. Most companies have instead structured a privacy notice exclusion where you can click yes, or in some cases not click anything at all, and still proceed to use the website and have your data collected. This is ingredient number one of a recipe for compliance failure.”
The role of encryption:
“Encryption is a nice fail-safe to successfully completing the GDPR compliance journey. The breach of encrypted data does not require notification under GDPR as this data is useless to the attacker. In order to gain this safe harbor it is essential that you maintain tight control and do not share the data encryption keys, keep the data encryption keys stored in a separate location from the data, and that you encrypt the data end-to-end, not just when the data is sitting in the back-end database. Based upon anecdotal evidence, we believe that over 75% to as many as 85% of the cloud data in large multinationals which would appear to require compliance under GDPR is not properly encrypted, managed, or compliant.”
Tips for good security hygiene:
“Once you have decided to move decisively to support the GDPR compliance journey, there are other important steps to help you maintain good security hygiene. We recommend you review the number and access levels of privileged users such as administrators. Limit and restrict these privileges to the smallest possible number. All users should be observed using technologies such as user experience behavior analysis (UEBA) to understand if the behavior of a user fits expected behavior, as opposed to that of an attacker. This can identify and stop an attack quickly. UEBA monitors all user activity, time of day, attempts to bulk-download files and more. Access control monitoring should also look at the time of day, IP address and geo-location of the user, and the device (official company-issued device, user-provided device, mobile device, or something else) to ascertain whether a potential user is legitimate. Digital rights management is another important technology to secure data, both online and offline, and can reduce risk substantially in the event of an active breach. In the event that downloaded data needs to be protected from misuse, administrators have the ability to retract access to the data, even if it was downloaded and copied to another device, stolen or even lost. Finally, logging and tracking must be comprehensive in order to support any GDPR-related activities or audit.”
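The monitoring described in the quote above (time of day, source network and country, device type, bulk downloads, extra weight on privileged accounts) reduces to a few rules over an access log. The following is an added example written for this page, not code from CipherCloud or the contributor. The log entries, per-user baselines, corporate network range and thresholds are all constructed for illustration; in practice the baselines would be learned from each user's history and the thresholds tuned to the environment.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# --- Constructed inputs (not real data) --------------------------------------
# Corporate address space and tolerances: assumptions for this example.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BULK_WINDOW = timedelta(minutes=10)   # sliding window for bulk-download detection
BULK_COUNT = 20                       # downloads within the window that trip the rule
BULK_REASON = "bulk download (>=20 files in 10 min)"

# Per-user baselines, which a UEBA product would derive from history.
BASELINES = {
    "alice": {"countries": {"DE"}, "hours": range(7, 20)},
    "admin": {"countries": {"DE", "NL"}, "hours": range(7, 20)},
}

# Sample access log: a normal session for "alice", then a privileged "admin"
# account logging in at 03:00 UTC from an unfamiliar country on an unmanaged
# device outside the corporate network and pulling 25 files in five minutes.
SAMPLE_LOG = [
    {"user": "alice", "role": "user", "ts": "2018-07-11T09:15:00Z", "ip": "10.0.4.12",
     "country": "DE", "device": "managed", "action": "login"},
    {"user": "alice", "role": "user", "ts": "2018-07-11T09:20:00Z", "ip": "10.0.4.12",
     "country": "DE", "device": "managed", "action": "download"},
    {"user": "admin", "role": "admin", "ts": "2018-07-12T03:02:00Z", "ip": "203.0.113.7",
     "country": "BR", "device": "unmanaged", "action": "login"},
] + [
    {"user": "admin", "role": "admin",
     "ts": f"2018-07-12T03:{3 + i // 5:02d}:{(i % 5) * 12:02d}Z",
     "ip": "203.0.113.7", "country": "BR", "device": "unmanaged", "action": "download"}
    for i in range(25)
]


def parse_ts(s):
    """Parse the log's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_corp_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def score_events(events, baselines):
    """Run the access-control and UEBA-style rules over a log.

    Returns one finding per user that tripped at least one rule:
    {"severity", "first_seen", "reasons"}. Privileged (admin) accounts are
    rated high because the quote singles them out as the first thing to limit.
    """
    findings = {}
    recent_downloads = defaultdict(deque)  # user -> timestamps inside BULK_WINDOW
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        base = baselines.get(ev["user"], {"countries": set(), "hours": range(24)})
        reasons = []
        if ts.hour not in base["hours"]:
            reasons.append("off-hours access")
        if ev["country"] not in base["countries"]:
            reasons.append(f"unfamiliar country {ev['country']}")
        if not in_corp_net(ev["ip"]):
            reasons.append("source outside corporate network")
        if ev["device"] != "managed":
            reasons.append("unmanaged device")
        if ev["action"] == "download":
            window = recent_downloads[ev["user"]]
            window.append(ts)
            while window and ts - window[0] > BULK_WINDOW:
                window.popleft()
            if len(window) >= BULK_COUNT:
                reasons.append(BULK_REASON)
        if reasons:
            finding = findings.setdefault(ev["user"], {
                "severity": "high" if ev["role"] == "admin" else "medium",
                "first_seen": ev["ts"],
                "reasons": set(),
            })
            finding["reasons"].update(reasons)
    return findings


if __name__ == "__main__":
    for user, f in score_events(SAMPLE_LOG, BASELINES).items():
        print(user, f["severity"], f["first_seen"], sorted(f["reasons"]))
```

Each rule on its own is noisy (travel, late work, a personal phone), which is why the findings are aggregated per user rather than emitted per event: one account matching several rules at once, and a privileged one at that, is the signal worth paging on.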
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.