Technologically speaking, the world was very different when the current Data Protection laws were written. Combine this with the sharp rise in cyber-crime and the Snowden revelations about the extent of
government surveillance, both made during this time, it should not come as a surprise that data protection has suddenly become such a hot topic both within the information security industry and of course with the general public.
It is estimated by the European Commission that in 1995 when directive EC/49/65 (the current data protection laws) came into power to protect data and the passing of information through companies, only one percent of Europeans were connected to the internet. Fast forward to the year 2000, when Safe Harbour came into power and regulated the transatlantic flow of information between the EU and America, it is estimated by Pingdom.com that worldwide there were still only 320 million people using the internet.
Since so much of our information is now online, cyber-crime has seen such a sharp rise that many in the security industries would argue that being breach- or hack-proof is impossible. Companies are advised that a breach is inevitable and that no one is safe. But this mindset is not a coincidence.
Growth in breaches
PWC's Global State of Information Security Survey 2016 clearly highlighted this issue by saying that, “Year after year, cyber-attacks continue to escalate in severity and impact. Prevention and detection methods have proved largely ineffective against adept assaults, and many organisations do not know what to do, or lack the resources to combat today's skilled and persistent cyber-criminals.”
Speaking on the changing threat landscape now faced by many and how much it has evolved in the past 10 years, Mikko Hypponen, F-Secure's CRO told the Slush conference 2015 in Finland that:
“We are now regularly witnessing huge data sets stolen and leaked online from huge multi-billion corporations like eBay, Sony and Ashley Madison; cyber-criminals are no longer motivated [just] by money, but rather by morals and ideals, wanting to destroy company data. Owing to this, companies, both public and private, and the public themselves have started to understand the implications that could follow if they don't take the appropriate measures to protect their data.”
Both in the cases of Max Schrems fighting Facebook and the ruling that Safe Harbour is invalid, and Spaniard Mario Costeja Gonzalez fighting Google for the ‘right to be forgotten', we witnessed two Silicon Valley giants being taken to court and losing, as the plaintiffs demonstrated that their data rights were being infringed.
This is where the GDPR (the General Data Protection Regulations proposed by the European Commission) comes in – expected to be approved early 2016 and likely coming into power by 2018. Gregg Iddon, security evangelist at Sophos, notes that the new laws as announced are designed to create a single pan-European rulebook that should modernise current data protection laws and make it easier for the European Commission to act as a one-stop shop supervisory authority, in order to avoid confusion over who can legislate on the topic.
A lot of the GDPR focuses around getting rid of ambiguous terms and conditions. It will no longer allow for a simple ‘tick this box to allow for X'; companies will have to explain exactly what is going to happen with the data, where it's going, how it's stored and who will have access to it. Employment contracts, vendor contracts, financial records etc are all classified as personal data and should not be seen by anyone unless it is relevant to them, the new GDPR rules explain. Just because IT personnel have access to IT systems, which store these files, it does not mean they should be allowed to view them.
One of the most controversial parts of the GDPR promises huge fines for companies that don't store data in an adequate and secure manner. Currently under discussion and potentially standing at a maximum of €20 million or four percent of worldwide revenue (likely up to two percent, but it could even be up to five percent), the fine for not adequately protecting customer data has brought to light not only the need for a central governing body that can enforce the rule, but also the fact that companies need to build an adequate environment for their data that can provide real-time assurance that it is safe.
For example, if a company encrypts its data, it will need to be able to show when it encrypted it, who has the keys, and if stolen, that it was still encrypted when it left its supervision. The supervisory body (EC) will ask to see who had access to the data, from when and until it is encrypted as well. Companies will have to prove they took every step needed to protect company data.
The EC must be notified of a breach, and companies then have to communicate that there has been a breach to the subject it affects. It's not all bad news for compliance officers though; if a company suffers a breach but its data is encrypted the fine will be reduced and the company won't need to notify customers of the breach.
Among issues raised are, how soon after discovery must the breach be reported, is it deemed worse if discovery was late, and what about disclosure during sensitive periods such as during takeover negotiations?
Companies are being encouraged to have a rock solid data protection policy and must consider how data flows into and out of their organisation. If they are using external data processors, they are encouraged to find companies that have stringent data protection policies and will work hard to keep the data safe.
Dr Elizabeth Maxwell, EMEA technical director at Compuware said: “A fifth of firms do not mask or protect customer data before sharing it with outsourcers, with the vast majority of them relying on non-disclosure agreements that, in essence, do not satisfy even current data privacy regulation. It is therefore extremely important for all businesses to start looking at their testing practices. If any real personal data is used for testing, it's high time to start protecting it with a test data privacy project to ensure compliance with the existing and also new EU regulations.”
The same goes for Internet of Things devices connected to the company network, and company data being used on private machines−both need rock solid company policies.
The GDPR will turn the ‘right to be forgotten' and ‘right to erasure'−the issue that was first brought to light in ruling C-131/12−into actual laws, as the GDPR wants to put people in control of their data. If a company is collecting data on them, companies must explain how long they plan to retain it and how it's encrypted.According to Gregg Iddon at Sophos, the EC is even considering developing a stop-light system to tell users whether or not a certain website is a trustworthy place where they can enter personal details.