Mandatory breach notification is a highly misunderstood portion of the GDPR. Here we dispel some common myths.
Cybersecurity // 11.11.2016
This is the first in a four-part series of posts about the EU’s General Data Protection Regulation and how it will force European businesses to develop their incident detection and handling processes.
If you run your business in Europe, you still have some time before the EU’s General Data Protection Regulation starts to apply on 25 May 2018 (the regulation itself entered into force in May 2016; what remains is the two-year transition period). I hope your preparations for the new requirements are already well underway!
One feature of the GDPR that needs to be specifically highlighted is the mandatory breach notification. It may be the most misunderstood portion of the new regulation. Having spent fifteen years working in a regulated sector that was covered by a breach notification scheme, I’d like to dispel some myths about the regulation.
One of the aims of breach notification laws such as the GDPR is to push companies to step up their ability to detect breaches and to mitigate the negative impacts effectively. The foremost thought in the lawmaker’s mind is not to punish companies that have themselves been victims of a crime, but to make them better equipped to deal with the very likely eventuality that there will be a breach some day.
Remember how it was in school? The exams were not there to make you look bad but rather to push you to study. The lawmaker’s intention with GDPR is to help you respond better in the event of breach. Provided, of course, that you have done your homework.
The GDPR introduces a requirement to notify the supervisory authority about personal data breaches (Article 33) and, where a breach is likely to result in a high risk to individuals, to notify the affected customers and users as well (Article 34). But you’d be mistaken to think that breaches of privacy-related data will be interpreted in a narrow sense.
At a minimum, the notification must describe the nature of the breach, its likely consequences and the measures you have taken or propose to take. In practice the authorities will want far more than a description of how the personal data was affected: information that helps them assess what made the breach possible, how you (or someone else!) detected it, how long it took to detect, and how you assess the damage. They’ll want you to estimate how you and your customers will be affected by the residual risks. This information will enable people outside your company to form a more complete picture of your ability to protect any aspect of your business.
If there’s dirty laundry in your information security posture, it will soon be apparent. Was the personal data you handle acquired lawfully? (Pro tip: consent is only one of the lawful bases in Article 6, but if you rely on it, get familiar with what makes a user’s consent valid.) Were your cybersecurity protections adequate given the threat? There will also be questions about your network and information security, hiring procedures, physical security, and your ability and willingness to honor your commitments beyond user privacy, such as SLAs and corporate secrets.
Regulators know that no law will miraculously put an end to criminal activity. Neither will the GDPR incentivize all companies to turn into cybersecurity leaders. Rather, the GDPR aims to raise the minimum level of security and privacy protections across the board. And while minimum protections will help address accidental leaks and prevent each mishap from escalating into full-blown chaos, they will do little to stymie criminals.
Make no mistake, your adversaries will continue to attempt to breach your business. They’ll know you have made some minimal enhancements in predictable places in a less-than-enthusiastic manner. So if you have to comply with security-enhancing regulation, why not comply with style?
This is your moment to make good cybersecurity posture a differentiator in your business. Take pride in making your organization stand out from the crowd. When customers compare service providers and want proof of a company’s ability to deliver GDPR compliance, you’ll rise above the rest. Exceeding the minimum expectations can also be seen as a business continuity asset that not only lowers the cost of cyber insurance, but saves a pretty penny when you need to activate your incident handling plan. When things start falling apart for your competitors and the regulators start asking everyone difficult questions, you’ll have added degrees of freedom to operate.
The European media seem to treat GDPR as a novelty and something unheard of in the rest of the world. That is not the case.
While there is no general federal law on the subject (sector-specific rules such as HIPAA aside), 47 states in the US already have breach notification laws. That’s why there are so many public accounts of American security breaches. It is not that American businesses are worse “in cyber” than Europeans – they are just more open and honest about their mishaps, because the law obliges them to be.
We can safely assume that in the coming years there will be plenty of stories about European companies being breached, too. In all 24 official languages that the EU recognizes.
Speaking of America, one particular feature of breach notifications in the U.S. is that regardless of what actually happened, it seems affected consumers are always being offered free credit monitoring services. While the offer seems mechanical and habitual to the extent of being almost comical, there is a logical line of thinking behind it.
The most likely misuse of stolen personal information is financial fraud by obtaining credit or by purchasing goods to be paid for in monthly instalments. The collateral victims of a breach face a very real risk of losing their good credit ratings. An offer to cover monitoring services for a limited period of time will help tick a box of “actions taken” when reporting the incident to the authorities. Plus, it is a convenient way of mitigating the risk of future lawsuits from affected customers.
In Europe, we’ve inwardly laughed about the custom. It’s like what you would imagine a bored priest would issue during confessional as a penance for the umpteenth venial sinner of the day: “Give me ten Ave Marias and you are free to go, my son!” It remains to be seen what the European equivalent of cyber Ave Marias will be once the GDPR applies. Any bets?
In 2012, speaking at the RSA Conference, the then-director of the FBI, Robert S. Mueller, III, said that there are only two types of companies, those that have been hacked and those that will be, and that even these were converging into a single category: companies that have been hacked and will be hacked again. His comments reflected what the incident response and law enforcement community had already seen in practice: what separates winners and losers in cyber security is the way organizations prepare for the inevitable breach.
There will be attempts to breach your systems. It’s likely the attackers will succeed someday, in some fashion. Your cybersecurity posture will be measured by how well you learn from mishaps and near-misses and keep stepping up your protections. Failure to do so will manifest itself not only in breaches, but in repeated breaches.
Only through careful analysis of each incident and attempted breach can one determine which security controls actually worked, and which gaps are left for attackers to exploit. Those who fall victim to attack are being offered a valuable lesson – it would be wise to take the hint. The best performers, however, will be the ones who learn from mishaps that happen to others.
After May 2018, when the GDPR applies, it will still be perfectly okay to keep building up resilience to cyber threats and to design your systems around segregation in an effort to limit the likely damage. What will not be tolerated, however, is having no way of knowing when your protections have failed.
It’s common for breaches to go unnoticed for extended periods of time (I’ll discuss this at length in my next article). But under the GDPR, many executives will find that ignorance is not an excuse. Article 33 requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, with reasons given for any delay; an organization that cannot say when it became aware has no defensible answer to the first question it will be asked. In the spirit of Director Mueller’s statement from 2012 (quoted above), the big divider in post-GDPR Europe will be between those who have been breached and those who have been breached but have no clue about it.
Having reliable and effective intrusion detection and response in place will be very important when the GDPR applies. I recommend a setup that combines human analysts with automated detection: machines to sift the volume, people to triage what comes out, so that false positives do not bury the actual incidents that require attention. Many companies will find that a managed service is the way to go, as it offers the fastest, most cost-effective way to get set up, along with dedicated cybersecurity expertise.
Years of experience from incident response and forensics investigations by F-Secure specialists have shown that many organizations are ill-prepared to handle the eventuality of a security breach. Their capability to detect anything other than malware-based attacks is underdeveloped, logs are either missing or in a non-actionable state (not centralized, not retained long enough, clocks not synchronized), and staff are untrained or inexperienced.
Most first-time victims of a breach will improvise a response, make hasty decisions that destroy or alter evidence (rebooting or reimaging machines before memory and disk images have been captured, for example), and end up hurting the business in the process. What’s worse, if the adversary is any good at their tradecraft, all the pomp and circumstance of an uncoordinated incident response effort will yield no results: the intruder will notice the commotion, stop, clean up and head out the door, leaving you with no picture of what was taken or how they got in.
The GDPR will require companies to let regulators know the mitigation actions they plan to take and how those actions will address the problem. Companies that don’t know what they’re doing will stick out like a sore thumb under scrutiny. The authorities, customers and the media will question the relevance and efficiency of each action taken post-breach. That’s why there’s no better time to think about your response plan than now – waiting until a breach happens is too late.
The GDPR is a regulation, not a directive: it applies directly in every member state without needing to be transposed into national law. Enforcement remains in the hands of the national supervisory authorities, but they are bound by the common text and by the consistency mechanism, so member states are not in a position to reinterpret the regulation locally. At this stage, however, no one in Europe is in a position to say where the thresholds for notification will lie; the regulation only says that a breach need not be reported if it is unlikely to result in a risk to individuals, and guidance on what that means in practice has yet to be issued.
Given the situation, your best defense will be to start building up a baseline of the types of incidents and near-incidents your organization faces and to develop threshold definitions of your own. Article 33(5) in any case requires you to document every personal data breach, notified or not, together with its facts, effects and the remedial action taken, so this register is something the authority can ask to see. Later, if faced with authorities who disagree with you on which incidents need to be reported, you’ll already have developed a sense of what constitutes a serious incident and you’ll be better prepared to argue your case.
There are bound to be situations where the authorities have been tipped off about a potential breach and they approach you requesting information. In such cases, they’ll want an explanation of why they were not informed on your own initiative.
The GDPR was marketed as a single set of European rules. In practice, that will not be the case.
For a multinational company, the GDPR must be read alongside national law on the topics the regulation leaves to member states: freedom of information, exemptions for information obtained for journalistic and academic purposes, employment records, the age at which a minor can consent to online services, handling of national identification numbers (the European counterparts of SSNs), and so on.
Things will get even more complicated if the forthcoming national implementations of the NIS directive introduce breach notification requirements that are incompatible with the GDPR. On top of that, certain business verticals already have pre-existing (and of course incompatible) sectoral requirements for breach notifications. These include telecommunications, financial services, medical and social services and food safety.
In my next post, we’ll discuss the glaring capability gap in most organizations’ security postures: detection.
Erka Koivunen is a former head of the Computer Emergency Response Team (CERT) in Finland, and joined F-Secure in 2015 as a Cyber Security Advisor. Companies, governments, and a variety of other organizations consult with Erka extensively on everything from risk assessment to incident response, and he has testified as an expert witness for the EU, Finnish, and British Parliaments.
Banner image courtesy of Thijs ter Haar, flickr.com