GDPR: A Bridge Too Far?
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
As we all know by now, on May 25, 2018, the European Union General Data Protection Regulation (GDPR) goes into effect in the 28 EU member states. It will require that every multinational company that offers products or services to European Union residents must comply with a rigorous set of data privacy and security measures. In addition, these requirements will apply equally to those companies’ business partners and third party entities.
GDPR is not just an EU-centric regulation. It requires that every EU citizen’s private data, regardless of where it is stored, must be protected. This of course means that all companies throughout the world irrespective of size, that store customer data for citizens of EU countries are covered entities and subject to the compliance requirements of the GDPR law.
Simply failing to uncover the fact that a company is storing the PII (Personally Identifiable Information) of just one EU customer will result in a failure to comply, which can be assessed with potentially huge fines and criminal charges.
Last year in May, a Compuware study found that of the 94% of surveyed companies that stored PII of EU citizens, only 60% of U.S. companies had plans in place to comply with GDPR. The biggest problem cited by those surveyed was that it was difficult to know where the specific data resides, which happens also to be a key requirement of the regulation.
We have never seen anything quite like this before, and prior to blowing it off as just another regulation that won’t be enforced, be forewarned that the EU is deadly serious about this and will likely spend the first 12 months seeking examples for public flogging. If one gets flogged gently in the public square, it probably won’t have the impact of a true 4% of annual revenue fine battering. And not to put too fine a point on it, GDPR will allow for an active criminal prosecution against directors and officers for “deliberate” breaches. In other words, go to jail and do not pass GO.
A deliberate breach is one where the directors and officers had reason to know that their preparations were inadequate. Broad and vague; just like the regulators want it. GDPR requires that the board of directors demonstrate that they took a leadership position in moving an organization into compliance. Rather than passively relying on Risk or IT or the CISO to understand, deal with and resolve the issues, the board must show that they have personally examined their company’s readiness, and have directed human and financial resources to assuring full compliance. If you want to try and defend against that claim, then by all means you should go for it. I suggest getting your house in order will be both easier and cheaper.
Our recommendation is that boards immediately establish a formal committee focused on cyber-risk management, regulatory compliance (specifically including GDPR) and cybersecurity defense. That committee should address the protection of information assets across the company, the defense against potential cyber-threats of all classes, an active ability to weaponize threat intelligence for use in that defense, and the specific actions that the IT organization will take to preserve the integrity of all customer information. The greater the specificity, the better you will be able to make the case for proper diligence and preparedness in an attempt to fully comply.
We know that only a small percentage (5-12%) of board members at even the world’s largest financial institutions (Accenture) have any professional technology background and/or understanding of cyber-risk or cybersecurity challenges or issues. GDPR is the first real warning shot across the bow of the American corporate board institutions, and it will soon be followed by additional shots from both Federal and State regulatory agencies looking for dramatically improved controls and governance. Already several states have pending legislation moving through their legislative processes and the Federal government is working on a GDPR clone.
All of this pressure of course is the result of the demonstrated widespread inability of both the private and public sector to take care of the cybersecurity business on their own. We don’t need to be reminded of the specifics again from the fiascos at Yahoo, Adobe, eBay, Target, Home Depot, Michaels, Equifax, OPM, etc., where hundreds of millions of customer records and tons of PII have been compromised and stolen.
So, instead of chafing over the oncoming crush of regulations, our energy might be better spent actually putting in place the cyber-defense and process fundamentals that these regulations will ultimately require.
Another issue rising from this regulation that should be of interest to corporate boards is the potential impact on cyber liability and management liability insurance policies. Underwriters will understandably want to be assured that their insureds are going to be prepared for compliance by the May 25th date. If companies fail to comply, shareholder lawsuits become a real threat and will begin to represent serious secondary financial risk. The more that these compliance failures occur, the greater the upward pressure will be on coverage terms and pricing. With officers and directors now personally liable, it will shift the landscape on their Directors & Officers coverage as well.
As a reminder, PII is defined by GDPR as any information about an individual maintained by an organization, including any information that can be used to distinguish or map an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
This definition is also expanded to include any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
These expanded definitions are important because these “online identifiers” now are defined to include IP addresses, User IDs, Global Positioning System (GPS) data, browser cookies for logins and passwords, MAC addresses, unique mobile device identifiers (UDID), geo-location data from smart-phones, or data from medical devices, wearables, etc.
This has wide-ranging impact on marketing campaigns and software licenses, just to name two domains that may not have been considering the application of the regulation in quite the same light. For example, GDPR won’t allow you to email prospects without permission.
Since one of the cornerstones of GDPR is obtaining explicit permission to send any kind of email communications to prospects, telemarketing is one of the surefire ways to be able to do this and remain compliant at the same time. Because you are not allowed to obtain permission by email, one of the only viable ways of doing so is to ask outright, on the phone.
Once you have verified the data you have, replaced erroneous contacts and updated your database accordingly, you can get the opt-ins you need to further engage with prospects on other channels. This alone will dramatically impact data mining and email marketing, and companies who engage in that practice (which is like everyone) will have to put processes in place that will guarantee that the subjects of the campaign will have an opportunity to “opt-out” before the email is sent. Think about that one. The implications are enormous. It means you must call first, talk with the person and ask their permission to be included in your email campaign before you send them an email.
Also, for application software vendors, any activity that puts User IDs at risk must be secured, meaning that no one may have access to that data other than the users themselves without an opt-out opportunity. Even inventorying software for licensing purposes is considered the processing of personal data (User IDs) under the regulation.
And geo-location data from smart-phones? Don’t even go there.
The current definitions of “appropriate technical and organisational measures” to protect personal data are unclear at this time, but they will surely be crisply defined through implementation and arbitration over the first 12 months or so. But the “ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems” with specific “encryption” rules and the “ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident” probably don’t require much greater definition (unless you are a lawyer).
Our read is simply that the regulation is insisting that companies and organizations apply information security best practices in accord with an accepted framework (NIST, CoBIT, etc.), which will enable the cybersecurity management function to create consistent, repeatable processes and implement controls that are generally accepted by the information security community.
It is also clear, and not vague, that companies and organizations must ensure that adequate means of protecting data have been implemented: reasonable controls such as access restricted to authorized personnel; proper multi-factor authentication in use; reasonable, tested and proven procedures for backing up and archiving data; data retention and destruction policies and processes in place; and all third parties that have access to the data properly and thoroughly evaluated to ensure they also have adequate controls in place.
So, the ramifications are that all companies who process and/or store PII on EU citizens, or are partnered with or act as TPAs for companies or organizations that do, will be forced to demonstrate that they actively (and not passively) pursued best practices with regard to the protection and safe-keeping of that data.
Without wandering down the rabbit hole of the need for an information lifecycle management approach and all that it implies, none of these GDPR requirements are either draconian or even unreasonable and in fact all of it should have been in place in every business and organization eons ago – or at least since it occurred to us that the Internet might be a great way to attack businesses and steal data. Now, the implementation and execution of the actual compliance measures are another story entirely and will undoubtedly be fraught with pain, fear and loathing. Our overly complex threat landscape greatly hinders compliance and increases risk, yet the fact that it won’t be easy should not be a newsflash either.
Finally making the CEO and the Board of Directors actively responsible for GDPR compliance and ensuring that information security practices are balanced with all cybersecurity and data privacy regulations that apply to their organization doesn’t seem to me to be a bridge too far for anyone.
Comment (Enterprise Architect : Requirements Engineer : Systems Integration : Knowledge Operations : Solutions Consultant), 7 years ago:
Amazing Steve King, CISM, making the CEO and the Board of Directors actively responsible for ensuring that information security?!