Brexit - a GDPR deep-dive

 

Imagine the situation. You are curious about 'something' and so make a Freedom of Information Request about it, expecting to get all the non-business-confidential data delivered to you while not necessarily even knowing what constitutes 'business confidential'. But instead you get everything, lock, stock, and enough confidential information about every component part of the `something' to engineer several hundred different ways to break into it and exploit the hell out of it.

That is what happened recently with the story earlier this year about a freedom of information request made by a privacy activist, Phil Mocek, on Landis+Gyr. It concerned that company's plans to install a city-wide smart metering system ordered by Seattle City Light throughout the city. He asked for all available information on what is planned for these smart meters and in a way, that is exactly what he got.

Because of some lapse, error or whatever at the Landis+Gyr end, just about all the information available is forwarded to him, including details of all the components, their specifications, passwords and setting processes etc etc. Mocek then passed the information to Michael Morisy, who runs the campaigning Muckrock website.

This resulted in a humungous legal spat between Landis+Gyr, Morisy and Muckrock, with the former demanding, and getting, a judgement that the latter pull down the pages on the subject Muckrock had put up, and turn over individual readership data on anyone who had read the information.

The Washington State judge who granted this judgement rescinded it a week later.

Security equals (not) technology

This is a classic example of how peripheral much of the security technology business has become when it comes to `defending' data, when most often the issue is one of straight-up human error (or, rarely, malice).

The story emerged at the InfoSecurity conference and exhibition at London's Olympia, and made an ironic counterpoint to vast swathes of vendor stalls selling bits and bobs of technology that all claimed (in one way or another) to be the solution to at least small corner of the insecurity of IT systems. Yes, they have parts to play, but they are no longer 'the answer' to data security.

It also highlighted why the latest developments in European Union data security legislation may be far more important than any piece of technology. The EU's General Data Protection Regulation (GDPR) is due to kick in in less than two years - and regardless of Brexit developments, will impact on UK businesses. It is reasonable to assume that for any business looking to conduct any level of trade with EU nations the ability to comply with the new directive will be a key requirement.

And the penalties for risking non-compliance look like they will be painful. According to Austin O'Malley of Ipswitch, who presented an outline of the new regulations at the conference, those penalties could rise to fines of $20 million, or 4% of total turnover, whichever is the greater.

What the Directive will demand

More details of the new Directive can be found here, but O'Malley highlighted the five main regulations that businesses will need to comply with.

The first requirement will be around consent. All businesses will need to ensure that all customers know that you have their data and that they consent to the business having that data. It is probably going to be safer to assume that personal data gathered in any way, even from transactions that were never completed or even tyre-kicking exploratory browsing, will need some form of explicit confirmation that the data is currently being held and continued holding is approved.

The second requirement is that all businesses will have just three days to report data breaches to both the relevant authorities and customers.

Next up is one that is of increasing importance to individuals - the Right to be Forgotten. This will mean businesses having in place the processes and tools necessary to delete all examples of whatever data an individual is citing, but also the means to prove that the data has been erased.

From a business perspective the next requirement may be more important, for it concerns the right to data portability. This is important for business users, though many vendors have, for as long as cloud-based services have been available, contended it was next to impossible to deliver. There will certainly be issues with this, particularly where SaaS applications are concerned, for the data is only half the issue, and it may be next to useless in a new and different environment, separated from the core applications that have been used to generate it.

The objective, however, is to create an environment where businesses can, for whatever reason, choose another service provider and take their data away from  the current provider. This will obviously include ensuring that the data is proved to be erased from the old provider's systems.

Finally there will be the need for every business to keep accurate records of all transactions associated with each customer record and comprehensive data analytics will need to used to track and record all relevant action associated with each record.

The technologies most expected to be needed to meet the requirements of the new Directive are encryption everywhere, new analytics tools for visibility and reporting, more perimeter security and tools to manage mobiles. Finally, there will be a need for robust file-sharing  and transfer methodologies. O'Malley suggested that Managed File Transfer may prove to be the winner here as it has strong authentication, good automation and guaranteed delivery. When it comes to authentication, using single factor methodologies will no longer be satisfactory: multi-factor authentication will be essential.

DPO: volunteers required

According to O'Malley the GDPR will move the control and maintenance of data security much higher up the chain of command within a business:

This will need the appointment of a specific Data Protection Officer for every business. This will be a case where the buck really will stop there.

This will also require businesses to develop action plans to accommodate GDPR:

This will need to look at risk management first, with a need to identify the most critical data first. This will also require C-Level involvement. It will also need a new control framework developed out of what is being used to protect data now, plus what standards are being used and coming along in the near future. Finally, this will need extensive staff training programs to be in place.

Ipswitch has recently conducted a survey in Europe on the potential impact of GDPR on businesses, with 69% saying yes, it will have an impact on their operations, and 68% saying that it will impose a financial burden. Budgets have already been allocated for it by 51%. Perhaps more worrying, however, is the fact that 28% said they had no idea about its impact or costs.

It is that latter factor which highlights the difference between just buying security technology and understanding the security issues. GDPR will be a major step for all European countries, in or out of the EU, with major changes to the way security is managed and the development and implementation of best practices. The latter will stop being a 'nice, if possible' objective and become a 'do it, or else' requirement.

That, more than any technology, is going to be the step that can stop major data breaches such as happened with Landis+Gyr. It is likely that no technology would have stopped that breach as it certainly looks like a straight forward failure of process. There is, of course, the outside chance it was done with malicious intent, but it is far more likely that the good old cock-up theory applies. On that basis, far more rigorous best practices are essential, and their meticulous application becomes a primary requirement.

At its heart that is what GDPR is targeting and all European companies - indeed any company looking to trade in Europe - will need to be aware of its requirements. Another factor to bear in mind is that, unlike the USA, GDPR will apply across all branches of industry and commerce, so there will be no hiding place from its strictures.

This will differ from current practice in the USA, which is further down the road of tougher data security regulations. The downside of that, however, as O'Malley acknowledged to diginomica, is that different industries have developed their own regulations and there are some significant differences between them. Though it has not happened yet, there now exists the possibility of Business A in one industry sector trading with Business B in another, with both working to different data security regulations. Here, a data breach could then lead to major legal problems where each blames the security regulations of the other.

With GDPR,  the situation will be far more clear - it will apply to everyone, equally.

My take

This does move the security agenda on to the development of management processes and the application of best practice as front line security tools, rather than just nice-to-have tick-boxes. And by applying across all commerce and industry, can create a security environment of no hiding place. Yes, it will cost more, but that really should be a price worth paying.