
Security

Past GDPR Predictions: Have They Come To Fruition?

September 17, 2019 — by David Hobbs


In July 2017, I wrote about GDPR and HITECH and asked whether the past could predict the future. At the time, GDPR had not yet gone into effect. Now that it has been in force for over a year, let’s take stock of what has occurred.

First, a quick refresher: GDPR implements a two-tiered approach to categorizing violations and related fines. The most significant breaches can result in a fine of up to 4 percent of a company’s annual global revenue, or €20 million (whichever is greater).

These higher-tier violations include failing to obtain the necessary level of customer consent to process data, failing to permit data subjects to exercise their rights including as to data erasure and portability, and transferring personal data outside the EU without appropriate safeguards.


For less serious violations, which include failing to maintain records of customer consent or failing to notify the relevant parties when a data breach has occurred, the maximum fine is limited to 2 percent of annual global revenue, or €10 million (whichever is greater).

Rising Complaints & Notifications

The first year’s snapshot from May 2019 of the Data Protection Commission (DPC) demonstrates that GDPR has given rise to a significant increase in contacts with the DPC over the past 12 months:

  • 6,624 complaints were received.
  • 5,818 valid data security breaches were notified.
  • Over 48,000 contacts were received through the DPC’s Information and Assessment Unit.
  • 54 investigations were opened.
  • 1,206 Data Protection Officer notifications were received.


In my first article, I discussed Memorial Healthcare System’s breach and resulting settlement of $5.5 Million USD. Now, let’s look at the first round of investigations under GDPR.

High-Profile Breaches: 2018-19 Edition

Marriott. In December 2018, news of Marriott’s massive breach hit. Upon receiving Marriott’s breach report in September 2018, the International Commissioner’s Office (ICO), the UK’s GDPR supervisory authority, launched an investigation.

When a data breach results in the exposure of EU citizens’ data, it must be reported to the ICO within 72 hours of discovery. The ICO investigates data breaches to determine whether GDPR rules were violated, and also handles complaints about GDPR violations from consumers.

In July 2019, the ICO announced that it plans to fine the hotel chain $123 million USD. Marriott said it plans to appeal the decision.


Bergen, Denmark. One file in the wrong place landed the municipality of Bergen in Denmark in trouble. Computer files containing login credentials for 35,000 students and employees were insufficiently secured and were accessed.

Per the European Data Protection Board, “the lack of security measures in the system made it possible for anyone to log in to the school’s various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools.” As a result, the Norwegian Data Protection Authority fined the municipality of Bergen €170,000.

British Airways. This is the largest fine to date, with an overwhelming price tag of £183.4m or $223.4M USD. After an extensive investigation, the ICO concluded that information was compromised by “poor security arrangements” at British Airways. This relates to security around login, payment card and travel booking details, as well as name and address information.

Sergic. France’s data protection agency, CNIL, found that real estate company Sergic knew of a vulnerability in its website for many months and did not protect user data. This data included identity cards, tax notices, account statements and other personal details. The fallout? A €400,000 fine (roughly $445,000 USD).


Haga Hospital. Turning to healthcare, Haga Hospital in the Netherlands was hit with a €460,000 fine ($510,000 USD) for breaching data confidentiality. The investigation followed reports that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person.

In my previous article, I wrote, “other industries you may not think about, such as airlines, car rentals and hotels which allow booking from the internet may be impacted. Will the HITECH Act fines become the harbinger of much larger fines to come?”

We can see that this prediction was spot on. Some of the largest fines to date are aimed at airlines, hotels and the travel industry. I predict that in the next year we will see the various agencies in the EU continue to ramp up fines, including cross-border and international ones.

CCPA is Almost Upon Us

Now, for the U.S.: California’s new Consumer Privacy Act (CCPA) goes into effect in January 2020. Will the state start rolling out fines like those imposed under GDPR?

If you’re an international company with any U.S.-based customers, it’s pretty likely that you’ll have Californians in your database. The CCPA focuses almost entirely on data collection and privacy, giving Californians the right to access their personal information, to ask whether it is being collected or sold, to say no to it being collected or sold, and still to receive the same service or price even if they do say no.


Come January 2020, you’ll either have to meticulously segment your database by state to create separate procedures for Californian citizens (and EU ones for that matter), or you’ll have to implement different data collection and privacy procedures for all your customers going forward.

With all of the new privacy rules coming and fines already starting to hit under GDPR, what will you do to comply with the laws of the world and keep your customers safe?

Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.


Security

The Impact of GDPR One Year In

June 27, 2019 — by Radware


Data breaches are expensive, and the costs are only going up.

Those reporting attacks that cost 10 million USD/EUR/GBP or more almost doubled from last year — from 7% in 2018 to 13% in 2019. Half of Radware’s C-Suite Perspectives survey respondents estimated that an attack cost somewhere between 500,001 and 9.9 million USD/EUR/GBP.

One Year In

Arguably, the General Data Protection Regulation (GDPR), which has been active in the European Union since May 2018, contributes to these rising costs.

Every EU state has a data protection authority (DPA) that is authorized to impose administrative fines for improper handling of data. Fines can go up to 4% of a company’s worldwide revenues for more serious violations. Article 83 of the GDPR requires that fines be “effective, proportionate and dissuasive.”

More than half of Radware’s 2019 C-Suite Perspective survey respondents from EMEA experienced a self-reported incident under the GDPR in the past 12 months.

In the largest fine to date, France levied a fine against Google for €50 million for lack of consent on advertisements. Germany fined Knuddels €20,000 for insufficiently securing user data, enabling hackers to steal user passwords. And a sports betting café in Austria received a €5,000 fine for unlawful video surveillance.

C-Suite Perspectives: From Defense to Offense — Executives Turn Information Security Into a Competitive Advantage

So far, DPAs have received almost 150,000 complaints about data handling. Most are about video surveillance and advertising calls or mailings, according to the EU Commission. While fines have not yet been imposed in many cases, the potential for significant penalties is there.

The takeaway? C-suite executives in all regions should not let the leniency of the first year of GDPR enforcement lull them into complacency. The threat of GDPR fines is just one risk facing organizations that experience a data breach.

The danger is very real.

Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.


Security

How Do Marketers Add Security into Their Messaging?

May 7, 2019 — by Anna Convery-Pelletier


These days, data breaches are an everyday occurrence. Companies collect volumes of data about their customers, from basic contact information to detailed financial history, demographics, buying patterns and even lifestyle choices. Effectively, this builds a very private digital footprint for each customer. When that footprint is leaked, it not only erodes the trust between consumers and the affected brand, but also erodes trust in all brands.

The latest marketing buzzwords call this a ‘post-breach era’ but I’d call it a post-trust era. We have watched the slow erosion of consumer trust for several years now. Forrester predicted that 2018 would mark the tipping point, calling it “a year of reckoning,” but here we are in 2019 and trust only continues to decline. The Edelman Trust Barometer claims that in the U.S., we saw the sharpest drop in consumer trust in history, bringing it to an all-time low.

Why is Consumer Trust Falling at Such a Rapid Rate?

Organizations have spent billions of dollars digitally transforming themselves to create faster, easier and more numerous access points for their customers to interact with their brand. And it’s worked. Consumers engage much more often with more personal data with brands today than ever before. For marketers, it’s a dream come true: More access equals more insights and more customer data recorded, enabling more personalized and customized customer experiences.


However, each touch-point comes with increased security risk and more vulnerabilities. Prior to the digital transformation revolution, brands interacted much less frequently with their customers (for the sake of argument, let’s say once a month). Now, brands communicate daily (sometimes multiple times per day!) across multiple touch-points and multiple channels, collecting exponentially more data. This increases not only the opportunities for breaches, but also the possibility of negative customer interactions, since so much more private information is known about each individual. An overabundance of those marvelous personalized interactions can make consumers feel that their privacy is being invaded and leave them uncomfortable about the risk carried by their digital footprint.

Trust is necessary to offset any negativity.


Brands have a tremendous responsibility to protect all the data they collect from their customers. Historically, a lack of vigilance on security has been the starting point of many data breaches. For many years, the C-suite has treated information security as an expense needed to meet the basics of a regulatory compliance standard, not as an investment.

Today, that organizational behavior simply does not suffice. The stakes are much higher now; the size, frequency and consequences of recent data breaches have created a huge backlash in consumer sentiment. We feel the impact of this trust erosion in new legislation across the globe (GDPR, Castle Laws, etc.) designed to give consumers some power back with regard to their data. We also feel the impact in customer churn, brand abandonment and poor Customer Lifetime Value (CLV) after a security breach. The ripple effects of data breaches signal the value of investing in security up front: invest in the right cybersecurity infrastructure now or risk paying far more later.

It forces us as marketers to change the type of conversations we have with our customers.

What’s a Brand to Do?

How important is data security to your customers and your brand promise? If asked, surely every one of your customers would tell you it’s important. Most marketers are afraid to make security promises for fear of future data breaches. However, there’s a compelling argument that if you don’t address the issue up front, you are missing a critical conversation with your customers that could cost you their loyalty.


  • Don’t fear the security conversation; embrace it. Brands like Apple are once again leading the privacy conversation. Apple’s new ad campaign addresses privacy issues head on. Executives may not need to take exactly the same stance as Apple, but as a marketer you can identify the right tone and timing for a security conversation with your audience.
  • Ask your customers about their security concerns and listen to their answers! Our digitally transformed world empowers us to engage in a two-way dialog with our audiences. Talk to them. Ask them their opinions on security and, more importantly, listen to their answers. Take their suggestions back to your product and development teams and incorporate them into your company’s DNA.
  • Develop features and services that empower your customers to protect their own privacy. Today, banks offer credit monitoring, credit locking, fraud alerts, subscriptions to services that monitor the dark web for an entire family, etc. IoT devices have enabled people to see who is ringing the doorbell even when they are not home. Those doorbell recordings can now be shared through neighborhood watch sites to warn the community of incidents when they occur. These are all examples of innovation and evolution around security as a feature.
  • Highlight all the different ways your company is protecting its customers’ data and privacy. Don’t assume your customers know that you take their privacy concerns seriously. Show them you care about their security concerns. Tell them about, and educate them on, all the steps you are taking to protect them.
  • Don’t whitewash security concerns. Be a champion for injecting security into the DNA of your organization, from product development to responsible data collection and storage to the customer experience.

Regardless of your industry — from finance to retail to consumer goods to healthcare and beyond — there is a security discussion to be had with your customers. If you are not embracing the conversation, your competitors will, and you will be left behind.

Read “Consumer Sentiments: Cybersecurity, Personal Data and The Impact on Customer Loyalty” to learn more.


Security

Deal, No Deal: The State of U.K. Cybersecurity Post-Brexit

June 14, 2018 — by Jeff Curley


A topic inescapably on the minds of us Brits is what type of relationship the U.K. will maintain with the EU after our departure, which in one transitional form or another is slated to commence 29 March 2019.

The next few months are considered a pivotal period for defining what this relationship will look like, and as of right now there are many unknowns, including implications for the U.K.’s cyber assurance capability.

There are broadly three domains across cybersecurity that could be impacted by the character of the agreements struck: skills access, legal matters and threat intel sharing.

It is sensible for security leaders in U.K.-headquartered businesses to start thinking about the potential impacts and considering plans to mitigate them. The below is not an exhaustive exploration, just some initial food for thought.

Security

2018: Snapshot of the Most Important Worldwide Cybersecurity Laws, Regulations, Directives and Standards

June 5, 2018 — by Carl Herberger


Are you out of breath from the breakneck pace of cyberattacks since the start of 2018? Throughout the world, nearly daily news reports have detailed the results of incredibly effective cyberattacks on targets ranging from small companies to nation-states. The sum total of these attacks has permanently and dramatically changed the information security threat landscape. This change hasn’t gone unnoticed by regulators, and now, depending on where your business operates, you have accrued even more work to demonstrate your diligence against these threats.

Security

GDPR in Action, Even Facebook Impacted

May 15, 2018 — by Fabio Palozza


As Europe awaits the General Data Protection Regulation (GDPR) coming into force on May 25th, Facebook is enforcing new terms of service on its users to ensure compliance with the upcoming data privacy law. The GDPR will regulate how Facebook collects and uses the user data that is critical to the success of its advertising business. While Facebook executives claim that GDPR will have minimal impact on its user base and revenues, experts opine that there are multiple other ways GDPR can affect Facebook severely. With GDPR being an extraordinary regulation with strong potential to impact large businesses, Facebook stands exposed to a number of uncertainties that are yet to take shape.

Security

GDPR and HITECH: Can the Past Predict the Future?

June 27, 2017 — by David Hobbs


In February of 2017, Memorial Healthcare System settled their HIPAA violation fines for $5.5 Million USD. During an investigation, it was discovered that over 100,000 patient records had been impermissibly accessed. Allegedly, an ex-employee retained access to personal identifying information and sold data records to people who filed fraudulent tax returns using the data. Federal criminal charges were filed against the ex-employee.

Fines, Fines, Fines

The first question that comes to mind is: Why did the hospital get such a hefty fine if an ex-employee was responsible? According to the report from the Office of Civil Rights, “At the root of this breach was MHS’s failure to follow its own policies and deactivate the login credentials of a former employee from an affiliated physician’s office. Over the course of roughly a year, these credentials were repeatedly used to gain access to MHS’s data systems and client ePHI.”


This isn’t the only case of the Office of Civil Rights issuing fines over HIPAA violations. We’ve seen numerous violations and breaches resulting in multi-million dollar fines. Many organizations didn’t believe that a data breach would ever result in fines, and some thought that cyber insurance would cover them and so didn’t bother securing their systems.

In 2013, California’s Cottage Health System notified 32,755 of its patients that their protected health information had been compromised after the health system and one of its third-party vendors, inSync, stored unencrypted medical records on a system accessible from the Internet. As a result, the data may have been publicly available on search engines like Google. Columbia Casualty Company insured Cottage Health System against data breaches. Because Cottage Health System failed to properly secure its system, Columbia Casualty Company has challenged the insurance claim in court.


Evolving Regulations

General Data Protection Regulation (GDPR) is the new global compliance initiative from the EU. The GDPR implements a two-tiered approach to categorizing violations and related fines. The most significant breaches of the GDPR’s obligations can result in a fine of up to 4 percent of a company’s annual global revenue, or €20 million (whichever is greater).

These higher-tier violations include failing to obtain the necessary level of customer consent to process data, failing to permit data subjects to exercise their rights including as to data erasure and portability, and transferring personal data outside the EU without appropriate safeguards.

For less serious violations, which include failing to maintain records of customer consent or failing to notify the relevant parties when a data breach has occurred, the maximum fine is limited to 2 percent of annual global revenue, or €10 million (whichever is greater).


Companies not located in the EU but that process the data of EU customers will have to appoint a representative in the EU. In relation to enforcement, we can look at how this works with the USA to gauge how it might work in Asia.

The GDPR directs EU authorities to develop international cooperation mechanisms to support its extraterritorial reach, which could potentially build upon existing treaties and mutual investigative assistance agreements the EU has in place with the U.S. Federal Trade Commission. Companies should be aware that the EU is increasing its efforts to work with and through American authorities to investigate American targets, which may yield increased scrutiny of companies with an EU web presence.

What’s Next?

If we look at India for a moment, the Indian outsourcing industry stands at over 150 billion USD, contributing nearly 9.3% of GDP. More than 100 billion USD of that revenue comes from overseas, largely attributable to cross-border data flows, mostly from Western countries and the EU. With factors like data privacy and security becoming an important determinant in outsourcing, the global landscape of data flows is likely to be impacted.


Other industries you may not think about, such as airlines, car rentals and hotels which allow booking from the internet, may be impacted.

Will the HITECH Act fines become the harbinger of much larger fines to come? Which countries will cooperate with the EU, and which might get banned? Would banning nations from doing business with EU citizens force compliance? Would “content filtering” the internet for offenders cause a large disruption in their business?

Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.


DDoS, Security, WAF

WAF and DDoS Help You on the Road to GDPR Compliancy

January 19, 2017 — by Pascal Geenens


Data is the currency of today’s digital economy, the oil of the 21st century. Personal data is an economic asset generated by our identities and our behavior, and we trade it for higher quality services and products. Online platforms act as intermediaries in a two-sided market, collecting data from consumers and selling advertising slots to companies. In exchange for our data being collected, we get what appears to be a free service.

The growth and market capitalization of social platform providers like Facebook and search engines such as Google demonstrate the value of personal data. Personal data also provides new ways to monetize services: news organizations find it difficult to charge ‘real’ money for digital news, but can leverage our willingness to pay for a selection of ‘free’ news with our personal data. Three out of four people prefer free registration with selective access over paid registration with full access.