Security Magazine
A Year Later, Has GDPR Raised the Bar on “Reasonable Security”?

By Jonathan Nguyen-Duy
May 24, 2019

As more personal devices and applications are interconnected across an expanding digital infrastructure, questions about who has access to personal data, what they do with it, and where and how it is stored have become serious concerns for individuals, privacy advocates and governments. Historically, the difficulty in crafting rules that protect privacy is that they have either applied to a single sector (such as the payment card industry's PCI DSS standard, the HIPAA health privacy rules in the US, or the New York Department of Financial Services' Cybersecurity Regulation) or taken too prescriptive a "check box" approach, which cannot anticipate digital transformation well enough to provide real protection.

A case in point was the EU's 1995 Data Protection Directive, which the GDPR replaced. As a directive rather than a regulation, it had to be transposed into national law by each member state, so each country wrote its own data-protection and breach-notification rules. Those laws were often incomplete, and both their requirements and their enforcement were inconsistent. Multinational companies were especially challenged, because data gathered in one country had to be handled differently from data collected in a neighboring one.

The GDPR, which has applied directly across the EU since May 25, 2018, replaced those divergent national statutes. It requires organizations to notify the appropriate supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to notify affected individuals without undue delay when the breach is likely to pose a high risk to them. Just as importantly, it established a common and broader definition of personal data that includes online identifiers such as IP addresses, biometric data, mobile device identifiers and other data that could be used to identify an individual, determine their location or track their activities.

GDPR Redefined Personal Data

By expanding the definition of personal data, defining more explicitly what constitutes a personal data breach, and imposing a standardized notification requirement across the entire EU, the GDPR has given the authorities responsible for monitoring data privacy a much larger set of incidents to analyze and report on. This has significantly expanded visibility into what types of breaches are occurring, which in turn has given security professionals and vendors a clearer understanding of which countermeasures need to be in place. It has also raised the level of due care that organizations and government agencies practice as a matter of course, rather than treating compliance alone as the goal.

The results have been striking. At a March panel discussion at the IAPP Data Protection Intensive 2019 conference in London, Stephen Eckersley, head of enforcement at the U.K. Information Commissioner's Office (ICO), said the U.K. had seen a "massive increase" in reports of data breaches since the GDPR took effect. In the U.K. alone, 206,326 cases were reported to the ICO in the first nine months of the GDPR; of these, roughly 94,000 were complaints and 64,000 were data breach notifications. The ICO's staff has nearly doubled as a result, growing from about 380 to 700 investigators and support staff.

California Steps Up to the Plate

Following the GDPR's initial success, and in response to growing demand for similar protections from individuals and advocacy groups elsewhere, new privacy laws modeled on it are being put in place.

The California Consumer Privacy Act (CCPA), signed into law on June 28, 2018, takes effect on January 1, 2020. Like the GDPR, it strengthens privacy rights and consumer protections, in this case for residents of the state of California. It applies to any for-profit business that collects California residents' personal information and either has more than $25 million in annual gross revenue, handles the personal information of 50,000 or more consumers, households or devices, or derives 50 percent or more of its annual revenue from selling personal information. And like the GDPR, it reaches companies wherever they are located: a business does not have to be based in California, have a physical presence there, or even be based in the United States to fall under the law.

That is no small matter. As of 2018, California has the world's fifth largest economy, having surpassed the United Kingdom. And in one respect the CCPA has potentially sharper teeth than the GDPR: a business has 30 days to cure a violation after the state Attorney General notifies it, after which it faces civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. Its definition of personal information is also at least as broad as the GDPR's, explicitly listing IP addresses, geolocation data, and browsing, search and purchase histories, along with inferences drawn from them, which puts additional pressure on organizations to locate and secure that data.

Reasonable Security and Due Care

One of the challenges in complying with regulations like the GDPR and CCPA is that requirements such as "reasonable security" and "due care" are never precisely defined. Such open-ended requirements appear in many regulations because legislation that names specific technologies can become obsolete between the time a bill is proposed and the time it becomes law. The challenge is compounded because a reasonable level of due care is subjective rather than prescriptive. Due care for a bank or a pharmaceutical company may look very different from due care for an e-commerce or social media company, and an organization with a strictly defined network perimeter faces different questions than one running a multi-cloud environment or an edge computing model serving high-speed applications over 5G.

As a result, such standards are deliberately general. But that is part of their value. A standard that is too prescriptive turns security into a checklist, which is how things get missed: whatever is not on the clipboard tends to be exactly the thing you miss, and a company that failed to address it can still claim it was in compliance.

Instead, organizations are forced to review their controls, processes and technologies to determine what constitutes a reasonable level of due care for their industry, network architecture and use case. From a legal perspective, "reasonable security" is often translated in court into whether the organization met a professional standard of care, measured against frameworks such as NIST SP 800-53. That is a stricter yardstick than the ordinary "prudent person" standard and has the potential to increase liability. Given the potential severity of the penalties for a breach, organizations are being advised to err on the side of caution.

Because the stakes are now so high, this conversation is also moving from the whiteboard to the boardroom. A CEO or board member is no longer asking only "are we compliant?" but, more importantly, "have we implemented reasonable due care?" and "what have we done beyond the bare minimum?" That leads to conversations about protecting the corporate brand, knowing what and where the crown jewels are, implementing an effective incident response plan and building a culture of security across the business.

Conclusion

Many experts believe that as many as half of the companies covered by the GDPR are still working toward compliance, and that the transition will likely continue for another couple of years. But the most important thing is that companies in the EU now express much higher confidence that they will be able to meet the GDPR's breach notification requirements.

So what about those high numbers of reported breaches in the U.K.? According to one expert, "what we [are beginning to] understand is that EU companies never reported data breaches." In fact, an alarming number of companies worldwide still do not practice even basic security hygiene, such as patching and updating devices or keeping firewall configurations consistent, let alone deploying tools such as forensic analysis and behavioral analytics.

It appears that regulations with real teeth, like GDPR and CCPA, are likely to change that. 

KEYWORDS: cybersecurity data breach GDPR privacy concerns


Jonathan Nguyen-Duy is vice president, strategy and analytics at Fortinet, where he focuses on emerging technologies and key partnerships. He has unique global government and commercial experience with a deep understanding of threats, technology, compliance and business issues. Nguyen-Duy holds a BA in International Economics and an MBA in IT Marketing and International Business from the George Washington University.

Copyright ©2025. All Rights Reserved BNP Media.