A Year Later, Has GDPR Raised the Bar on “Reasonable Security”?
As more personal devices and applications are interconnected across our expanding digital infrastructure, questions about who has access to that data, what they do with it, and where and how it is stored have become even more serious concerns for individuals, privacy advocates, and governments. Historically, the challenge with crafting laws that provide privacy protections is that they have either applied to a single sector (such as the retail industry’s PCI-DSS, the US’s HIPAA healthcare privacy act, or the New York Department of Financial Services’ Cybersecurity Regulation), or have taken too specific a “check box” approach and as a result cannot anticipate digital transformation well enough to provide real protection.
A case in point was the EU’s 1995 Data Protection Directive (which the GDPR replaced), which allowed individual member nations to write and pass their own breach-notification laws. Not only did these laws sometimes tend to be incomplete, but their enforcement and requirements were also inconsistent. Multinational companies were especially challenged, as data gathered in one country had to be managed differently than data collected in a neighboring one.
The GDPR, which took effect in May 2018, swept away all these different statutes. It now requires organizations to report data breaches to affected individuals and the appropriate regulatory authorities within 72 hours of discovery. Even better, it also established a common and broader definition of personal data, including things like IP addresses, biometric data, mobile device identifiers and other types of data that could potentially be used to identify an individual, determine their location or track their activities.
GDPR Redefined Personal Data
Because the GDPR expanded the definition of personal data, defined more explicitly what constitutes a breach of personal data, and implemented a standardized and consistent notification requirement across the entire EU, the organizations responsible for monitoring data privacy have been able to analyze and report on a much larger data set of incidents. This has significantly expanded our visibility into what types of breaches are occurring, which, in turn, has given security professionals and vendors a clearer understanding of what countermeasures need to be in place. It has also contributed to a rise in the level of due care practiced as a standard by organizations and government agencies, rather than compliance alone.
The results have been impressive. At a March panel discussion at the IAPP Data Protection Intensive 2019 conference in London, Stephen Eckersley, the head of enforcement at the U.K. Information Commissioner’s Office (ICO), said the U.K. had seen a “massive increase” in reports of data breaches since the GDPR’s implementation. Notably, it was reported that in the UK alone, 206,326 total cases had been reported in the first nine months of GDPR. Of these, 94,000 were complaints and 64,000 were data breach notifications. As a result, the ICO staff has nearly doubled, growing from 380 to 700 investigators and support staff.
California Steps Up to the Plate
As a result of its initial success, and to respond to growing demands for similar protections by individuals and advocacy groups elsewhere, new privacy regulations and laws are being put in place that are modeled after GDPR.
The California Consumer Privacy Act (CCPA), passed on June 28, 2018, goes into effect on January 1, 2020. Like the GDPR, it enhances the privacy rights and consumer protection of residents of the state of California in the United States. All companies that serve California residents and have at least $25 million in annual revenue, or that have personal data on at least 50,000 people, or that collect more than half of their revenues from the sale of personal data fall under the law. And like the GDPR, it imposes its requirements on any company doing business in California, regardless of where the business is located. Companies don't have to be based in California or have a physical presence there to fall under the law. They don't even have to be based in the United States.
And that’s no small matter. As of 2018, California has the world's fifth largest economy, surpassing that of the United Kingdom. And the CCPA has potentially more teeth than the GDPR. Not only do companies have 30 days to comply with the law once regulators notify them of a violation, but it also includes a fine of up to $7,500 USD for every record not in compliance after that time. It also takes a broader view than the GDPR of what constitutes private data, covering items such as IP addresses, geolocation data and shopping, browsing and search histories—placing additional pressure on organizations to locate and secure that private data.
Reasonable Security and Due Care
One of the challenges of complying with regulations like the GDPR and CCPA is that there is no clear definition of what is meant by requirements such as “reasonable security” or “due care.” Such vague language is included in many regulations because legislation with specific technology requirements can literally become obsolete between the time a bill is proposed and when it becomes law. The challenge is compounded because a “reasonable level of due care” directive is subjective and not prescriptive. Due care and reasonable security for the financial sector or a pharmaceuticals company may be very different from what they mean for an e-commerce or social media company. The same is true for an organization with an infrastructure composed of a strictly defined perimeter versus one with a multi-cloud environment versus one that utilizes an open-edge computing model providing high-speed applications powered by 5G.
As a result, standards are usually vague and provide only general guidance. But that is actually part of the value of these regulations. If you try to be too prescriptive, security becomes a checklist, which is how things get missed. If a specific area of vulnerability or exploit is not included on “the clipboard checklist,” not only does what you’re NOT looking for tend to become the critical thing you miss, but companies that violate the law by not addressing a security issue can still claim they were in compliance.
Instead, organizations are forced to review their controls, processes and technologies to determine what constitutes a reasonable level of due care for their industry, network framework and use case in order to mitigate risk. And from a legal perspective, the notion of “reasonable security” often gets translated in court into whether the organization met “professional standards of care,” such as NIST 800-53, which are stricter than the ordinary “prudent person” standard and have the potential to increase liability. Given the potential severity of the penalty for a breach, organizations are being advised to err on the side of caution.
In addition, because the stakes are now so high, this conversation is also moving from the whiteboard to the boardroom. If you’re a CEO or on a board, you are suddenly asking not only “Are we compliant?” but, more importantly, “Have we implemented reasonable due care?” and “What have we considered beyond the bare minimum?” This leads to conversations around protecting the corporate brand, knowing what and where the crown jewels are, implementing an effective incident response plan and communicating a culture of security across the business.
Many experts believe that as many as 50 percent of companies covered by GDPR are still in the process of compliance, and that the transition will likely go on for another couple of years. But the most important thing is that companies in the EU are now expressing much higher levels of confidence that they will be able to address the GDPR’s data breach notification requirements.
So what about those high numbers of reported breaches in the UK? According to one expert, “what we [are beginning to] understand is that EU companies never reported data breaches.” In fact, an alarming number of companies worldwide still don’t engage in even the most basic security hygiene, such as patching and updating devices or ensuring consistency for firewall configurations, let alone having tools like forensic analysis and behavioral analytics in place.
It appears that regulations with real teeth, like GDPR and CCPA, are likely to change that.