As you may well be aware by now (and if you’re not, take a look here, here and here to catch up. Or even Wikipedia. I’ll wait), on 25 May 2018 a new regulation called the General Data Protection Regulation, or GDPR, comes into effect. This regulation has several huge ramifications for anyone who handles personal data (which is practically everyone), and for security practitioners in particular. One of the more devastating consequences is a fine of up to €20 million or 4% of annual global turnover, whichever is higher. I’ll let that sink in a moment, because this is a massive leap from the maximum £500,000 fine the ICO could impose under the 1998 Data Protection Act. GDPR is a serious piece of legislation, with very sharp teeth, for a serious issue.
It isn’t all hellfire, damnation and threatening sermons, though. There are suggestions on good practice for data handling and for mitigating the risk of data breaches. It outlines the reporting procedure for data breaches, which breaches put data subjects at risk, and which can be treated as negligible.
I’m not going to go through every point of this regulation here; it’s far too big, detailed and complex a piece of legislation for a blog, but I am going to walk through the parts salient to CyberSec practitioners. Unlike the DPA, this isn’t a law that can be treated lightly and used more as a guideline, as the upper fine limit demonstrates. This week, I’ll give you a brief overview of data breaches.
Data breaches are a big part of the GDPR’s raison d’être. As practitioners of the Cyber Security arts, we are expected to make every effort to protect and control all data within the realm of our networks, but we are also savvy enough to know that breaches of security are near inevitable: no system is perfect unless it is completely inaccessible, which defeats the object of the system.
Article 33 deals with what you need to do should such a breach occur, namely notifying the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of the breach. Should it not be reported within this time-frame, without reasonable justification for the delay, a fine of up to €10 million or 2% of annual global turnover can be imposed. When reporting, you must describe the nature of the breach, including the categories and approximate number of data subjects and records affected, give the name and contact details of the Data Protection Officer (or another point of contact), set out the likely consequences, and explain the measures you have taken or plan to take in response. If it can be determined that the breach is likely to result in a high risk to the data subjects, then under Article 34 they must also be notified without undue delay. However, if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” (Article 33(1)), then notification of the supervisory authority is not required. Note that the 72-hour clock starts when you become aware of the breach, not when the breach occurred, so your detection and incident response capability determines how much of that window you actually get to use.
What all of this means, put simply, is that a) blue team need to batten down the hatches; b) red team players are looking at a fair bit of work to help this along; and c) no more hiding hacks and breaches. Hiding them will do neither your company nor you any favours, and could easily get you a bad reputation in an industry where reputation is your business.
Next week: Pseudonymisation