The GDPR Disclosure Problem

Uploaded on 2018-11-28 in NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-Law

Enterprises haven’t always been particularly transparent or timely in disclosing their data breaches. This type of behavior bred significant consumer distrust and was one of the key data security provisions within the GDPR (General Data Protection Regulation).

According to GDPR regulations, companies must “notify personal data breaches likely to present a risk to without undue delay, and within 72 hours if feasible, after becoming aware of the breach.” It’s a clear win for consumers whose data may have been stolen for months before they were notified.

However, the new rules imposed by the EU can be particularly challenging for organisations to disclose a breach within such a tight a timeframe. 

Is 72 hours of discovery a realistic timeframe to accurately assess the breach, affected data and communicate the situation effectively to the public? Most businesses would say that it’s not.

Most organisations have only a vague idea of where all their data is stored, which makes assessing and disclosing the harm of the breach extremely difficult. 

If they unveil a breach too early, businesses risk assessing the situation inaccurately, which means they will have to issue an update, extend a negative news cycle, and further damage their company’s reputation. 

This leaves business, security and IT leaders with a lose-lose situation: either they disclose on time and run the risk of getting it wrong or conduct thorough due diligence to get it right and pay a hefty fine.

Businesses can avoid this situation by aligning their policies and technology. When a data breach transpires, companies should be honest, empathetic and timely, to ultimately maintain their customers’ digital trust.

Not all companies refuse the release of a disclosure for nefarious reasons: they may simply not know they’ve been breached, or it may take a while to determine the scope of the exposure. 

Businesses leverage tools and policies to build transparency to understand where their data is located, providing visibility into cloud infrastructure to streamline the discovery process. Continuous monitoring is the most reliable method of identifying and tracking users who are accessing data on company systems.

Whether you’re on the lookout for an unauthorised employee viewing confidential patient data, or a malicious outsider trying to steal cardholder data, monitoring is vital for a strong security posture. Simply monitoring your infrastructure could help in identifying and disclosing a breach quickly.

Before implementing monitoring tools, it is helpful to perform a full security configuration audit to see the true state of your network and its security to eventually improve cloud infrastructure security posture.

Visibility is incredibly helpful in allowing businesses to move quickly and efficiently during a breach disclosure assessment. 

A best practice would be to centrally collect and view data from all environments, comprehensively leveraging the visibility tool to detect, deny, and disrupt threats. 

If you choose to use a visibility tool, ensure it has host-based, behavioral detection to give you complete wide spread visibility into your environment.

Implementing a security strategy that incorporates real-time vulnerability monitoring, threat intelligence correlation, intrusion detection and full visibility, enables an organisation to become secure by design. 

Meaning a company can go from four hours to four minutes in terms of detection and knowledge about a security event. That alone can drive massive cuts in time-to-detection, enabling the issue of data breach disclosure to be quick and correct.

From monitoring file activity and user activity, to automatically patching vulnerabilities and scanning configurations, security is ingrained within the correct infrastructure and appropriate tools. 

The overall goal of GDPR is to ensure the data privacy of all EU citizens and reshape the way organisations approach data privacy and security. 

Enabling continuous monitoring and complete visibility into your company infrastructure is a way organisations can meet the challenge of assessing, disclosing and even possibly preventing a breach within the 72-hour window.

While there are challenges to GDPR compliance, there are also opportunities to significantly upgrade security infrastructure and create visibility and control over the data in corporate systems as well as the opportunity to build greater trust with your customers.

Infosecurity Magazine:

You Might Also Read:

GDPR Alert As Average ICO Fines Double In A Year

« Cathay Pacific Admits Cyber-Attack
Google Helps Boost High Street Spending »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Packet Storm

Packet Storm

Packet Storm is an online resource for security tools, whitepapers, exploits, and advisories on computer security issues.

Barracuda Networks

Barracuda Networks

Barracuda provides a range of solutions covering network security, data storage, protection and disaster recovery.

JPCERT/CC

JPCERT/CC

JPCERT/CC is the first Computer Security Incident Response Team (CSIRT) established in Japan.

Array Networks

Array Networks

Array Networks, the network functions platform company, develops purpose-built systems for hosting virtual networking and security functions with guaranteed performance.

Automox

Automox

Remediate vulnerabilities 30X faster than the industry norm – and dramatically reduce your risk with simple, fast, and cloud-native endpoint hardening from Automox.

Nominet

Nominet

Nominet's cyber division offers network detection and response services to governments and enterprises worldwide.

Secure Technology Integration Group (STIGroup)

Secure Technology Integration Group (STIGroup)

Secure Technology Integration Group, Ltd. (STIGroup) is an innovative firm that provides CyberSecurity consulting, secure IT engineering, managed security services, and human capital solutions.

Viria

Viria

Viria is an information and security technology solution provider that promotes digitalization in a secure way.

Horizon3.ai

Horizon3.ai

Horizon3.ai is a leader in security assessment and validation enabling continuous security overwatch from an attacker’s perspective through our NodeZero SaaS solution.

Cyber Defense Networking Solutions (CDNS)

Cyber Defense Networking Solutions (CDNS)

CDNS is a global network infrastructure provider whose platforms are engineered for security, optimized for speed and designed for resiliency.

Sotero

Sotero

Sotero is the first cloud-native, zero trust data security platform that consolidates your entire security stack into one easy-to-manage environment.

Quartz Network

Quartz Network

Quartz Network is a curated community for change-makers, up-and-comers, and professionals who are ready to grow, adapt, and thrive.

Eventus Security

Eventus Security

Eventus, are a team of highly skilled professionals who are committed to deliver excellence in next generation cyber security services and customized solutions for your enterprise.

SignMyCode

SignMyCode

SignMyCode is a one-stop shop for trusted and authentic code signing solutions to safeguard software.

Vector Choice Technologies

Vector Choice Technologies

Vector Choice Technology Solutions has a long standing reputation in cyber security consulting since 2008.

Dotsquares

Dotsquares

Dotsquares leverage the latest web and mobile technologies to build, grow and support your business.