The GDPR Disclosure Problem

Enterprises haven’t always been particularly transparent or timely in disclosing their data breaches. This behaviour bred significant consumer distrust and is why breach notification became one of the key data security provisions of the GDPR (General Data Protection Regulation).

According to GDPR regulations, companies must “notify personal data breaches likely to present a risk to without undue delay, and within 72 hours if feasible, after becoming aware of the breach.” It’s a clear win for consumers whose data may have been stolen for months before they were notified.

However, the new rules imposed by the EU make it particularly challenging for organisations to disclose a breach within such a tight timeframe.

Is 72 hours from discovery a realistic timeframe in which to accurately assess the breach and the affected data, and to communicate the situation effectively to the public? Most businesses would say that it’s not.

Most organisations have only a vague idea of where all their data is stored, which makes assessing and disclosing the harm of the breach extremely difficult. 

If they disclose a breach too early, businesses risk assessing the situation inaccurately, which means they will have to issue an update, extending a negative news cycle and further damaging the company’s reputation.

This leaves business, security and IT leaders with a lose-lose situation: either they disclose on time and run the risk of getting it wrong, or they conduct thorough due diligence to get it right and pay a hefty fine for being late.

Businesses can avoid this situation by aligning their policies and technology. When a data breach transpires, companies should be honest, empathetic and timely, to ultimately maintain their customers’ digital trust.

Not all companies delay a disclosure for nefarious reasons: they may simply not know they’ve been breached, or it may take a while to determine the scope of the exposure.

Businesses can use tools and policies to understand where their data is located, gaining visibility into cloud infrastructure that streamlines the discovery process. Continuous monitoring is the most reliable method of identifying and tracking which users are accessing data on company systems.

Whether you’re on the lookout for an unauthorised employee viewing confidential patient data, or a malicious outsider trying to steal cardholder data, monitoring is vital for a strong security posture. Simply monitoring your infrastructure could help in identifying and disclosing a breach quickly.
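The kind of monitoring the article describes, as an added illustration that is not part of the original article: a small Python check that scans data-access log lines, flags a user whose role is not permitted to read a data class (the "unauthorised employee viewing patient data" case) and a user bulk-reading a sensitive class (the "outsider stealing cardholder data" case), then counts the 72-hour notification window from the first alert, since that is the moment the organisation can be said to have become aware. The roles, data classes, thresholds and log lines are all constructed assumptions for this example.

```python
"""
Toy continuous-monitoring check (added example, not the article's own code):
scan constructed data-access log lines, flag accesses that violate a
role-to-data-class policy or exceed a per-user volume threshold, and compute
the GDPR 72-hour notification deadline from the first alert.
All roles, data classes, thresholds and log lines are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical policy: which data classes each role may legitimately read.
ALLOWED = {
    "clinician": {"patient_record"},
    "billing":   {"cardholder_data", "invoice"},
    "helpdesk":  {"invoice"},
}

# Constructed sample log lines: timestamp user role data_class record_id
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice clinician patient_record 1001
2024-03-01T08:05:40Z bob helpdesk invoice 5542
2024-03-01T08:06:02Z bob helpdesk patient_record 1002
2024-03-01T08:06:05Z bob helpdesk patient_record 1003
2024-03-01T09:15:00Z carol billing cardholder_data 9001
2024-03-01T09:15:01Z carol billing cardholder_data 9002
2024-03-01T09:15:02Z carol billing cardholder_data 9003
2024-03-01T09:15:03Z carol billing cardholder_data 9004
"""

BULK_THRESHOLD = 3                    # more than this many reads of one class ...
BULK_WINDOW = timedelta(minutes=5)    # ... inside this window is suspicious
NOTIFY_WINDOW = timedelta(hours=72)   # GDPR "where feasible" notification window


def parse_line(line):
    """Parse one whitespace-separated log line into a dict with a UTC timestamp."""
    ts, user, role, data_class, record_id = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user, "role": role, "data_class": data_class, "record_id": record_id,
    }


def detect(log_text):
    """Return alerts as (timestamp, rule, user, detail) tuples, sorted by time."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    # Rule 1: the user's role is not permitted to read this data class.
    for e in events:
        if e["data_class"] not in ALLOWED.get(e["role"], set()):
            alerts.append((e["ts"], "unauthorised_access", e["user"],
                           f"{e['role']} read {e['data_class']} {e['record_id']}"))
    # Rule 2: bulk reads of one data class by one user inside a sliding window.
    per_key = defaultdict(list)
    for e in events:
        per_key[(e["user"], e["data_class"])].append(e["ts"])
    for (user, data_class), stamps in per_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BULK_WINDOW:
                start += 1
            count = end - start + 1
            if count > BULK_THRESHOLD:
                alerts.append((stamps[end], "bulk_access", user,
                               f"{count} {data_class} reads within {BULK_WINDOW}"))
                break  # one alert per user/class is enough here
    alerts.sort()
    return alerts


def notification_deadline(alerts):
    """Awareness starts at the first alert; return (aware_at, deadline) or None."""
    if not alerts:
        return None
    aware_at = alerts[0][0]
    return aware_at, aware_at + NOTIFY_WINDOW


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for ts, rule, user, detail in found:
        print(ts.isoformat(), rule, user, detail)
    aware, deadline = notification_deadline(found)
    print("aware at", aware.isoformat(), "-> notify by", deadline.isoformat())
```

On the sample data the helpdesk user's two patient-record reads and the billing user's four cardholder reads in three seconds each raise an alert, and the clock starts at 08:06:02 UTC on 1 March, giving a deadline of 08:06:02 UTC on 4 March. A real deployment would feed such alerts into an incident record so the "became aware" timestamp is captured once and not argued about later.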

Before implementing monitoring tools, it is helpful to perform a full security configuration audit to see the true state of your network and its security to eventually improve cloud infrastructure security posture.

Visibility is incredibly helpful in allowing businesses to move quickly and efficiently during a breach disclosure assessment. 

A best practice would be to centrally collect and view data from all environments, comprehensively leveraging the visibility tool to detect, deny, and disrupt threats. 

If you choose to use a visibility tool, ensure it has host-based, behavioural detection to give you complete, widespread visibility into your environment.

Implementing a security strategy that incorporates real-time vulnerability monitoring, threat intelligence correlation, intrusion detection and full visibility enables an organisation to become secure by design.

This means a company can go from four hours to four minutes in terms of detection and knowledge of a security event. That alone can drive massive cuts in time-to-detection, enabling data breach disclosure to be both quick and correct.

From monitoring file activity and user activity, to automatically patching vulnerabilities and scanning configurations, security becomes ingrained when the right infrastructure and appropriate tools are in place.

The overall goal of GDPR is to ensure the data privacy of all EU citizens and reshape the way organisations approach data privacy and security. 

Enabling continuous monitoring and complete visibility into your company infrastructure is a way organisations can meet the challenge of assessing, disclosing and even possibly preventing a breach within the 72-hour window.

While there are challenges to GDPR compliance, there are also opportunities to significantly upgrade security infrastructure and create visibility and control over the data in corporate systems as well as the opportunity to build greater trust with your customers.

Infosecurity Magazine:
