The GDPR Disclosure Problem

Enterprises haven’t always been particularly transparent or timely in disclosing their data breaches. This type of behavior bred significant consumer distrust and was one of the key data security provisions within the GDPR (General Data Protection Regulation).

According to GDPR regulations, companies must “notify personal data breaches likely to present a risk to without undue delay, and within 72 hours if feasible, after becoming aware of the breach.” It’s a clear win for consumers whose data may have been stolen for months before they were notified.

However, the new rules imposed by the EU can be particularly challenging for organisations to disclose a breach within such a tight a timeframe. 

Is 72 hours of discovery a realistic timeframe to accurately assess the breach, affected data and communicate the situation effectively to the public? Most businesses would say that it’s not.

Most organisations have only a vague idea of where all their data is stored, which makes assessing and disclosing the harm of the breach extremely difficult. 

If they unveil a breach too early, businesses risk assessing the situation inaccurately, which means they will have to issue an update, extend a negative news cycle, and further damage their company’s reputation. 

This leaves business, security and IT leaders with a lose-lose situation: either they disclose on time and run the risk of getting it wrong or conduct thorough due diligence to get it right and pay a hefty fine.

Businesses can avoid this situation by aligning their policies and technology. When a data breach transpires, companies should be honest, empathetic and timely, to ultimately maintain their customers’ digital trust.

Not all companies refuse the release of a disclosure for nefarious reasons: they may simply not know they’ve been breached, or it may take a while to determine the scope of the exposure. 

Businesses leverage tools and policies to build transparency to understand where their data is located, providing visibility into cloud infrastructure to streamline the discovery process. Continuous monitoring is the most reliable method of identifying and tracking users who are accessing data on company systems.

Whether you’re on the lookout for an unauthorised employee viewing confidential patient data, or a malicious outsider trying to steal cardholder data, monitoring is vital for a strong security posture. Simply monitoring your infrastructure could help in identifying and disclosing a breach quickly.

Before implementing monitoring tools, it is helpful to perform a full security configuration audit to see the true state of your network and its security to eventually improve cloud infrastructure security posture.

Visibility is incredibly helpful in allowing businesses to move quickly and efficiently during a breach disclosure assessment. 

A best practice would be to centrally collect and view data from all environments, comprehensively leveraging the visibility tool to detect, deny, and disrupt threats. 

If you choose to use a visibility tool, ensure it has host-based, behavioral detection to give you complete wide spread visibility into your environment.

Implementing a security strategy that incorporates real-time vulnerability monitoring, threat intelligence correlation, intrusion detection and full visibility, enables an organisation to become secure by design. 

Meaning a company can go from four hours to four minutes in terms of detection and knowledge about a security event. That alone can drive massive cuts in time-to-detection, enabling the issue of data breach disclosure to be quick and correct.

From monitoring file activity and user activity, to automatically patching vulnerabilities and scanning configurations, security is ingrained within the correct infrastructure and appropriate tools. 

The overall goal of GDPR is to ensure the data privacy of all EU citizens and reshape the way organisations approach data privacy and security. 

Enabling continuous monitoring and complete visibility into your company infrastructure is a way organisations can meet the challenge of assessing, disclosing and even possibly preventing a breach within the 72-hour window.

While there are challenges to GDPR compliance, there are also opportunities to significantly upgrade security infrastructure and create visibility and control over the data in corporate systems as well as the opportunity to build greater trust with your customers.

Infosecurity Magazine:

You Might Also Read:

GDPR Alert As Average ICO Fines Double In A Year

« Cathay Pacific Admits Cyber-Attack
Google Helps Boost High Street Spending »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CIO

CIO

CIO provides technology and business leaders with insight and analysis on information technology trends

RPC

RPC

RPC is a business law firm. Practice areas include technology and cyber risk.

Cifas

Cifas

Cifas are leaders in fraud prevention, working closely with UK law enforcement partners.

Ponemon Institute

Ponemon Institute

Ponemon Institute conducts independent research on data protection and emerging information technologies.

CERT Tonga

CERT Tonga

CERT Tonga is the national Computer Emergency Response Team for Tonga.

Fortanix

Fortanix

Fortanix Runtime Encryption keeps keys, data, and applications completely protected from external and internal threats.

Sequretek

Sequretek

Sequretek was formed with the aim to “Simplify Security”. We envision a future where enterprise networks are streamlined, secure and simple.

Liongard

Liongard

Liongard automates the management and protection of modern IT environments at scale for IT MSPs - Managed Service Providers and Enterprise IT Operations.

spriteCloud

spriteCloud

spriteCloud is an independent software testing, test automation and cybersecurity services provider.

Research Institute in Verified Trustworthy Software Systems (VeTSS)

Research Institute in Verified Trustworthy Software Systems (VeTSS)

The main purpose of VeTSS is to support program analysis, testing and verification, to achieve guarantees of software correctness, safety, and security.

Nardello & Co

Nardello & Co

Nardello & Co. is a global investigations firm with experienced professionals handling a broad range of issues including Digital Investigations & Cybersecurity.

AdvIntel

AdvIntel

AdvIntel is a next-generation threat prevention and loss prevention company launched by a team of certified investigators, reverse engineers, and security experts.

Pathlock

Pathlock

Pathlock (formerly Greenlight) help enterprises and organizations automate the enforcement of any process, access, or IT general control, for any business application.

Kompleye

Kompleye

Kompleye is a recognized cybersecurity and compliance audit organization that offer a comprehensive solution for different industries.

CommandK

CommandK

CommandK provides companies with infrastructure to protect their sensitive data. Built-in solutions to prevent data-leaks and simplify governance.

OneCollab

OneCollab

OneCollab, your unwavering ally in the dynamic landscape of IT services and cybersecurity.