GDPR: Privacy from Across the Pond - Special Edition

Dave Bittner: [00:00:03] Following major breach revelations from Equifax, Yahoo, Deloitte, and the US Securities and Exchange Commission there have been many calls in the US for increased legislation and regulation that would force better privacy and identity management practices, kind of like they're getting in Europe next year thanks to GDPR - the General Data Protection Regulations set for implementation May 25th, 2018. In this CyberWire Special Edition, will ask some cybersecurity experts about GDPR. What it means for privacy and data use, the right to be forgotten, penalties for noncompliance, and what it means for organizations outside the EU.

Dave Bittner: [00:00:42] Joining us are Steve Durbin, Managing Director of the Information Security Forum, a not-for-profit organization providing its members with guidance on cyber, information security, and risk management; Brett Hansen, Vice President of Data Security Solutions at Dell, one of the largest suppliers of computer hardware, software, and services in the world; and Darron Gibbard, CTSO at Qualys, a global provider of cloud-based security and compliance solutions. Stay with us.

Dave Bittner: [00:01:18] Time to take a moment to thank our sponsor, Cylance. Are you looking for something beyond legacy security approaches? Of course you are. So you're probably interested in something that protects you at machine-speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance: Artificial intelligence. Real threat prevention. And we thank Cylance for sponsoring our show.

Steve Durbin: [00:02:17] I think that, if we go ride the way back, the European Union for some while has been concerned about the volume of data that's being produced as relates to individuals.

Dave Bittner: [00:02:26] That's Steve Durbin, Managing Director of the Information Security Forum.

Steve Durbin: [00:02:30] And what the GDPR really has at its heart is an attempt to protect the rights of the individual. So, it's a very citizen-centric, individual-centric piece of regulation, which is quite different from what we see, perhaps, in other parts of the world. But what the GDPR does is it says, as an EU citizen, you have the right to your information. So, you have a right to understand how it is being used, how it is being protected, stored, at each and every stage of the lifecycle.

Steve Durbin: [00:03:04] And what the Working Party has done around GDPR is try to come up with an approach that protects that information, sets some very clear guidelines for anybody who is dealing with or handling European citizen data. And also, to give powers to the supervisorial authorities that allow them to investigate and really provide some form of tangible sanction, where appropriate, on organisations that, for whatever reason, have not applied the appropriate level of GDPR protection to the personal information that they've been holding.

Brett Hansen: [00:03:40] If you're looking at the laws in place and what GDPR represents, this is a benchmark move by the EU to say that organisations are going to be held accountable if they are collecting, if they are storing, if they are processing citizen information.

Dave Bittner: [00:03:56] That's Brett Hansen, Vice President of Data Security Solutions at Dell.

Brett Hansen: [00:04:00] You now have to be accountable, and you're going to have to be able to document and prove that the data is being safely managed and stored. The EU is clearly drawing a line and making a bold statement, saying, you know, this is important, and, again, if you're operating within our borders, you're going to adhere to the rules or you're going to be facing some serious penalties.

Steve Durbin: [00:04:27] What we have in the GDPR is consistency across all of the member states. So, there is only one GDPR. There is only one way of interpreting that within reason. And of course, in the United States, there are very many different ways of viewing some of the legislation that's being brought out, because some of it is both at the State-level and of course Federal.

Dave Bittner: [00:04:50] And so, how will this affect companies in the United States?

Darron Gibbard: [00:04:54] I firmly believe that it will affect them just as much as it affects the organizations within the EU itself.

Dave Bittner: [00:04:59] That's Darron Gibbard. He's the Chief Technical Security Officer and Managing Director at Qualys.

Darron Gibbard: [00:05:04] It's ensuring that EU citizen data is protected wherever it goes across the globe. PwC did a very good article last October, in the US, where they interviewed over 2,500 organizations within the US, and the average spend per organization was a million dollars on preparing for GDPR and making sure that their organizations were ready. And that's across, obviously, multiple sectors, multiple-size organizations.

Darron Gibbard: [00:05:39] So, if the US is leading by example then, you know, obviously, Australia are working well towards it. I was down in South Africa, basically three weeks ago, they're preparing for it. If I'm totally honest, I probably think everybody outside of the EU is better prepared for the GDPR than what they are within the EU.

Dave Bittner: [00:06:00] Why do you say that?

Darron Gibbard: [00:06:02] Just because of the understatement of the budgets that are being spent, and the preparation that's being put into making sure that the citizen's data is separated and is understood, and is known, and where that data is going, and where and how it's being used within the organizations that are processing it.

Steve Durbin: [00:06:22] The bottom line is that, if a company in the United States is handling European citizen data, then the GDPR will apply. So, if a US corporation has, perhaps, an office in the European Union, and is dealing with citizens' data, then it will apply. Even if it doesn't have an office in Europe, but is handling data that relates to an EU citizen, the GDPR covers that eventuality as well. So, what we're actually looking at with the GDPR - even though it's a piece of European legislation - is legislation that actually impacts organizations all around the world, if they happen to be either acting from the European Union, or using information that relates to a European citizen.

Brett Hansen: [00:07:07] Companies in the US first and foremost need to understand, are they covered by GDPR? And many of them will be. Most companies of any size have operations in Europe, and they are likely to be collecting EU citizens' data, in some form. And for those reasons, they are required to be compliant with GDPR, or face the same penalties that the EU would enforce on companies or organizations who are directly in Europe.

Brett Hansen: [00:07:41] So, even though you might be in Texas, like I am, if you have operations, if you have activities, in the EU, you need to be aware, and you need be adhering to GDPR principles, or face potentially stiff penalties.

Steve Durbin: [00:07:56] If you are dealing with European citizens data, then be under no illusion - the European Union will come after you, and they will catch people. They have sufficient relationships with the authorities in the United States to be able to do that. The key thing is, you know, any organization needs to understand, if they're dealing with European citizen data, then the GDPR covers that eventuality. And believe you me, supervisorial authorities do have the reach and the clout to come after you.

Brett Hansen: [00:08:28] Obviously, it's all about scale, right? So, if you're selling, you know, dongles for fifteen dollars, and you have three customers in Germany, you know, is the EU, you know going to hunt you down, wherever you are - Baltimore, Maryland - and elicit fines? No, I think that's less likely to happen. However, if you have major operations - let's say you have a sales office in Madrid, Spain, or you are operating a fairly extensive website with, you know, translations in German and French and Spanish, and operations, and you're selling through there - the answer to your question is yes. They can actually enforce, if you are not adhering to GDPR.

Brett Hansen: [00:09:10] With all of cybersecurity - and GDPR is just an extension of cybersecurity, it's a regulation - it's all about mitigation of risk. And so, you know, if I'm an American company, my first step is to assess my risk. If I'm doing, you know, 20 million dollars in business in Europe, and it represents 40 percent of my overall bookings for the year, then I'm going to need to take this very seriously. And I'm going to need to understand what the regulations entail. I'm going to need to take the necessary steps to ensure I meet GDPR standards.

Dave Bittner: [00:09:41] I'm curious about - one of the things that GDPR covers is this notion of consent - that consent must be explicit. I think most of us are familiar with EULA - end-user license agreements that are pages and pages long. Are we going to see the end of that? Are we going to see simpler opt-in options for collecting data?

Steve Durbin: [00:10:03] Well, certainly, that's the hope and the intent, I think, behind the GDPR. It is to try to present those kinds of things - those kind of EULAs, as you've mentioned - in simple, easy-to-understand language for individuals. Perhaps more importantly, organizations need to be able to demonstrate that they have the consent of an individual to using their data, as it relates to a particular project, or perhaps campaign.

Steve Durbin: [00:10:30] Now, I'm a marketing guy by training. And for me, you know, this presents a whole range of different issues, because, from a marketing standpoint, of course, we're used to having people either required to opt out of some of the campaigns that we run, or opt in to multiple campaigns. You won't be able to do that anymore under the GDPR. You have to have an opt-in for each and every single campaign that is being run. And that is - if nothing else - presents some significant challenges to the marketing side of the business.

Brett Hansen: [00:11:01] There isn't actual, like, specific language called out that you have to say these eight words, and it has to be at the size of font, but they are encouraging sort of, you know, you do make sure that your folks who your collecting data is - they are aware. And that would naturally limit itself to not burying it in a fifteen-page EULA on, you know, Item 14-6.7.

Dave Bittner: [00:11:22] What about the right to erasure?

Steve Durbin: [00:11:23] The right to be forgotten, as it's often referred to. I think this was one of the key elements that people really talked about when GDPR was first being noted. This really is, I think, the - relies on the core tenants of GDPR. This is about the rights of the individual. So, as an individual, I have the right to go to an organization and ask them to remove my information from their databases. They have no obligation to keep that data once I've made that request, unless it is either core to their business - so, their business will essentially fall apart if they don't have that information - or if someone like, for instance, the IRS or, in this case, it's European - you know, HMRC, or the tax office in the individual member state.

Steve Durbin: [00:12:14] So, the individual really does have control. So I could, for instance, determine that I no longer wish my telecoms carrier to be sending me that whole pile of information, because maybe I've moved carriers, and I can ask for that information then to be removed from all of their systems and databases. And they would have to do that and demonstrate that that indeed was the case.

Steve Durbin: [00:12:35] It also allows the individual, of course, to have what we term "portability of information." So, again, in the case where I'm switching from perhaps one supplier to another, I can request for the information that my current supplier holds be sent to me so that I could take it to a new supplier and say, look, this is my track records, and so, perhaps use that as a bargaining chip in terms of getting the right level of arrangement with a new supplier. So, right to be forgotten, very important, and portability of personal data as well.

Steve Durbin: [00:13:06] So, again, GDPR really views the individual citizen as owning their data. And that's one of the key differences, as we've said, between what happens in the European Union and perhaps other countries like the United States.

Dave Bittner: [00:13:20] And how about enforcement? What's going to be in place in terms of penalties, and even having the funding to have people who can execute the enforcement?

Steve Durbin: [00:13:30] Yeah, the role of the supervisory authority has really been beefed up under the GDPR. They have investigative powers. They have corrective powers, as they're rather nicely referred to. A corrective power allows for supervisorial authority to impose fines that can be up to about 20 million euros. So, today, the exchange rate, that's probably about 20 million dollars. Or, indeed, up to 4 percent of worldwide annual turnover for a serious non-compliance with the GDPR.

Steve Durbin: [00:14:00] There are very many things that the supervisorial authority can do up to that point. So, they have the power, for instance, to close down your processing of personal data, if they believe that you haven't fallen in line with some of the guidelines of GDPR. That, for some organizations, could have a much bigger impact than merely paying a fine.

Steve Durbin: [00:14:21] But, you know, the reality of this is that nobody really knows how these authorities are going to behave and react until the regulation comes in, which is the 25th of May 2018. And I think the other thing I'd say is that nobody really wants to be the first past the post in terms of having the conversations with the supervisorial authority because something has gone wrong.

Dave Bittner: [00:14:42] Is there a sense that companies are preparing properly? Are they going to be ready?

Darron Gibbard: [00:14:46] If you'd have asked me a year ago, I'd have said no. I mean, if you asked me recently, when I engaged with CISOs and I talked to CISOs and CIOs of various organizations - yes, they will be. I think there has been a lot of focus in the last twelve months, basically, within the regulatory bodies, within the vendor space, that has been helping organizations prepare for it. I think 90 percent, 95 percent of organizations will be ready to go by May 25th, 2018.

Steve Durbin: [00:15:22] I don't believe that everybody is. I think there's quite a number of organizations have been taken aback by the sheer volume of work that is required in order to fully understand where personal data is. Just think about the amount of information that is created on an ongoing basis. You have to go through a discovery process within your enterprise to understand how much personal data you've actually been accumulating, and where it's stored, and how it's being shared, perhaps with third parties.

Steve Durbin: [00:15:51] Then, when you've done that, you've got to determine whether or not you're compliant with some of the guidelines from GDPR. And so you have to perform a gap analysis. Now, a lot of organizations have engaged legal firms to help them in this in this particular space. That gives you the perspective on where you actually stand. Then you have to go about implementing the processes and the controls that ensure that you aren't just compliant on day one, but that it's an ongoing process.

Steve Durbin: [00:16:20] So, for me, GDPR is very much more than pure compliance. I think, in a lot of organizations, it does require a change program. It is about raising awareness at the individual level, because of course, this isn't the kind of thing that we can do just once a year, put the tick in the box and then move on. It's an ongoing process. And it really will impact the way in which we behave, I think, as organizations. And more importantly, how individuals within our enterprises handle personal information and personal data.

Brett Hansen: [00:16:54] If you peel away all the regulations in GDPR, it really comes down to knowing your data. And most companies don't. Most companies couldn't tell you what they're collecting, where it's stored, how they're using it, who are using it.

Brett Hansen: [00:17:08] And so, the starting point is having someone who is able to look across the breadth of operations - look across marketing, look across sales, look across HR, all of the different elements that are collecting information - to know what you're collecting. That's a very fundamental point. Are you collecting PII? Are you collecting, you know, address, phone number, Social Security, credit card information? What are you collecting? Where is it being stored? Are you storing it on-premise? Are you storing it in a cloud? Where that cloud? Are you storing it on personal devices? PCs, smartphones, tablets? How are you using it? Is it just being collected and stored, and there's no other activity? Are you using it for mining information? Are you selling it to someone else? That has implications. And then, you know, really another one that's that's often overlooked is, who is using it? And then who should be using it?

Brett Hansen: [00:18:07] So, having someone who's able to answer those questions is a logical starting point for GDPR. Whether that's a dedicated individual, because you have the scope of operation that you need to have that, whether it's someone's part-time job - again, you have to look at that in your company and evaluate your risk and risk mitigation.

Brett Hansen: [00:18:26] But if you're - if you do have some serious scope of operations, then you're going to want to have someone who's able to spend sufficient time to answer those questions, to define a policy around those questions, and then, ultimately, to start to work backwards to say, okay, if these are the activities we're doing with data - this is what we're collecting, this is where it's being stored, this is what we're using it for, these are who are the people using it for - how do we start to reduce our risk? How do we consolidate this towards that data? How do we ensure it's being protected no matter where it's going? How do we ensure that only the right people have access? And we're reducing the number of people who have access, thus further reducing our risk.

Dave Bittner: [00:19:06] Do you suspect that this will become the global standard?

Steve Durbin: [00:19:10] I think we're starting to see that already, yes. I mean, certainly, a large number of countries outside of the European Union have been doing this and saying, okay, if we have to comply with this, then we might as well at least set our own bar at the same level, if not higher. So, I think, when I look at other countries - you know, perhaps in the Far East and across other parts of the world - we're starting to see them fall in line with this, and using it - if not in its entirety - then certainly as a template for handling personal data.

Brett Hansen: [00:19:43] Clearly, I would be someone who would be advocating for increased diligence and regulation on the US side, just because I think there is an opportunity for us too, to be more proactive in encouraging organizations to be better stewards of data. Is GDPR the right set of regulations? Does it really address the key areas that we need to be thinking about? I think there's a lot of things that we can learn from it, once it gets launched.

Brett Hansen: [00:20:09] What GDPR is encouraging companies to do is the right thing. Again, being good stewards over your employees' and your customers' data - that's a good thing to do. It was interesting - we did a - Dell did a survey of business professionals - it was about four or five months ago, so fairly fresh - and we asked them, you know, around data security hygiene and, you know, it was great when you said, okay, do you feel accountable for keeping your company's data safe? Oh, absolutely, like 70 percent said, "Yes! I feel accountable." Okay, I felt pretty good about that. I'd like to see 95 or 100 percent, but 70 percent - okay, good, line-of-business feel they are accountable for keeping their data safe.

Brett Hansen: [00:20:44] Well, what are some of your practices? How do you how do you keep it safe? Well, do you send it outside the organization? 70 percent said yes. Do you use public data-sharing sites for sensitive information? 50 percent said yes. Do you use your work device for personal email and/or social networking? Over half said yes.

Brett Hansen: [00:21:04] Right, so, what came out of that survey was, with employees, a very clear line around, yeah, I think that I should be protecting my company's data, unless it starts to impede me from doing the job that I want to do, in the way I want to do it.

Dave Bittner: [00:21:18] Right.

Brett Hansen: [00:21:18] And it all comes down to sort of, you know, I get paid on getting my job done, whatever it is, as quickly as possible. I don't get paid on good data security hygiene. Heck, I'm a cybersecurity professional. I don't get paid on that. When I talk to my boss, we talk about revenue, we talk about delivering new products, innovation. He's never said, "Are you keeping good data hygiene over your, uh, your customers' information?" No. Never come up in any of my reviews.

Brett Hansen: [00:21:44] But I think that we need to start thinking about that as something that is really important, because, if we don't, we're going to keep seeing employees choose convenience over good data security hygiene. You know, it's still an ongoing challenge, I think, for almost every large company in the world, which is, how do I make sure that all of my employees are motivated and feel responsible, accountable, and educated around data security?

Dave Bittner: [00:22:10] It's interesting that the fines and the penalties are all civil offenses - that there are no criminal offenses for a massive data breach.

Steve Durbin: [00:22:19] No, that's right. And it's interesting to ponder, I suppose, as to whether or not that is going to change. I think that one of the impacts of GDPR coming in next year is that, certainly, we're going to see an increase in the amount of breaches that are reported, because there is a reporting requirement - you have to report to the supervisorial authority within 72 hours of a breach that impacted personal data, for instance. You also have to inform affected individuals, without undue delay, whether there is a high risk to those particular individuals.

Steve Durbin: [00:22:56] So, I do expect that we're going to see an increase, certainly, in volume, whether or not that is an artificial increase. And so, we haven't actually been seeing some of these things, but they've been happening. Who knows? But certainly, I think that, as the volume will increase, again, there will be a temptation to say, well, hang on, should we be actually reviewing this again, now, in the light of organizations perhaps taking their responsibilities not quite as seriously as they might? And what is the role of the C-suite in all of this?

Steve Durbin: [00:23:27] So, I think we're in for some pretty interesting times in terms of the way that the GDPR is implemented, the way in which supervisorial authorities use it, and indeed, what happens after that. Because certainly, we have been seeing, of late, some very large-scale breaches that clearly have been affecting personal information. I'm thinking particularly of things like Equifax, recently, of course. I would expect, over a period of time, that perhaps things will change in this in this place.

Brett Hansen: [00:23:56] Let's talk about Equifax. The breach occurred in May. We don't get a notification till July. The amount of data being collected, and how that data was being protected - it appears to be an afterthought in many ways. So, that's a global company, with huge amounts of operations and resources, and they were not doing a sufficient job of protecting data. Clearly. So, I think GDPR is a good step to focus organizations on good data hygiene.

Brett Hansen: [00:24:30] Honestly, if you looked through what GDPR is asking companies to do, it's the right thing to do, regardless of compliance or not. You know, protecting your customers', your employees' information is important. Whether it's because there is going to be a fine levied by a government agency, or whether you will be potentially sued by customers whose data is lost, whether your brand will be degraded and compromised if your information is lost. There's a value to protecting data. I think GDPR - while a significant regulation - encourages companies to take the right steps to practice far better data hygiene than we've seen over the last few years.

Darron Gibbard: [00:25:13] I'm hoping it will be a very quiet event, and basically a bit like Y2K, and basically it will be become a non-event and just - everything will carry on as per normal. So, from my perspective, I think it will be business as usual. So, organizations - those that are already under regulatory regime - will be prepared, will be ready, and will be, basically, be ready to go. Organizations that are not so used to the regulatory regime will have a lot more work to do to get themselves used to the language of the regulation, and to understand what the impacts would be to their respective organizations.

Steve Durbin: [00:25:59] I think step one is, you know, determine whether or not it's applicable to you. Do you handle data? If you don't, in this particular space, then you can breathe a sigh of relief. So, assess applicability. Do we process personal data about EU residents? That's the first question. If the answer is yes, then you have to look at the controls. Do you require a data protection officer? Do you have a risk assessment process that looks at data protection impact, for instance? Can you demonstrate that? Do you really understand where and how you transfer data? And that includes your third parties.

Steve Durbin: [00:26:33] Then I think you need to look at the legal basis within your enterprise, as well, to make sure that you're covered from that standpoint. And just review, as well, some of your breach reporting requirements. So, some fairly basic things that I think that organizations in the US could be doing to really get in line with the regulations.

Brett Hansen: [00:26:53] This can't be an IT or a compliance officer exercise in a vacuum. This has to be a company business conversation. I have run up across way too many companies, where I meet with the CSO, or I meet with their compliance officer, and they have these great plans, and I say, great, go for it. And I get a call from them six months later, and they say, holy cow, you know, we were going, you know, west, and my CEO took us east, and our cybersecurity plans are off the rails.

Darron Gibbard: [00:27:21] In a lot of cases, with things like privacy by design and privacy impact assessments, security teams have been left out of the project management, of future development strategy conversations with their respective organizations. And I think this is an opportunity for the security industry to mature, and to grow up, and to finally have that C-level, C-suite presence. Because what the cyber - the security teams, the CISOs, the CIOs are going to be protecting the organizations and protecting the CEO from breach, from massive regulatory fines.

Darron Gibbard: [00:28:04] So I think - you know, I've been in this industry for twenty-five years now - I think it's now finally, with the incoming GDPR, the regulation, I think it's going to actually improve. And I think it's going to make the CISO's role a lot more important within organizations.

Brett Hansen: [00:28:26] And so, there has to be a meaningful conversation between those folks who have to do this and the line-of-business teams who are actually going to be the ones who are going to be collecting the data, utilizing the data, storing the data. You've got to find that balance between the different routes. And so, having that meaningful conversation is absolutely essential, but it all starts with the first question, which is, know your data.

Dave Bittner: [00:28:51] Our thanks to Brett Hanson, Steve Durbin, and Darron Gibbard for sharing their views on the GDPR. And thank you for listening. Don't forget to check out our website, thecyberwire.com, where you can sign up for our daily news brief, read interviews, event reports, and more.

Dave Bittner: [00:29:06] The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.