With so much emphasis on impending obligations under the federal government’s Notifiable Data Breaches (NDB) regime, many Australian companies are yet to appreciate their obligations under new European privacy guidelines that will go into effect just 3 months after the NDB.
The new European Union GDPR (General Data Protection Regulation) is an extensive rewrite of the EU’s privacy laws, replacing the 1995 Data Protection Directive, that emphasises protection of personal data (what Australian practitioners usually call personally identifiable information, or PII) and rights including the right for consumers to access data held about them; the ‘right to be forgotten’; breach notification requirements; data portability requirements; design of systems using ‘privacy by design’ principles; and the formal appointment of Data Protection Officers (DPOs) to manage data practices within companies whose operations “require regular and systematic monitoring of data subjects on a large scale”.
Any CIO or CSO who hasn’t carefully read through the changes may be up for an unpleasant shock when they do – and even more so, Symantec’s APJ director of government affairs Brian Fletcher told CSO Australia, because the GDPR is both binding on many Australian companies and does not feature exemptions for small businesses like the NDB does.
This means that if small Australian businesses (with revenues under the NDB’s $3m per annum threshold) are serving customers in Europe – something that has become commonplace for anybody doing business online – they need to develop formal policies for notifying the supervisory authority within 72 hours of becoming aware of a breach, even though such policies are not required of them under the new Australian legislation.
“There is very little recognition that the GDPR is going to be extraterritorial,” Fletcher explained. “It defines a particular structure around privacy, and you have to bring your products to market in a privacy-default way. And anyone who collects anything that is private data needs to comply.”
The need to appoint a formal DPO is, Fletcher warned, designed to escalate the privacy discussion to the board level and keep it there – something that has been challenging for many cybersecurity leaders whose employers aren’t necessarily as engaged with their cybersecurity practices as they should be.
“Australian companies need to be careful of the fact that these restrictions impact along the entire length of their data supply chain,” he said. “Anything that could identify a person needs to be treated as privacy data under the GDPR. You need to prove that you’re doing the right thing all the time.”
Many companies are demonstrably not doing the right thing, all the time. Threat-management firm RiskIQ, for one, recently audited 99,467 web pages belonging to FTSE 30 companies and found that 34 percent of the 13,194 pages collecting PII aren’t even bothering to secure it. This includes 3.5 percent that are using old, crackable encryption algorithms; 1.5 percent with expired digital certificates; and 29 percent that are not using any encryption at all.
“Insecure collection of PII is not just a GDPR compliance violation,” the firm warned in a statement in which it also highlighted the regulation’s requirement that companies obtain explicit opt-in consent from EU citizens. “The loss of personal data, profit, and reputation resulting from the use of insecure forms is a legitimate concern for consumers, as well as shareholders.”
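The three failure modes RiskIQ counted (forms posted without encryption, forms posted to hosts with expired certificates, and forms posted over old algorithms or protocol versions) are easy to check for mechanically. The script below is an added example written for this page, not RiskIQ’s tooling. It assumes a field-name heuristic for spotting PII fields, and the sample pages, hostnames and certificate metadata are constructed inline so it runs offline; in a real audit the pages would be fetched and the certificate fields taken from the TLS handshake.

```python
"""Audit constructed HTML pages for forms that collect personal data insecurely."""
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments that suggest a form collects personal data (hypothetical heuristic).
PII_FIELD_HINTS = ("email", "name", "phone", "address", "dob", "birth", "card", "passport")
# Signature algorithms and protocol versions treated as "old, crackable" for this demo.
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


class FormCollector(HTMLParser):
    """Collect every <form> on a page with its action URL and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or a.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def pii_fields(fields):
    """Return the subset of field names that look like personal data."""
    return [f for f in fields if any(hint in f for hint in PII_FIELD_HINTS)]


def audit_page(page_url, html, cert_info, now):
    """Return (target_url, issue, fields) for each PII-collecting form posted insecurely.

    cert_info maps hostname -> {"not_after": datetime, "sig_alg": str, "protocol": str}.
    Here it is constructed; a real audit would populate it from the TLS handshake.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        pii = pii_fields(form["fields"])
        if not pii:
            continue  # search boxes and the like are out of scope
        target = urljoin(page_url, form["action"])  # an empty action posts back to the page
        parsed = urlparse(target)
        if parsed.scheme != "https":
            findings.append((target, "no-encryption", pii))
            continue
        cert = cert_info.get(parsed.hostname)
        if cert is None:
            findings.append((target, "no-certificate-data", pii))
            continue
        if cert["not_after"] <= now:
            findings.append((target, "expired-certificate", pii))
        if cert["sig_alg"] in WEAK_SIG_ALGS or cert["protocol"] in WEAK_PROTOCOLS:
            findings.append((target, "weak-crypto", pii))
    return findings


def audit_site(pages, cert_info, now):
    """Audit many pages; return (number of insecure PII-collecting pages, per-issue counts)."""
    counts = {"no-encryption": 0, "expired-certificate": 0, "weak-crypto": 0, "no-certificate-data": 0}
    insecure_pages = 0
    for url, html in pages.items():
        findings = audit_page(url, html, cert_info, now)
        if findings:
            insecure_pages += 1
        for _, issue, _ in findings:
            counts[issue] += 1
    return insecure_pages, counts


# Constructed sample pages and certificate metadata; none of these hosts are real.
NOW = datetime(2017, 8, 1, tzinfo=timezone.utc)
SAMPLE_PAGES = {
    "http://www.example-a.test/newsletter":
        '<form action="/subscribe"><input name="email"><input type="submit"></form>',
    "https://www.example-b.test/signup":
        '<form method="post"><input name="fullName"><input name="email"><input name="password"></form>',
    "https://www.example-c.test/checkout":
        '<form action="https://pay.example-c.test/charge"><input name="card_number"><input name="cvv"></form>',
    "https://www.example-d.test/search":
        '<form action="/search"><input name="q"></form>',  # no PII: must not be flagged
    "https://www.example-e.test/contact":
        '<form action="http://forms.example-e.test/send"><input name="phone"><textarea name="message"></textarea></form>',
}
SAMPLE_CERTS = {
    "www.example-b.test": {"not_after": datetime(2017, 3, 1, tzinfo=timezone.utc),
                           "sig_alg": "sha256WithRSAEncryption", "protocol": "TLSv1.2"},
    "pay.example-c.test": {"not_after": datetime(2018, 1, 1, tzinfo=timezone.utc),
                           "sig_alg": "sha1WithRSAEncryption", "protocol": "TLSv1"},
}

if __name__ == "__main__":
    pages, counts = audit_site(SAMPLE_PAGES, SAMPLE_CERTS, NOW)
    print(f"{pages} of {len(SAMPLE_PAGES)} sample pages post personal data insecurely: {counts}")
```

Note that the check is on where the form posts, not on the page that serves it: the example-e page is itself served over HTTPS but submits the phone number to a plain-HTTP host, which is exactly the kind of form the audit above counts as unencrypted.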
Licensing and contractual agreements will need to be reviewed, Fletcher warned, with privacy controls explicitly addressed in a GDPR-compliant way. This includes simplifying end user licensing agreements (EULAs): “an 80-page EULA is neither specific nor could you argue that someone is informed” about their rights under GDPR controls, he said.
Despite having nearly a year left before non-compliance threatens them with fines as large as 4% of global annual turnover (or €20 million, whichever is higher), Fletcher expects many businesses will drag their feet on GDPR compliance until the last days before the new regulation kicks in.
“I’ve worked in regulation for a number of years and I’m relatively pessimistic about people’s ability to get in well in advance of deadlines,” he said. “But Europe is a big market and Australian companies can’t afford to lose access to that market.”
Boards know that, but they may not intrinsically appreciate the importance of engaging information-security specialists at the highest level. The magnitude of the attitude shift that GDPR requires is reflected in the results of the recent Nuix Black Report, which surveyed dozens of ethical hackers about their practices and included questions about their perception of boards’ security attitudes, and what those hackers would tell their boards if they had the chance.
Just 44 percent believed their boards see security as being crucial to the future success of the business, while 30 percent said it was seen as a compliance requirement and 15 percent believed boards do “just enough to show we think it’s important but no more”.
Advice from hackers for security decision-makers included reinforcing the importance of staff training – “you need to turn your weakest link into your greatest asset” – as well as marrying people and technology; assuming humans will fail; and understanding that security is “a journey, not a destination”.
Respondents recommended that boards “trust your security professionals”; understand that there is a ROI for security and that “it is not a waste of time or money”; empower their CISO because “nothing is worse than a CISO with no ability to effect change”; and that it’s more important to detect an attack than to deflect one.
This last point will be crucial for compliance with the GDPR, which is as much about openness around privacy breaches as it is about preventing them in the first place. Companies that are circumspect about admitting their compromises may quickly find themselves made examples of by an EU that has become increasingly tired of fighting over privacy with US-based Internet giants.
Under the GDPR, “fines are so large that they could be an existential threat to your company,” Fletcher said. “We see people on security teams that are essentially divorced from the rest of the risk management of the business. They’re making decisions on behalf of the business that are potentially putting their entire reason to exist at risk.”
It would seem to be a slam-dunk – but many companies are still struggling to change their culture to provide the kind of openness that the NDB and GDPR require. The key, said Charles Henderson, head of IBM’s X-Force Red ethical-hacking arm, is for all businesses to move past old and arbitrary divisions and change their security culture to be responsive at every level of the business.
“Companies that think of security as a fixed destination are not successful”, Henderson recently told CSO Australia. “Agility is key not just in business but also in security. But if security testing becomes an obstacle to the business, guess who wins that battle – the business. If we can integrate security testing into the business lifecycle, we set up that business for success down the road.”