In May 2016, the European Union (“EU”) published the EU General Data Protection Regulation (“GDPR”) which became effective throughout all Member States in 2018. For U.S. companies operating in the EU, or holding themselves out to EU citizens, GDPR expands the concept of “personal data” that is protected. Business contact information and other things that identify specific people, such as emails and IP addresses, are all captured by GDPR. There are also stricter network and information security requirements.
Organizations need to implement and demonstrate appropriate technical and organizational measures to ensure an appropriate level of security. For many companies, this means that security measures must include pseudonymization and encryption, the ability to restore personal data in a timely manner, and regular testing and assessment. Those requirements should be detailed in an incident response plan, which is tested regularly, so that a company can detect breaches.
Under GDPR, if a cybersecurity event that amounts to a data breach has occurred, GDPR requires organizations to report the breach within 72 hours from the time they have become aware of it. What this means is that a company needs to be able – at a minimum – to understand its network and therefore differentiate cybersecurity events across several dimensions:
Large Potential for Administrative Fines
There are two types of administrative fines that can be imposed on a company. The lower level first fine is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. This is for violations of GDPR Article 83(4), which covers, amongst other things, security of processing data. The second fine is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. This is for Article 83(5) violations, which covers actions like the basic processing of data and consent. In determining whether to assess an administrative fine, a company’s technical and organizational measures will be examined – this will likely include an examination of a company’s security stack and incident response processes.
Fines for failing to comply with the above are based upon 10 general criteria, with two of the most important mitigating factors being: (a) did the company take actions to mitigate damage to the data subjects; and (b) did the company take actions to prevent the damage, which examines technical and operational preparedness. Inevitably this requires a company to maintain an accurate data inventory and a formal incident and breach response policy/plan. This is also why the use of products/services that do not allow for appropriate detection and response time would expose an enterprise.
Using Fidelis in Conjunction with Cyber Terrain Mapping, Crown Jewels Identification, and Tagging
GDPR requires a company to understand what data it collects, how that data is used, and how it is transmitted to and from the company. This is called data mapping. Data mapping is also essential for maintaining a secure network – if you don’t know what data you have and where it is, it is impossible to protect. The first step requires some pre-planning in the form of identifying the IT systems where such data will be placed. Through Fidelis’ ability to map, monitor, and assess any change in cyber terrain, organizations can quickly determine if data has been exfiltrated. Coupled with the ability to perform robust data loss prevention (DLP) through carefully inspecting headers and footers in data, the Fidelis platform offers the ability to integrate deep visibility for data in transit with the ability to replay events in the past. DLP, terrain mapping, deep visibility, and network playback are the four-fold approach toward supporting an organization’s ability to quickly identify the type of data exfiltrated in a breach. If sensitive data characteristics are known, i.e. the headers and footers, data exfiltration can be blocked and alerted. This can offer additional handling steps that offer pre-breach protections.