As U.S. companies scramble to meet the European Union's General Data Protection Regulation, security professionals question whether they can implement changes in time for the May 25, 2018, deadline. It's not clear whether they have the tools and processes in place to properly respond to the 72-hour GDPR breach notification requirement.
"I think the 72-hour time period is a really quick turnaround," said Bob West, CEO of consultancy Echelon One. "Even many of the banks I worked with on this were in a reactionary mode. And if the banks are reactionary, think about everyone else."
The mandatory 72-hour GDPR breach notification period has security professionals concerned because the U.S. has no national data breach notification requirement, and the hodgepodge of 48 state laws that exist typically require notification within 30 to 45 days. With potential sanctions and fines of up to $20 million or 4% of global revenue, companies are on alert.
GDPR replaces the Data Protection Directive of 1995. The GDPR breach notification requirement caught the attention of CISOs after the new regulations passed in April 2016, because compliance sets a high bar for data inventory, a defined risk management process and mandatory notification of the data protection authorities.
"Breach notification is a very big task and needs to have involvement from everyone inside the organization," said Neil Thacker, deputy CISO at Forcepoint, in a video interview last April, "Main GDPR Challenges for CISOs." In it, Thacker said, "CISOs need to get a very good understanding of data breaches and the data breach notification requirements, and make sure it is pervasive across the organization, so they are prepared to respond to security incidents."
GDPR applies to any company that does business in Europe and collects the personally identifiable information of European citizens. And it's not only for large global companies; midsize businesses that have 250 or more employees must meet the GDPR requirements. Smaller companies are exempt, however, unless the data processing is "likely to result in a risk to the rights and freedoms of data subjects, … is not occasional, or the processing includes special categories of data … relating to criminal convictions and offenses."
Many global banks reached for comment declined.
However, one large U.S.-based bank said it has been preparing for GDPR for about a year now. The bank, which requested to remain anonymous, has assigned a governance team of senior level people across departments.
When asked about the GDPR breach notification requirement, a spokesperson for the bank said that they were not worried about it: "As a financial institution, we are accustomed to notifying regulators and have the existing infrastructure to respond," in part because the banking industry has been heavily regulated since the 2007-2008 financial crisis.
Five-step action plan for GDPR
PwC's Carolyn Holcomb offers five steps companies should take to comply with the General Data Protection Regulation.
- Do a data inventory. Companies need to understand where personally identifiable information resides. This includes the geographic locations, data in the cloud and the various databases that are storing the data.
- Run a gap analysis. Once CISOs know where sensitive data resides, they should perform a gap assessment to understand the GDPR regulations and to what extent they are in compliance.
- Make a plan. Determine who in the organization is responsible for the detailed documentation. Which people are in the trenches doing the actual work? Do tabletop exercises to decide how your plan will work, then set timelines and milestone markers.
- Focus on privacy. Companies really need to consider hiring a data protection officer. Remember that "the right to be forgotten" means that consumers have the right to have their data erased.
- Document and monitor everything. So much of being in compliance will be the ability to demonstrate that the organization has done its due diligence when it comes to privacy. In the event of a breach, it can document its incident response plan and that in-depth security program.
What's the norm?
International banks have more resources than most organizations, so they may be more likely to have the people and processes in place to meet the 72-hour GDPR breach notification period and the vast majority of the GDPR regulations.
But that's not the norm. Last fall, a PwC study found that 36% of companies surveyed had only recently started the assessment process, meaning their GDPR compliance work had barely begun. The reality is that many of these companies have no chance of being compliant when the regulations go into effect this May.
Carolyn Holcomb, a partner in PwC's National Data Protection & Privacy Practice, pointed out that CISOs need to understand that the EU is serious.
"Failure to comply with the new regulations may result in hefty fines of up to 4% of global revenues," she said. "Companies are also going to have to prepare for the reality that employees and consumers will also be able to file class-action suits against them for noncompliance. Companies also need to be thinking about their vendors upstream and downstream. The result is that everyone is rewriting their contracts."
Moreover, the EU is likely to impose a hefty fine against a major company not long after the new regulations go into effect, security experts warned.
"I think the EU will make an example of a company within the first 90 days," consultant West said.
"A lot of people are burying their heads in the sand, thinking that GDPR doesn't apply to them," he said. "Many are just taking the chance that it won't be them that gets hit with the fine. But anybody doing e-commerce over the web has to take a serious look at GDPR.
"Much of the problem is a lack of education," he added. "Security people have many priorities today, and many have just not found the time to focus on this."
Technology's role in compliance
Enterprise Strategy Group senior analyst Jon Oltsik concurred with West that the EU will make an example of a large global company by late summer 2018.
Given this backdrop, he advised companies to focus on the positive aspects of GDPR and take the opportunity it presents to formalize incident response plans. As a general rule, organizations that have met most of the International Organization for Standardization information security requirements should be in pretty good shape.
"Many companies have formal disaster recovery plans for events like a hurricane," Oltsik said. "What can happen is that people will get scared and just start buying products. Unfortunately, too many companies waited until now to focus on GDPR, and their service providers can't really help them."
On the technology front, Oltsik said organizations need to have a broad-based security posture to comply with GDPR, underscoring that GDPR protection "doesn't come in a kit." Data loss prevention will be important, as well as encryption, key management and user behavior monitoring -- all technologies that work to secure and protect against unauthorized access to sensitive information.
DLP software can handle data classification and discovery, while analytics can eliminate much of the manual work and give security teams pertinent information quickly. "That kind of data can get very noisy," said Oltsik, who noted some vendor partnerships. "The analytics sits above the DLP and distinguishes between the noise and truly suspicious behavior."
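The data inventory step of the action plan above and the DLP classification and discovery described here both come down to the same task: scanning every store for records that contain personal data and recording where each category lives. The following is an added example written for this article, not code from PwC, Forcepoint or any DLP vendor. It scans constructed sample data stores with deliberately simple regular expressions (a production classifier would use validated detectors and checksum rules, for example for IBANs) and produces a per-location inventory that also flags "special category" data of the kind the regulation singles out, such as criminal conviction records. All store names, records and values are made up for the example.

```python
import re

# Constructed sample "data stores": location -> list of text records.
# Every value here is invented for the example; none of it is real data.
SAMPLE_STORES = {
    "eu-west-1/crm-db/customers": [
        "name=Anna Schmidt; email=anna.schmidt@example.de; phone=+49 30 1234567",
        "name=Luc Martin; email=luc.martin@example.fr; iban=FR7630006000011234567890189",
    ],
    "us-east-1/s3/marketing-exports": [
        "campaign=spring; clicks=1200; region=EU",
        "lead_email=p.rossi@example.it; consent=yes",
    ],
    "on-prem/hr-share/background-checks": [
        "employee=E1042; note: criminal conviction record reviewed 2017-11-02",
    ],
}

# Simplified detectors for common PII categories (assumption: good enough for a
# first-pass inventory; a real DLP engine validates far more carefully).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{1,3}[ \d]{6,}"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

# Keywords that indicate GDPR "special category" data; list is illustrative only.
SPECIAL_CATEGORY_TERMS = ("criminal conviction", "health", "religion", "ethnic")


def classify_record(record):
    """Return the set of PII categories detected in one text record."""
    found = {name for name, pattern in PII_PATTERNS.items() if pattern.search(record)}
    lowered = record.lower()
    if any(term in lowered for term in SPECIAL_CATEGORY_TERMS):
        found.add("special_category")
    return found


def build_inventory(stores):
    """Map each location to the PII categories it holds and how many records carry PII.

    Locations with no detected personal data are left out of the inventory.
    """
    inventory = {}
    for location, records in stores.items():
        categories = set()
        records_with_pii = 0
        for record in records:
            found = classify_record(record)
            if found:
                records_with_pii += 1
                categories |= found
        if categories:
            inventory[location] = {
                "categories": sorted(categories),
                "records_with_pii": records_with_pii,
            }
    return inventory


def locations_holding(inventory, category):
    """List every location whose inventory entry includes the given category."""
    return sorted(loc for loc, info in inventory.items() if category in info["categories"])


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_STORES)
    for location, info in inv.items():
        print(f"{location}: {info['categories']} ({info['records_with_pii']} records)")
    print("special-category stores:", locations_holding(inv, "special_category"))
```

The inventory output is what the gap analysis step consumes: each location becomes a line item to check against retention, access-control and cross-border transfer requirements, and the special-category list shows where the stricter rules apply.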
The "right to be forgotten" is an important part of the GDPR requirements. This means that consumers will have the right to ask that their data be erased. Companies will need tools that can document that certain files were erased and show an audit trail to back it up, according to Oltsik.
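An audit trail that can back up an erasure claim needs two properties: it must record what was erased, where, by whom and when, without itself retaining the erased personal data, and it must be evident if an entry was later altered or removed. The following is an added example, not code from any product Oltsik or the article mentions. It keeps a hash-chained, append-only log of erasure actions in which each entry commits to the previous entry's hash, so a `verify()` pass detects tampering. Request IDs, subject references, locations and timestamps below are constructed for the example; the subject reference is assumed to be a pseudonymous key rather than the person's data.

```python
import hashlib
import json
from datetime import datetime, timezone


class ErasureLog:
    """Append-only, hash-chained record of erasure actions for data subject requests.

    Each entry stores the SHA-256 of the previous entry, so editing or deleting
    any earlier entry breaks the chain and is reported by verify().
    """

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(entry):
        # Canonical JSON of every field except the entry's own hash.
        canonical = json.dumps(
            {k: v for k, v in entry.items() if k != "entry_hash"}, sort_keys=True
        )
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def record_erasure(self, request_id, subject_ref, location, file_ids, actor, when=None):
        """Append one erasure action and return its hash.

        `when` is an ISO-8601 timestamp string; it defaults to the current UTC time.
        `subject_ref` should be a pseudonymous reference, never the erased data itself.
        """
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "request_id": request_id,
            "subject_ref": subject_ref,
            "location": location,
            "file_ids": sorted(file_ids),
            "actor": actor,
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return (True, entry_count) if the chain is intact, else (False, first_bad_index)."""
        prev_hash = self.GENESIS
        for index, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev_hash or self._hash(entry) != entry["entry_hash"]:
                return False, index
            prev_hash = entry["entry_hash"]
        return True, len(self.entries)

    def evidence_for(self, request_id):
        """All entries that document work done for one data subject request."""
        return [e for e in self.entries if e["request_id"] == request_id]


if __name__ == "__main__":
    log = ErasureLog()
    # Constructed sample erasure for request "DSR-0001" spanning two stores.
    log.record_erasure("DSR-0001", "subj:ab12", "eu-west-1/crm-db/customers",
                       ["row:4471", "row:4470"], "privacy-ops", "2018-03-01T10:00:00+00:00")
    log.record_erasure("DSR-0001", "subj:ab12", "us-east-1/s3/marketing-exports",
                       ["obj:77"], "privacy-ops", "2018-03-01T10:05:00+00:00")
    print("chain intact:", log.verify())
    print("evidence entries for DSR-0001:", len(log.evidence_for("DSR-0001")))
```

The log itself must not become a new copy of the personal data it documents, which is why only a pseudonymous subject reference and file identifiers are recorded; the last entry's hash can additionally be published to an external, write-once location so the whole chain can be anchored in time.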
How GDPR is different from U.S. law
Everett Monroe, an attorney at San Francisco law firm Hanson Bridgett LLP in the firm's data security and privacy practice, has been consulting with many tech companies on the European Union's General Data Protection Regulation. Here are his views on the subject.
Do you think American companies have taken these new GDPR requirements seriously enough?
Everett Monroe: I think the response has varied widely among American companies. Larger enterprises, especially those that regularly do business in the EU, have been seeing this on the horizon for a while and have taken advantage of the two-year implementation period to seriously prepare for GDPR. However, other companies don't believe that GDPR applies to them at all, despite the expanded scope of the GDPR. There is also significant pressure and increasing awareness on the part of supply chain partners who are somewhat taken by surprise when the issues are raised by a client company.
What kind of specialized talent do companies need to look at to meet the regulations?
Monroe: It will vary from company to company, but achieving compliance will require input from IT, legal teams and organization-wide management. But mostly what will be needed is legal counsel on exactly what the GDPR requires. Information governance and records management teams will be critical to help develop data retention policies that are in line with GDPR requirements.
Some companies say they can meet the EU's 72-hour notification period for a data breach. A global financial services company said because they are heavily regulated, they would have no problem meeting the 72-hour GDPR breach notification period. Does that ring true to you, at least for large financials?
Monroe: I think that makes sense because the GDPR notification requirement is somewhat less onerous than a U.S. data breach notification. Unlike U.S. data breach notification laws, where the notice goes to all affected persons, the GDPR only requires companies to notify the national data protection authority, unless the data breach would result in a high risk to the rights or freedoms of the data subject. Even where notification to individuals is necessary, the individual notification is not subject to the 72-hour rule. The content requirements for the notice to the data protection authority are also significantly more flexible and allow companies to provide later updates if [they don't] have all the information at hand at once.
One thing is certain: During the first few months of 2018, CISOs can expect to be hit from all sides by vendors claiming to have "the solution" to GDPR. Be very discriminating -- and don't panic. Start by asking pertinent questions: Is the company's incident response plan robust enough? Does the organization have the people it needs to respond to GDPR breach notification and do the nitty-gritty compliance work? Should the company consider hiring a data protection officer to head up the GDPR effort?
Time may be short, and the experts are right that many CISOs spent the last two years putting out fires and haven't had the time to focus on GDPR. But as we get deeper into 2018, the tide should turn, and companies will begin to focus on GDPR compliance. After all, nobody wants to be the one hit with a 4% fine.