
Compliance costs expected to rise as EU GDPR advances

News roundup: As the EU's General Data Protection Regulation advances, businesses anticipate higher penalties and compliance costs. Also, a security roundup.

The European Union's new General Data Protection Regulation (GDPR) passed another legislative hurdle this week, and businesses need to steel themselves both for the new rules and for the fiscal pain of penalties and added compliance costs.

New data protection rules in EU

This week saw the European Union's regulation for data privacy standards, GDPR, move one step closer to becoming law. The regulation is expected to pass a vote in the full European Parliament, scheduled for early 2016, and take effect in early 2018.

GDPR replaces the EU Data Protection Directive (Directive 95/46/EC), adopted in 1995 to protect the privacy of personal data collected for or about EU citizens, and reforms and updates its data protection rules. Key points of the new regulation include the right of individuals to manage their own personal data, the right to be notified of data breaches, and a clarified "right to be forgotten."

Individual rights are enforced under GDPR through fines for non-compliance. According to the final draft of the GDPR, businesses that fail to comply with the regulation can be subject to administrative fines of "up to €20 million, or as much as 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher."

According to the European Commission (EC) press release, Věra Jourová, commissioner for justice, consumers and gender equality, said of the regulation, "These new pan-European rules are good for citizens and good for businesses. Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market. And harmonized data protection rules for police and criminal justice authorities will ease law enforcement cooperation between Member States based on mutual trust, contributing to the European Agenda for Security."

According to the EC's press release, the reform package consists of two instruments: the General Data Protection Regulation, which "will enable people to better control their personal data;" and the Data Protection Directive for the police and criminal justice sector, which "will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action."

According to "Data privacy laws: Cutting the red tape," a report released by Ovum last week, anxiety is ratcheting up for firms doing business in the EU because the Safe Harbor agreement was struck down in October and the prospects for a quick replacement framework look frail.

Ovum found that 52% of the IT decision makers surveyed expect that GDPR will "result in business fines for their company, and two-thirds expect it to force changes in their European business strategy." Even if they aren't fined, Ovum reported that "over 70% of respondents expect to increase spending in order to meet data sovereignty requirements, and over 30% expect budgets to rise by more than 10% over the next two years."

However, companies based outside of the EU "have largely ignored the data privacy debate taking place in the European Commission" according to Sanjay Beri, CEO of Netskope. He said that the GDPR "requires organizations to safeguard personal data, which may include anything from data about political viewpoints to health history," adding that "this applies to all systems used to process the data, including cloud apps."

The difficulty in complying, according to Beri, is "that many, if not most, personal data for which the organization is legally responsible are data not found in structured formats like databases, but things like email [messages] and random documents created using Office 365 and Box, and in cloud apps not sanctioned by IT." He went on to say that BYOD "worsens the problem, leaving businesses to wonder how they can even begin to comply with GDPR if they don't know what data they have and where they reside?"

Security roundup

  • Cisco reported this week that its Product Security Incident Response Team (PSIRT) openVuln API, first announced in October, is now available for immediate use. "The Cisco PSIRT openVuln API is a RESTful API that allows customers to obtain Cisco security vulnerability information in different machine-consumable formats. It supports industry-wide security standards such as the Common Vulnerability Reporting Framework, Open Vulnerability and Assessment Language, Common Vulnerability and Exposure identifiers, and the Common Vulnerability Scoring System." Cisco principal engineer Omar Santos wrote in October: "The intent is to make it easier for customers and partners to access information about all security vulnerabilities in Cisco products."
  • John Matherly, creator of the Shodan search engine for the Internet of Things, reported that a recent scan found over 35,000 MongoDB databases that were publicly accessible, exposing a total of 684.8 TB of data. The scan, conducted this week, showed an increase of more than 5,000 accessible databases and almost 90 TB more data over a scan performed in July. Matherly noted that there were "widespread installations that might've been misconfigured or otherwise exposed. There are a lot of instances that have some sort of administrative database, so the app that uses MongoDB probably has authentication but the database itself doesn't." Matherly said this week: "Finally, I can't stress enough that this problem is not unique to MongoDB: Redis, CouchDB, Cassandra and Riak are equally impacted by these sorts of misconfigurations."
  • Google Project Zero found, and FireEye has fixed, a vulnerability that affects FireEye's Web, mail and file transfer scanning products, including the NX, EX, FX and AX Series. According to Google researcher Tavis Ormandy: "For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap -- the recipient wouldn't even have to read the email, just receiving it would be enough." FireEye has released a patch for the vulnerability.
  • Security firm Sucuri reported a "critical remote command execution vulnerability that affects all versions of Joomla from 1.5 to 3.4." Worse, they reported: "This vulnerability is already being exploited in the wild and has been for the last two days. Repeat: This has been in the wild as a zero-day for two days before there was a patch available." The vulnerability was patched within two days.

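The MongoDB exposures Matherly describes come down to two settings: the daemon listening on every interface and running with authorization turned off, so that the application's own login screen is the only thing standing between the Internet and the data. The script below is an added example written for this article, not code from Shodan, MongoDB or any of the people quoted. It audits a mongod.conf for exactly those two conditions, handling both the YAML format introduced in MongoDB 2.6 and the older flat `key = value` format that many distribution packages still shipped. The parser is a deliberately small hand-rolled one so the example has no third-party dependencies, and the sample configurations are constructed for the example; the assumption that an unset `bindIp` means "all interfaces" reflects mongod's default before version 3.6.

```python
"""Audit a mongod.conf for the two misconfigurations behind Internet-exposed
MongoDB instances: listening on non-loopback interfaces and running without
authorization. Added example; not from any project quoted in the article."""
from __future__ import annotations

import ipaddress

# Names mongod accepts for "this host only".
LOOPBACK_NAMES = {"localhost"}


def parse_mongod_conf(text: str) -> dict:
    """Parse the subset of mongod.conf this audit needs.

    Handles the two-level YAML style ("net:\n  bindIp: ...") and the legacy
    flat style ("bind_ip = ..."). Hand-rolled to avoid a PyYAML dependency;
    it deliberately ignores lists, quoting and deeper nesting."""
    conf: dict = {}
    section: dict | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        stripped = line.strip()
        if ":" not in stripped and "=" in stripped:
            # Legacy pre-2.6 format is always flat.
            key, _, value = stripped.partition("=")
            conf[key.strip()] = value.strip()
            section = None
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            if value:                             # top-level scalar
                conf[key] = value
                section = None
            else:                                 # section header
                section = conf.setdefault(key, {})
        elif section is not None:
            section[key] = value
    return conf


def is_loopback_only(bind_ip: str | None) -> bool:
    """True only if every address in a comma-separated bindIp is loopback.

    Assumption: an unset bindIp is treated as 'all interfaces', which was
    mongod's built-in default before 3.6."""
    if bind_ip is None or not bind_ip.strip():
        return False
    for addr in bind_ip.split(","):
        addr = addr.strip()
        if addr in LOOPBACK_NAMES:
            continue
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass                                   # hostnames, socket paths
        return False
    return True


def audit_mongod_conf(text: str) -> list[str]:
    """Return findings for the config text; an empty list means neither
    misconfiguration is present."""
    conf = parse_mongod_conf(text)
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}

    # YAML keys first, legacy flat keys as fallback.
    bind_ip = net.get("bindIp", conf.get("bind_ip"))
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    authz = sec.get("authorization")
    if authz is None:
        legacy_auth = str(conf.get("auth", "false")).lower() == "true"
        authz = "enabled" if legacy_auth else "disabled"

    findings = []
    if bind_all or not is_loopback_only(bind_ip):
        shown = "<unset: all interfaces>" if bind_ip is None else bind_ip
        findings.append(f"listens on non-loopback interface(s): bindIp={shown}")
    if authz.lower() != "enabled":
        findings.append("authorization is not enabled: any client that can "
                        "connect has full access regardless of app-level login")
    return findings


# Constructed samples; not taken from any real deployment.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

LEGACY_CONF = """\
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongod.log
bind_ip = 127.0.0.1
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in [("exposed", EXPOSED_CONF), ("legacy", LEGACY_CONF),
                       ("hardened", HARDENED_CONF)]:
        print(f"{name}: {audit_mongod_conf(conf) or ['ok']}")
```

The check mirrors Matherly's point rather than replacing an external port scan: a database that only the application server can reach and that demands credentials is not in Shodan's results, whichever of the two fixes got it there. It does not model `security.keyFile`, which also turns on authorization for replica set members, so a keyFile-only deployment will be flagged on the second check.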
Next Steps

Learn more about the GDPR's mandatory breach notification regulations.

Find out how to prepare for the new data protection regulation.

Learn how the GDPR will affect cloud users.
