One Year After GDPR: Significant rise in Data Breach reporting from European Businesses


It’s been one year since the European Union (EU) enforced the General Data Protection Regulation (GDPR)¹, a legislation designed to protect the personal data of EU citizens and lay specific rules and guidelines on how their data is collected, stored, processed and deleted by various entities. GDPR requires that organizations must disclose to national Data Protection Agencies (DPAs) any breaches of security leading to “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed to local data protection authorities not later than 72 hours after having become aware of it”.

Penalties for organizations failing to comply with the new notification requirements of the regulation include fines of up to €10 million, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. A lot of studies at the time showed that companies would not be ready for the 25th of May 2018, which led many privacy professionals to assume the worst when hypothesizing about what would happen once the new European legislation came into effect.

Rise in the number of data breaches

The European Data Protection Board (EDPB)², the EU body in charge of the application of GDPR, still hasn’t developed any official standards to clarify how independent EU DPAs will publicly report specific statistics about GDPR, and this currently makes collecting and analyzing data on GDPR compliance somewhat challenging. A number of European DPAs have voluntarily confirmed in recent months that the new regulation has led to a significant rise in reported data breaches, clearly demonstrating the impact GDPR has had on raising awareness among the general public as well as organizations regarding their rights and obligations under EU data protection law.

So far, the most reliable data regarding the number of data breaches currently available seems to be from some of the DPAs as well as the overview reports³ published by the EU Commission on the implementation of the GDPR. From this data we can deduce that EU DPAs have received more than 95,000 complaints from EU citizens since May 2018, and that of these complaints nearly 65,000 were data breach notifications.

The law firm DLA Piper analyzed data breach reports⁴ filed by 23 of the 28 EU member states since GDPR came into full force, and at the end of January 2019 the European Commission also reported that EU data protection regulators had collectively received 41,502 data breach notifications⁵.

“The Netherlands, Germany and the United Kingdom came top of the table with the largest number of data breaches notified to supervisory authorities with approximately 15,400, 12,600 and 10,600 breaches notified respectively,” DLA Piper says in its report, adding that the Netherlands recorded the most data breach reports per capita, followed by Ireland and Denmark. “The United Kingdom, Germany and France rank tenth, eleventh and twenty-first respectively, while Greece, Italy and Romania have reported the fewest breaches per capita,” the report says.

Under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of the “one-stop shop” mechanism. With numerous high-profile U.S. technology leaders like Facebook, Microsoft, Twitter and Google choosing to have their European headquarters in Ireland, it will be very interesting to study the yearly data breach report from Ireland’s DPA when it comes out.

With the EU elections approaching in a few weeks it will be very thought-provoking to analyze how imposed safeguards from EU DPAs and GDPR on the use of political data during elections will affect political parties and how this will influence the collection of personal data related to political opinions and communicating political views to target audiences during the election period.

Still, we must be prudent with the current data: we are in a transitional year, and with most EU DPAs having a median investigation time for a data breach of 12 to 15 months (or even more), many of the cases currently under investigation are incidents that happened under the older data protection laws.

GDPR Penalties

Germany currently leads in the number of fines, with German organizations receiving 64 of the GDPR fines imposed so far. These include the two largest of those fines to date: one against an organization that published health data on the internet (€80,000) and a second against a chat platform (€20,000 for failing to hash stored passwords). “So far 91 reported fines have been imposed under the new GDPR regime,” DLA Piper reports, “But, not all of the fines imposed relate to personal data breaches.”

The largest fine to date is €50 million against Google by France’s Data Protection Authority, but that fine did not relate to a data breach; it concerned Google’s processing of personal data without authorization from its users. The remaining fines, from countries like Austria and Cyprus, were comparatively low in value.

Looking into the future

The objective of GDPR was to bring uniformity to data protection laws across EU member states and control how organizations should store personal data and how they must respond in the event of a data breach, emphasizing the importance of creating trust that allows the digital economy to grow inside the European community.

As GDPR reaches its first birthday in a few days, it is clear that the regulation is still young and both regulators and companies are still figuring out its impact and importance. Data Protection Authorities across the EU will soon be publishing annual reports, which should give us a wider and better picture of the level of compliance.

Transparency is a necessity that will help the EU further increase awareness of GDPR, and let’s not forget that the rest of the world, especially close partners of the EU such as the United States, is observing closely in order to better understand the effects, strengths and weaknesses of the regulation.

References

1. General Data Protection Regulation (GDPR)
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

2. European Data Protection Board (EDPB)
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/enforcement-and-sanctions/enforcement/what-european-data-protection-board-edpb_en

3. First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities.
http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf

4. DLA Piper GDPR Data Breach Survey
https://www.dlapiper.com/~/media/files/insights/publications/2019/02/dla-piper-gdpr-data-breach-survey-february-2019.pdf

5. GDPR in numbers Infographic
https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf

This post first appeared on the Gemalto blog here.

Infosecurity – Encryption is Often Poorly Deployed, if Deployed at All

Encryption continues to be a challenge for companies, as only a quarter of organizations admit to using it for at-rest data, and for emails and data centers.

According to research by Thales and IDC, encryption for email is only adopted by around 27% of the European respondents, while the numbers decline for data at rest, data centers, Big Data environments and full disk encryption. The only instance of European respondents ranking higher than a global number was in the instance of using cloud-native provider encryption.

Jason Hart, security evangelist at Thales, said that there is a wider problem of nothing changing in the last 25 years, except that we are creating more and more data. That has become a commodity, and “because of the acceleration of cloud I say to a company ‘what are you trying to protect?’ and after an hour we may get to a conversation about data and two hours later we may get to the type of data that they deem to be valuable.”

However, Hart argued that companies do not understand the risks that they are trying to mitigate, “and information security is really simple, it is about people, data and process.”

Speaking to Infosecurity, Hart said that if you look at every major breach that has occurred, there are too many instances of companies not deploying encryption properly, and also people do not look at the risk.

“You encrypted the data in the database, but what talks to the database? The application, so the data now traverses into the application’s code text and then from the application it goes into the cloud,” he said. “So they do it in silos and elements, but when people do it wrong, there is a false sense of security.”

To read the full article click here.

CyberWire Podcast Part 2 – Ground Truth or Consequences: the challenges and opportunities of regulation in cyberspace

In the second episode of their new, four-part series, called “Ground Truth or Consequences: the challenges and opportunities of regulation in cyberspace,” CyberWire takes a look at the impact GDPR has had since its implementation in May 2018. Joining them are Emily Mossburg from Deloitte, Caleb Barlow from IBM, Steve Durbin from ISF, and Jason Hart, CTO for enterprise and cybersecurity at Gemalto.

techradar – The true cost of a data breach

Falling victim to a data breach hurts your business’ bottom line as well as its reputation

From the implementation of the General Data Protection Regulation (GDPR) back in May, which fundamentally changed the rulebook for storing data of EU citizens at least to the Butlin’s hack, 2018 has been a very significant year for cybersecurity.

One of the biggest changes centred around transparency, specifically businesses being forced to reveal within 72 hours if they have suffered a breach. While the US has had this type of policy for a while, businesses in the EU were not required to publicly state when a breach occurred, leaving them free to keep significant news like this from their customers. But now things have changed, and it’s starting to heat up in the EU.

To read the full article click here.

Computer Business Review – The True Cost of a Data Breach

“Encrypting data at rest and in motion, securely managing the encryption keys and storing them securely, while also managing and controlling user access, are vital steps for businesses to take to protect themselves”

From the implementation of the General Data Protection Regulation (GDPR) back in May, which fundamentally changed the rulebook for storing data of EU citizens at least to the Butlin’s hack, 2018 has been a very significant year for cybersecurity.

One of the biggest changes centred around transparency, specifically businesses being forced to reveal within 72 hours if they have suffered a breach. While the US has had this type of policy for a while, businesses in the EU were not required to publicly state when a breach occurred, leaving them free to keep significant news like this from their customers. But now things have changed, and it’s starting to heat up in the EU.

To read the full article click here.

Lack of confidence in data security can cost you more than you think

This article originally appeared in Engineering News, South Africa here.

By Jason Hart, Chief Technology Officer (CTO) of Data Protection at Gemalto

The European Union’s General Data Protection Regulation (GDPR) came into effect almost two months ago. Leading the way to a new era of data protection, the long-awaited GDPR has emphasized the importance of data security more than ever before. Besides tarnishing their reputation, businesses face the risk of encountering large fines if they don’t align with the regulation.

Although cybersecurity is top of mind for most organizations with the new law, they still feel uncertain about their data protection practices. Recent research from Gemalto, its fifth-annual Data Security Confidence Index, which surveyed 1,050 IT professionals and 10,500 consumers globally, revealed that businesses differ in their capability to study data that has been collected. Shockingly, two in three companies (65%) admit they don’t have the proper resources to analyze data and therefore are unable to do so.

This finding forces me to think – the majority of companies don’t understand the value of their data, because they aren’t taking the necessary steps to study the information they are gathering from customers. That’s why organizations are stunted in the process of applying appropriate security controls to protect the valuable information they possess. Unsecured data is a hacker’s dream. Attackers can offer it up to the dark web or use ransomware, causing financial loss and reputation damage.

It can take years to uncover data manipulation, which can put everything from an organization’s business strategy to product development at risk. In today’s digital world, data informs everything, so its value cannot be underestimated. We’ve all seen our fair share of breaches this past year that illustrate how detrimental they can be to an organization.

Organizations have gaps in confidence levels

Almost half of IT professionals say perimeter security is effective at keeping unauthorized users out of their networks. However, two thirds of them believe unauthorized users can access their corporate networks and less than half are confident in the security of their data once cyberhackers are inside.

With that being said, more than half of companies don’t know where all of their data is stored. Moreover, more than two thirds admit they don’t carry out all the processes aligned with data protection guidelines such as GDPR.

This gap in people’s confidence in their organization’s data protection policies indicates the reason for continuous breaches: twenty-seven percent of organizations reported their perimeter security was breached last year. Of those that had suffered an attack, only 10% of the compromised data was protected by encryption, leaving the rest exposed. In order to secure their networks IT professionals need to use encryption, which, paired with other solutions, will provide an essential security base for a robust system needed to guard sensitive information.

Crucial steps for strong security

When it comes to cybersecurity it’s a valid question to ask, “Who’s in charge?” It’s crucial for organizations to get their houses in order, starting with determining who will be responsible for overseeing security measures. Every executive board needs to have a Data Protection Officer, a chief individual who leads data security from the top down. Second, organizations must organize and study collected data to properly protect it and make informed business decisions. Lastly, IT pros need to change their outlook on security as a whole.

It’s no longer a case of if, but when a breach occurs. Therefore, organizations should implement a comprehensive approach to cybersecurity, using methods such as encryption, two-factor authentication, and key management in addition to perimeter protection.

These critical steps aren’t solely for the sake of companies, but also for consumers who have data records tied to these businesses. The vast majority of consumers say it’s imperative that organizations comply with data regulations, due to their growing understanding of breaches and communications around GDPR. In fact, fifty-four percent of consumers are aware of what encryption is, which shows knowledge of how data should be protected.

Cost of poor data security

Over the years, security experts’ predictions about potential costs of a breach have been increasing. Cybersecurity Ventures estimates the costs related to cybercrime damages to reach $6 trillion by 2021. From upgrading IT infrastructure to paying legal fees and government fines – many costs are either tangible or intangible.

We’ve now reached the tipping point on the implications of data breaches, which can negatively affect a company’s market value and ruin the reputation of the corporate and management teams.

With pressure to ensure consumer data is protected, and the risks and costs of breaches growing, organizations need to take immediate steps to transform their approach to data security. Companies need to have confidence in how they gather, analyze, and store their information. Only with this understanding, and with compliance ensured, will they be able to adopt effective security measures.

Lack of confidence in data security can cost you more than you think

(This article first appeared on CSO Online here.)

The majority of companies don’t understand the value of their data, because they aren’t taking the necessary steps to study the information they are gathering from customers.

The European Union’s General Data Protection Regulation (GDPR) came into effect almost two months ago. Leading the way to a new era of data protection, the long-awaited GDPR has emphasized the importance of data security more than ever before. Besides tarnishing their reputation, businesses face the risk of encountering large fines if they don’t align with the regulation.

Although cybersecurity is top of mind for most organizations with the new law, they still feel uncertain about their data protection practices. Recent research from Gemalto, its fifth-annual Data Security Confidence Index, which surveyed 1,050 IT professionals and 10,500 consumers globally, revealed that businesses differ in their capability to study data that has been collected. Shockingly, two in three companies (65%) admit they don’t have the proper resources to analyze data and therefore are unable to do so.

This finding forces me to think – the majority of companies don’t understand the value of their data, because they aren’t taking the necessary steps to study the information they are gathering from customers. That’s why organizations are stunted in the process of applying appropriate security controls to protect the valuable information they possess. Unsecured data is a hacker’s dream. Attackers can offer it up to the dark web or use ransomware, causing financial loss and reputation damage. It can take years to uncover data manipulation, which can put everything from an organization’s business strategy to product development at risk. In today’s digital world, data informs everything, so its value cannot be underestimated. We’ve all seen our fair share of breaches this past year that illustrate how detrimental they can be to an organization.

Organizations have gaps in confidence levels

Almost half of IT professionals say perimeter security is effective at keeping unauthorized users out of their networks. However, two thirds of them believe unauthorized users can access their corporate networks and less than half are confident in the security of their data once cyberhackers are inside.

With that being said, more than half of companies don’t know where all of their data is stored. Moreover, more than two thirds admit they don’t carry out all the processes aligned with data protection guidelines such as GDPR.

This gap in people’s confidence in their organization’s data protection policies indicates the reason for continuous breaches: twenty-seven percent of organizations reported their perimeter security was breached last year. Of those that had suffered an attack, only 10% of the compromised data was protected by encryption, leaving the rest exposed. In order to secure their networks, IT professionals need to use encryption, which, paired with other solutions, will provide an essential security base for a robust system needed to guard sensitive information.

Crucial steps for strong security

When it comes to cybersecurity it’s a valid question to ask, “Who’s in charge?” It’s crucial for organizations to get their houses in order, starting with determining who will be responsible for overseeing security measures. Every executive board needs to have a Data Protection Officer, a chief individual who leads data security from the top down. Second, organizations must organize and study collected data to properly protect it and make informed business decisions. Lastly, IT pros need to change their outlook on security as a whole. It’s no longer a case of if, but when a breach occurs. Therefore, organizations should implement a comprehensive approach to cybersecurity, using methods such as encryption, two-factor authentication, and key management in addition to perimeter protection.

These critical steps aren’t solely for the sake of companies, but also for consumers who have data records tied to these businesses. The vast majority of consumers say it’s imperative that organizations comply with data regulations, due to their growing understanding of breaches and communications around GDPR. In fact, fifty-four percent of consumers are aware of what encryption is, which shows knowledge of how data should be protected.

Cost of poor data security

Over the years, security experts’ predictions about the potential costs of a breach have been increasing. Cybersecurity Ventures estimates the costs related to cybercrime damages will reach $6 trillion by 2021. From upgrading IT infrastructure to paying legal fees and government fines, many costs are either tangible or intangible. We’ve now reached the tipping point on the implications of data breaches, which can negatively affect a company’s market value and ruin the reputation of the corporate and management teams.

With pressure to ensure consumer data is protected, and the risks and costs of breaches growing, organizations need to take immediate steps to transform their approach to data security. Companies need to have confidence in how they gather, analyze, and store their information. Only with this understanding, and with compliance ensured, will they be able to adopt effective security measures.

This article first appeared on CSO Online here.

CSO Online – GDPR: Where we were…and where we’re going

It’s clear that conventional methods to data security aren’t working anymore, so it’s time to step away from breach prevention and focus on a “secure breach” approach

(This article first appeared in CSO Online here.)

The plethora of data breaches within the past few years has set off alarms for organizations, especially their IT managers. We’ve seen that many of the targets weren’t secured with the appropriate controls and protection, which left sensitive data vulnerable to hackers. As a result of these countless attacks, last month the General Data Protection Regulation (GDPR) was finally enacted in the EU to ensure that if breaches occur, consumer information will still be guarded.

The law represents the most substantial modification to data protection in the Union since 1995. Replacing the previously adopted directive, the regulation has authority over all EU states to provide uniform data protection. However, member states of the Union aren’t the only ones impacted by this regulation: any company doing business in the region must comply. Companies based in the United States are being held accountable along with those in other non-EU countries, and so many companies have been making internal alterations to avoid the severe penalties for non-compliance.

Taking a look at the past

If there’s one thing we’ve learned from recent history, it’s that we have a growing data security crisis. According to the Breach Level Index (BLI), 2.6 billion records were stolen, lost or exposed globally in 2017. Since the BLI began tracking breaches five years ago, nearly 10 billion records have been compromised. Between 2016 and 2017 alone, we witnessed an 87.5 percent jump in the number of breached records. There is a chance that these numbers will increase, because there are still breaches that go unreported.

It’s difficult to turn a blind eye to the news as there is a story about a major security breach where consumer data is either accessed or stolen every week. The BLI revealed that 1,453 data incidents occurred in the United States last year. Even well-known companies that we all trust with our personal and financial information have been affected, including Facebook, Uber, and Equifax.

The most distressing thing is not the number of incidents but the scale of the attacks, which affect thousands and sometimes millions of users. While the reporting requirements of GDPR make the problem more visible, it is becoming apparent that conventional data security and breach prevention measures cannot provide adequate defense against pervasive cyberthreats.

GDPR is here

One of the most important obligations in the new law is to alert authorities and affected individuals when a data breach takes place. Organizations with careless security procedures will be exposed in time and might face financial penalties. The level of transparency mandated by the disclosure requirements opens the door for organizations to be publicly shamed after suffering a data breach. Service providers who manage consumer data, such as cloud providers, will be held responsible. Companies are also being forced to adopt certain security measures to mitigate threats and possible consequences after experiencing an attack.

What companies should be doing if they haven’t already

Before its implementation, GDPR was changing attitudes and brought data protection to the forefront of a business’ priority checklist. Now that the regulation is active, what steps do businesses need to keep in mind while ensuring they are compliant? We’ve included our three-step approach to data protection below:

1. Sensitive data must be encrypted

Encryption has been mentioned by the European Union Agency for Network and Information Security (ENISA) as a critical and effective base to reach legal benchmarks for security and control in rendering data unintelligible. In other words, companies should secure data at the application level, while it is in motion, and when it is stored. This approach shouldn’t be limited to financial data but should be used for all valuable data of involved parties.

2. Encryption keys must be securely stored and managed

A common error that companies commit is storing the keys where the data dwells. In doing so, they leave private information at risk of being exposed. Organizations must remember that their data is only as secure and accessible as the keys used to encrypt the information. Crypto management platforms account for this risk and are able to create, rotate and delete keys, and hardware security modules provide an additional trust anchor for the encryption keys.

3. Controlled access

Evaluating current risks in an organization can help align access controls with specific data processing situations. An authentication strategy must be established to safeguard user identities and allow only authorized users to access systems and data. Efficient controls use mechanisms like multi-factor authentication that require an added level of verification, for example a passcode sent to a cell phone.
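The three steps above fit together in a single design: the data store keeps only ciphertext and a key identifier, a separate key service holds the keys and rotates them, and that service releases a key only to principals it has authorized. The Go program below is an added example written for this page; it is not code from the original article or from Gemalto. Its in-process KeyStore is an assumption standing in for a real key-management service or hardware security module, and the principal names ("billing-app"), the sample record and the "customer:42" context are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for a key-management service or HSM (assumed for this example):
// the only component holding key material, releasing keys only to allow-listed principals.
type KeyStore struct {
	keys    map[string][]byte // key id -> 256-bit AES key
	current string            // id of the key used for new writes
	allowed map[string]bool   // principals permitted to request keys
}

// NewKeyStore creates an empty store; call Rotate once before sealing anything.
func NewKeyStore(principals []string) *KeyStore {
	ks := &KeyStore{keys: map[string][]byte{}, allowed: map[string]bool{}}
	for _, p := range principals {
		ks.allowed[p] = true
	}
	return ks
}

// Rotate generates a fresh key and makes it current; older keys stay readable.
func (ks *KeyStore) Rotate() (string, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	id := fmt.Sprintf("key-%d", len(ks.keys)+1)
	ks.keys[id] = key
	ks.current = id
	return id, nil
}

// Get is the access-control point: unauthorised principals never see a key.
func (ks *KeyStore) Get(principal, id string) ([]byte, error) {
	if !ks.allowed[principal] {
		return nil, fmt.Errorf("principal %q is not authorised to use keys", principal)
	}
	key, ok := ks.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", id)
	}
	return key, nil
}

// Record is what the data store persists: ciphertext plus a key id, never the key itself.
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts under the current key; aad (e.g. the record owner) is authenticated, not encrypted.
func Seal(ks *KeyStore, principal string, plaintext, aad []byte) (Record, error) {
	key, err := ks.Get(principal, ks.current)
	if err != nil {
		return Record{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{KeyID: ks.current, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open decrypts a record; any change to ciphertext, nonce or aad fails the GCM tag check.
func Open(ks *KeyStore, principal string, r Record, aad []byte) ([]byte, error) {
	key, err := ks.Get(principal, r.KeyID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, aad)
}

func main() {
	ks := NewKeyStore([]string{"billing-app"}) // constructed principal name
	if _, err := ks.Rotate(); err != nil {
		panic(err)
	}
	aad := []byte("customer:42") // constructed sample context
	rec, err := Seal(ks, "billing-app", []byte("card=4111 1111 1111 1111"), aad)
	fmt.Printf("stored: key=%s ct=%x err=%v\n", rec.KeyID, rec.Ciphertext, err)
	pt, err := Open(ks, "billing-app", rec, aad)
	fmt.Printf("opened: %s err=%v\n", pt, err)
}
```

Three properties of the design are worth checking when reviewing a real deployment against these steps: a record that leaks from the data store is useless without a key the store never held; a principal outside the allow-list is refused at the key service rather than at the application; and because AES-GCM authenticates the ciphertext and the context, a modified or relocated record fails to decrypt instead of yielding altered plaintext. Keeping old keys after rotation lets existing records remain readable until they are re-encrypted under the new key.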

Looking ahead

Today, being breached is not a question of “if” but “when.” Therefore, security professionals always need to think about conducting risk analysis to prevent, detect, and block data breaches. A necessary foundation to reach this level of security is provided by encryption solutions. When encryption is combined with other protection measures, these controls form a robust basis for achieving compliance with GDPR.

Now that the regulation is effective, it’s time to move quickly (if you haven’t already). Companies need to start taking steps to change their outlook on security when protecting user data. It’s clear that conventional methods to data security aren’t working anymore, so it’s time to step away from breach prevention and focus on a “secure breach” approach.

This article first appeared in CSO Online here.

GDPR Report – More than 2.5 billion records stolen or compromised in 2017

New findings of the Breach Level Index were released today by Gemalto, revealing that 2.6 billion records were stolen, lost or exposed worldwide in 2017, an 88% increase from 2016. While data breach incidents decreased by 11%, 2017 was the first year publicly disclosed breaches surpassed more than two billion compromised data records since the Breach Level Index began tracking data breaches in 2013.

“The manipulation of data or data integrity attacks pose an arguably more unknown threat for organisations to combat than simple data theft, as it can allow hackers to alter anything from sales numbers to intellectual property. By nature, data integrity breaches are often difficult to identify and in many cases, where this type of attack has occurred, we have yet to see the real impact,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “In the event that the confidentiality, or privacy, of the data is breached, an organisation must have controls, such as encryption, key management and user access management, in place to ensure that integrity of the data isn’t tampered with and it can still be trusted. Regardless of any concerns around manipulation, these controls would protect the data in situ and render it useless the moment it’s stolen.”

To read the full article click here.

GDPR Report – GDPR Summit London: Should you be worried about a data breach?

Reports of business data breaches have unfortunately become commonplace. This week, the corporate finance giant Deloitte has suffered a cyber-attack that compromised confidential data, including the private emails of some of its clients.

More than ever, businesses need to ensure their data is protected from outside threats. Jason Hart, CTO of Data Protection at Gemalto said about the news of the Deloitte breach:

“Today’s announcement that Deloitte was hacked is not a surprise. Breaches will – and ARE – continuing to happen; to expect otherwise would be unrealistic. As an industry, we need to truly know our surroundings, meaning knowing exactly where data resides, who has access to it, how it is transferred, when it is encrypted/decrypted – really the entire supply chain of digital users and the data. Of the 1.9 billion data records compromised worldwide in the first half of 2017, less than 1% used encryption to render the information useless.

“We need a data-centric view of threats, which means using better identity and access control techniques, multi-factor authentication and encryption and key management to secure sensitive data. This is even more pressing with new and updated government mandates like the 2015 Digital Privacy Act in Canada, the GDPR in Europe, as well as U.S. state-based and APAC country-based breach disclosure laws.”

To read the full article click here.