EU GDPR, Mandatory Data Breach Notification and How Centrify Helps

Breach notification rules in the upcoming EU GDPR (General Data Protection Regulation) will mean data breaches are far more likely to become public, whereas today it is possible (although probably ill-advised) to try to sweep them under the carpet. The 2016 Verizon Data Breach Investigations Report stated that “63% of confirmed data breaches involved weak, default or stolen passwords.” Centrify protects against the leading point of attack used in data breaches – compromised credentials – and can therefore reduce the risk of a notifiable breach taking place in the first place.


EU GDPR Background

The EU GDPR will apply from 25th May 2018, and although that seems like a long time from now, companies may find they have a lot to do before then to comply. If you are reading this in the U.K., do not hope Brexit will save you: the U.K. is extremely unlikely to have exited the EU by May 2018, and even if it has, most U.K. companies will still need to comply with the GDPR, because the Regulation applies to any organisation that processes the personal data of people in the EU, wherever that organisation is based, and U.K. companies will want to continue dealing with the EU.

The GDPR replaces the EU Data Protection Directive (DPD) of 1995. Although the DPD was a good start to safeguarding personal data, the fact that it was a Directive rather than a Regulation meant each EU member state implemented its own, slightly different, version in national law (the 1998 UK Data Protection Act is the U.K.’s version). The GDPR, being a Regulation, applies directly and identically across the whole of the EU.

The GDPR tightens the rules on transferring personal data outside the EU, implements the “Right To Be Forgotten” (the right to erasure) for data subjects, updates what counts as valid consent for companies to use personal data, and introduces requirements around personal data breach notification. Companies must also be able to provide a data subject with the data they hold about them in a “structured, commonly used and machine-readable format” (the right to data portability, which I can see will often end up as a manual process involving spreadsheets). Also included are some very heavy fines for non-compliance and the requirement for “data protection by design and by default.”

Breach Notification

Breach notification is an important part of the GDPR, as the EU has not previously had widespread mandatory breach notification regulations. Within 72 hours of becoming aware that a breach of personal data has happened, companies must notify their supervisory authority, unless the company can show the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” The clock starts from awareness of the breach, not from its discovery of its full extent, and if the 72-hour deadline is missed the notification must be accompanied by the reasons for the delay. If the breach is also “likely to result in a high risk to the rights and freedoms of natural persons,” then the people whose data has been breached must be notified too and given recommendations as to how they can mitigate the possible repercussions (such as changing their passwords, monitoring their bank account for suspicious activity and so on).

There may be a “get-out-of-jail” card for notifying the data subjects themselves (the supervisory authority must still be told). If “appropriate technical and organisational protection measures” had been applied to the affected data, in particular measures that render it unintelligible to anyone not authorised to access it, such as encryption, then personal notification may not be needed. Note the caveat a practitioner would add: encryption only earns this exemption if the keys were not compromised along with the data, and pseudonymised data is only protected to the extent that the re-identification key is kept separate and safe.

Fines

There are two levels of fine: the lower up to €10m or 2% of worldwide annual turnover, whichever is higher, and the higher up to €20m or 4% of worldwide annual turnover, whichever is higher. Contrast these amounts with the relatively small (but record-breaking) £400,000 fine imposed in the U.K. by the ICO (the U.K.’s supervisory authority) after the data breach at TalkTalk, and you can see how serious data breaches are becoming, not only for the size of the fines but also for the damage to a business’s reputation and the future loss of customers.

How Does Centrify Help?

Today, both end users and privileged users are at risk of attack, and quite often the initial breach is carried out via the network or credentials of a third-party contractor, service provider or business partner. Once inside the target network, effectively through the front door, attackers move laterally until they find a privileged account they can compromise. They then have the access they need to do the damage they came for, be it exfiltrating personal data or some other mischief.

Centrify helps reduce risk across hybrid IT environments where today people often have too many passwords, rely on password-only authentication and hold too much privilege on too many resources. Risk is reduced by establishing identity assurance through multi-factor authentication, consolidating identities and providing SSO for SaaS applications, IaaS systems and traditional on-premises infrastructure. Lateral movement is limited by providing secure point-to-point remote access to apps and resources without the need for a VPN, integrating approval workflows, and automating application provisioning and de-provisioning so that access is removed as soon as it is no longer needed. Enforcing a least-privilege approach on UNIX, Linux and Windows systems, and vaulting and managing shared account passwords for the small number of situations where they are still needed, further reduces the attack surface.

By securing access to apps and infrastructure from any device, for all users, Centrify can help in the constant battle against being breached and may save you the embarrassment and damage to reputation of such an event taking place.

Learn more about Centrify and start a free trial of its products here.