At the end of May, the European Union (EU) rolled out the General Data Protection Regulation (GDPR) that was marked, for many, by inboxes being flooded with emails about companies updating their privacy policies. Although the influx of emails may have been annoying, they contained important and necessary information on how organizations must handle private information after May 20. The GDPR is specifically for companies located within the EU and those that offer products or services in the EU.
For months people have been complaining about the implementation of GDPR by saying it’s bad for business, but is it really that bad? So far, in the very early life of GDPR, it seems to be working well in terms of its goals: keeping private data private. Specifically, the U.S. has already seen more transparency and faster reporting with data breaches. With the recent hack at MyHeritage, we are able to see GDPR come to life and see that, at the end of the day, it isn’t bad for business and might even make some much-needed change in terms of reporting breaches for organizations that don’t fall under the GDPR umbrella.
People talk about GDPR frequently, but let’s discuss what it actually is and what it means. Simply put, GDPR is an updated framework that sets solid, common standards for data protection. In doing so, GDPR aims to simplify the regulatory environment so that the organizations that must adhere to its requirements and the consumers they serve can be on the same page and benefit from the digital economy. Implementing this new framework brought a new set of rules on data protection, and those that must abide by these rules are the ones that deal with sensitive information. According to ZDNet, there are two types of data handlers:
The description of data handlers sounds similar to enterprise organizations and third-party vendors. With GDPR in place, legal obligations fall on the processor to maintain records of personal data and how it’s processed (e.g. encrypting files), and the processor carries a much higher level of legal liability should a breach occur. Under GDPR, the protected sensitive information includes names, addresses, photos, IP addresses, genetic data, and biometric data.
GDPR and breaches
Data breaches are becoming part of the daily breakdown on social media outlets and nightly news broadcasts. For the organizations that must adhere to GDPR rules (i.e. those in the EU and those who offer goods and services in the EU), Experian explains just how the GDPR is changing the data breach reporting game. To begin, organizations are required to notify the Data Protection Authority (DPA) within 72 hours of discovering the breach. The goal of this requirement is to make it a top priority for organizations to coordinate how they will report a breach to the public; the GDPR promotes the idea of being proactive instead of retroactive. When going public within the 72-hour window, companies must also state that impacted parties will receive notifications in the correct language, as well as access to secure, multilingual call centers for any questions they may have.
A company that fails to report a breach in accordance with the GDPR’s requirements may face a fine of 4% of its global annual turnover, or 20 million Euros, whichever is greater. While many feel the GDPR is too much, it shows that the EU is taking steps to protect both its data and its citizens. It forces companies to be proactive, since they must think through a response plan for protecting both consumers and the brand’s reputation.
GDPR in action: MyHeritage
We are already seeing the GDPR in action with a breach that MyHeritage went through in October 2017, but which was not found until early July. MyHeritage, a DNA and genealogy firm, had over 92 million unique access credentials compromised. Adhering to the GDPR rules and requirements, MyHeritage went public about the breach on the same day they found out about it, with as much information as they had. As of today, MyHeritage isn’t certain how the breach occurred, and they only found out about it because a security researcher informed the company that he had found a file named “myheritage” stored outside of the MyHeritage network.
MyHeritage was on top of the reporting situation, releasing information on the breach only eight hours after it found out about it, but it struggled in other areas. According to SecurityWeek, MyHeritage didn’t have its network protected as well as it could, or should, have. To begin, they’re still “working” on two-factor authentication for their website, when in reality they should have implemented multi-factor authentication from the get-go, since they’re dealing with highly sensitive information like DNA. Things don’t get better with their plan for two-factor authentication, since it will only be offered as a recommendation and not a requirement.
MyHeritage has already posted two blog posts on its website about the breach and how it plans to handle everything moving forward. It has completed the GDPR reporting process, and only time will tell how the GDPR, and the affected community, will respond to this massive breach of sensitive data. Under the GDPR, organizations must ensure that personal data is protected from misuse and exploitation, and must respect the rights of data owners.
At SecureLink, our sole focus is secure third-party remote support. For highly regulated enterprise organizations, SecureLink has pioneered a secure enterprise remote access platform: SecureLink for Enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy and efficient, ensures compliance, and reduces liability when supporting customers.