The deadline for complying with the European Union’s General Data Protection Regulation (GDPR) is May 25th. According to Bryant G. Tow, Managing Partner of CyberRisk Solutions LLC, the buzz in the cybersecurity industry is that auditors plan to come out “hot and heavy” to make examples out of companies that aren’t in GDPR compliance.
As a value-added reseller (VAR) doing business in the United States, you may think GDPR doesn’t apply to you, but, according to Business Insider, it not only will impact EU member states, but also any business that collects EU citizens’ data. Tow says that includes vendors or vendor solutions with locations or employees in the EU.
“If you use a supplier or have a business partner that falls under GDPR requirements, have any technology touchpoints or any integration with them at all, that partner will expect you to be GDPR compliant,” Tow explained. “We actually are seeing businesses requiring other businesses to be compliant from a risk management and prevention perspective. It’s not just the regulators who are preparing.”
However, before you start getting overly panicked, Tow says that any organization that already practices the Ring of Security, good cyber hygiene or is following other compliance targets such as PCI compliant should not be overly concerned about GDPR. That is apart from one critical area: Breach notification. GDPR requires companies to inform authorities and customers of data breaches within 72 hours. That’s a notable change to many current U.S. State laws, which often give businesses 30-60 days to report breaches, and it differs because it covers inaccessibility to data.
“For businesses that already have comprehensive security programs in place, GDPR won’t require a lot of heavy lifting for them to become GDPR compliant, but there will be some things they will want to pay attention to,” Tow said. “The GDPR requirement is that if your data becomes inaccessible. In the U.S., there has to be a clear suspicion or sign of a breach or unauthorized access to PII or PHI to trigger a breach notification, in most cases.
“GDPR widens the scope in that it says if you lose accessibility to data in a ransomware attack, for example, you must report it to your users within 72 hours. Even if there is no forensic proof of exfiltration, you must report it,” he explained. “With most of the major ransomware attacks we deal with, it takes longer than 72 hours to simply negotiate with the terrorists.”
Tow also said that many ransomware attacks happen late, before known time off such as on Friday or before a holiday, so some companies may not even discover their lack of access to data until Monday, meaning they would already have missed the GDPR window.
“But let me go back to my opening point, which is that good cybersecurity practices should already be in place. If you have everything else in place, then you only need to be aware of a few of the GDPR requirements, such as incident response, and make sure you map your cyber policy correctly to it,” Tow continued. “In fact, some of the reports out there now are saying if you want to shoot for GDPR, then start with PCI.”
Companies with solid security practices in place that have a framework to cover all aspects of the business, including people, processes, technology, and facilities, will find that GDPR is primarily an exercise in mapping existing controls to GDPR requirements and updating a few things, such as incident response.
“If you are already doing things right, then GDPR is just another cyber exercise for you,” Tow said. “If you don’t, you are probably in trouble, and the auditors are ready and waiting to find those companies that aren’t in compliance.”
