Breaches ain’t getting better — can GDPR help?


The recent revelation from Equifax that 143M identity records were stolen once again put PII insecurity in focus. For most organizations, ID data is arguably the most valuable and simultaneously the most sensitive data they possess (with IP data running a close second). What makes identity data so nettlesome is that its loss or abuse invites all kinds of negative consequences, from loss of business to reputational damage to regulatory fines to, invariably, some form of civil class action. Now, of course, Equifax is far from the first organization to be compromised, and I won’t be going out on a limb to predict they won’t be the last. But the sheer size of the loss encourages some reflection on the broader problem of PII protection and the basic question of why we still have a problem.

Detection and defense are not enough

Protection against identity data theft, it can be argued, is the primary mission of most security products. Whether the products focus on protecting the endpoint, the network, the database or the application, and setting aside concerns around availability and integrity, defense against data exfiltration or abuse ranks high among every CISO’s concerns when they buy a security tool. And yet, despite two decades of innovation around threat detection and defense spanning Silicon Valley, Israel and everywhere in between, the problem of PII loss and abuse has grown worse, not better.

So what’s missing? Clearly smarter detection and defense technologies can help outsmart some bad guys. The only problem is that the bad guys are not sitting still; they themselves are becoming smarter at finding and using exploits, whether against machine or human. Now you can argue that removing exploitable flaws will remedy the prospect of data breaches. But sadly, as software grows more complex, it is becoming harder for organizations to find and repair zero-day vulnerabilities. Yes, new code review and scanning tech alongside better intelligence sharing, faster patching and various anti-phishing approaches make it harder for bad guys to take advantage of machine or man, but these are all more or less incremental improvements on existing protections. To change the game you need to change the rules; you need to try something different.

So can a privacy regulation like GDPR be that something different? As it turns out, perhaps.

I’m from the government and I’m here to help

These words, famously uttered by Ronald Reagan, reflect the popular wisdom that government intervention only serves to hinder business by introducing unneeded bureaucracy. But rules can curb bad habits that sometimes lead to bad outcomes. Nowhere, perhaps, is there a better example of this than accounting.

Over the past century, various regulations have come into being to protect investors and consumers from financial error or malfeasance. For many of us, the example that stands out the most, because it is both recent and straddles financial accounting and technology, is Sarbanes-Oxley, or SOX for short. SOX was a reaction to repeated accounting frauds in the 1990s that took down companies like WorldCom, Tyco, Arthur Andersen and, perhaps most famously, Enron. It introduced a set of new audit controls that companies had to comply with to ensure the integrity of financial data. These controls included access restrictions that would give rise to whole categories of security technology like identity governance and SIEM.

What’s instructive about SOX is that, for the most part, it’s worked. Better visibility, tracking and control of sensitive financial data have led to a dramatic drop in catastrophic frauds. Better accounting has led to better accountability. So can this be extended to other classes of data?

GDPR as data accounting regulation

So what does this have to do with GDPR? Well, GDPR has both explicit and implicit breach requirements. Explicitly, GDPR, like most state and country data breach regulations, requires notifying regulators and affected people of a breach. Where GDPR arguably differs from many national and state codes is the size of the penalty, which can reach up to 4% of global revenue.

Now the explicit requirement does force companies to rethink how they detect and identify a breach. Traditional approaches rely on forensic firms making a connection between stolen data and company data and inferring the residency of affected users. New products automate this process, ensuring faster and more precise response. And this new capability hints at the broader effect of GDPR on data breach prevention, and not just response.

GDPR at its heart is an accounting regulation. For the first time, it requires companies to accurately account for their PII. Historically, companies would perform only the most cursory data accounting to ensure compliance with regulations like PCI or HIPAA that required identification of payment card or health data. GDPR takes this further. Under GDPR, every organization that collects European citizen or resident data must know where every person’s data resides, because it promulgates the concept that the person has a legal right to their data (access, portability, erasure, rectification). GDPR envisions companies as legal custodians of the PII they collect and process. And it’s this new accounting requirement that promises a fresh approach to PII protection and breach prevention.

An apple a day

A basic tenet of security is that you can’t protect what you can’t find. GDPR mandates that companies find their data. Knowing your data gives organizations a better understanding of their data risk so that they can de-risk their sensitive data long before there is an incident. This could take many forms, including data minimization (deleting unused, unneeded data), deleting backup data past its retention date, deduplicating the most sensitive attributes, de-centralizing high-risk PII data stores that over-concentrate sensitive information, masking confidential information, anonymizing and de-identifying data before sharing or analyzing it, encrypting data at rest, etc. Knowing what data you have and how that data is being used gives organizations the ability to stay ahead of the bad guys: make the data safe before it can be compromised, reducing both the risk of theft and the potential fallout.

But if data knowledge is so important to prevention, why has it not been the standard before? The simple answer is that it’s not easy and the technology does not really exist yet. However, new regulations help to focus the mind by prioritizing the spend, and this, of course, gives birth to new classes of technology that help companies meet obligations like GDPR. Sure, GDPR places more compliance burdens on companies, but when you unpack the full meaning of the regulation, it could lead to a fresh approach to PII breach prevention and response. Customers buy from companies they trust. GDPR helps companies safeguard customer data, thus preserving customer trust and loyalty.

This article is published as part of the IDG Contributor Network.