In May 2016, the European Union (“EU”) published the EU General Data Protection Regulation (“GDPR”), which became effective throughout all Member States on 25 May 2018. For U.S. companies operating in the EU, or offering goods or services to individuals in the EU, GDPR expands the scope of the “personal data” that is protected: business contact information and other identifiers of specific people, such as email addresses and IP addresses, are all captured by GDPR. It also imposes stricter network and information security requirements.
Organizations must implement, and be able to demonstrate, appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32). For many companies this means pseudonymization and encryption of personal data, the ability to restore availability of and access to personal data in a timely manner after an incident, and regular testing and assessment of how effective those measures are. These requirements should be written into an incident response plan that is tested regularly, so that the company can detect breaches and show that its controls work.
Under GDPR, once a cybersecurity event that amounts to a personal data breach has occurred, the organization must notify the competent supervisory authority within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals. In practice this means a company needs to be able, at a minimum, to understand its own network and to differentiate cybersecurity events across several dimensions:
- Data & Cyber Terrain – Has the company properly assessed where it has data? This is one of the most detailed requirements implicit in GDPR. A company needs to know (a) what data it has and how that data is classified (i.e., whether it is “personal data” under the regulation); and (b) where that data resides within the company’s network.
- Character – Once the data has been mapped and classified, a company needs to know, when an event occurs, what type of event it is. The tactics, techniques, and procedures (TTPs) used to gain access to an environment can say a great deal about the attacker. The type of data targeted, combined with the type of event, helps establish how access was gained, the paths used to exfiltrate data, and the TTPs used to exploit the environment. The character of the event matters because it determines the company’s reporting obligations.
- Time – Know when a cybersecurity incident occurred. Establishing the time window of a data breach can be daunting, and the work is usually forensic in nature: pinpointing when a breach happened takes extensive research across many sources whose timestamps may differ in format, time zone, and clock accuracy. Taken together, those sources bound the range of time within which the breach could have happened. Anticipating such events means an organization must prepare in advance (for example, synchronized clocks and retained, consistently timestamped logs) so that this temporal question can be answered without much difficulty.
- Location – Know where the event happened, and therefore which country’s law applies: is this a global data incident? Geographic properties map directly onto the viable paths into (ingress) and out of (egress) an organization, and those mappings point to the probable routes an adversary would use to carry out a data breach. Forensic analysis can use this information as an overlay to build a fuller understanding of the event.
- Mitigation – Stop the event or breach from continuing. Mitigation is challenging if the attackers have covered their tracks well. If the breach was a single, isolated action, it is usually possible to diagnose forensically what happened; if the attacker has gained control of the environment and moved laterally, however, that lateral movement may seriously impede mitigation efforts.
- Effects – Determine whether the breach involved personal data and is reportable, and then report it with adequate detail within the time period required under the law(s) that apply. The character, time, and location of the affected data all feed the determination of whether personal data has been compromised, and forensic analysis typically needs some or all of each of those types of evidence to validate that finding.
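The Time and Effects points above describe combining sources with differing timestamps to bound when a breach happened, and then working against the 72-hour clock. The following is an added example written for this page (it is not code from the article or from Fidelis) that does exactly that: it normalizes three constructed log sources (a syslog line with no year or offset, a web server access log with an explicit offset, and a cloud audit record in UTC) to aware UTC datetimes, keeps the events that mention the incident's indicators, and returns the earliest and latest related activity together with the Article 33 notification deadline. The hostnames, addresses, account name, the syslog host's UTC+1 zone, and the investigation year are all assumptions.

```python
"""Added example, not code from the article or from Fidelis: reconstruct the
time window of a suspected breach from log sources with different timestamp
conventions, then compute the Article 33 notification deadline.

All log lines, hosts, addresses and timezone assumptions are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events from three sources. The syslog host emits local
# time with no year or offset; the web server uses an explicit UTC offset; the
# cloud audit trail uses ISO 8601 in UTC.
SAMPLE_EVENTS = [
    ("syslog", "Jan 14 03:12:45 bastion sshd[2211]: Accepted publickey for svc-backup from 203.0.113.7"),
    ("nginx", '203.0.113.7 - - [14/Jan/2024:03:15:02 +0100] "GET /export/customers.csv HTTP/1.1" 200 5242880'),
    ("cloud", "2024-01-14T02:40:10Z iam CreateAccessKey user=svc-backup"),
    ("cloud", "2024-01-14T02:58:33Z s3 GetObject bucket=crm-exports key=customers.csv"),
    ("nginx", '198.51.100.9 - - [14/Jan/2024:09:01:17 +0100] "GET /health HTTP/1.1" 200 12'),
]
# Indicators tied to the incident (constructed): the attacker IP, the abused
# service account and the file that was pulled.
INDICATORS = {"203.0.113.7", "svc-backup", "customers.csv"}

# Assumptions an analyst has to establish per source before the timeline can
# be trusted (hypothetical here): the syslog host's zone and the missing year.
SYSLOG_TZ = timezone(timedelta(hours=1))
SYSLOG_YEAR = 2024
NOTIFICATION_GRACE = timedelta(hours=72)  # Article 33(1)

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
NGINX_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ")


def parse_utc_iso(stamp: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_event(source: str, line: str) -> datetime:
    """Normalize one log line from a known source to an aware UTC datetime."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable syslog line: {line!r}")
        naive = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return naive.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc)
    if source == "nginx":
        m = NGINX_RE.search(line)
        if not m:
            raise ValueError(f"unparseable nginx line: {line!r}")
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    if source == "cloud":
        m = ISO_RE.match(line)
        if not m:
            raise ValueError(f"unparseable cloud audit line: {line!r}")
        return parse_utc_iso(m.group(1))
    raise ValueError(f"unknown log source: {source}")


def breach_window(events, indicators):
    """Earliest and latest UTC time of the events that mention any indicator.

    Returns None when nothing matches: widen the indicator set or pull more
    sources rather than report a window the evidence does not support.
    """
    hits = [parse_event(src, line) for src, line in events
            if any(ioc in line for ioc in indicators)]
    if not hits:
        return None
    return min(hits), max(hits)


def notification_deadline(aware_at: datetime) -> datetime:
    """Latest time to notify the supervisory authority: awareness + 72 hours."""
    if aware_at.tzinfo is None:
        raise ValueError("awareness time must be timezone-aware")
    return aware_at.astimezone(timezone.utc) + NOTIFICATION_GRACE


if __name__ == "__main__":
    first, last = breach_window(SAMPLE_EVENTS, INDICATORS)
    print(f"earliest related activity: {first.isoformat()}")
    print(f"latest related activity:   {last.isoformat()}")
    aware = parse_utc_iso("2024-01-15T10:00:00Z")  # constructed awareness time
    print(f"notify no later than:      {notification_deadline(aware).isoformat()}")
```

Two design points matter in practice. Every source is converted to an aware UTC value before any comparison, because a naive local timestamp and an ISO UTC record cannot be ordered safely otherwise; and the window is built only from events that carry an incident indicator, so the function refuses (returns None) rather than guess when no evidence matches. The deadline runs from awareness, not from the last event, which is why the two are computed separately.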
Large Potential for Administrative Fines
There are two tiers of administrative fines that can be imposed on a company. The lower tier is up to €10 million or 2% of the company’s total worldwide annual turnover of the preceding financial year, whichever is higher, for the infringements listed in Article 83(4), which include the security of processing (Article 32). The higher tier is up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the infringements listed in Article 83(5), which include the basic principles for processing and the conditions for consent. In deciding whether to impose a fine, the supervisory authority will examine the company’s technical and organizational measures, which will likely include its security stack and its incident response processes.
Whether to fine, and how much, is decided against the general criteria in Article 83(2). Two of the most important mitigating factors are: (a) whether the company acted to mitigate the damage suffered by data subjects; and (b) the company’s degree of responsibility, assessed in light of the technical and organizational measures it had in place, which is in effect a test of its preparedness. Inevitably this requires a company to maintain an accurate data inventory and a formal incident and breach response policy and plan. It is also why products or services that cannot deliver adequate detection and response times expose an enterprise to greater liability.
Using Fidelis in Conjunction with Cyber Terrain Mapping, Crown Jewels Identification, and Tagging
GDPR requires a company to understand what data it collects, how that data is used, and how it is transmitted to and from the company. This is called data mapping, and it is also essential for maintaining a secure network: if you do not know what data you have and where it is, you cannot protect it. The first step requires some pre-planning in the form of identifying the IT systems where such data will be placed. Through Fidelis’ ability to map, monitor, and assess any change in cyber terrain, organizations can quickly determine whether data has been exfiltrated. Coupled with robust data loss prevention (DLP) that inspects the headers and footers of data in transit, the Fidelis platform combines deep visibility into data in motion with the ability to replay past events. DLP, terrain mapping, deep visibility, and network playback are the four-fold approach that lets an organization quickly identify what type of data was exfiltrated in a breach. And when the characteristics of sensitive data are known in advance (for example, its headers and footers), exfiltration can be blocked and alerted on, adding handling steps that provide protection before a breach occurs.
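The paragraph above describes DLP that recognizes sensitive data in transit by its headers and footers. The following is an added example written for this page (it is not Fidelis code and does not reflect how the Fidelis platform is implemented) showing the core of that technique: an outbound payload is fingerprinted by its leading magic bytes and by a footer expected near the end, then checked for a classification tag, and the egress sensor decides whether to allow, alert, or block. The PDF, PNG, and ZIP magic values are the published file-format signatures; the `CLASSIFICATION: CONFIDENTIAL` banner, the 4 KiB tag-scan limit, and all payloads are constructed assumptions.

```python
"""Added example, not Fidelis code: header/footer fingerprinting for egress DLP.

Magic values for PDF, PNG and ZIP are the published format signatures. The
sensitivity tag, scan limits and all sample payloads are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    header: bytes
    footer: bytes
    tail_window: int  # how far from the end of the file the footer may sit


# Published format facts: a PDF starts with %PDF- and its %%EOF marker must lie
# within the last 1024 bytes; a PNG starts with an 8-byte signature and ends with
# the IEND chunk whose fixed CRC is AE 42 60 82; a ZIP starts with a local file
# header and ends with an end-of-central-directory record (PK\x05\x06) that may
# be followed by a comment of up to 65535 bytes.
SIGNATURES = (
    Signature("pdf", b"%PDF-", b"%%EOF", 1024),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8),
    Signature("zip", b"PK\x03\x04", b"PK\x05\x06", 22 + 65535),
)

# Hypothetical in-house tag stamped into exported documents (a PDF comment line
# in the sample below); real deployments would use whatever the tagging step emits.
SENSITIVITY_TAG = b"CLASSIFICATION: CONFIDENTIAL"
TAG_SCAN_BYTES = 4096  # assumption: tags are placed near the start of a file


def classify(payload: bytes) -> tuple[str, bool]:
    """Return (file type, footer_present). Unknown types report ('unknown', False)."""
    for sig in SIGNATURES:
        if payload.startswith(sig.header):
            return sig.name, sig.footer in payload[-sig.tail_window:]
    return "unknown", False


def has_sensitivity_tag(payload: bytes) -> bool:
    """True if the in-house classification tag appears in the scanned prefix."""
    return SENSITIVITY_TAG in payload[:TAG_SCAN_BYTES]


def egress_verdict(payload: bytes) -> tuple[str, str]:
    """Decide what the egress sensor does with one outbound payload."""
    kind, complete = classify(payload)
    if has_sensitivity_tag(payload):
        return "block", f"tagged {kind} leaving the network"
    if kind != "unknown" and not complete:
        # A recognized header with no footer in the expected window is a
        # truncated or chunked transfer, which is how exfiltration tooling
        # splits files to slip past size and whole-file signature checks.
        return "alert", f"partial {kind}: footer not found in tail window"
    return "allow", f"{kind} without sensitivity tag"


# Constructed sample payloads (not real documents).
TAGGED_PDF = b"%PDF-1.7\n%CLASSIFICATION: CONFIDENTIAL\n1 0 obj<<>>endobj\n%%EOF\n"
PLAIN_PDF = b"%PDF-1.7\n1 0 obj<<>>endobj\n%%EOF\n"
PARTIAL_PDF = PLAIN_PDF[:-6]  # first chunk of a split transfer, %%EOF not yet sent
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"
ZIP_OK = b"PK\x03\x04" + b"\x00" * 26 + b"PK\x05\x06" + b"\x00" * 18
OPAQUE = bytes(range(20))  # stand-in for an encrypted or unknown blob

if __name__ == "__main__":
    for label, blob in [("tagged pdf", TAGGED_PDF), ("plain pdf", PLAIN_PDF),
                        ("partial pdf", PARTIAL_PDF), ("png", PNG_OK),
                        ("zip", ZIP_OK), ("opaque", OPAQUE)]:
        action, reason = egress_verdict(blob)
        print(f"{label:12s} -> {action:5s} ({reason})")
```

The per-format `tail_window` is the practical detail: a PDF's `%%EOF` and a ZIP's end-of-central-directory record are not necessarily the final bytes, so an exact end-of-payload match would miss legitimate files and invite evasion by appending padding. The "alert" branch is deliberate as well: a file whose header is seen but whose footer never arrives is worth a ticket even when no tag is present, because that is what a chunked or interrupted exfiltration looks like on the wire. Matching on raw bytes is only a first pass; compressed, encrypted, or re-encoded content needs decoding before any header, footer, or tag can be recognized.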