Back in January the European Commission proposed an update to the data protection laws in the EU with the goal of unifying data breach notifications and clarifying their application throughout Europe.
There was a lot on the table, including defining which countries have jurisdiction for multinational organizations, rules for European companies performing data processing outside of the EU and hefty penalties for non-compliance.
Some of the more important things for individuals include a “right to be forgotten” provision and a clear definition that consent means people must opt-in, not opt-out. It would also eliminate the fees for getting access to the data a company is storing about you.
Naked Security is a big supporter of opt-in policies with regard to privacy issues and the idea of a right to be forgotten sounds great, but what does it mean and how would you implement that?
The most controversial change is the requirement to report data breaches within 24 hours of discovery.
The European Network and Information Security Agency (ENISA) expressed concerns about this policy changing the way organizations prioritize resources post-exploitation.
Rather than work on closing the holes and mitigating further risk to users and data, organizations will spend their time and energy on filling out reports and managing the PR fallout of the incident.
These are valid concerns. Upon discovery of a breach, limiting the damage should be rule number one. 24 hours isn’t even enough time to determine the extent of the damage and find out who might have been impacted.
ENISA suggests this might be better managed by requiring organizations to have so-called “cyber insurance”. An organization would be incentivized to improve its security to achieve lower premiums.
While the idea is good, I don’t see it working out that way. Developing proper actuarial tables for something like information security is nearly impossible.
What is the value of a record? How were you compromised and what resources are required to recover? Who is responsible for the mistakes that led to the information being leaked?
These questions don’t even take into consideration the reckless behaviors organizations might engage in if they feel they are somewhat shielded from liability when hacked.
Unification of laws across Europe with a focus on strong privacy protections is a noble goal. This law needs a lot more work to accomplish its intent.
Hopefully there will be a healthy debate that fixes some of the oddities in the version available today.
Sorry ENISA, securing user data isn’t as simple as buying an insurance policy and achieving a series of certification tick boxes. It is a process that is never finished and requires passion and hard work.
Insurance globe image courtesy of Shutterstock.
Insurance is a last resort. The first line of defense in securing data is protecting it against unauthorized access in the first place. That's a technological function, and it requires innovation. The same innovative technology that detects an intrusion can identify the intruder. If any data is lost, the insurance policy covers it, and then recovers its costs from the bad guy. Doing jail time at public expense doesn't cut it. And it doesn't work. If these jerks had to pay for the damage they cause, that would be a real deterrent.
The phrase "required to have insurance" epitomizes the kind of upside down mentality for which politico-bureaucratic hacks are famous. Insurance is a real government function because it protects property and is voluntary. Leave it to the pseudo-government state to turn it into a weapon, shoved down people's throat at gunpoint. Maximum irony there.
There must be the development and enforcement of reliable standards imposed upon industry of all kinds, with fines and other penalties for non-compliance.
Same thing for PCI 2.0 at the server side. The newer HTML 5.0 would be another use of security and user standards imposed upon government, business, and individual users of systems.
Mandatory encryption of server data to minimum standards like AES 256 bit would be another area of forced compliance, otherwise fines imposed and Security Certificates would be revoked. With the speed of present and future connections and equipment this is not much of an issue, cost or performance-based to use as an excuse not to.
Software can be installed to monitor compliance conditions and impose them, or be forced to comply by shutting websites and servers down until compliance is met and the standards and specifications are satisfied.
nice post. happy blogging 🙂