Europe’s General Data Protection Regulation (GDPR) is meant to combat a reality experienced by everyone on the internet: data isn’t private or safe. The latter is obvious given the stunning breaches suffered by entities like Equifax. Millions of people are still dealing with the fallout from this catastrophic event, and businesses want to avoid compromising their own clients’ data in such a way. Though Europe was the first to put its foot down, the world wide web is borderless, so these new regulations have implications far beyond the EU. A company in Fiji that serves European customers must also get on board, for example, and that is harder than merely installing new software. (For more on data privacy, see Internet Browsing and Security – Is Online Privacy Just a Myth?)
GDPR regulates how companies track users, which data they may keep, and how they must keep it. It requires all businesses to comply with customer requests for access to their data, and it imposes fines for failure to do so. With GDPR, the U.K.’s Information Commissioner’s Office (ICO) is able to levy larger fines on companies that allow themselves to be breached, and the Office has already demonstrated its willingness to use these expanded powers. While the regulation technically only applies to Europeans, the cost and sweat equity of updating an international company’s data practices and tools for its EU customers justifies an across-the-board renovation.
These taxing and comprehensive new standards are tough on the bottom line, but they have also changed the game for fraudsters and hackers. Companies that invest in their GDPR efforts will be able to defend against attacks on the “low-hanging fruit,” so many hackers will be starved of their bread-and-butter methods for stealing information. However, those who devote time to high-value targets – specifically firms that are not yet fully compliant – have much more to gain. The new regulations are responsible for a phenomenon termed “GDPR extortion,” and it has raised the stakes for both sides of the battle for data.
Weaponizing GDPR
Part of GDPR is the establishment of new rules for punishing companies that expose customer data. The ICO has boosted its maximum fine for companies found in breach (no pun intended) of their data protection responsibilities to the higher of 4 percent of global annual turnover or €20 million. This is a steep price for getting hacked, on top of the costs the company might have already sunk into GDPR compliance efforts. Companies that are hacked – compliant ones and otherwise – are required to report the incident to the proper authorities. If the hack stemmed from their own negligence, a fine is forthcoming.
Recognizing an opportunity in the increased ICO fines for noncompliance, enterprising hackers have begun to target not-quite-compliant firms and then ransom the company’s data for a price lower than the fine would be if the breach were made public. This has become a lucrative practice when the target’s alternative might be to fork over €20 million. Some companies have even begun to pay these ransoms, hoping to keep the hack under wraps and avoid the ire of the ICO long enough to quietly implement all remaining data standards, and hoping it doesn’t happen again.
Companies that pay will also have to hope that the hacker doesn’t accept the ransom (usually in cryptocurrency) and release the data anyway. This is also why there is a separate fine for suffering a hack and failing to report it, if the concealment is later discovered. There are many other holes in GDPR that demonstrate its imperfection. Another problem is that the new requirements prevent the Internet Corporation for Assigned Names and Numbers (ICANN) from organizing and publishing the names of website and domain owners. This has wreaked havoc on investigators of internet crime, who have typically relied on WHOIS databases to pursue suspects.
Is There a Magic Bullet to GDPR?
GDPR isn’t meant to be a one-size-fits-all solution; it is merely the first attempt at addressing rampant data threats that have gone unanswered over the last decade. However, it is also prohibitively expensive for the entire industry. For businesses, GDPR is a lose-lose situation because it requires time and money to address, yet the alternatives are worse. Even an impenetrable, compliant, and transparent business will need to be prepared to handle what some experts expect to be a veritable tsunami of personal data requests from customers and activists.
This is why it is crucial to find a turnkey compliance solution that helps a firm prepare itself on both sides of the fence – against hackers, but also for the ICO and the company’s own customers. GDPR has spawned an industry that exists to help companies join the new status quo, and some of the most trusted names in IT security are all-in. (For some security fundamentals, check out The 7 Basic Principles of IT Security.)
To help prevent data breaches from occurring, it is essential to have full control of a business’s technological environment. Solutions like Cloud Management Suite, for example, offer a holistic data security platform that watches for attempted attacks and squashes them in real time. Others, like Auth0, have developed identity systems built specifically to deal with the new requirements set by GDPR. These solutions offer a more comprehensive approach to IT security, and they address the growing need to protect users’ privacy while still remaining secure.
It is inspiring that technology companies have already come up with ways to accelerate the adoption of these new regulations. The path towards better data protection online is long, but comprehensive data management platforms make it easier for all the internet’s beneficiaries to keep up the pace. No doubt in just a few years’ time hackers will have adapted and begun widening cracks elsewhere, and as always we will do all in our power to keep these heinous criminals from getting in our way.