On May 25, 2018, a major new piece of data protection regulation will come into effect across the European Union (EU), and with it comes the potential for hefty fines or penalties for your organization. Even if you do not directly operate in the EU, chances are that the General Data Protection Regulation (GDPR) still pertains to your company.
The regulation covers any entity that processes the personal data of EU citizens (referred to as “data subjects”), even if the organization does not provide goods or services to EU citizens and only handles or processes their data. Unless you are categorically sure that your organization does not and will not process EU citizens’ personal data, compliance is not optional.
The fine for an infringement can be €20 million (approximately $23 million at today’s exchange rate), or 4 percent of your worldwide annual turnover, depending on which is the higher amount. It is essential for directors to pay attention to the data and information security practices in place to ensure that the organization is prepared and compliant.
The Policy Details of GDPR
The GDPR was written to ensure that organizations:
protect the personal data of ‘EU Natural Persons’ (i.e. living people);
are transparent, fair, and lawful about the processing of personal data;
only request and process necessary personal data;
do not share data with third parties or countries unless the correct legal agreements and processes are implemented; and
gain consent from data subjects to process their data.
Personal data is defined in the policy as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
There are six principles that apply to the processing of personal data. According to the policy, personal data shall be:
processed lawfully, fairly, and in a transparent manner;
collected for specified, explicit, and legitimate purposes;
adequate, relevant, and limited to what is necessary;
accurate and, where necessary, kept up to date;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
processed in a manner that ensures appropriate security of the personal data.
Data subjects are provided with a set of legal rights under GDPR, including the right:
Each EU member state has a designated supervisory authority. These regulatory bodies are responsible for monitoring the application of GDPR, and have the power to audit organizations and determine relevant warnings, reprimands, and fines for violations of the organization. When breaches of personal data occur, companies will be subject to a high level of scrutiny, and will have only a 72-hour window to report on the breach. A personal data breach is described as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
There is a requirement for some organizations to appoint a data protection officer (DPO), whose responsibility it is to advise and inform on GDPR and to monitor compliance within the organization. The DPO acts as the main contact for both data subjects and the supervisory authority, must report to the highest level of management within the organization, and cannot perform any tasks or duties which result in a conflict of interest.
You need to ensure your organization has fully investigated the nuances of the requirements to ascertain whether you need to appoint such a role or prepare to meet other personnel or technical demands.
Where do we start?
Your organization first needs to define the team that will drive GDPR compliance and management. Within the C-suite this should include the chief information officer and the chief information security officer, in addition to representatives from legal counsel, human resources, risk and compliance, and privacy. Determine if you need to appoint a DPO. Once your team is assembled, assess your current state, so that you can plan next steps accordingly. This team should present results at least to your board’s audit committee, if not the full board, given the financial and reputational risks involved.
Understand your personal data retention
You should ask your GDPR team the following questions to determine what categories of personal data your organization is dealing with:
To whom does data you collect and retain pertain?
Is it necessary to collect and keep this data?
If so, how long do you need to keep it?
Do you have permission from the data subject to process the data?
How is consent obtained from data subjects for each method of personal data collection?
Encourage your team to follow others’ personal data on its journey through and beyond the organization. Doing so will help the GDPR team understand how the data is collected, stored, transmitted, accessed, and secured, and understand where and how it is passed on to any third parties.
Review how your organization collects consent from individuals to process their personal data
EU citizens must be able to give and rescind consent for their personal data to be processed. Consent means any “freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In a contractual situation, the provision of a service may require personal data to be processed in order for the service to function correctly. In this case, this has to be made clear to the data subject when they register for the service.
Identify partner and supplier risk
Review third party legal agreements to ensure the EU citizen’s personal data provided to a third party is handled in a compliant manner. Otherwise, your organization will be held accountable for vendors’ data breaches or a data loss scenario. If you process personal data on behalf of another organization, you will need to demonstrate your compliance with GDPR, and ensure your legal agreements reflect this accordingly.
Ensure your cybersecurity programs are up to par
Your security posture and processes impact the journey and security of personal data, and should be assessed accordingly. GDPR Article 32 stipulates that you must ensure a level of security appropriate to the risk involved with the data. This might require adjustments to your security program, especially if you have weighted your security setup to focus primarily on prevention and are lighter in the areas of detection and correction. Visibility across your ecosystem is vital for determining risk. Knowing your weak points will help you understand where to bolster your security, and testing out your processes will determine whether they are fit for purpose.
Get regular updates on progress and status
As individual reviews are completed, have each leader report back to the core and leadership teams with a set of prioritized actions and milestones. Set up a frequent cycle of reporting to understand the progress of your GDPR compliance status. The spring of 2018 is clearly too late to be finding problems.
If your organization employs, partners with, or serves people who are citizens of the European Union, you are subject to GDPR. Given the detailed stipulations of the regulation, along with the threatening risk of steep fines, it’s not something you can get away with ignoring or procrastinating. As a board member, you’ll want to ensure the organizations you serve are prepared to meet the challenge and reduce the risk.
Corey E. Thomas is president and CEO of Rapid7. He is director of Blue Cross Blue Shield of Massachusetts and the Greater Boston Chamber of Commerce.
Robert P. Silvers is a respected expert on Internet of Things security and effective corporate planning and response to cybersecurity incidents. Silvers is a partner at Paul Hastings and previously served as the Obama administration’s assistant secretary for cyber policy at the U.S. Department of Homeland Security. Silvers will speak at NACD’s 2017 Global Board Leaders’ Summit in October and NACD’s Technology Symposium in July.
Robert P. Silvers
Cybersecurity breaches pose a growing threat to any organization. As we’ve seen in recent years, and indeed in recent weeks, the most sophisticated companies and even governments aren’t immune from cyberattack. Ransomware has become a global menace, and payment data and customers’ personal information are routinely swiped and sold on the “dark web” in bulk. Next-generation Internet of Things devices are wowing consumers, but they are also targets, as Internet connectivity becomes standard-issue in more and more product lines.
How do directors prepare for this landscape? Everyone now acknowledges the importance of cybersecurity, but it is daunting to begin to think about implementing a cybersecurity plan because it’s technical, fast-moving, and has no “silver-bullet” solutions. Most boards now consult regularly with the organization’s information security team, but the discussions can be frustrating because it’s hard to gauge readiness and where the organization really stands in comparison to its peers. Sometimes directors confide in me, quietly and on the sidelines, that their real cybersecurity strategy is one of hope and prayer.
There are steps directors can take now to prepare for incidents so that when they occur the company’s response is well oiled. With the right resources and preparation, boards can safely navigate these difficult and unforeseen situations. Three key strategies can assist directors as they provide oversight for cybersecurity risks:
Building relationships with law enforcement officials
Having incident response plans in place (and practicing them)
Staying educated on cybersecurity trends
1. Building Relationships With Law Enforcement Officials
It’s no secret that relationships are central to success. Building the right relationships now, before your worst-case scenario happens, will help manage the situation. The Federal Bureau of Investigation is generally the lead federal investigative agency when it comes to cybercrime, and the United States Secret Service also plays an important role in the financial services and payment systems sectors.
Boards should ensure company management educates law enforcement officials from these agencies about the company’s business and potential risks. In turn, the company should ask law enforcement to keep it apprised of emergent threats in real time. There should also be designated points of contact on each side to allow for ongoing communications and make it clear whom to contact during an incident. This is critical to ensuring that the company has allies already in place in the event that a cyberattack occurs.
2. Having—and Practicing—Incident Response Plans
Directors should ask to see copies of the company’s written cyberbreach response plan. This document is essential. A good incident response plan addresses the many parallel efforts that will need to take place during a cyberattack, including:
a. Technical investigation and remediation;
b. Public relations messaging;
c. Managing customer concern and fallout;
d. Managing human resources issues, particularly if employee data has been stolen or if the perpetrator of the attack is a rogue employee;
e. Coordination with law enforcement; and
f. Coordination with regulators and preparedness for the civil litigation that increasingly follows cyberattacks.
An incident response plan is only valuable if it is updated, if all the relevant divisions within a company are familiar with it, and if these divisions have “buy in” to the process. If the plan is old or a key division doesn’t feel bound by it, the plan isn’t going to work. Directors should insist the plan be updated regularly and that the company’s divisions exercise the plan through simulated cyber incidents, often called “table-top exercises.” Indeed, table-top exercises for the board itself can be an excellent way to familiarize directors with the company’s incident response plan and its cyber posture more generally.
3. Staying educated on cyber security trends
As your board is building relationships with law enforcement officials and preparing an incident response plan, directors should also be educating themselves on cyber risk. Cybersecurity becomes more approachable as you invest the time to learn—and it’s a fascinating subject that directors enjoy thinking about. Do you know what a breach will look like for your company? What protocols do you have in place in case something happens?
According to the 2016–2017 NACD Public Company Governance Survey, 89 percent of public company directors said cybersecurity is discussed regularly during board meetings. Since a majority of directors in the room agree that cybersecurity is worth discussing, directors should collectively and individually prioritize learning the ins and outs of cyber risks.
One easy way to stay up to date on the latest is to ask the company’s information technology security team for periodic reports of the most significant security events that the company has encountered. This will give directors a feel for the rhythm of threats the company faces day in and day out.
Another option is for directors to take a professional course and get certified. The NACD Cyber-Risk Oversight Program is a great example of a course designed to help directors enhance their cybersecurity literacy and strengthen the board’s role in providing oversight for cyber preparedness. Consider these options to keep yourself as educated and informed as possible.
The more you can prepare individually, the better off you will be when you have to provide oversight for a cybersecurity breach at your company.
My introduction to cybercrime came seven years ago as a bolt from the blue. I Googled myself and found that four of the top five search results showed I was on the Federal Bureau of Investigation’s (FBI) Top Ten Most Wanted List.
The attack came as a bolt from the blue.
After checking outside my front door to make sure no FBI agents were lining up to arrest me, I researched what had happened. I was the victim of an Internet stalker—a previous business associate looking to mar reputations of people this person had had no contact with for nearly two decades.
This experience personally taught me the harm that could be done through the Internet and the unique nature of the risks involved, and sparked my commitment to practicing sound cyber-risk oversight.
Cybersecurity as a Risk
Cyber risks have unique characteristics that not many of the more than 60 different risks reported in public companies’ 10-K reporting share. Most other risks and the damage they cause, although highly detrimental to a company, can be assessed and quantified (consider, for example, the cost of rebuilding after a fire). Cyber risk is different because a victim of a cyberattack may never be able to find out who attacked the company or person, where the attack came from, what was taken, or how long the attack had been going on for.
The most striking feature of cyberattacks is their anonymity. It is very difficult to trace an attacker who wants to stay anonymous. An attacker can create dummy corporations, hijack e-mail accounts, and use multiple servers to become virtually untraceable. Another method that hackers use to hide themselves is the virtual private network, which make it very challenging to track where the attack originated. Say the intrusion appears to have come through a server in Singapore. The attacker actually could be in Estonia. Even if you can trace the perpetrator, getting redress would mean international ligation.
What are they taking? Unless the attacker is confronting you with a ransom demand for your data, you may not know what is being taken or corrupted without extensive and time-consuming forensics.
Lastly, how long has this been going on? For the same reasons that it is difficult to identify what is being stolen, the time of the origination of the attack is hard to assess. Often known as “Logic Bombs,” malicious software can lie dormant for long periods, and sometimes years, before it is activated. The classic example is the disgruntled employee who leaves malware that activates itself on the anniversary of his firing.
You Are Not Invulnerable
One of the worse mistakes a board can make is to assume that they are at a lower state of cyber risk, as their corporation is not a bank or does not store credit card information. If the company transfers money and is connected to the Internet, which means just about every company in the United States and many around the world, the company is at high risk for being attacked. Banks and retailers are at extremely high risk. Low risk simply does not exist in the cyber-risk spectrum.
For most companies, the principal vulnerability is economic. Simply put, attackers are trying to make money. Besides stealing information such as employee health care data, or social security numbers that can be sold on the black market, an increasingly popular form of attack is to lock out the company from its data, or encrypt it and charge a ransom to release it or decrypt it.
Brand and reputation attacks are another vulnerability done more to discredit a company’s reputation for either competitive or political motives. To take an obvious example, imagine the damage to a cybersecurity company’s reputation if its own firewalls were breached. Such an attack would deeply harm the core promise that a cybersecurity company makes to its customers to secure its enterprise.
Hacktivism, as the name connotes, is an attack launched based on the attacker’s beliefs and ideologies. For instance, a company that tests its products on animals could find itself as a hacktivism target. Typically, the attacker will post messages about the cause on the company’s website or contact its customers and suppliers.
Lastly, malicious attacks can be launched to inconvenience and disrupt the company such as in the Logic Bomb attack described above. There is usually no economic effect—vengeance is the principal motive.
Since her “arrival” on the FBI’s Top Ten Most Wanted list, Wendy Luscombe has led a real estate investment trust as CEO, served as a director on European and American boards, and studied cybersecurity and cyber-reputation management. All views and opinions expressed here are the author’s own.