More information is hidden in plain sight than ever before. When the success of the global economy is hinged on the secure ownership of intellectual property and data, it behooves those who govern in the global company to understand how this information is being protected—and how it could be compromised. To that end, the National Association of Corporate Directors convened directors and cyber risk experts in Geneva, Switzerland, for its first Global Cyber Forum.
Dr. Simon Singh demonstrates the inner workings of an Enigma machine (Credit: Les Studios Casagrande).
Attendees from nearly every continent made their way to the Hotel President Wilson to confront the challenges of securing data across borders in light of complex and sometimes competing regulations. The European Union’s General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, will be a watchword during each session. The complex and potentially costly regulation is likely to affect most companies that do business with or employ Europeans.
GDPR defines protected data far more broadly than the protections set by most country regulators. (Click here to learn more about the implications of GDPR.) Experts from international KPMG offices, cybersecurity firm Rapid7, AIG together with NACD cohosts Ridge Global and the Internet Security Alliance, will proffer their best advice on the interconnected challenges and solutions of cybersecurity oversight for today’s board directors.
NACD’s Global Cyber Forum commenced Tuesday night with a keynote presentation by popular scientist and author Dr. Simon Singh.
A particle physicist who completed his degree at Cambridge University while working at the European Organization for Nuclear Research (CERN), Singh has committed himself to helping everyday people understand some of the most complex concepts in modern math and science. He is the author of several books and won a BAFTA award for producing Fermat’s Last Theorem, a documentary based on the search to prove one of the most difficult mathematical theories in history.
Singh’s presentation in Geneva turned directors’ attention to “the history of secrecy,” a topic that he covers in his 1999 book, The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography (Doubleday). He pointed to writers of the popular TV programs, The Simpsons and Futurama, to highlight how unexpected points about mathematics and science hidden in plain sight and how susceptible we are to finding patterns that may have absolutely no meaning.
He cited several instances of codes being found in popular texts or songs, including in the rock band Led Zeppelin’s “Stairway to Heaven,” which when played in reverse has been interpreted to contain an evil message. When Singh queued up the song, at first no one in the audience heard any discernable words. Then he pointed to the lyrics on a slide deck and almost half of the audience “heard” the words. His point? To challenge the audience to be more skeptical and open to believing that which can be proven—or disproven—with rigorous evidence.
When the science of cryptography was introduced to the audience. Singh noted that messages can be found as a pattern almost anywhere—including in Moby-Dick, where one author found an inordinate number of passages pointing to history that had coincidentally happened since its publication in 1851. The human mind, however, has been able over the millennia to form some truly remarkable codes that have eluded prying eyes and minds for hundreds of years.
While some of the earliest computing machines, such as Enigma, developed during the First World War present nearly insurmountable odds against being deciphered, Singh reminded the audience that all ciphers are created by humans, and where there are humans, there is bound to be error. The same human curiosity and propensity to find patterns in behavior has led some skilled code-breakers such as those at the UK’s Bletchley Park who turned the tide of World War II by breaking codes.
Directors in the audience were challenged to think of the technologies that could protect their company’s own secrets while also considering the power—and foibles—of human error. Singh brought with him a prized possession: his very own Enigma machine.
When he turned to the audience to see if they had any questions about it after a brief demonstration, one attendee asked how the next frontier of quantum encryption would impact businesses. Singh pointed to the fact that scientists in Geneva were already sending messages encrypted at the quantum level within cities, and that others had sent quantum-secured messages via satellite. Quantum computing itself could make all encryption obsolete, he said. Such a development would render useless our current understanding of how to protect corporate assets, such as customer information and other data. He also noted that no one really knows what governments around the world have already achieved regarding this next frontier in information security.
Coverage of the full day of programming at the Global Cyber Forum is forthcoming in another installment of the blog and in the May/June issue of NACD Directorship magazine.
The European Union’s (EU) General Data Protection Regulation (GDPR) is causing a seismic shift in the digital information space, and, whether your company has a presence in Europe or not, the sweeping regulation likely applies. As a director in the era of bet-the-farm digital transformation, familiarity with the basics of GDPR is a must. To that end, Michael Walter and Joel Wuesthoff, experts from Protiviti and Robert Half Legal, respectively, recently presented the ins and outs of the regulation at an NACD Atlanta Chapter program.
Does GDPR even apply to my company?
Effective May 25, 2018, it probably does. The regulation is borderless and applies to all organizations—regardless of size and regardless of whether they have a physical European location—that collect and process personal data of data subjects in the EU. An EU data subject is anyone from whom personal data is collected while in the EU (i.e. data subject is not limited to someone with EU “citizenship”). For example, a skier from Colorado who buys a snowboard online while in the EU may subject the product seller to the GDPR. The rules apply to both data controllers and data processors. The range of information that is protected is quite broad, ranging from vehicle identification numbers to photos to employment information to IP addresses.
If GDPR applies, what’s the big deal?
In the U.S., personal information is often collected as a matter of course, with only an “opt out” offered to consumers. By contrast, GDPR requires that in order to collect information from EU data subjects, an affirmative “opt in” consent must be obtained that clearly specifies how the data will be used. Privacy policies must match. Then, once information is obtained, the EU data subject has the right to request that his or her data be deleted; that is, to invoke the right “to be forgotten.” Incorrect information must be corrected upon request. These rights may seem simple enough, but when data is held in multiple locations, developing a process to handle such requests may be quite difficult.
The burdens of GDPR cannot be outsourced, as companies have joint and several liability with third-party vendors. Due diligence requirements for vendors therefore will be heightened, and all in scope data processors will need to be GDPR compliant.
What if my company has a data breach or fails to comply?
In the event of a data breach involving an EU subject, the breached company has 72 hours to notify regulators and must notify EU data subjects without undue delay under certain conditions.
Fines for failure to comply with GDPR can be up to 20M Euros or four percent of an organization’s annual global turnover, whichever is higher. Further, data subjects can claim compensation for damages from breaches of their personal data.
GDPR won’t be enforced right away, will it?
The expectation is that GDPR likely will be enforced right away against global organizations that collect large volumes of personal data. However, beware. EU countries continue to hire people for enforcement of the GDPR. Also, since individuals have a right of action, it is unclear whether GDPR will be used as a manner of protest against companies that are unpopular with EU data subjects.
What should I be asking management?
The path to compliance with GDPR will require a multi-functional task force, including information technology, legal, human resources, privacy, and other functions. Directors may consider asking about the key phases of compliance:
Discovery and inventory: Have we identified high risk areas to ensure a focused approach?
Gap analysis: Have we determined exposure and prioritized compliance activities?
Compliance remediation: Are we implementing changes to achieve compliance?
Ongoing compliance: Are we prepared to provide evidence of accountability and compliance?
Boards may also want to discuss the appointment of—and ramifications of having—a data protection officer (DPO), required under GDPR for companies processing large scale data; however, bear in mind that the DPO is a unique intermediary between the regulators, the organization and the data subjects who is required to be an independent actor within the organization reporting up to the highest levels of the organization. Care must be taken prior to appointing a DPO as significant obligations attach once this decision is made.
In short, GDPR’s long reach and substantial requirements merit fulsome discussions in the boardroom, even of U.S. companies. Is your company ready?
Looking to learn more about how your board will be impacted by GDPR? Stay tuned. NACD will release an FAQ brief in May.
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.
On May 25, 2018, a major new piece of data protection regulation will come into effect across the European Union (EU), and with it comes the potential for hefty fines or penalties for your organization. Even if you do not directly operate in the EU, chances are that the General Data Protection Regulation (GDPR) still pertains to your company.
The regulation covers any entity that processes the personal data of EU citizens (referred to as “data subjects”), even if the organization does not provide goods or services to EU citizens and only handles or processes their data. Unless you are categorically sure that your organization does not and will not process EU citizens’ personal data, compliance is not optional.
The fine for an infringement can be €20 million (approximately $23 million at today’s exchange rate), or 4 percent of your worldwide annual turnover, depending on which is the higher amount. It is essential for directors to pay attention to the data and information security practices in place to ensure that the organization is prepared and compliant.
The Policy Details of GDPR
The GDPR was written to ensure that organizations:
protect the personal data of ‘EU Natural Persons’ (i.e. living people);
are transparent, fair, and lawful about the processing of personal data;
only request and process necessary personal data;
do not share data with third parties or countries unless the correct legal agreements and processes are implemented; and
gain consent from data subjects to process their data.
Personal data is defined in the policy as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
There are six principles that apply to the processing of personal data. According to the policy, personal data shall be:
processed lawfully, fairly, and in a transparent manner;
collected for specified, explicit, and legitimate purposes;
adequate, relevant, and limited to what is necessary;
accurate and, where necessary, kept up to date;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
processed in a manner that ensures appropriate security of the personal data.
Data subjects are provided with a set of legal rights under GDPR, including the right:
Each EU member state has a designated supervisory authority. These regulatory bodies are responsible for monitoring the application of GDPR, and have the power to audit organizations and determine relevant warnings, reprimands, and fines for violations of the organization. When breaches of personal data occur, companies will be subject to a high level of scrutiny, and will have only a 72-hour window to report on the breach. A personal data breach is described as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
There is a requirement for some organizations to appoint a data protection officer (DPO), whose responsibility it is to advise and inform on GDPR and to monitor compliance within the organization. The DPO acts as the main contact for both data subjects and the supervisory authority, must report to the highest level of management within the organization, and cannot perform any tasks or duties which result in a conflict of interest.
You need to ensure your organization has fully investigated the nuances of the requirements to ascertain whether you need to appoint such a role or prepare to meet other personnel or technical demands.
Where do we start?
Your organization first needs to define the team that will drive GDPR compliance and management. Within the C-suite this should include the chief information officer and the chief information security officer, in addition to representatives from legal counsel, human resources, risk and compliance, and privacy. Determine if you need to appoint a DPO. Once your team is assembled, assess your current state, so that you can plan next steps accordingly. This team should present results at least to your board’s audit committee, if not the full board, given the financial and reputational risks involved.
Understand your personal data retention
You should ask your GDPR team the following questions to determine what categories of personal data your organization is dealing with:
To whom does data you collect and retain pertain?
Is it necessary to collect and keep this data?
If so, how long do you need to keep it?
Do you have permission from the data subject to process the data?
How is consent obtained from data subjects for each method of personal data collection?
Encourage your team to follow others’ personal data on its journey through and beyond the organization. Doing so will help the GDPR team understand how the data is collected, stored, transmitted, accessed, and secured, and understand where and how it is passed on to any third parties.
Review how your organization collects consent from individuals to process their personal data
EU citizens must be able to give and rescind consent for their personal data to be processed. Consent means any “freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In a contractual situation, the provision of a service may require personal data to be processed in order for the service to function correctly. In this case, this has to be made clear to the data subject when they register for the service.
Identify partner and supplier risk
Review third party legal agreements to ensure the EU citizen’s personal data provided to a third party is handled in a compliant manner. Otherwise, your organization will be held accountable for vendors’ data breaches or a data loss scenario. If you process personal data on behalf of another organization, you will need to demonstrate your compliance with GDPR, and ensure your legal agreements reflect this accordingly.
Ensure your cybersecurity programs are up to par
Your security posture and processes impact the journey and security of personal data, and should be assessed accordingly. GDPR Article 32 stipulates that you must ensure a level of security appropriate to the risk involved with the data. This might require adjustments to your security program, especially if you have weighted your security setup to focus primarily on prevention and are lighter in the areas of detection and correction. Visibility across your ecosystem is vital for determining risk. Knowing your weak points will help you understand where to bolster your security, and testing out your processes will determine whether they are fit for purpose.
Get regular updates on progress and status
As individual reviews are completed, have each leader report back to the core and leadership teams with a set of prioritized actions and milestones. Set up a frequent cycle of reporting to understand the progress of your GDPR compliance status. The spring of 2018 is clearly too late to be finding problems.
If your organization employs, partners with, or serves people who are citizens of the European Union, you are subject to GDPR. Given the detailed stipulations of the regulation, along with the threatening risk of steep fines, it’s not something you can get away with ignoring or procrastinating. As a board member, you’ll want to ensure the organizations you serve are prepared to meet the challenge and reduce the risk.
Corey E. Thomas is president and CEO of Rapid7. He is director of Blue Cross Blue Shield of Massachusetts and the Greater Boston Chamber of Commerce.