When you think of data security and data breaches many company executives who are not familiar with this topic think that a high fence, cameras and a security guard at the entrance will do the job. But as many cases and the most recent ransomaware attacs have shown, this is definitely not enough. And not having a bullet-prove data security process in effect, is even more risky than ever! The reason is the General Data Protection Regulation (GDPR).
Much has been written about the effects on companies from the upcoming GDPR regulation which will finally be in full effect by the End of May this year. Since the last two years we have published some articles in this blog about the need the securely erase personal data of partners, clients or other individuals that is not needed for any upoming business or when the person damands its deletion.
But GDPR is a lot more than just „the right to be forgotten“: It also applies to the prevention of data leaks by all enterprises that either do business within the European Union or from outside with a EU company.
In two months ends the two year long introduction period of this new regulation. In § 32 the new regulation demands companies to „introduce a procedure to to introduce and maintain regular reviews and evaluations of the effectiveness of technical and organizational measures to ensure the safety of processing of personal data within the company“. Implementing a proper procedure is not only valid for data processing but also for the selection and procurement process of the IT solutions (both software and hardware) in use.
For the selection process GDPR orders the companies to „take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk“. But additionally the EU lawmakers did state that the solutions should be „state of the art“.
In plain english that means that the IT representative has to take all neccesary measures to ensure that no personal data can leak outside the company. Measures according to the new law are for example:
- Pseudonymization and encryption of personal data,
- the ability to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on a permanent basis;
- the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident;
- a process for periodically reviewing and evaluating the effectiveness of technical and organizational measures to ensure the safety of processing.
Another very important point was implemented in § 35 of the new regulation, too:
„In particular, the risks associated with the processing – in particular destruction, loss or alteration, whether inadvertent or unlawful, or unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise – must be taken into account when assessing the appropriate level of protection“.
In short § 35 demands a proper analysis of the risks that a special procedure with a certain technology holds for personal data. The responsible employee has to make a data protection impact assessment before and make sure that a certain procedure – especially when using a new technology – poses a small or big risk to the (data) rights of individuals.
One of the main changes and addition to the former national laws oft he member states, is that now companies have to report a data leak within 72 hours after the leak occured.
And here again – the fines are severe and the same as with an unauthorised usage of personal data: either fines of up to €20 million or 4% of global annual turnover (whichever is greater) when it occured in a business that is most improtant to data protection or fines up to €10m or 2% of global annual turnover, whichever is greater.
Small or overlooked devices can make a data leak happen, too!
Being GDPR compliant means that IT adminstrators have to take all measures neccesary to ensure that a data leak will not occur. But this is easier said than done. Data security has been an issue for a long time even before this new European law, but now with only a few months left and the upcoming fines that high, many people get nervous. They are affraid that they might have forgotten something…. Like for example printers…
What a lot of people forget about is that a modern network printer can also contain or distribute personal data. Therefore it is a perfect piece of hardware for hackers to attack and to obtain sensitive or business related data.
One of the best videos to explain such an attack was produced by HP and is starring Hollywood actor Christian Slater. In this scenario he shows who a possible attack by a hacker can lead to a breach of millions of medical files from a hospital group. While in this story Slater had to steal and change the identity of a high ranking manager of the company twice and almost poisoning him, the main fact is that he was able to intrude the network by just using an USB interface of a modern network printer.
While this scenario is very much Hollywood-like, the idea of hacking a company through a printer or any other periphery hardware device that can be connected to your network. Besides that even when your printer is not connected to the whole company it still can hold various sensitive information. What many people still do not know, is that a business printer or copier might have a hard disk inside that stores the last documents until the disk is full. This poses a severe security and data breach challenge: When such a device is leased or rented and the period is over, this disk should be securely erased otherwise sensitive personal information can leak out of the company and – in this case – is reliable for it as set in the GDPR framework.
Therefore with only 2 months to go, all representatives currently engaged in making the company policies GDPR compliant should now also check for minor hardware that might have been forgotten by now and add them in their data security processes. It is not to late, but time is running out…