[BreachExchange] Email data leaks just got riskier
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Jul 9 19:22:23 EDT 2018
http://www.pressreleasepoint.com/email-data-leaks-just-got-riskier
The General Data Protection Regulation (GDPR) became enforceable at the end
of May, and organizations that fall under its provisions – which includes
any company that collects, stores, or processes the data of anyone who
resides in the European Union – are realizing that its impacts reach into
many aspects of their operations.
Article 32 of the GDPR addresses the security of processing personal data,
but what exactly do we mean by “processing,” anyway? Article 4 makes that
clear; it defines “processing” as “any operation or set of operations which
is performed on personal data or on sets of personal data, whether or not
by automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction.”
Thus basically anything that you do with the data constitutes processing in
this context. That includes transmitting it to someone else, either within
or outside your organization.
There are times when, in the course of doing business, employees might want
to discuss customers’ personal information with a colleague or even with
the customer him/herself, via email. This can present security issues if
the information is not encrypted and/or pseudonymized. Users may also
include personal info when it’s not necessary, or include more personal
data than is necessary. Thus email can be a common source of data leaks
that could put data subjects’ privacy in jeopardy, and put your org at risk
for penalties that can be imposed if you violate the GDPR provisions.
Those in the healthcare and financial services sectors have long been aware
that there are legal issues involved in exchanging email messages that
include personal information, but the GDPR now extends the restrictions and
ramifications to companies in pretty much all fields and industries. So
let’s look at some ways to keep company email in compliance with the GDPR,
HIPAA, GLBA and other laws that govern the security of specified types of
data.
Step one: Know the law
Before you can comply with the law, you have to know and understand the
law. Being able to recite the text of the GDPR isn’t enough; you must also
know what it means and how it applies (and doesn’t) to your organization
and your processes.
If you aren’t an attorney – or even if you are, but European privacy law
and regulatory compliance aren’t your areas of specialty – the safest plan
is to hire someone who can expertly interpret the GDPR and advise you on
what you need to do to ensure that you comply, with respect to email as well
as all other aspects of processing personal data.
It’s possible that because of the nature of your business and clientele,
you don’t even have to worry about the GDPR, but don’t assume that’s true
just because your company is based outside of the EU. Remember that it
applies if you process (by the very broad definition quoted above) any
personal data of any EU resident (who might not necessarily be a citizen of
an EU country). Paying for good legal advice up front could potentially
save you many times that cost if you make mistaken assumptions that come to
the attention of the EU authorities later.
Step two: Know your processes
Take to heart the old adage “know thyself,” or in this case, thine
organization. In addition to knowing the law (or getting someone on board
who does), it’s essential that you understand your company’s own processes.
Your attorney might be a leading expert on the regulation itself, but
he/she doesn’t necessarily know the who, what, when, where, and how of your
org’s operations. And yes, it matters.
You need to be able to answer the following questions:
- Who do you deal with? This includes anyone whose personal information you
handle in any way – customers, potential customers, employees, contract
workers, users of your free services, etc. Also who in your org has access
to the personal data?
- What information relating to those people do you collect, store, or
process? Even a person’s name or IP address can be considered personal
data. Article 4 of the GDPR specifically states that personal data includes
“any information relating to an identified or identifiable natural person
(‘data subject’); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an
online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of
that natural person.”
- When did you collect the data? Is it up to date? Is there a reason to
continue storing it? Article 5(1)(d) requires that you keep it updated and
accurate, and Article 5(1)(e) states that it should be “kept in a form
which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed”
(although archiving may be permitted for certain purposes). When was
consent given? If pre-GDPR, it may be safest to obtain consent again –
following the guidelines for consent given in Article 7.
- Where do those customers, potential customers, workers, and users
reside? This is the crux of the matter when it comes to applicability of
the GDPR. Even if they are only temporarily in the EU, that makes them
data subjects under the auspices of the GDPR. See Article 3 regarding the
territorial scope of the GDPR. Where are your workers physically located
when they deal with personal data? Do you have remote workers who access
this data from home or when on the road?
- How is the personal data collected? How is it stored (physical location,
format, etc.)? How is it secured (physical security, firewalls, access
controls, encryption, etc.)? How is it shared within and outside of the
company? How is it determined who can access it and how is that access
restricted? How was consent obtained? How is it disposed of when it’s no
longer of use?
You also want to look at how those within the company tend to communicate,
especially when it comes to discussing matters that include personal data.
If this commonly happens via internal email (which is true of many
organizations), then you will want to pay special attention to securing
those email messages.
Only when you have a thorough understanding of what personal data your
company has and handles and the paths that data takes through your network
will you be able to properly protect its privacy.
Step three: Establish written policies and training procedures
Once you do have that thorough understanding, you can develop written
policies to govern the handling of the personal data. These policies should
be distributed to all personnel who have access to the data and they should
be required to sign off that they have read and understand the policies.
The policies should lay out very explicitly what is and is not permitted in
handling personal data, including:
- It can be obtained only in accordance with the lawful purposes laid out
in Article 6 of the GDPR.
- If relying on consent as the lawful purpose, that consent must be
obtained in accordance with the provisions in Article 7 of the GDPR.
- The data can be used only for the purposes for which it was originally
obtained.
- The data must be secured through standard data security best practices,
including encryption.
- Steps must be taken to ensure the data is accurate at all times.
- The rights of data subjects, as outlined in Articles 12-23 of the GDPR,
must be respected at all times.
- The data should be retained no longer than necessary for the purposes for
which it was given.
Your policies should specifically address the inclusion of personal data in
email messages, both within and outside the company, whether in the text of
the message or sent as an attachment. You should also have policies
specifically addressing the security of data sent or accessed over the
Internet, including in the case of telecommuters or traveling employees.
To be effective, policies should have penalties for violation, and those
penalties should be clearly stated in the policy itself. The penalties
should be severe enough to act as a deterrent but should take into account
the nature of the breach, its consequences or potential consequences to the
data subject and the company, and the level of culpability (ignorance,
neglect, recklessness or intent) of the violator.
In addition to written policies, employees, contract workers and volunteers
who will handle personal data should undergo classroom, online, and/or
individualized training to ensure that they understand the requirements and
know how to adhere to these rules.
Step four: Implement technological enforcement measures
No matter how many written policies you enact or how much training you
provide, and regardless of penalties for violation, there will be some
people who will misunderstand, forget, or deliberately disregard the rules.
Technological controls are the most effective way to enforce your policies.
Users often get complacent with email, especially when it’s quick and
informal exchanges with fellow workers within the company – even if those
messages travel over the Internet. Two of the most important ways to
protect personal data that must be transmitted this way are:
- Email encryption
- Email content monitoring
For any company that handles personal data that’s subject to the GDPR (or
other government regulatory compliance requirements), a comprehensive email
security solution (for example, GFI MailEssentials) is no longer a luxury;
it’s a necessity. A good email security solution will give you the
capability to police what goes in and out via email, based on keywords,
file types, and regular expressions. This can help prevent a personal data
breach that could be costly to your organization not only in the form of EU
fines, but also in terms of reputational damage that can be difficult or
impossible to overcome.
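The kind of outbound email policing just described (keywords, file types and regular expressions) can be sketched in a few dozen lines. The following is an added example written for this post, not code from the article or from any product it names; the rule lists, the internal domain `example.com` and the sample message are constructed assumptions that a real deployment would replace with its own data inventory.

```python
"""Outbound email content check of the kind the article describes: police
what leaves the company based on keywords, file types and regular expressions.

Added example, not code from the article or from any product it names. The
rules, the internal domain and the sample message are constructed assumptions.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # assumed company domain

# Keywords that suggest personal data is being discussed (assumed policy list).
KEYWORD_RULES = {
    kw: re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE)
    for kw in ("passport", "date of birth", "social security", "iban")
}

# Regular expressions for identifiers the GDPR treats as personal data.
PATTERN_RULES = {
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # IBAN shape only (country code, check digits, 11-30 alphanumerics); no checksum.
    "iban_like": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

# Attachment types that typically carry bulk personal data (assumed list).
RISKY_EXTENSIONS = (".csv", ".xls", ".xlsx", ".db", ".sql")


def _scan_text(text, location):
    """Return one finding per rule that fires in `text`, with a hit count only:
    the matched strings are themselves personal data and stay out of the log."""
    findings = []
    for name, rx in KEYWORD_RULES.items():
        hits = len(rx.findall(text))
        if hits:
            findings.append({"rule": f"keyword:{name}", "where": location, "hits": hits})
    for name, rx in PATTERN_RULES.items():
        hits = len(rx.findall(text))
        if hits:
            findings.append({"rule": f"pattern:{name}", "where": location, "hits": hits})
    return findings


def scan_message(raw):
    """Inspect an RFC 5322 message and return findings, external recipients and
    a verdict: allow / flag (stays internal) / block (would leave the company)."""
    msg = message_from_string(raw, policy=policy.default)
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in recipients if not a.lower().endswith("@" + INTERNAL_DOMAIN)]

    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        location = filename or "body"
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append({"rule": f"attachment_type:{ext}", "where": location, "hits": 1})
        if part.get_content_maintype() == "text":
            # Scan the body and any text attachment (a CSV export, for instance).
            findings.extend(_scan_text(part.get_content(), location))

    if not findings:
        verdict = "allow"
    elif external:
        verdict = "block"
    else:
        verdict = "flag"
    return {"verdict": verdict, "external_recipients": external, "findings": findings}


def build_sample_message():
    """Constructed sample: an employee mails customer details and a CSV export
    to an address outside the company, with a colleague on Cc."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "partner@outside.example"
    msg["Cc"] = "bob@example.com"
    msg["Subject"] = "Customer follow-up"
    msg.set_content(
        "Hi,\nPlease call Jane Doe (jane.doe@mail.example) about her passport renewal.\n"
        "Her last login came from 203.0.113.42.\n"
    )
    msg.add_attachment("name,email\nJane Doe,jane.doe@mail.example\n",
                       subtype="csv", filename="customers.csv")
    return msg.as_string()


if __name__ == "__main__":
    report = scan_message(build_sample_message())
    print(report["verdict"], report["external_recipients"])
    for f in report["findings"]:
        print(f"  {f['rule']:<28} in {f['where']}: {f['hits']} hit(s)")
```

The verdict is deliberately split by destination: the same findings only flag a message between two internal mailboxes but block one addressed outside the company, which mirrors the article's point that the risk is highest when personal data crosses the organisation's boundary. Note that the log records rule names and hit counts, never the matched strings, so the monitoring system does not itself become a second copy of the personal data it is meant to protect.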
Summary
The GDPR brings some big changes to the way companies must handle data, and
that includes data in email messages. Email may be the weak spot in your
data security strategy, but it doesn’t have to be. The appropriate written
policies, adequate education and training of workers, and good
technological solutions can help keep your email messages in compliance.