[BreachExchange] Is GDPR Actually Causing More Data Hacks?

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 11 22:18:36 EDT 2018


https://www.lawyer-monthly.com/2018/04/is-gdpr-actually-causing-more-data-hacks/

Like bank robbery, data hacks, ransomware and cyber-attacks are already
against the law. So, in the same way that a bank robber is unlikely to be
put off by the sentence they will receive if they get caught, hackers are
unlikely to see GDPR as a deterrent to their “work”.

The behavioural and attitudinal differences between the two felonies are
stark. Bank robberies require guts, but little skill. Hackers are clever,
but thanks to the cover of the dark web and encryption they are spineless
in comparison. The capture/conviction rate is vastly different too:
cyber-attacks are “untraceable” compared to a “good old” bank robbery. So
GDPR is unlikely to affect the conviction rates for data hacks and
cyber-related crime.

It is unlikely that the hacking rate will increase in a post-GDPR world.
However, thanks to the new regulations, data breaches are likely to become
more widely publicised. GDPR regulations will require that data breaches
are disclosed within 72 hours of being discovered. This means that recent
examples, such as Equifax’s slow disclosure of a large data hack, won’t wash
with the ICO. And post-May, the new rules will increase the chances of
incurring large fines if you try to brush a breach under the carpet.

It is worth noting at this point that being hacked isn’t going to
automatically incur a fine – a data breach is not a violation of GDPR
itself. However, a breach caused by inadequate IT-security is highly likely
to be subject to GDPR fines. Therefore, companies will need to ensure that
they have followed due process to protect and inform customers in the
unfortunate event of a hack.

Personal data poorly stored and leaked or hacked is a violation of GDPR, so
organisations must improve data management and protection processes to
ensure compliance with the new regulations. These improvements, in theory,
will decrease the risk of a data breach, whether accidental or due to a
cyber-attack.

So if you haven’t started already, now is the time to ensure that your data
architecture as well as your IT security is compliant. Internal education to
remove sensitive data from random areas of the business is just as
important as sorting out the bigger IT infrastructure issues.

The number of robberies on British bank branches dropped by 90% between
2001 & 2011. This wasn’t due to the increasing number that have been turned
into coffee shops, or even heavier sentences, but rather a raft of
innovative technologies that made it extremely difficult for “traditional”
robbery tactics to work. Anyone trying to rob a bank now faces much better
CCTV, protective screens that can rise in less than a second and special
smoke screens designed to confuse and disperse criminals.

The increased precautions we are all taking with customer data are thanks
in part to GDPR, and will mean that longer term there are likely to be
fewer breaches. Like the banks, we will use technology and GDPR best
practice to comply and, more importantly, protect customers. But don’t let
complacency set in: the hackers will keep improving their skills at a
similar rate to the good guys.

There is one final thing to watch out for. It is likely that the increased
publicity around GDPR will lead to it becoming a ransomware and phishing
topic, potentially making customers more susceptible to attacks.
Cybercriminals will use GDPR as a social engineering tactic in the same way
they try to obtain a response to fake fraud communications posing as your
bank.

The regulations will help make all our data safer in the future, but the
hackers are still going to hack. There will still be a similar number of
breaches post-GDPR, but thanks to more press coverage with
headline-grabbing fines, we are going to hear more about them, giving the
perception that hacking is getting worse.

That is not necessarily a bad thing: the quicker the public find out, the
faster they can act to protect their data. We need to ensure that we build
trust, transparency and joint accountability with customers to ensure that
the volume of data hacks doesn’t increase in a post-GDPR world.