[BreachExchange] Is Data Compliance Equal to Data Security?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 8 10:25:39 EST 2019


The European General Data Protection Regulation (GDPR) came into effect on
May 25, 2018, ushering in a new era of data compliance regulation across
the world. GDPR-like regulations have emerged in Brazil, Australia, Japan
and South Korea, as well as U.S. states such as New York and California.

The GDPR was introduced to protect EU individuals’ personal information,
collected by organizations, through regulation on how the data can be
collected and used. Even though it is European law, the scope of the
legislation affects organizations around the world.

Despite a two-year phase-in period (May 24, 2016 to May 25, 2018), many
organizations around the globe remain noncompliant. A GDPR pulse survey by
PwC in November 2017 revealed only 28 percent of U.S. companies had begun
preparing for GDPR, and only 10 percent responded saying they were

Just a few weeks before the May 25 deadline, a Cloud Security Alliance’s
GDPR preparation and challenges survey report revealed that 83 percent of
companies did not feel prepared for GDPR. Moving into 2019, the $57 million
fine for violations of the GDPR handed out to Google indicates that even
the biggest corporations are struggling to adhere to GDPR compliance

To avoid potential fines and the cost of compliance, some non-EU companies
have opted to withdraw from the EU market entirely. For example, every
U.S.-based online newspaper managed by Tribune Publishing Company has been
routing all EU IP addresses to pages that say something to the effect of
“our website is currently unavailable in most European Countries.”
However, this is not a long-term solution, as more and more major economic
hubs around the world introduce GDPR-like compliance regulations. As a
result, many organizations are scrambling to improve their data security
with the objective of becoming compliant and preventing cyber criminals
from stealing precious customer data.

The GDPR has led to the question: “Does having adequate security also mean
my organization is GDPR compliant?”

Data Compliance: A Security Solution?

Looking back on 2018, data breaches continued to be a regular occurrence,
with several high-profile incidents – including Amazon, Facebook, Marriott
Hotels and Google+ – stealing the headlines.

What’s most notable about these breaches: They highlight that adhering to
data compliance regulations does not necessarily protect against bad actors
breaching your systems and stealing data. Therefore, GDPR and other data
compliance regulations shouldn’t be positioned as a sufficient
cybersecurity strategy; instead, they should provide the impetus for
proactive investment in data protection.

The GDPR provides a framework for comprehensive data security that includes
standards for breach management, data protection, vendor management, data
minimization and so on. As a result, the GDPR and other data compliance
legislation provide organizations with a great foundation to start
addressing cybersecurity risks.

The advanced and dynamic nature of cyber threats means that businesses need
to adopt enterprise security architecture that can manage the objectives
and risk challenges organizations face. Unfortunately, this means
organizations cannot rely on purely being compliant with data protection

Compliance or Security – Which Should Take Priority?

Cybercriminals are constantly advancing and changing their attack
methodologies. As a result, being compliant and secure is not a task with
an end point. Instead, these are ongoing projects that require continued
vigilance through maintaining and updating IT infrastructure. Data
compliance regulations, such as the GDPR, are a great starting place for
organizations wanting to address data protection. However, they are only an
elementary step to addressing security.

With compliance regulations taking hold across the globe, compliance and
security are increasingly becoming two sides of the same coin. Security and
privacy need to be instrumental parts of organizations’ systems, and if
organizations cannot determine whether compliance or security should take
priority, they should work toward implementing a strategy that intertwines
the two. This helps to reduce risk, particularly when it comes to unlawful
access to critical data.

What is the Solution?

Organizations are increasingly adopting a layered approach to data security
that involves investing in various solutions to defend against a range of
threats. This has resulted in organizations wasting resources on
unnecessary solutions – a problematic approach considering the
often-limited security budgets many security teams have.

A data-centric security strategy is the solution to organizations’
compliance and security woes. This strategy protects the data throughout
its life cycle, whether data is in motion, at rest or in use.

Tokenization is an essential aspect of this strategy. This process
“de-toxifies” sensitive data by replacing it with a unique, randomly
generated placeholder, anonymizing the information so that it can’t be
linked together. This gives organizations the ability to use data while
still protecting its original characteristics, helping them to
simultaneously meet compliance and security requirements.
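The vault below is an added illustration of the tokenization the article describes, not code from the article or any vendor: a random placeholder replaces each sensitive value, the token keeps the original's shape (digits stay digits, a trailing suffix can be kept) so downstream systems keep working, and only the vault can turn a token back into the value or tell that two tokens share an original. The in-memory dictionary stands in for whatever the vault would really be.

```python
import secrets
import string


class TokenVault:
    """In-memory token vault (a constructed example, not a product).

    tokenize() swaps a sensitive value for a random placeholder and records
    the mapping here. The token carries no information about the value, so
    it is only useful to a caller who can also query the vault.
    """

    def __init__(self):
        self._token_to_value = {}

    def tokenize(self, value, keep_last=0):
        """Return a fresh random token for `value`.

        Digits become random digits and letters random letters; other
        characters (`@`, `-`, `.`) and the trailing `keep_last` characters
        are kept, so code expecting a 16-digit card number or an e-mail
        shaped string still works. Every call issues a new token, so two
        records holding the same value cannot be linked via their tokens.
        """
        cut = len(value) - keep_last
        if cut <= 0 or not any(ch.isalnum() for ch in value[:cut]):
            raise ValueError("nothing left to randomise")
        head, tail = value[:cut], value[cut:]
        while True:
            body = "".join(
                secrets.choice(string.digits) if ch.isdigit()
                else secrets.choice(string.ascii_letters) if ch.isalpha()
                else ch
                for ch in head
            )
            token = body + tail
            # Reject the (rare) token that collides with one already issued
            # or with the plaintext itself, then record the mapping.
            if token != value and token not in self._token_to_value:
                self._token_to_value[token] = value
                return token

    def detokenize(self, token):
        """Recover the original value; raises KeyError for unknown tokens."""
        return self._token_to_value[token]

    def same_original(self, token_a, token_b):
        """Only vault access can tell that two tokens share an original."""
        return self.detokenize(token_a) == self.detokenize(token_b)
```

A real deployment would hold the vault behind an access-controlled service and log every detokenize call, since the vault, not the tokens, is now the asset whose exposure counts as a breach of the underlying data.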

In the event of a breach, organizations will not necessarily be penalized
if they can demonstrate their security apparatus was up to par (e.g., if
sensitive data was breached but had been protected with the appropriate
measures, such as tokenization or encryption).

The spread of GDPR-like compliance across the world and within the U.S.
provides businesses with the perfect opportunity to review their security
posture and implement effective strategies that will protect their business
from nefarious actors, as well as fines for noncompliance with data privacy
regulation. In today’s world, data compliance and security are essential
for survival.