If you have even a passing interest in GDPR, you will know that 25th May 2017 was a significant date, because it meant we were just a year away from GDPR becoming law across Europe. This of course sparked a lot of activity from vendors, analysts, regulators and just about anyone involved in the privacy or information governance world. However, a couple of weeks before, on May 12th, there was another momentous incident to consider, as a notorious Ransomware attack took hold across the world. Quite a few organisations were compromised by it and struggled to react, but of course many others had already taken action to avoid becoming a victim of this latest attack. As stories of businesses and hospitals struggling to respond emerged, it made me wonder about the relationship between Ransomware attacks and GDPR. Obviously there's a cybersecurity angle to Ransomware, but there is also the question of making sure that data, especially personal data, is protected from malicious activity regardless of where an attack comes from.
This also reminded me of a conversation I had at an event earlier this year with an insurance company. My first question was, "Why is an insurance company here?", but they explained that they have a service to help customers respond to data breach incidents and that they've been pretty busy recently. In fact, one of the leading companies in this field, Beazley, reported in their April quarterly update that Ransomware attacks quadrupled in 2016 and were up 35% in the first quarter of 2017.
This might explain why demand for Cybersecurity Insurance is on the increase; Allianz are predicting the global market to be worth $20B by 2025. They could be right, given that demand has so far mainly been driven by the US, where many states require organisations to publish details about data breaches. When GDPR kicks in next year, it's pretty much a given that more organisations will have to respond to data breaches more formally, because the regulation has specific requirements around this. I'm not saying breaches will increase because of GDPR; I hope they don't. But I think it's inevitable that organisations will want to respond appropriately and work with their regulator to help minimise potential fines.
This brings me back to Ransomware, because it would be easy to take the view that organisations who suffer attacks aren't thinking about Article 25 of the GDPR, which covers data protection by design and by default. It uses the simple phrase "taking into account the state of the art" to emphasise the point that if you are handling personal data then you had better make sure you are using up-to-date technology. Arguably, anyone running out-of-date Windows software or delaying the installation of patches certainly isn't thinking about "state of the art". This has made me wonder: as more organisations seek insurance to mitigate the risk posed by malware, Ransomware and data breaches, will insurance companies start to look at regulations like GDPR and demand that their customers adopt appropriate technology and best practices before insuring them? Given how insurance works in other areas of our lives, I'm sure they might well play a part in endorsing the need to follow regulations. So, back to the subject of this post, "Does GDPR make you want to cry?": we'll have to wait to see how punitive the GDPR fines will be, but it's quite possible there will be tears at some organisations as a result of future Ransomware attacks.
Of course, many key applications that drive important business functions rely on databases, which are less likely to be affected by Ransomware. But we all know that file servers are still key to how people work: the many "special" Excel files used by finance, the Word templates used by sales, or the PDF documentation used by engineering. These will be spread around the file server infrastructure and will be a vital part of running the business. Some might be more than vital; they could also be confidential or contain personal data. So, what if some of your key customer data is impacted by Ransomware? How would you know the extent of the damage or gauge which files were affected? These are certainly questions you would need to answer, not just for the internal response but also if you had to notify the regulator as the attack turns into a data breach. The UK regulator has already issued advice about how they view such an attack in terms of an organisation's responsibilities for data protection; they expect appropriate technical and security measures to be in place to mitigate the risk of a breach.
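The question above, which files on a share were affected and whether any of them held personal data, can be answered only if you have a baseline to compare against. The script below is an added illustration of that idea and is not Veritas code or a Data Insight feature: it records a SHA-256 inventory of a share before an incident, then reports every file that has since been overwritten with high-entropy (encrypted-looking) content, renamed with a suspicious extension, or gone missing, and cross-references the result with a classification map that labels files holding personal data. The extension list, the entropy threshold and the classification labels are constructed assumptions, as is the sample share it builds in a temporary directory.

```python
"""Scope which files on a share changed during an incident and which of them
were classified as holding personal data.  Added example, not product code;
the extension list, threshold and classification labels are assumptions."""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Assumption (constructed for this example): extensions that file-encrypting
# malware is sometimes observed to append to the files it rewrites.
RANSOM_EXTS = {".locked", ".encrypted", ".crypt"}
# Bits of entropy per byte above which content looks encrypted or compressed;
# ordinary office documents and CSV exports sit well below this.
ENTROPY_THRESHOLD = 7.0


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_baseline(root: Path) -> dict:
    """Relative path -> SHA-256 for every file, recorded before the incident."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def scope_impact(root: Path, baseline: dict, classification: dict) -> dict:
    """Compare the share with the baseline and report affected files.

    classification maps relative path -> label such as "personal" or "internal",
    standing in for the output of whatever classification tooling is in use.
    """
    affected = []
    for rel, old_hash in baseline.items():
        path = root / rel
        if not path.exists():
            # The original name is gone: check for the same name plus a ransom extension.
            renamed = [path.with_name(path.name + ext) for ext in RANSOM_EXTS]
            reason = "renamed with ransom extension" if any(r.exists() for r in renamed) else "missing"
            affected.append((rel, reason))
        elif sha256_of(path) != old_hash:
            ent = shannon_entropy(path.read_bytes())
            if ent > ENTROPY_THRESHOLD:
                affected.append((rel, f"rewritten with high-entropy content ({ent:.2f} bits/byte)"))
            else:
                affected.append((rel, "modified"))
    personal = sorted(rel for rel, _ in affected if classification.get(rel) == "personal")
    return {"affected": affected, "personal_data_affected": personal}


def demo() -> dict:
    """Builds a constructed share, records a baseline, simulates the aftermath
    of an incident (random bytes and a rename, no real encryption) and scopes it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "sales").mkdir()
        files = {  # constructed sample content
            "finance/customers.csv": b"name,email\nA. Person,a@example.com\n" * 50,
            "finance/forecast.xlsx": b"quarterly numbers " * 100,
            "sales/template.docx": b"Dear customer, " * 100,
        }
        for rel, content in files.items():
            (root / rel).write_bytes(content)
        classification = {"finance/customers.csv": "personal",
                          "finance/forecast.xlsx": "internal",
                          "sales/template.docx": "internal"}
        baseline = build_baseline(root)

        # Constructed aftermath: one file overwritten with random bytes, one renamed.
        (root / "finance/customers.csv").write_bytes(os.urandom(4096))
        (root / "sales/template.docx").rename(root / "sales/template.docx.locked")

        return scope_impact(root, baseline, classification)


if __name__ == "__main__":
    report = demo()
    for rel, reason in report["affected"]:
        print(f"{rel}: {reason}")
    print("files classified as personal data affected:", report["personal_data_affected"])
```

The untouched forecast file drops out of the report, the CSV classified as personal data is flagged as rewritten, and the renamed template is matched back to its original path. In practice the baseline would come from a scheduled inventory of the share rather than from a fresh scan, and the personal-data list is what feeds the regulator notification rather than a guess about which shares "probably" held customer records.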
In summary, from a GDPR point of view it's clear that regulators will expect organisations to use the best tools they can to minimise data protection risks, and perhaps so will insurance companies if organisations want to insure that risk. Our own GDPR Research shows that about 40% of organisations just don't have tools to help them comply with GDPR. Tools like Data Insight or Information Map can help organisations manage their data by quickly visualising and understanding who it belongs to, where it is and what type of data it is. You can also leverage the security features of Data Insight to monitor sensitive files and detect access anomalies, make sure that your file shares are secure, understand who owns the data, classify it to find sensitive or personal data, and spot liabilities such as a database dump of your CRM system on a public share. I could go on, but my point is that there are all sorts of reasons to ensure you're accountable for any personal data you keep.
So, whether it's Ransomware or GDPR; just make sure you have the right tools in place (taking into account the state of the art) so you can demonstrate accountability for the data that you keep. For more information about Veritas 360 Data Management for GDPR follow this link.