With devastating data breaches reported seemingly every day, consumers in the EU are no longer willing to tolerate having their data mishandled. To improve privacy standards and enforce the right of individual users to control the personally identifiable information (PII) they share with organizations around the world, the General Data Protection Regulation (GDPR) will go into effect this May.
But there's a big problem—despite the heavy fines that violations of, and negligence under, the GDPR can incur, Forrester predicts that 80 percent of affected firms will not comply with the regulation by the May 2018 deadline, and that 30 percent of those will try and fail. Why? For organizations with a large digital presence, identifying all the places where PII is collected can be nothing short of daunting. In fact, when RiskIQ looked at the public-facing websites of the top 30 UK companies (FT 30), our research identified an average of 400 pages per organization collecting PII.
Despite the recent hand-wringing, the GDPR has been a long time coming. The industry has frowned on insecure data collection for years, viewing it as a passé relic of the early days of the internet that is no longer acceptable in today’s threat landscape. As of this writing, Google is proactively addressing the issue by alerting Chrome users when they enter data into insecure forms: an embarrassing “Not Secure” label that currently appears for login and payment card fields and will eventually extend to any data entered over HTTP.
Unfortunately, when examining overall preparedness for the GDPR and broadening the scope beyond the EU, there is even greater cause for concern. The regulation is unique in that its PII collection requirements apply to any business that collects data about EU citizens, including those with no physical presence in an EU nation. For multinational companies with expansive web infrastructure, compiling and assessing site details is often fraught with gaps and inaccuracies. When the RiskIQ Threat Research team looked at 25 of the 50 largest banks in the U.S. (2017), it discovered that 68% of the banks had significant security gaps in PII collection, a percentage that may well hold for other U.S. companies with dealings in the EU.
Preparing for the GDPR raises many questions for compliance teams: can we identify and monitor all websites collecting PII on behalf of our company? Are those collection points secure? Are they accompanied by compliance statements and controls?
But where to begin?
To support GDPR specifications, organizations need a comprehensive understanding of their digital footprint—all of the various internet-exposed assets that belong to them. They must be able to discover which external assets collect personally identifiable information (PII), including a user’s name, phone number, address, social media presence, photos, lifestyle preferences, location data, and even their IP address. If you decide to bring in a vendor to help your organization prepare for the era of secure data collection, be sure to ask if they can accomplish these six items:
- Discover, inventory, and assess websites, apps, and infrastructure where PII is captured and processed
- Identify and assess PII-collecting website exposures: notices, forms, SSL certificates, frameworks
- Verify security of the PII-collecting websites with SSL certificates and encryption
- Comply with persistent cookie requirements on websites (expiration of less than one year)
- Identify where PII is captured by third parties using your company/brand as a lure (such as fake ads)
- Highlight security and policy violation exposures, enabling security and governance, risk and compliance (GRC) teams to better understand, and in some cases reduce, their attack surface and achieve compliance
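As an added illustration of two checks from the list above (this is example code written for this article, not RiskIQ's product or any code from the original post): it parses a page's forms and flags PII-looking ones that submit over plain HTTP, and flags Set-Cookie headers whose persistent lifetime exceeds one year. The PII field-name hints, the sample HTML, the cookie headers and the reference time are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urljoin
ONE_YEAR_SECONDS = 365 * 24 * 3600
PII_FIELD_HINTS = ("email", "phone", "name", "address", "card", "password")  # hypothetical; tune to your forms
class FormCollector(HTMLParser):  # collects every <form> with its action URL and the names of its inputs
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(a.get("name") or "")
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None
def insecure_pii_forms(page_url, html):
    """Return action URLs of forms that look like they collect PII and submit over plain HTTP."""
    parser = FormCollector()
    parser.feed(html)
    flagged = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # a relative action inherits the page's scheme
        if target.startswith("http://") and any(h in n.lower() for n in form["fields"] for h in PII_FIELD_HINTS):
            flagged.append(target)
    return flagged
def overlong_cookies(set_cookie_headers, now):
    """Return names of cookies living longer than a year; Max-Age wins over Expires (RFC 6265)."""
    flagged = []
    for header in set_cookie_headers:
        parts = [p.strip().partition("=") for p in header.split(";")]
        attrs = {k.lower(): v for k, _, v in parts[1:]}
        if "max-age" in attrs:
            lifetime = int(attrs["max-age"])
        elif "expires" in attrs:  # HTTP dates end in GMT, so the parsed datetime is UTC-aware
            lifetime = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
        else:
            continue  # session cookie: nothing persistent to check
        if lifetime > ONE_YEAR_SECONDS:
            flagged.append(parts[0][0])
    return flagged
# Constructed sample input, not captured from any real site.
SAMPLE_HTML = ('<form action="http://legacy.example.com/signup"><input name="email"></form>'
               '<form action="/login"><input name="username"><input name="password"></form>')
SAMPLE_COOKIES = ["tracker=abc; Max-Age=63072000", "session=xyz; HttpOnly", "pref=1; Expires=Wed, 01 Jan 2025 00:00:00 GMT"]
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
```

Run `insecure_pii_forms("https://www.example.com/account", SAMPLE_HTML)` and `overlong_cookies(SAMPLE_COOKIES, NOW)` against a real crawl's HTML and response headers to turn the checklist into an inventory; the login form is not flagged because its relative action inherits the HTTPS page scheme.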
About Sam Curcuruto
Sam Curcuruto drives efforts centered around RiskIQ's platform and product offerings for Digital Threat Management. RiskIQ is a nimble, fast-paced startup, and he is in charge of sales enablement, content creation, presentations, case studies, corporate messaging, and its buyer journey.