Industry Insights with Richard Henderson


EU GDPR: The Why and How for Financial Services

The Enforcement Deadline of the EU General Data Protection Regulation Looms

As data protection breaches have become daily headline news and everyone becomes increasingly sensitive about privacy, the regulatory regime is getting tougher. Data protection laws in Europe are more important than ever before - especially as the enforcement deadline of the EU General Data Protection Regulation looms.


Consequently, regulators have been increasingly concerned about the ways in which financial services organizations hold and manage data - particularly where the actions of a financial services organization could expose customers to identity theft. But according to a new study by Veritas Technologies, just 2 percent of organizations are GDPR compliant today, with less than a year to go before full compliance will be enforced in May 2018.

The overall aim of GDPR is to make privacy laws fit the needs of the 21st century. There is major emphasis on enforcement as the new regime has increased penalties for breaches, with fines of up to 4 percent of a corporation's annual global turnover. In addition, it introduces mandatory data breach reporting requirements similar to those that exist in most U.S. states, but with a requirement to report a breach usually within 72 hours.

To describe the new rules as an update or a refinement in the current data protection regime is not accurate. This is not a fine-tuning of the law; a far more fundamental change is taking place. The new rules are much more detailed, demanding and onerous. GDPR is a recognition that there is a political impetus in having new and tougher laws. Many in Europe care much more about data - and especially data breaches - than they did 20 years ago.

Achieving the 72-Hour Reporting Window

To have a realistic chance of reporting a breach within the 72 hours the new rules allow, a security vendor would need to notify the organization of the breach within 24 hours. The primary responsibility to report a security breach will rest with the data controller, but most of the breaches we see are the responsibility of a vendor. Firms will need a contractual obligation to make sure the vendor tells them in time so that they can meet their own reporting obligations. Even once you know of a breach, you still have work to do to get it into the right format to make a report.

As a vulnerable sector, financial services will have to take special care to put in place adequate policies, procedures and training to ensure breaches are reported within the 72-hour period. Bear in mind that, as well as reporting a breach to data protection regulators, firms may also need to tell financial services regulators, other financial services companies (for example, because of contractual requirements they have agreed to) and the individuals affected.

The Need for a DPO

Another important result of the new rules is that organizations may need to have a data protection officer (DPO) to deal with data protection compliance issues.

In the past, some organizations have not applied enough rigor in their approach to data protection. A few people may have had some training within the company but it's now likely that organizations will feel obliged to appoint a properly trained DPO. The appointment of a good DPO will be useful when dealing with data breach issues and ensuring that an organization takes a proportionate view of its risk to keep its customers and reputation safe. The DPO should be independent in the performance of their tasks and report directly to the highest level of management.

We know that the new data protection regime will bring considerable responsibility and sanctions for companies that handle data, and financial services businesses are more at risk than most. As such, there will be considerable challenges to comply with the new rules and it will take some time to implement the necessary policies and infrastructure. What is certain today is that organizations must start now in order to be properly compliant when the new rules are in place.

About the Author

Richard Henderson


Head of Global Threat Intelligence, Lastline

Richard Henderson is Head of Global Threat Intelligence at Lastline, where he is responsible for trend-spotting, industry-watching, and evangelizing the unique capabilities of Lastline's technologies. He has nearly two decades of experience and involvement in the global hacker community and discovers new trends and activities in the cyber-underground. He is a researcher and regular presenter at conferences and events and was lauded by a former US DHS undersecretary for cybersecurity as having an "insightful view" on the current state of cybersecurity. Henderson was one of the first researchers in the world to defeat Apple's TouchID fingerprint sensor on the iPhone 5S. He has taught courses on radio interception techniques multiple times at the DEFCON hacker conference. Henderson is a regular writer and contributor to many publications, including BankInfoSecurity, Forbes, Dark Reading, and CSO.
