
Privacy Anyone?

GDPR is here! Are you ready? Cymulate is here to help.

As you know, on May 25, 2018, the General Data Protection Regulation (GDPR) came into force, impacting organizations around the globe.

As with any new regulation, not all organizations comply (yet). In the case of GDPR, non-compliance should not be underestimated, especially in light of the fines that can be imposed.

The size of these fines depends (among other factors) on the number of people affected, the damages they suffered, and the duration of the data breach. It also depends on whether the data breach was intentional or resulted from negligence. Efforts for mitigation are also taken into account, as are preventative measures.

When it comes to the amounts that need to be paid, the regulation makes a distinction between lower-level fines (up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher), and upper-level fines (up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher).

After the GDPR came into effect, it did not take long for the first complaints of infringements to be filed. Facebook and Google are already on the receiving end of complaints that could result in fines amounting to $8 billion.

Organizations of all sizes, regardless of location, have good reason to be worried. In May 2018 alone, there were a number of data breaches jeopardizing personally identifiable information (PII):

  • On May 17, Corporation Service Company (CSC) announced that hackers stole the personally identifiable information of 5,678 of its customers.
  • At the end of May, it was reported that the Los Angeles County 211 service left about 3.2 million call records on an exposed AWS server. The records included a wide variety of personally identifiable information on callers, along with the sometimes very personal reasons they called looking for help.
  • On May 19, the University of Buffalo announced that its CISO was investigating and responding to a breach of external third-party accounts that appears to have compromised the login information for a large number of UB students, faculty, staff and alumni.

Although these breaches mainly affected US citizens, they illustrate how attractive PII remains for cybercriminals.

Authorities take GDPR very seriously. Ahead of the GDPR, the UK fined the University of Greenwich £120,000 over a data breach when information belonging to almost 20,000 staff and students was exposed in a security incident.

It is important to understand that the imposed fines come on top of the cost of the data breach itself. This means that under GDPR, the impact of WannaCry and similar cyberattacks will be twofold for the victimized enterprise. First, there are the damages of the data breach itself (e.g., stolen information, mitigation costs), followed by a crippling GDPR privacy breach fine. For organizations that lack proper network security, this could mean ruin.

It’s not too late to become GDPR compliant. In our blog post of April 4, we described various strategies to address the multiple challenges that organizations face to be GDPR compliant. Furthermore, there are several sections of the legislation where Cymulate can assist organizations, in particular Provisions 74 and 76 as well as Article 24, paragraph 1, Article 32, paragraph 1, and Article 35, paragraph 1.

Provision (74) stipulates: “The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context, and purposes of the processing and the risk to the rights and freedoms of natural persons”. This entails that controllers have the legal obligation to conduct a Data Protection Impact Assessment.

With Cymulate’s assessment platform, it is easy for controllers to automate the Data Protection Impact Assessment and conduct such an assessment at any time.

Provision (76) details what the mandatory risk assessment entails: “The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context, and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk”.

Cymulate’s assessment platform pinpoints weaknesses in the context of endpoint, network, and cloud relationships to reveal how an actual attack could play out and how far it could go.

Article 24, paragraph 1, states: “Taking into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary”.

Cymulate’s breach and attack simulation (BAS) platform can assist the controller in reviewing and updating the technical and organizational measures, since it provides actionable insights without any false positives.

Article 32, paragraph 1 stipulates: “Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller, and the processor, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.”

Article 32, paragraph 1, sub d, details “a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing”.

For such testing, assessing, and evaluating by the controller and processor, Cymulate’s SaaS-based, on-demand assessment platform is the perfect tool for regular testing and assessment of the organization’s security posture and true preparedness to handle cybersecurity threats.

In Article 35 (Data protection impact assessment), paragraph 1, the GDPR states: “Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”

Using Cymulate’s assessment platform enables carrying out such an assessment anytime. The on-demand simulations deliver immediate results, with a full picture of an organization’s security posture.

In short, Cymulate assists organizations in intelligently implementing fixes to mitigate vulnerabilities in the infrastructure and prevent actual breaches. This is especially valuable for organizations of all sizes that still need to meet the stringent information security and privacy standards associated with the GDPR.

Want to find out if your security posture truly complies with the GDPR? If yes, sign up for our FREE assessment without any obligation. See for yourself how Cymulate’s automated platform simulates continuous attacks on different vectors to locate vulnerabilities, allowing you to mitigate issues so you will be GDPR compliant.
