Data breaches and more data breaches—oh my!

It’s been quite an interesting few weeks in the land of data breach disclosures. We started with Under Armour disclosing a breach in their MyFitnessPal application that impacted 150 million users. A few days later, Lord & Taylor and Saks Fifth Avenue disclosed a breach impacting millions of their in-store shoppers. Later the same day, we learned that Panera Bread had been leaking private user details for its millions of online users for eight months. Three days later we had yet another breach disclosure from Delta Airlines and Sears Holdings, who were using third-party chat services from [24]7.ai. The [24]7.ai breach then expanded to include Kmart and Best Buy a few days later.

Of course, these data breaches are all playing out against the backdrop of Facebook, Cambridge Analytica, and the 2016 U.S. elections. As I write this post, Facebook CEO Mark Zuckerberg is before the U.S. Congress answering questions from legislators seeking to understand how to best regulate information sharing in the digital age.

Protecting information in the digital age

If you’ve become a bit desensitized by the continuing flood of new disclosures, you’re not alone. Brace yourself though, because you’re also about to be subject to new waves of disclosures within the next couple of months. This is due to a European Union regulation known as the General Data Protection Regulation (GDPR). GDPR takes effect on May 25. It states that in the event of a breach, an organization has 72 hours to disclose the breach to regulators—and that there be no “undue delay” in notifying impacted individuals. There are severe penalties for failing to disclose breaches, so we expect that compliant organizations will disclose quickly.

Who is impacted by GDPR?

As part of my job, I travel and speak at events globally, so I’ve heard a lot of buzz about GDPR for the better part of the last year. While I focus more on open source and application security, I’ve been paying close attention to how the EU is handling data privacy and protection. One of the best questions I’ve heard asked was “I don’t do business in the EU, so I’m safe, right?” The answer was enlightening for me—“Unless you ensure no EU users are in your dataset, you’re likely impacted.” Put another way, if you have an online presence and save personal data on users, you might have an EU user. Even if you do business only in non-EU countries, there’s nothing to say that an EU citizen isn’t doing business with you. For that matter, you could have existing customers who move to the EU and become EU residents. In other words, GDPR is complicated. Seek out responsible legal advice to make a proper determination of the risks at your organization to ensure that you’re following the guidelines laid out.

RELATED: The 7 elements of GDPR software security compliance

GDPR and data breaches

Looking at GDPR through the lens of these recent data breaches, we can make a few conclusions:

• Data sharing between organizations is the norm today, and users are unlikely to know what business relationships their data is party to.
• When a breach occurs, notification of impacted users may be challenging due to the lack of a relationship between the breached organization and the end user. Furthermore, the breached organization may not have authorization to use the personal data that was exfiltrated, even to contact impacted users.
• Regulatory requirements to disclose breaches will likely increase the quantity of breaches in the news media. While well-intentioned, an increase in disclosures could well result in increased user stress as they struggle to protect their personal information.