Posted by Tim Mackey on April 12, 2018
It’s been quite an interesting few weeks in the land of data breach disclosures. We started with Under Armour disclosing a breach in their MyFitnessPal application that impacted 150 million users. A few days later, Lord & Taylor and Saks Fifth Avenue disclosed a breach impacting millions of their in-store shoppers. Later the same day, we learned that Panera Bread had been leaking private user details for its millions of online users for eight months. Three days later we had yet another breach disclosure from Delta Airlines and Sears Holdings, who were using third-party chat services from 7.ai. The 7.ai breach then expanded to include Kmart and Best Buy a few days later.
Of course, these data breaches are all playing out against the backdrop of Facebook, Cambridge Analytica, and the 2016 U.S. elections. As I write this post, Facebook CEO Mark Zuckerberg is before the U.S. Congress answering questions from legislators seeking to understand how to best regulate information sharing in the digital age.
If you’ve become a bit desensitized by the continuing flood of new disclosures, you’re not alone. Brace yourself though, because you’re also about to be subject to new waves of disclosures within the next couple of months. This is due to a European Union regulation known as the General Data Protection Regulation (GDPR). GDPR takes effect on May 25. It states that in the event of a breach, an organization has 72 hours to disclose the breach to regulators—and that there be no “undue delay” in notifying impacted individuals. There are severe penalties for failing to disclose breaches, so we expect that compliant organizations will disclose quickly.
As part of my job, I travel and speak at events globally, so I’ve heard a lot of buzz about GDPR for the better part of the last year. While I focus more on open source and application security, I’ve been paying close attention to how the EU is handling data privacy and protection. One of the best questions I’ve heard asked was “I don’t do business in the EU, so I’m safe, right?” The answer was enlightening for me—“Unless you ensure no EU users are in your dataset, you’re likely impacted.” Put another way, if you have an online presence and save personal data on users, you might have an EU user. Even if you do business only in non-EU countries, there’s nothing to say that an EU citizen isn’t doing business with you. For that matter, you could have existing customers who move to the EU and become EU residents. In other words, GDPR is complicated. Seek out responsible legal advice to make a proper determination of the risks at your organization to ensure that you’re following the guidelines laid out.
Looking at GDPR through the lens of these recent data breaches, we can make a few conclusions:
Preparing for increased regulations means understanding the security implications of your applications in the face of those regulations. It’s not an easy job to keep on top of this changing regulatory climate, but with the right partner, the process is easier. Synopsys and Black Duck are your security partners in this journey. RSA is next week, and if you are an attendee, please do stop by our booths in the South Expo Hall and ask the team how we can help you secure your applications and production containers so your organization isn’t the next one making headlines for yet another data breach.