Starting 25 May 2018, any organization that operates in Europe or holds data on European Union residents can face penalties of up to 4 percent of global annual turnover or €20 million, whichever is greater, if it fails to protect that data. This is under the European Union General Data Protection Regulation (EU GDPR), which was proposed in 2012, adopted in April 2016, and becomes enforceable on May 25, 2018. Because it is a regulation rather than a directive, GDPR applies directly in all 28 EU member states from that date without separate national legislation.
A distributed denial of service (DDoS) attack can often be the opening move in a damaging, costly breach of sensitive data. It is now well known that attackers use sub-saturating, low-threshold DDoS attacks as a means to distract attention from their real objective, usually data theft and network infiltration. Such smokescreen DDoS attacks are designed not to deny service but to stay below the bandwidth-based thresholds that trigger volumetric mitigation, while the attackers test for vulnerabilities within the network and gauge the success of new techniques without being detected.
According to the EU GDPR website, personal data is “Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
Organizational Data Protection Responsibility
In the United States there are already numerous regulations and standards to protect confidential and sensitive data, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). GDPR, adopted by the European Parliament and Council, adds a new layer of organizational compliance responsibility on top of these.
The EU GDPR website summarizes the regulation’s territorial scope: “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
Financial and Legal Impacts of Breaches
In this global economy, many organizations across the globe have customers or constituents who reside in Europe. Imagine a scenario in which your customer database is raided by attackers; theft of cardholder data covered by PCI DSS or health data covered by HIPAA is becoming much more common, and companies are “on the hook” for protecting that data. The financial and legal ramifications are enormous.
With EU GDPR on the horizon, the financial and legal risks associated with a sensitive data breach are extremely serious. Claiming to be ignorant of malicious activity on your network will not serve as a defense, and the regulation also expects you to notice breaches promptly: Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach. To keep up with the growing sophistication and organization of well-equipped and well-funded threat actors, it is essential that organizations maintain comprehensive visibility across their networks so that they can detect and block DDoS incursions as they arise, including the low-volume ones that a capacity-based alarm never sees.
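The smokescreen technique described above and the visibility requirement in the previous paragraph both come down to one detection question: does your monitoring fire only when the link saturates, or also when load deviates from baseline? The following Python script is an added example, not code from the original article or from any vendor. It runs two detectors over constructed flow records (timestamp, source IP, destination port, bytes): a classic volumetric alarm that fires at 80 percent of an assumed 1 Gbps uplink, and a baseline-deviation alarm that learns normal load from the first six 10-second windows. The constructed flood runs at roughly 3 percent of link capacity, so only the second detector fires, and the script then lists sources that probed several ports during the alerted windows. The link capacity, window size and sigma multiplier are assumptions chosen for the example.

```python
"""Detecting a sub-saturating DDoS in flow records (added example, synthetic data)."""
from collections import defaultdict
from statistics import mean, pstdev

LINK_CAPACITY_BPS = 1_000_000_000   # assumption: 1 Gbps uplink
SATURATION_FRACTION = 0.8           # volumetric alarm fires at 80% utilisation
WINDOW_SECONDS = 10                 # aggregation window for flow records
BASELINE_WINDOWS = 6                # first N windows define "normal" load
SIGMA_K = 4.0                       # alert when load > mean + K * stdev of baseline


def make_sample_flows():
    """Constructed flow records (epoch_s, src_ip, dst_port, bytes); not real telemetry.
    Windows 0-5: 0.4-0.56 Mbps of normal HTTPS traffic from 20 clients.
    Windows 6-8: ~32 Mbps from 200 sources (about 3% of link capacity, nowhere
    near saturation) plus one host touching several service ports."""
    t0 = 1_700_000_000
    flows = []
    for w in range(BASELINE_WINDOWS):
        per_client = 5 + (w % 3)                       # mild natural variation
        for c in range(20):
            for f in range(per_client):
                flows.append((t0 + w * WINDOW_SECONDS + f, f"10.0.{c}.{f + 1}", 443, 5000))
    for w in range(BASELINE_WINDOWS, BASELINE_WINDOWS + 3):
        for s in range(200):                           # distributed, low-rate flood
            for f in range(10):
                flows.append((t0 + w * WINDOW_SECONDS + f, f"203.0.113.{s + 1}", 443, 20000))
        for port in (22, 445, 1433, 3389, 8080):       # probing hidden behind the flood
            flows.append((t0 + w * WINDOW_SECONDS + 3, "198.51.100.7", port, 120))
    return flows


def bucket_by_window(flows):
    """Group flows into fixed windows, tracking bytes and ports touched per source."""
    t0 = min(f[0] for f in flows)
    windows = defaultdict(lambda: {"bytes": 0, "ports_by_src": defaultdict(set)})
    for ts, src, dport, nbytes in flows:
        w = windows[(ts - t0) // WINDOW_SECONDS]
        w["bytes"] += nbytes
        w["ports_by_src"][src].add(dport)
    return dict(sorted(windows.items()))


def bits_per_second(window):
    return window["bytes"] * 8 / WINDOW_SECONDS


def volumetric_alerts(windows):
    """Classic capacity-based alarm: fires only when the link nears saturation."""
    limit = LINK_CAPACITY_BPS * SATURATION_FRACTION
    return [i for i, w in windows.items() if bits_per_second(w) > limit]


def baseline_alerts(windows):
    """Deviation-based alarm: fires when load leaves the learned normal band."""
    rates = [bits_per_second(windows[i]) for i in sorted(windows)[:BASELINE_WINDOWS]]
    threshold = mean(rates) + SIGMA_K * pstdev(rates)
    return [i for i, w in windows.items()
            if i >= BASELINE_WINDOWS and bits_per_second(w) > threshold]


def probing_sources(windows, alerted, min_ports=3):
    """Within alerted windows, find sources touching several distinct ports."""
    found = {}
    for i in alerted:
        for src, ports in windows[i]["ports_by_src"].items():
            if len(ports) >= min_ports:
                found.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in found.items()}


def analyze(flows):
    windows = bucket_by_window(flows)
    peak = max(bits_per_second(w) for w in windows.values()) / LINK_CAPACITY_BPS
    base = baseline_alerts(windows)
    return {
        "peak_utilization": peak,               # 0.032 for the sample: invisible to volumetric
        "volumetric": volumetric_alerts(windows),
        "baseline": base,
        "probes": probing_sources(windows, base),
    }


if __name__ == "__main__":
    result = analyze(make_sample_flows())
    print(f"peak utilisation: {result['peak_utilization']:.1%}")
    print("volumetric alerts:", result["volumetric"])
    print("baseline alerts:  ", result["baseline"])
    print("probing sources:  ", result["probes"])
```

The point of the two detectors side by side is that the volumetric alarm never fires: 32 Mbps against a 1 Gbps link is not a denial of service. The baseline alarm flags windows 6 to 8, and correlating the alerted windows with per-source port activity surfaces the single host that used the noise as cover to probe SSH, SMB, MSSQL, RDP and a web port. In production the baseline would be learned per destination and time of day rather than from six fixed windows, and the probe check would run against the full connection log, but the shape of the logic is the same.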
According to ComputerWeekly.com, “Organisations that have failed to heed advice not to wait until the publication of the final text of the GDPR before taking action will face the challenge of having only two years to implement all the necessary changes to their systems and operations to meet the new compliance requirements.”
Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for infringing GDPR. Individuals may also sue an entity for compensation if they have suffered damage or distress as a result of its non-compliance with the regulation.
There is a countdown running on the EU GDPR website; as of this writing, organizations have 323 days to become compliant. Use that time to tighten up your network security, including detection of the low-volume attacks described above. Not doing so could cost you a great deal in regulatory penalties and lawsuits from individuals.
For more information, contact us.