This article originally appeared as a byline by Fortinet's Jonathan Nguyen-Duy in Security Magazine as “A Year Later, Has GDPR Raised the Bar on ‘Reasonable Security’?” on May 24, 2019.
Privacy laws have historically faced a number of challenges: they applied only to a single sector (retail, healthcare, finance), were too specific, or used a “check box” approach that failed to anticipate digital transformation well enough to provide real protection.
“The EU’s 1995 Data Protection Directive (which the GDPR replaced) allowed individual member nations to write and pass their own breach-notification laws. Not only did these laws sometimes tend to be incomplete, but the enforcement and requirements were also inconsistent. Multi-national companies were especially challenged, as data gathered in a specific country had to be managed differently than data collected in a neighboring one.”
The GDPR solved many of these previous issues by establishing a common and broader definition of personal data, including things like biometric data, mobile device identifiers, and other data that could be used to identify an individual, determine their location, or track their activities. This has not only provided better protection for individuals, it has also expanded our visibility into what types of breaches are occurring and what countermeasures need to be in place.
It has also been a catalyst for other privacy laws to be created. The California Consumer Privacy Act (CCPA) enhances the privacy rights of residents of the state of California. All companies that serve California residents and that have at least $25 million in annual revenue, hold personal data on at least 50,000 people, or generate more than half of their revenue from the sale of personal data fall under the law. And like the GDPR, companies don’t have to be based in California or have a physical presence there to fall under the law.
The CCPA also has a broader definition of what constitutes private data than the GDPR, adding such things as IP addresses, geolocation data, and shopping, browsing, and search histories—placing additional pressure on organizations to locate and secure that private data.
One of the challenges of complying with regulations is that they tend to use vague terminology such as “reasonable security” or “due care.” These terms are used in most legislation because specific technology requirements can literally become obsolete between the time a bill is proposed and when it becomes law.
Vague wording is also necessary because these laws may span a variety of markets and industries. Due care and reasonable security for the financial sector may be very different from what they are for a healthcare provider. As a result, standards are usually vague and provide only general guidance. This forces organizations to review their controls, processes, and technologies to determine what constitutes a reasonable level of due care for their industry, network framework, and use case in order to mitigate risk.
“And from a legal perspective, the notion of “reasonable security” often gets translated in court as to whether the organization met “professional standards of care,” such as NIST 800-53, which are more strict than the ordinary “prudent person” standard and have the potential to increase liability. And given the potential severity of the penalty for a breach, organizations are being advised to err on the side of caution.”
These new laws are also elevating the conversation from the wiring closet to the boardroom. Regulations with significant financial consequences are forcing the C-suite to not only ask, “have we implemented reasonable due care?” but “how do we know?” This is leading to conversations about how to prioritize security, how to fill gaps and ensure consistency, and make sure that security efforts are properly staffed and budgeted.
“Many experts believe that as many as 50 percent of companies covered by GDPR are still in the process of compliance, and that the transition will likely go on for another couple of years. But the most important thing is that companies in the EU are now expressing much higher levels of confidence that they will be able to address the GDPR’s data breach notification requirements.”
Privacy laws and similar regulations are about far more than simply securing PII. They are about helping organizations raise their standards, engage in real conversations about security, and make difficult financial decisions that might have been neglected if there weren’t mandates, fees, and penalties attached.
Find out how Fortinet security products, solutions, and services can help organizations mitigate and manage security and data protection obligations under the GDPR.
Find out how Fortinet’s Security Fabric delivers broad, integrated, and automated protection across an organization’s entire digital attack surface from IoT to the edge, network core and to multi-clouds.