Addressing privacy concerns and bringing more disclosure to users is long overdue, but the 72-hour reporting rule might do more harm than good.
The past week was important for you and your personal information, whether or not you live in the EU.
GDPR, the General Data Protection Regulation that sets rules for how the personal data of people in the EU is collected and processed, is now in force. It's a great idea: uniform rules about how your information is gathered, how it's stored, and how you can take it back are long overdue. There has been (and will continue to be) plenty of discussion over what's good, bad and ugly about GDPR, but most people who work in information security agree that the goals are well-intentioned and will provide the kind of protections we all need in the 21st century.
A bunch of popular websites just aren't available to European visitors because they aren't GDPR-compliant.
The individual articles of GDPR, however, aren't so universally praised. Having gone into effect Friday, May 25, we already see fallout: the New York Daily News, Chicago Tribune, LA Times and other high-profile websites are now unavailable in countries covered by GDPR because they weren't ready for the new rules. Many other websites and online services have bombarded users with new terms to agree to, and complaints have already been filed against Google and Facebook on the grounds that their services cannot be used without consenting to data collection, which leaves users no real way to opt out.
Issues like these aren't surprising. Neither is the sentiment that cloud-based services will lose revenue and be forced to raise prices as a result of GDPR, something half the attendees of Infosecurity Europe 2018 expect to happen soon. They also feel that GDPR will stifle innovation, because small organizations will not be able to afford the infrastructure needed to be compliant. This is good discussion by the people who need to be having it. Better privacy is worth the hours of back-and-forth needed to get it right.
But there's one part of GDPR that I think is going to do more harm than good: Article 33's 72-hour reporting rule. You can read the full text here, but the gist of it is that an organization holding the personal data of people in the EU is responsible for any breach of that data, whatever the cause, and must notify the supervisory authority within 72 hours of becoming aware of the breach. The article does allow the details to be supplied in phases when they are not all available at once, but the clock still starts at 72 hours, and two aspects of the rule are going to lead to service providers covering up data breaches rather than responsibly reporting them.
The first is the supervisory authority itself. Different countries have different ways of governing their citizens, but one thing they all have in common is preferential treatment when it comes to creating and staffing any official body. A friend of a friend, or that third cousin who can't stop asking for a handout, is a prime candidate for any seat, yet when the primary goal is protecting user data, only the most qualified individuals should be considered. Let's hope that's exactly what's done here, and that the regulation is interpreted and enforced by people who are qualified and have our best interests at heart.
Small companies without the resources necessary to do a full breach investigation may choose to cover them up.
A bigger issue is the forced 72-hour reporting window. Even a fully staffed Fortune 500 organization is not going to know enough about a data breach within 72 hours to start filing meaningful reports with a government agency. Given such a short time, expect little more than a company's information security officer saying "there was a breach and we're not yet sure of any details." That is a waste of time for everyone involved, and I'd rather that time be spent trying to find out the why, the how, the when, and the who surrounding any type of data breach.
A smaller company that may already be struggling to meet GDPR compliance will be tempted to see whether it can contain the breach and mitigate the damage on its own, without filing any reports. When you're under pressure and understaffed, a cover-up can sound like the right option.
Clearly, it never is. But companies great and small have been known to choose the wrong option time and time again when it comes down to the wire. Any regulation designed to protect users from companies making poor decisions is better without a rule that may push them to do just that.
Responsible and prompt reporting of a data breach is a must; forcing companies that harvest and hold our data to do the right thing isn't of much use without it. Creating the right oversight body, staffed with the right people, to revise how break-ins are treated (or even to offer assistance when they happen) would go a long way toward making GDPR a template for the rest of the world to follow.
May 26, 2018 at 04:00AM