Bring out the big guns of data law

Channel opportunities will ensue from the latest and toughest EU salvo on data protection, says Bruce Green

On 25 January, the European justice commissioner Viviane Reding outlined the latest European data protection directive designed to safeguard personally identifiable information stored by private and public sector organisations.

All 27 European member states will be governed by the new laws, which could see companies being fined two per cent of their global turnover if their customers’ privacy is breached. UK firms will have to inform the information commissioner and affected customers within 24 hours of discovering a security breach. Those with more than 250 employees will also have to appoint a privacy officer.

Additionally, under a new “right to be forgotten” rule, customers can ask companies to amend or delete information held about them, even if they initially gave their permission for their information and images to be shared online.

In my view, the harmonisation of data privacy rules across Europe will inevitably increase the data management overhead for companies of all sizes. This is an opportunity for technology providers.

I believe that the prospect of being fined two per cent of turnover will change the economics of security. When the US Sarbanes-Oxley Act was introduced, anecdotes abounded of firms that had assessed the cost of bringing in new security measures, comparing it to potential fines for non-compliance, and opted to take the risk.

Now, with the prospect of substantial fines, the financial risk of a breach will outweigh the cost of compliance.

In addition to the EU fines, a breach can also affect a company’s brand, image and reputation. This will make information security a conversation for the boardroom, not just compliance specialists and privacy officers.

In fact, companies need to be watching constantly for untoward activity on servers, email and web channels. Security researchers find tens of thousands of new malware variants every week. These can disrupt security and operating systems, leak data and cost money. So we predict the European directive will drive a new wave of awareness and innovation in information protection and cyber security.

The latest cyber attacks are much more sophisticated and immediate, rendering traditional anti-malware technology less effective. The high-profile attacks on the customer databases of Zappos and Sony and the intellectual property of RSA were perpetrated using targeted malware that had never been seen before and managed to slip into the network undetected.

If this sort of attack were repeated on a European company, or a US company selling services to European customers, the firm would breach the new EU directive and be liable for the two per cent fine.

Most antivirus, web filtering, firewalls, IDS/IPS and web gateways rely on matching what is scanned on a web page to a list of previously encountered threats, or to a pattern of misbehaviour. Zero-day malware, of course, will not be on a signature list.

If a single infected computer is connected to a command-and-control server and sends back the login details to a corporate network or customer database, this could lead to a breach. Employee behaviour also plays a critical role in maintaining the privacy of the personally identifiable information with which organisations are entrusted.
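The two preceding paragraphs make a point worth seeing concretely: a signature list only catches what has been seen before, whereas the command-and-control traffic a compromised host generates has a shape (repeated connections to one endpoint at near-constant intervals) that can be spotted without any prior knowledge of the sample. The example below is added here for illustration and is not code from the column's author or from M86 Security. All inputs are constructed: the "known-bad" hash list, the three file contents (the third is a hypothetical recompiled variant of the first), and the proxy log lines, which use a host name and a documentation-range IP address chosen for the example.

```python
import hashlib
from collections import defaultdict
from statistics import pstdev

# Constructed signature list: SHA-256 of file contents seen before.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"malware-sample-v1").hexdigest(),
}

# Constructed files observed crossing the gateway. "invoice2.exe" stands in
# for a zero-day variant: same behaviour as v1, different bytes, so no hash hit.
OBSERVED_FILES = {
    "invoice.exe": b"malware-sample-v1",
    "report.pdf": b"harmless document",
    "invoice2.exe": b"malware-sample-v2",
}


def signature_scan(files, known_bad=KNOWN_BAD_HASHES):
    """Return the names of files whose hash appears on the signature list."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() in known_bad)


# Constructed proxy log: "epoch_seconds src_host dst_host bytes".
# ws-17 contacts 203.0.113.45 (documentation range) every 300 seconds,
# the kind of regularity a beaconing implant produces; ws-22 does not.
PROXY_LOG = """\
1000 ws-17 cdn.example.net 5120
1300 ws-17 203.0.113.45 412
1600 ws-17 203.0.113.45 410
1900 ws-17 203.0.113.45 415
2200 ws-17 203.0.113.45 409
1050 ws-22 cdn.example.net 8192
1700 ws-22 mail.example.org 2048
"""


def parse_proxy_log(text):
    """Group (timestamp, bytes) tuples by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        events[(src, dst)].append((int(ts), int(nbytes)))
    return events


def detect_beacons(events, min_events=4, max_jitter=30.0):
    """Flag pairs with at least min_events connections whose inter-arrival
    gaps vary by no more than max_jitter seconds (population std dev).
    Returns (src, dst, count, mean_gap_seconds) for each suspicious pair."""
    suspicious = []
    for (src, dst), evs in events.items():
        if len(evs) < min_events:
            continue
        times = sorted(ts for ts, _ in evs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            suspicious.append((src, dst, len(evs), sum(gaps) / len(gaps)))
    return suspicious


if __name__ == "__main__":
    print("signature hits:", signature_scan(OBSERVED_FILES))
    print("beacon candidates:", detect_beacons(parse_proxy_log(PROXY_LOG)))
```

Run as written, the signature scan reports only `invoice.exe`; the variant passes untouched, which is the gap the column describes. The beacon check, by contrast, flags `ws-17` talking to `203.0.113.45` four times at a steady 300-second cadence without knowing anything about the file that caused it. The thresholds are illustrative; in practice they are tuned against a baseline of the organisation's normal traffic so that CDN polling and mail checks do not trip them.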

There needs to be a culture of security in which every employee understands their responsibility for the data they process. Resellers have always played an important role in raising awareness and in educating users, as well as in selling technology.

Bruce Green is chief operating officer at M86 Security