Data Breaches under the GDPR
The General Data Protection Regulation (GDPR) came into force across the European Union on 25 May 2018. It is a piece of legislation designed to protect the personal data of people living in the EU. The maximum potential fine rose to €20 million (about £17.6 million at the time) or 4% of global annual turnover, whichever is higher.
The GDPR requires that organisations meet specific standards whenever they handle the personal data of individuals in the EU. That includes the obligation to notify the relevant supervisory authority (in Ireland, the Data Protection Commission) within 72 hours of becoming aware of a personal data breach, and to tell the affected individuals without undue delay when the breach is likely to put them at high risk.
Under the GDPR, a personal data breach is any breach of security that leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. It does not have to be a malicious attack: a lost laptop or a misaddressed email counts just as much as a deliberate intrusion.
Data Breach Prior to GDPR
Until the GDPR came into force in May 2018, it was difficult to pin down the exact cost of a data breach, because companies were rarely forthcoming about what they spent on cleaning up. Studies such as the Ponemon Institute's annual Cost of a Data Breach report help paint a clearer picture.
Equifax had spent $242.7 million on its 2017 data breach by mid-2018, with more still to come. The breach exposed sensitive personal and financial information of some 148 million consumers. That is a huge hit, and the way in was a months-old unpatched Apache Struts vulnerability in a public-facing web application: encryption at rest would not have saved Equifax on its own, because an attacker who controls the application reads the data the same way the application does.
Post GDPR Data Breach
The Eir data breach occurred after the GDPR came into force and is a useful example of both what prevents a breach and what to do if one occurs anyway.
Eir
Eir is the new name for eircom and operates the most extensive telecommunications network in Ireland, providing fibre broadband, TV, 4G mobile and voice services to millions of customers. It was the first company in Ireland to offer all four of these services together as a single bundle.
The Data Breach
On 12 August 2018, Irish telecoms company Eir suffered a data breach when a staff member's laptop was stolen, potentially exposing personal information belonging to 37,000 Eir customers. The laptop held names, email addresses and account numbers. It was password-protected but, at the moment of the theft, unencrypted: a defective security update applied the previous workday had left the disk decrypted, and the laptop was stolen in that small window. A login password is only a thin layer of protection for a stolen device, because the drive can be removed and read on another machine; full-disk encryption is the control that actually protects data at rest, and here it had silently failed.
Next Plan of Action
Eir did many things right in their response to the data breach.
- Following the procedure laid out by the GDPR, Eir immediately informed the Office of the Data Protection Commissioner.
- Eir assured its customers that it has stringent data protection rules, and added that customers could set a secondary security question on their account for extra protection. In general, consumers should take advantage of every security option a provider offers, whether that is adding a security question, enabling two-factor authentication where it exists, or changing a password as soon as there is any sign it may have been exposed.
- Password protection on the laptop was one layer of defence, but it is not a substitute for encryption: the protection that mattered was full-disk encryption, and a faulty update had removed it. Encryption should be the centrepiece of any data security strategy, and it has to be verified rather than assumed. An endpoint check that confirms each device's disk is still encrypted after every update would have flagged this laptop before it ever left the building.
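The kind of check that catches a "decrypted by a bad update" laptop, as an added example that is not part of the original article and is not Eir's own tooling: it parses `lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME` output on a Linux endpoint, walks each mounted filesystem up the block-device tree, and reports any mount that is not sitting on a `crypt` (LUKS/dm-crypt) mapping. The sample output, the exempt list and the function names are this example's own assumptions; on Windows the equivalent status comes from `manage-bde -status` or `Get-BitLockerVolume`.

```python
"""Endpoint check: flag mounted filesystems not backed by an encrypted block device.

Input is the output of `lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME` (Linux, util-linux):
one device per line, space separated, PKNAME = parent device name.
A mount counts as encrypted if the device or any ancestor is a `crypt` mapping,
so LVM on top of LUKS is handled as well as a bare LUKS volume.
"""
import subprocess
from typing import Dict, List, Tuple

LSBLK_CMD = ["lsblk", "-rno", "NAME,TYPE,MOUNTPOINT,PKNAME"]

# Constructed sample output (not captured from a real machine): the root filesystem
# sits on a LUKS mapping, /boot is a plaintext partition that is normally exempt,
# and /home sits directly on an unencrypted partition, which is what we want to catch.
SAMPLE_LSBLK = "\n".join([
    "sda disk  ",
    "sda1 part /boot sda",
    "sda2 part  sda",
    "cryptroot crypt / sda2",
    "sdb disk  ",
    "sdb1 part /home sdb",
])

# Mount points that are legitimately unencrypted on a LUKS-based laptop (assumed policy).
DEFAULT_EXEMPT = ("/boot", "/boot/efi")


def parse_lsblk(raw: str) -> Dict[str, Dict[str, str]]:
    """Parse raw lsblk output into {name: {"type", "mount", "parent"}}."""
    devices: Dict[str, Dict[str, str]] = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        # -r mode separates columns with single spaces and encodes spaces inside
        # values as \x20, so split on " " exactly and pad any missing trailing columns.
        parts = line.split(" ")
        parts += [""] * (4 - len(parts))
        name, dtype, mount, parent = parts[:4]
        devices[name] = {
            "type": dtype,
            "mount": mount.replace("\\x20", " "),
            "parent": parent,
        }
    return devices


def is_encrypted(name: str, devices: Dict[str, Dict[str, str]]) -> bool:
    """True if the device or any ancestor in the block tree is a crypt mapping."""
    seen = set()
    while name and name in devices and name not in seen:
        seen.add(name)
        if devices[name]["type"] == "crypt":
            return True
        name = devices[name]["parent"]
    return False


def find_unencrypted_mounts(raw: str, exempt=DEFAULT_EXEMPT) -> List[Tuple[str, str]]:
    """Return sorted (mountpoint, device) pairs for mounted, non-exempt, unencrypted devices."""
    devices = parse_lsblk(raw)
    findings = []
    for name, info in devices.items():
        mount = info["mount"]
        if not mount or mount in exempt or mount == "[SWAP]":
            continue
        if not is_encrypted(name, devices):
            findings.append((mount, name))
    return sorted(findings)


def check_live_system(exempt=DEFAULT_EXEMPT) -> List[Tuple[str, str]]:
    """Run lsblk on this host and return its unencrypted mounts (Linux only)."""
    raw = subprocess.run(LSBLK_CMD, capture_output=True, text=True, check=True).stdout
    return find_unencrypted_mounts(raw, exempt)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; swap in check_live_system() for a real host.
    findings = find_unencrypted_mounts(SAMPLE_LSBLK)
    for mount, dev in findings:
        print(f"UNENCRYPTED: {mount} on {dev}")
    raise SystemExit(1 if findings else 0)
```

Run from a post-update hook or a fleet agent and treat a non-zero exit as a blocking finding: a device that reports an unencrypted data mount should not be allowed back on the network, let alone out of the office, until encryption is re-enabled.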