Four months ago, the European Union enforced the General Data Protection Regulation (GDPR) which is a piece of legislation that has been designed for data protection of those living in the EU. The maximum potential fines have risen to £17.6 million or 4% of the global annual turnover.
Data privacy regulations introduced by the GDPR require that companies meet specific standards when personal data of EU citizens and residents are being handled, including the responsibility to notify the data commissioner’s office within a 72-hour slot of data breach discovery.
According to the GDPR, a data breach occurs anytime a customer’s data is unintentionally destroyed, lost, altered or disclosed to the wrong party. This can be by accident or even an act of malice by an attacker.
Data Breach Prior to GDPR
Until the enactment of GDPR in May, it was difficult to pinpoint what the exact cost is to any data breach experienced as companies aren’t too forthwith about the money spent in cleaning up the mess. Studies like the annual Ponemon Institute’s Cost of a Data Breach report helps paint a clear picture.
Equifax spent $242.7 million and more since their 2017 data breach. Their data breach exposed sensitive personal and financial information of a whopping 148 million customers! That is a huge hit and all caused by leaving consumer data unencrypted and welcome to hackers.
Post GDPR Data Breach
The Eir data breach occurred after GDPR was enforced and is a case that works as a great example of what to do to prevent a data breach and what to do if it still occurs.
Eir is the new name for eircom and has the most extensive telecommunications network in Ireland. They provide superfast fiber broadband, TV, 4G mobile and voice services to millions across Ireland. As the first company in Ireland to offer all four of these services together in a great value bundle, Eir became essential to Ireland.
The Data Breach
On August 12th, Irish telecoms company Eir suffered a data breach wherein a staff member’s unencrypted laptop was stolen and resulted in the potential exposure of personal information that belonged to 37,000 Eir customers. The laptop contained details like names, email addresses and account numbers of customers. The saving grace was that the laptop was password-protected. It was stolen during the small window in which a defective security update from the previous workday rendered the device decrypted and vulnerable.
Next Plan of Action
Eir did many things right in their response to the data breach.
- Following the procedure laid out by the GDPR, Eir, immediately informed the Office of the Data Protection Commissioner.
- Eir ensured their customers that they have stringent data protection rules and added that customers could add a secondary security question to their personal data in order to ensure their safety. Essentially, consumers should always take advantage of all security options to keep their user accounts more secure be it adding security questions or even changing passwords regularly.
- By adding password protection to the laptop, Eir integrated a robust, layered data security strategy giving their devices more than one line of defense. Encryption should serve as the centerpiece of any data security strategy.
Adding to these strategies, remote data deletion should be enabled as well in order to offer a reliable safeguard when encryption is made ineffective.
Almost every business uses the cloud and with the continued emergence of the Internet of Things, businesses have never had this much of an opportunity to grow. As much as this is great news, it also implies the possibility of an attack from more avenues that you would need to defend against. Laptops and other portable devices that have sensitive data access will always be a potential data breach risk to organizations. The worst-case scenarios can and will occur.
In the event of a data breach, it must be reported promptly, as specified under GDPR. When an official audit is conducted by regulators, each and every layer of security that is in place, apart from the usual encryption, demonstrates a genuine commitment to data privacy. In the eyes of both the auditors and the public, this level of commitment serves as a positive factor and they will be able to then continue trusting your organization with their data in the future.
By implementing solutions like encryption, businesses can adopt a secure-breach strategy that would make their data inaccessible, if attacked. For businesses to safeguard themselves from disrepute and the impending financial consequences, they would need to invest in such a strategy. The true cost of a data breach under the GDPR might not be too clear but companies should do all they can to never be put in a position where they might find out.