GDPR: Get Your Priorities Straight

GDPR: Forget the Damned Fines, Worry About Staying in Business!

How many ‘news’ articles, blogs and ads have you seen with titles like “You could be fined up to 4% of your global revenue under GDPR!”, a.k.a. “Be afraid and give us lots of money, you clueless sap.”

I’m seeing it from every online cybersecurity publication, lawyers, cybersecurity vendors / consultants, and increasingly from cyber insurance vendors. I’m even getting spammed from people I KNOW!

It’s more than a little irritating …frankly, it borders on unprofessional.

I can understand lawyers jumping on the bandwagon. The GDPR was written by lawyers, and if you don’t get a lawyer’s input on how GDPR will affect your business, you deserve a 4% fine. Yes, privacy lawyers are expensive, and yes, it’s bloody annoying to spend this money on something that adds absolutely nothing to the bottom line, but do it anyway. At the very least, piggy-back off a business partner that has spoken to a lawyer!

And no, asking your contacts on LinkedIn is not the same thing.

For cyber insurance vendors, I can fully appreciate how tough it’s been to find something to pin a marketing budget on. Ambivalence towards cybersecurity is legendary. But what I cannot condone is using GDPR’s fine structure to scare organisations into buying a policy that will likely be completely inappropriate. Even choosing the right cyber insurance requires significant due diligence.

As for cybersecurity vendors, I’ve already addressed them in GDPR and Cybersecurity, a Very Limited Partnership. They simply have no right to bring up a 4% fine in a sales pitch when the maximum fine for a data breach (the security and breach-notification obligations fall under Article 83(4)) is 2%, not 4%.

There is a lot more than fines in the GDPR of which you should be aware, but first…

About the Fines…

…borrowing heavily from my previous blog;

The ceiling for the most serious infringements is €20,000,000 or, in the case of an undertaking, 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)); for the security and breach-notification obligations, among others, it is €10,000,000 or 2% (Article 83(4)). Note the wording: because of “whichever is higher”, the fixed amounts are not reserved for large organisations. What the percentages tell you is the scale on which the EU considers a fine “effective, proportionate and dissuasive” (Article 83(1)). A 4% fine only reaches €20,000,000 for an undertaking turning over €500,000,000, and a 2% fine only reaches it at €1,000,000,000. Yes, that’s 1 BILLION.

It must follow that if 4% is the maximum, then fines go down the less egregious the offence. Everything you need to determine the level of ‘egregiousness’ is contained in the 11 items of Article 83(2)(a) – (k). Words like ‘intentional’, ‘negligent’, ‘degree’ and ‘manner’ are bandied around, all of which you can assess for yourself.

In this spreadsheet, I have taken a stab at adding specific questions to each of the (a) – (k) line items. Answer them all truthfully and you’ll get an indication of what I consider to be an appropriate fine based on your annual revenue: GDPR Fine Worksheet. Note: This is based on data breaches only (2% fine structure), and is not based on anything resembling known fact or precedent.

Frankly, it’s not the fines you should be worrying about, as I get the feeling you have to REALLY screw up before they’ll even be considered in the first place.

Worry about the ‘Corrective Powers’

What no-one seems to be writing about are the other so-called ‘corrective powers’ detailed in Article 58(2) that each member state’s supervisory authority will wield. Some of these are far worse than fines, and from what I know of GDPR, far more likely to be put into effect first.

Article 58(2) starts out very reasonably; 58(2)(a), (b) and (c) are:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation; [i.e. be careful]

(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; [i.e. smack on the wrist]

(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation; [i.e. now do it properly, we’re watching]

..then it gets a little more punitive in (d) and (e):

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; [i.e. now do it properly, or else]

(e) to order the controller to communicate a personal data breach to the data subject; [i.e. tell everyone with whom you do business that you f*&%ed up]

…then there’s the stuff that could put you out of business (assuming personal data is central to it) from (f) through (h):

(f) to impose a temporary or definitive limitation including a ban on processing; [i.e. stop everything you’re doing with personal data, now]

(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19; [i.e. you can’t do what you do with personal data the way you were doing it]

(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; [i.e. good luck getting anyone in the EU to do business with you]

…and NOW the fines:

(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; [i.e. not only can we stop you doing business, but we can also fine you]

…and finally, back to the potentially out of business:

(j) to order the suspension of data flows to a recipient in a third country or to an international organisation. [i.e. specific to cross-border, but you’re screwed if this is relevant]

Now ask yourself; can a cybersecurity vendor help you in a scenario where the data is safe but you’re just not allowed to use it? Could cyber insurance replace your ENTIRE business and customer base?

Clearly not, so the only people you SHOULD be talking to right now are privacy experts. Not someone who passed a 75 question multiple choice exam to put the Certified Information Privacy Professional (CIPP) acronym after their name, or who completed the Certified GDPR Practitioner course, but a lawyer. And not just any lawyer, a lawyer who specialises in privacy.

I’m not disparaging the CIPP/E or EU GDPR P certifications; they are actually very good foundations for anyone wanting to ask a true expert the right questions. And if, as per Recital 13, “…this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.”, you are small enough not to have to worry about recording your processing, maybe someone with these certs is good enough. Read the derogation itself (Article 30(5)) before relying on it, though: it falls away if the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or criminal conviction data.

It’s up to you, you’re the ones betting your businesses on it.


Cyber Insurance

Is Cyber Insurance a Good Idea?

Yes …mostly.

Not that the question is even relevant: like it or not, cyber insurance is already here and will only continue to grow. The number of regulations that reserve the right to levy fines – some potentially astronomical – is growing to the point that they will feature large on any list of business risks. Or at least they should.

The challenges in bringing this to market are numerous, but mostly on the insurance company side. Security is almost the definition of risk: it’s incredibly diverse, and forever changing and expanding. And not yet considered important enough.

With car insurance, for example, the more cars you have on the road, the slower everyone has to go, so you actually REDUCE the risk. What once was a few very costly collisions is becoming more fender-benders. So just up your no-claims bonus and even those claims will reduce.

The more computers and smart phones on the Internet, the more data you have everywhere, and the risks grow almost exponentially.

How do you insure that? If you don’t know security well, how do you write the policies? How do you perform appropriate due diligence on a concept that’s new to everyone? How do you perform PROPER due diligence in the face of stiff competition?

There are policies out there already, but these have been driven by specific regulations (PCI DSS or HIPAA, for example), are aimed mostly at smaller organisations, and are very much off-the-shelf affairs with limited – in some cases VERY limited – due diligence. In fact, the pressure is on to make it as simple as possible or you’ll lose the deal; if your insurance company has a 12 page questionnaire and your competition has only 1 (assuming price and T&Cs are the same), where will the buyers go?

Of course, the competition may end up regretting their stupidity later, but new insurance types are a very rare occurrence, and no-one wants to lose out on a revenue stream.

But what happens when VERY large organisations wish to insure themselves against the potential fines of the General Data Protection Regulation (GDPR), where 2% of global revenue (4% for the most serious infringements) is at stake? When multi-millions are on the line, a one page questionnaire that asks nothing about security will not suffice. What does that due diligence look like?

I believe it will run the gamut from some limited external vulnerability scanning in the case of smaller e-commerce, to an onsite audit in the case of a Fortune/FTSE 500. The better your security, the cheaper your policy. This may save pennies for smaller organisations, but would be of real significance to the larger ones.

However, I have always compared selling security to selling insurance: no-one wants to spend money where there’s no positive ROI, i.e. MAKING money. But the ‘negative’ ROI can be just as important: not LOSING money on fines, forensics, reputational damage, client loss etc. can be every bit as meaningful.

Now combine selling insurance FOR security and you’ve lost almost before you start. That is, of course, until the costs of loss far outweigh the costs to insure.

Poor security drives the need for regulation, regulatory fines will drive the cyber insurance market, which in turn will drive the security market. Eventually I would hope that organisations understand that they have brought this on themselves by not taking security and privacy seriously. Until they do, the burden of regulatory audit and the associated cost of mitigation will continue to rise in the face of public demand.

Regulation and cyber insurance are just symptoms of poor security, and as I have stressed many times, this is a cultural issue stemming from senior management’s lack of involvement and/or caring:

Let’s be very clear: the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [goal], it’s the CEO’s fault, and no-one else’s.

Replace “goal” with “low security overhead”  and the rest is the same.

Sensing a theme here?

The CEO can single-handedly reduce the costs of security, I wonder why so few are paying attention…