Making a Big GDPR CCPA Issue a Small One

British Airways, now there is a big GDPR issue. 500,000 people were affected over 15 days. Reputation damaged, untold revenue lost and a $230 million fine, and that is before any damages are paid. In my former life, I thought GDPR was a boring tick-box exercise; it really could not be further from the truth. It is a scare-your-pants-off ride, one that needs to be taken very, very seriously. Your company’s existence is at stake.

We have had privacy laws across much of the world (What’s Data Privacy Law In Your Country?) for the last couple of decades, but it is only recently that the stakes have been raised considerably. The European Union’s General Data Protection Regulation (GDPR) was released in 2018, and the update to the California Consumer Privacy Act (CCPA) was released in January 2020. Never before have companies been under so much pressure to keep their customers’ data safe.

GDPR and CCPA may have different applications and qualifying principles; however, they make one thing clear: if you do not look after your customers’ data, you will be fined according to the length and size of the breach. There is also the potential of compensatory action by the affected customers. The scale of the fine is related to how long you were compromised for, how big your business is and how many customers are affected. Therefore, finding a data breach quickly is essential.

The fine alone is bad enough, but things become much worse when we factor in damages payments. Under Article 82 of the EU General Data Protection Regulation (EU-GDPR), affected individuals have a right to compensation for non-material damage. This means each affected party is entitled to compensation for the inconvenience, distress and annoyance associated with the data leak.

British Airways will have to pay up to $2500 per customer. When we tally the total cost of the fine plus damages payments upwards of $600 million, the cost of the breach will be close to $1 billion. Ouch.

Critical data losses most frequently occur client side, with data being stolen from the customer’s browser. This normally happens as customers input their private information into website accounts, login screens or payment pages. Criminal organisations (like the “Magecart” groups) compromise websites and then, unbeknown to the users or the organisation, skim payment and personal data to sell on the dark web. These are often described as “web skimming” or “form-jacking” attacks.

British Airways presumably employs talented security professionals and has a significant security budget. They generally have (or had) a well-regarded technology function. However, even they were hacked. With even the biggest companies being compromised, the key is to take a layered approach to security. Adopt as many prevention tactics as possible, but also ensure that, if the worst actually happens, you respond quickly and effectively.

How can I prevent these kinds of attacks?

Have Great Security Procedures (prevention)

Make sure you patch what needs patching and structure your websites in line with best practice. Vet all third parties before putting them live. Make data protection a part of your development practices and daily routine.

Employ Content Security Policies (prevention)

This is great practice and increases your baseline security. It is, however, very time consuming if you do it yourself, and can be expensive with a tool; either way it slows you down as a business. It is also not foolproof, as Google have shown in their research paper and as Security Boulevard has detailed.
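To make the baseline-security point concrete, here is an added example in JavaScript (not code from the article): a minimal evaluator showing how a restrictive policy refuses the three things a web-skimming script needs, namely loading its script, sending captured data elsewhere and redirecting the checkout form. The page origin, the policy and the skimmer host are constructed placeholders, and the evaluator handles only the source forms shown, not nonces or hashes.

```javascript
// Added example, not the article's code: a minimal evaluator for the CSP directives
// that matter against web skimming (script-src: which scripts run; connect-src and
// form-action: where captured form data can go). Origin, policy, hosts: constructed.
const PAGE_ORIGIN = "https://shop.example";
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example; " +
  "connect-src 'self'; form-action 'self'; img-src 'self' data:";
// Parse "directive src src; directive src ..." into a Map of directive -> sources.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}
// Does one source expression ('self', scheme:, host, *.host) match the URL?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "*") return true;
  if (source.endsWith(":")) return url.protocol === source; // scheme-source, e.g. data:
  const [scheme, host] = source.includes("://") ? source.split("://") : [null, source];
  if (scheme && url.protocol !== scheme + ":") return false;
  if (host.startsWith("*.")) return url.host.endsWith(host.slice(1));
  return url.host === host;
}
// Is loading `urlString` under `directive` permitted? Fetch directives fall
// back to default-src when absent; form-action does not (CSP3 semantics).
function isAllowed(directives, directive, urlString, pageOrigin = PAGE_ORIGIN) {
  const url = new URL(urlString);
  let sources = directives.get(directive);
  if (sources === undefined && directive !== "form-action") sources = directives.get("default-src");
  if (sources === undefined) return true; // no applicable directive: unrestricted
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}
// An injected skimmer is refused at each step it needs: loading its script,
// posting captured data, re-pointing the checkout form. A compromised script on
// an allowed host (cdn.example) still passes: CSP limits exposure, it does not
// replace vetting third parties.
function demo() {
  const csp = parsePolicy(POLICY);
  return {
    siteScript: isAllowed(csp, "script-src", "https://shop.example/app.js"),
    cdnScript: isAllowed(csp, "script-src", "https://cdn.example/lib.js"),
    injectedScript: isAllowed(csp, "script-src", "https://skimmer-host.example/s.js"),
    exfilRequest: isAllowed(csp, "connect-src", "https://skimmer-host.example/c"),
    formHijack: isAllowed(csp, "form-action", "https://skimmer-host.example/pay"),
    inlineImage: isAllowed(csp, "img-src", "data:image/png;base64,AAAA"),
  };
}
```

The same checks are what a browser applies when the policy is delivered in a Content-Security-Policy response header; the evaluator here only makes the decisions visible offline.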

What can’t you account for in prevention?

Human errors happen all the time. Somebody somewhere will mess up, and it is often not their fault. Technical debt, stretched timelines, not enough people and other human fallibilities all contribute to holes in your organisation. These are holes that you have no idea you have. This is how British Airways failed: the attacker got in via an unrelated site and used it to compromise the main site.

Hackers are constantly evolving their tactics, and many of the protocols that cannot be hacked today may be hacked tomorrow. Vigilance is key. Accepting that nothing is perfect and layering your security from initial build all the way to monitoring is the only way to ultimately be safe and protect your customers.

Can I detect attacks and what do I do if I find one?

Monitor for Data Breaches (detection)

If (most likely when!) your layered approach to security fails or someone messes up, you still need to monitor for an actual breach. This is key to reducing the size of your exposure. Detecting a breach in 15 minutes, as opposed to 15 days, reduces your exposure by 99.9%. It can greatly reduce your reputational damage too: the press aren’t interested in companies that have actually done their job properly!

Have a Data Breach Response Plan (detection)

When a breach occurs you need a plan. You need to be able to respond to the ICO (or whichever body is your country’s commissioner). This disclosure should include all the steps you had in place to prevent a breach, and how fast you were able to detect it.

Both prevention and detection are essential to ensure you can make a big GDPR/CCPA issue into a small one.