Edith Wharton, Identity Theft, and the GDPR
Credit to Author: William “Bill” Malik (CISA VP Infrastructure Strategies)| Date: Tue, 05 Sep 2017 12:00:23 +0000
During one of my talks for Gartner, I asked the audience, “How many of you have ever had anything stolen?” Many hands went up. Then I asked, “How did you know it was stolen?” The answers were generally some variant of “I looked for it, and it wasn’t there.” Data theft, and in particular identity theft, is different. The problem isn’t that you no longer have the data. The problem is that someone else, who should not have it, does; you still hold an intact copy, so nothing visibly goes missing.
In 1903 the novelist Edith Wharton was a victim of identity theft. A woman claiming to be Edith Wharton was charging money to deliver lectures on Edith Wharton’s novels. Her publisher asked Mrs. Wharton to provide a photograph, which they printed on her books, to deter this impersonator.
This authentication mechanism was effective, and the impersonations ceased.
The European Union’s GDPR (General Data Protection Regulation) obliges firms that hold personal data to care for it appropriately. With roots in the 1890 Harvard Law Review article “The Right to Privacy” by Samuel Warren and Louis Brandeis, the GDPR provides that, for individuals in the European Union (it protects data subjects located in the EU, not only citizens),
1) The individual knows what information is being collected about them,
2) The individual knows how that information is being used, and
3) The individual has the right to be left alone (i.e., they can “opt out”).
If the firm suffers a breach of personal data, whether through an attack or an inadvertent release, it has to figure out what happened, make sure it has stopped, inform the national Data Protection Authority, and, where the breach is likely to put the affected persons at high risk, inform them as well. The firm has 72 hours from the time it becomes aware of the breach to notify the authority; notification of the affected individuals must follow without undue delay.
Figure 1: The Real Edith Wharton
If a firm fails to meet its obligations, the fines can be substantial. The GDPR sets two tiers: up to €10 million or 2% of annual revenue (global revenue, not just revenue in the jurisdiction where the breach occurred), whichever is higher, for failures such as late breach notification or inadequate security; and up to €20 million or 4% of global annual revenue, whichever is higher, for the more serious infringements, such as violating the basic principles of processing or the rights of data subjects.
If an individual wants to opt out, the process has to be as simple and effective as the process for opting in, with no obscure “legalese” in the way.
This Regulation replaces the earlier European Data Protection Directive (95/46/EC). Under the Directive, non-European countries could negotiate alternative regimes for transferring data out of the EU. That led to the US Safe Harbor framework, which the Court of Justice of the European Union invalidated in 2015 because it failed to provide the level of protection the EU considered necessary. The GDPR applies from May 25, 2018.
Any firm that holds personally identifying information of any European citizen must be ready to manage those identities effectively and comprehensively. Identity management tools exist to allow firms to achieve compliance and avoid fines.
Trend Micro does not make or sell Identity Management products; we use them to manage the identities of our employees, partners, and customers. Enhancing business processes to preserve compliance with the laws and regulations of various jurisdictions is part of the cost of doing business. (Earlier this year, in response to customer requests, our legal team redrafted our EULA so most customers can use it as-is, without requiring contract negotiations or alternative language.)
Your firm probably does business with European citizens. This regulation sets a much higher bar than existing US domain-specific regulations. Consider how you will comply with the GDPR by next spring.
The goal of an information security program is to ensure that information is not lost, altered, or inadvertently disclosed. Deploying an identity management program is neither quick nor easy, but it is the law, and it is the right thing to do. Edith Wharton, the first woman to win the Pulitzer Prize for fiction, would be well pleased.
Tell me your thoughts by posting a comment below or tweeting me @WilliamMalikTM.