{"id":9079,"date":"2017-09-05T05:00:14","date_gmt":"2017-09-05T13:00:14","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/05\/news-2852\/"},"modified":"2017-09-05T05:00:14","modified_gmt":"2017-09-05T13:00:14","slug":"news-2852","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/09\/05\/news-2852\/","title":{"rendered":"Edith Wharton, Identity Theft, and the GDPR"},"content":{"rendered":"<p><strong>Credit to Author: William &#8220;Bill&#8221; Malik (CISA VP Infrastructure Strategies)| Date: Tue, 05 Sep 2017 12:00:23 +0000<\/strong><\/p>\n<p><img width=\"300\" height=\"205\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/08\/gdpr-smbs-300x205.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" \/><\/p>\n<p>During one of my talks for Gartner, I asked the audience, \u201cHow many of you have ever had anything stolen?\u201d Many hands went up. Then I asked, \u201cHow did you know it was stolen?\u201d The answer generally offered was, \u201cI looked for it, and it wasn\u2019t there.\u201d Data theft, and in particular identity theft, is different. The problem isn\u2019t that you don\u2019t have the data. The problem is that someone else, who should not have it, does.<\/p>\n<p>In 1903 the novelist Edith Wharton was a victim of identity theft. 
A woman claiming to be Edith Wharton was charging money to deliver lectures on Edith Wharton\u2019s novels. Her publisher asked Mrs. Wharton to provide a photograph, which they printed on her books, to deter this impersonator.<\/p>\n<p><img class=\"alignright wp-image-539672\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/08\/wharton.jpg\" alt=\"\" width=\"200\" height=\"365\" \/><\/p>\n<p style=\"text-align: right\"><em>Figure 1: The Real Edith Wharton<\/em><\/p>\n<p style=\"text-align: left\">This authentication mechanism was effective, and the impersonations ceased.<\/p>\n<p>The European Union\u2019s GDPR (General Data Protection Requirement) obliges firms that hold personally identifiable information to care for it appropriately. With roots in the 1890 Harvard Law Review article \u201cThe Concept of Privacy,\u201d the GDPR provides that, for all citizens of European Union countries,<\/p>\n<p>1) The individual knows what information is being collected about them,<br \/> 2) The individual knows how that information is being used, and<br \/> 3) The individual has the right to be left alone (i.e., they can \u201copt out\u201d).<\/p>\n<p>If the firm inadvertently releases personally identifiable information, they have to figure out what happened, make sure it stopped, inform the affected persons, and inform the National Data Protection Authority. 
The firm has 72 hours from the time the breach is discovered to make this notification.<\/p>\n<p>If a firm fails to achieve this, the fines can be substantial \u2013 up to 2% of annual revenue for each incident (global revenue, not just in the specific jurisdiction where the breach occurred) but not more than 4% of a firm\u2019s total revenue.<\/p>\n<p>If an individual wants to opt out, the process has to be as simple and effective as the process for opting in, with no obscure \u201clegalese\u201d in the way.<\/p>\n<p>This Requirement replaces the earlier European Data Privacy Directive. Under the EDPR, non-European countries could negotiate alternative regimes. That led to the US Safe Harbor, which failed to provide the level of protection the EU felt was necessary. The GDPR will be in force as of May 25, 2018.<\/p>\n<p>Any firm that holds personally identifying information of any European citizen must be ready to manage those identities effectively and comprehensively. Identity management tools exist to allow firms to achieve compliance and avoid fines.<\/p>\n<p>Trend Micro does not make or sell Identity Management products; we use them to manage the identities of our employees, partners, and customers. Enhancing business processes to preserve compliance with the laws and regulations of various jurisdictions is part of the cost of doing business. (Earlier this year, in response to customer requests, our legal team redrafted our EULA so most customers can use it as-is, without requiring contract negotiations or alternative language.)<\/p>\n<p>Your firm probably does business with European citizens. This regulation sets a much higher bar than existing US domain-specific regulations. Consider how you will comply with the GDPR by next spring.<\/p>\n<p>The goal of an information security program is to ensure that information is not lost, altered, or inadvertently disclosed. 
Deploying an identity management program is neither quick nor easy, but it is the law, and it is the right thing to do. Edith Wharton, the first female winner of the Pulitzer Prize, would be well pleased.<\/p>\n<p>Tell me your thoughts by posting a comment below or tweeting me <a href=\"https:\/\/twitter.com\/WilliamMalikTM\">@WilliamMalikTM<\/a>.<\/p>\n<p><a href=\"http:\/\/blog.trendmicro.com\/edith-wharton-identity-theft-gdpr\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[14364,714],"class_list":["post-9079","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-compliance-regulations","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9079","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9079"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9079\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9079"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9079"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9079"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}