GDPR May Not Apply to You. Follow it Anyway

I recently spoke at a small business event, and I asked for a show of hands for those governed by various common data security and privacy regimes (PCI DSS, HIPAA, etc.). I saw giant smiles on the faces of those not raising their hands—a sense of relief for having avoided the extra discipline and effort that compliance requires. My advice to that relieved group: pick a data security regulation anyway—any one of them—and follow it.

With the GDPR deadline just days away, a lot of organizations in the U.S. are feeling like those lucky few small business owners, thrilled that they don’t fall under GDPR. My advice: follow it anyway. Here’s why:

The U.S. will copy elements of GDPR—sooner than you think

The U.S. tends to follow rather than lead when it comes to data privacy regulations. If history repeats itself, U.S. regulators will follow the tenets of GDPR—and likely enhance it (read: make requirements more specific and stricter) based on how GDPR enforcements shake out in the coming months and years. By starting the process of achieving compliance today—before deadlines rush timelines—U.S. companies can take the time to make smart decisions, build future-proof strategies and spread the costs out over time.

U.S. consumers want GDPR-level privacy

We’re seeing a big change in public awareness of data privacy. Everyday people—not just data security pros and regulators—are tuning into the details of what data companies collect about them, and how that personal data is used. As consumers, we’re becoming aware of all the new and terrifying ways our privacy is up for sale. The headline example of this is the Facebook/Cambridge Analytica case. There’s huge value in showing your customers that you go above and beyond, and GDPR is centered on concepts that customers understand and love: consent and the “right to be forgotten.” Moreover, you definitely don’t want to look like you’re taking the easy way out at the expense of your customers’ privacy.

GDPR is good business practice

In board rooms around the country, CEOs are getting grilled on data privacy and data security. No company wants the same embarrassment, fines and costly brand damage that Facebook is enduring. The basic tenets of GDPR—privacy by design, privacy by default, etc.—aren’t really revolutionary. They’re now just best practice for any digital business.

Proactively adopting the tenets of GDPR forces a solution to the fact that most companies don’t have the data visibility needed to understand and implement next-generation data privacy. You need to consider all the vectors within your digital ecosystem—look at all the endpoints floating around your world, instead of just your networks and servers. And you can’t treat all data the same way. You have to be able to recognize your most valuable and sensitive data—and see where it lives and how it moves.

Of course, proactively going above and beyond to secure customer data is a big challenge, to say the least. But, I recently saw something on TV that looked like a much bigger hassle: Testifying in front of Congress. 

Is GDPR-Regulated Data Hiding in Pockets of Your Organization?

Data breaches that compromise critical customer information are the worry that keeps IT people up at night. Unfortunately, what’s considered critical customer information and what you must do to safeguard it has changed dramatically, thanks to GDPR. IT stakeholders at American companies who’ve assumed GDPR does not apply to them may want to take a closer look at what the implications are for U.S.-based companies. GDPR-regulated data can be found in places you might not expect, and the tools you’ve been using to keep track of that data may not provide the visibility you need in case of a breach.

Where does GDPR apply?

First off, don’t assume that being an American company exempts you. GDPR’s territorial scope (Article 3) turns on where the people whose data you process are, not on their citizenship. It applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behavior. A single enquiry that an EU visitor sends through your contact form does not by itself put you in scope, but a site that evidently courts EU visitors, for example with EU-language pages, prices in euros or shipping to EU addresses, does, and supervisory authorities read that test broadly. Once you are in scope, every record you hold about those people is regulated, including that contact-form message.

So where does the data regulated by GDPR live in your organization? The short answer: everywhere your customer data lives and travels within your organization. That doesn’t just mean your CRM system. Employees routinely download and use personal customer information on their endpoint devices, even when company regulations forbid it. You may or may not be surprised to learn that the C-suite is the worst offender at this.

The scope of what GDPR treats as personal data is much broader than you might expect. Most companies already take steps to protect obviously sensitive fields such as credit card numbers or social security numbers. GDPR defines personal data as any information relating to an identified or identifiable natural person (Article 4(1)), which pulls in names, email addresses, account and device identifiers, location data and, as the regulation’s recitals and EU case law make explicit, IP addresses. On top of that sits a narrower class of special-category data (health, biometric and genetic data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation and the like) that may only be processed under strict conditions. So if you’re capturing it and it can be tied to a person, it’s worth protecting.

What does data encryption protect against?

Many IT directors hit the pillow every night with the misguided confidence that their data encryption will prevent any GDPR-related problems. Unfortunately, that’s not always the case.

Encryption protects data at rest against someone who obtains the storage but not the key: a laptop stolen while powered off with full-disk encryption enabled, a backup tape, a database file copied off a server. It does nothing against an attacker who arrives with valid credentials, because the system decrypts on their behalf. A laptop stolen while asleep or unlocked, or with the password on a sticky note, is in practice a credential theft, and company-issued laptops go missing regularly. The same is true of the insider: an employee with a legitimate login who decides to exfiltrate data reads it in the clear, and encryption won’t do a thing to stop them. Where encryption does pay off under GDPR is in the notification analysis: if the compromised data was properly encrypted and the key was not exposed, Article 34 lets you skip notifying the individuals, and the breach may be judged unlikely to pose a risk at all. You only get that benefit if you can show the key stayed out of the attacker’s hands.

What happens after a data breach?

Talk about sleepless nights for an IT director. For companies that experience a data breach, the hours and days after discovery are usually a mad scramble to assess what’s been compromised and by whom. The time and money spent to unravel the tangles of compromised data in an organization can add up fast. And GDPR doesn’t give you much time. Article 33 requires you to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to pose a risk to the people whose data is involved; if you miss the 72 hours, the notification must explain why.

The problem for most companies is that they don’t really know where all their customer data is stored. A lot of it can end up on employee laptops and mobile devices. To truly protect their data assets, companies must have a firm understanding of where all their data travels and lives.

Data visibility

Being able to immediately and clearly locate customer data is critical to surviving a breach of GDPR-regulated data. A strong endpoint visibility tool can provide a quick understanding of all the data that has traversed through an environment—and importantly for GDPR, whether that data contains personal information.

An endpoint visibility tool can also tell you with confidence if compromised data does not include personal information that would fall under GDPR. That would prevent you from unnecessarily alerting the authorities.

Unfortunately, data breaches continue to happen, and there’s no sign of that abating any time soon. When the collection of consumer data is necessary, companies should consider it sensitive and use endpoint visibility tools to protect it.

Decoding the 72-Hour GDPR Doomsday Clock

The GDPR 72-hour reporting requirement has notable similarities to the insane ultra-marathons elite athletes run in the same time period. The 72-hour time limit requires companies to cover ground they’d typically take weeks or even months to traverse—kind of like running more than 300 miles in three days.

With data stored in unexpected places, that 72 hours can get eaten up quickly in trying to sort through where compromised data is stored. But with a robust endpoint visibility tool, which allows a response team to see the content of endpoint data clearly, the GDPR clock doesn’t have to spell doom.

What should you do if you discover a data breach?

Round up your response team. Depending on the size of your business, your data breach response team may include several dedicated personnel in addition to other key company stakeholders, or it may be a few individuals who do this along with their other duties.

Gather key information. Figure out what happened, what was the cause of the breach, and what type of data was compromised. This step is where companies that don’t have an endpoint visibility tool will see precious hours of their GDPR clock tick away as they try to determine what data was compromised. An endpoint visibility tool that provides clarity on the content of data will answer that question with confidence.

What if no personal information was compromised?

If, after using an endpoint visibility tool or another assessment process, you ascertain that no GDPR-regulated data was involved, breathe a sigh of relief. You don’t need to notify the supervisory authority. You should, however, continue through your plan: clean up the data breach, close the holes that caused it, and notify anyone who was impacted. Two caveats: GDPR is not the only notification regime you may be under (U.S. state breach laws have their own triggers), and Article 33(5) requires you to document every personal data breach, including the ones you decided not to report and why, so the supervisory authority can check your reasoning later.

What if GDPR-regulated data was affected?

Then the clock is already running: the 72 hours count from the moment you first became aware of the breach, not from when you finished investigating it, and you notify the supervisory authority. When you alert the regulator, it’s best to have all your ducks in a row. If you can tell the authority what happened, whose data and roughly how many records were involved, the likely consequences and your plan to remediate it, you will be better positioned to resolve the issue. Article 33(4) does allow you to supply the details in phases if you genuinely can’t have all of them within 72 hours, but the initial notification still has to go out on time. An endpoint visibility tool will provide you with the information necessary to make reporting to the authorities a much smoother step.

What happens after GDPR authorities are alerted?

You continue the process of cleaning up, plugging the holes, and notifying the consumers affected by the breach. For that second notification GDPR specifies only that it happen “without undue delay,” and it is required only when the breach is likely to result in a high risk to the affected individuals (Article 34).

A data breach is always fraught with uncertainties, which is part of why companies typically take a long time to sort through the details and make public statements. With GDPR, companies no longer have the luxury of time, so it’s important to remove as much uncertainty as possible from the situation, to gain clarity quickly. An endpoint visibility tool can help speed up the process and provide confidence in a company’s findings after a breach.

There’s no way around it: the aftermath of a data breach with GDPR-regulated data will feel like a marathon. Having an endpoint visibility tool in place before the breach happens is like cutting that 300 miles down to a much more manageable 26.2 miles. It’s still a race you need to prepare for, but it’s a far more sane and feasible experience.

Code42 GDPR Compliance

Data Visibility Is the Key to GDPR Compliance

When we were young, most of us held the belief that what we couldn’t see couldn’t hurt us. We huddled in bed with the covers over our heads so we couldn’t see the monsters in the darkness, and somehow limiting our vision this way helped us feel safe.

As adults, we understand that ignorance isn’t protection, and being unaware of what’s out there doesn’t keep us safer. And yet, too many IT organizations can’t tell you what data lives on their employee’s devices. “Well, that doesn’t matter,” some IT leaders will say. “All of the valuable data in our company is on the network.”

Not true.

Code42’s CTRL-Z study showed that over 60 percent of corporate data is stored on user endpoints. With the enactment of the General Data Protection Regulation (GDPR) drawing closer every day, turning a blind eye to the data on your employee endpoints could have disastrous results. To protect company assets and meet GDPR compliance standards, organizations need to have a firm understanding of where personal customer data is stored and how it moves through their system. In other words, IT teams need to be able to see where all of their data is created, stored and shared.

GDPR is concerned with the movement of customer personal data, which is broadly defined by the regulation. It’s true that your average employee may not have customer social security numbers on their laptop, but personal information can be anything that might identify an individual, down to phone call metadata. If a piece of data can reasonably be tied to a customer, GDPR requires you to treat it as personal data and protect it with safeguards appropriate to the risk, even though it looks nothing like a credit card number. And like it or not, this type of data does leave your corporate firewalls. Employees take their work home with them all the time; think about the sales rep who brings home background info on a customer to prepare for a big sales pitch.

Your leadership team does this as well. In fact, according to the CTRL-Z report, C-suite executives are the most likely to violate company data security policies. These policies are crucial, but they can’t overcome human nature. You need a data visibility tool to track data no matter where it moves, so if you do get breached, you can account for what information was impacted, and where and how.

Without that kind of data visibility, staying in compliance with GDPR will be a challenge. Under GDPR, companies have 72 hours from becoming aware of a breach to report it to the supervisory authority. But if you don’t know where your data lives, you have no way to gauge the impact of a breach. In the event that data is compromised, knowing exactly what has been exposed will make interactions with the regulatory agency much smoother.

It might be tempting to pull a blanket over your head, ignore the data that lives on employee endpoints, and hope for the best. That may have kept you safe from the monster under the bed, but it won’t keep you safe from potential fines for GDPR non-compliance: up to €20 million or four percent of worldwide annual turnover, whichever is greater. It’s time to recognize that data protection starts with data visibility.

Simplify Legal Hold and eDiscovery with Code42

Today, many organizations face overwhelming costs and burdens associated with responding to eDiscovery and legal hold demands. This is no surprise, given the incredible growth in corporate data – market research firm IDC predicts that the amount of data created and copied every year will reach 180 zettabytes in 2025. For reference, that looks like this: 180,000,000,000,000,000,000,000.

With so much data, it can be difficult to identify, preserve and collect all the data required for eDiscovery. At the same time, it’s never been more critical to be able to accurately collect data for legal matters. Since 2005, sanctions for spoliation of evidence have increased almost 300 percent. In 2015, the sanctions in one landmark case totaled nearly $1 million for repeated negligence in the eDiscovery process. In other words, outdated legal hold processes could wind up costing your company serious money.

Fortunately, Code42 has the legal hold capabilities that both the IT and Legal teams need. With Code42 already preserving all data on employee endpoints, litigation support personnel can rapidly select custodians, apply policies and preserve data in place, with:

  • No IT time
  • No IT travel costs
  • No third-party file collection costs
  • No need to physically confiscate employee computers
  • Reduced litigation and eDiscovery costs

To learn more about how Code42’s Legal Hold and eDiscovery features empower legal teams with powerful tools and minimal IT involvement, watch our latest feature trailer.

A GDPR Strategy That Accelerates Digital Transformation

The approaching GDPR deadline is creating a fascinating disconnect in many organizations. While data security teams focus on locking down information to achieve compliance, business leaders are preaching the gospel of digital transformation—prioritizing the free(er) flow of information. But if it seems like GDPR and digital transformation are at odds, think again. In fact, with the right strategy in place, GDPR should accelerate your digital transformation.

The key to “privacy by design”

Here’s the pattern emerging in most GDPR compliance strategies: Servers, internal networks and on-premises apps get almost all the attention. The majority of companies are considering cloud apps and storage, as well. But “privacy by design” needs to extend beyond your most critical assets that you’re already protecting—probably the least vulnerable facets of your digital ecosystem. Ironically, most GDPR plans aren’t considering the most vulnerable and most dynamic element: the endpoint (and its user).

Taking the long view on GDPR compliance (and digital transformation)

Gartner estimates that half of organizations impacted by GDPR won’t achieve compliance by the May 25 deadline. But even if you’re among the compliant half, your digital enterprise environment is constantly evolving. You can’t afford to inhibit this change. Building a giant wall around your most critical assets would stifle your digital transformation—and put your organization at a serious competitive disadvantage.

Where GDPR and digital transformation come together: the movement of information

You can boil the many elements of GDPR down to two main objectives:

  1. Protect data from going somewhere it shouldn’t.
  2. Secure data wherever it goes.

GDPR doesn’t say information can’t move. Apart from transfers outside the EU, which need a recognized transfer mechanism (Chapter V), what it demands is that you see that movement, so you can identify and respond to potential risk. That concept—gaining visibility to enable the free flow of information—is the definition of the “digital trust” that every analyst report and white paper declares as the foundation of digital transformation.

Is your GDPR strategy focused on movement?

To make a long story short, GDPR isn’t at odds with digital transformation—it’s complementary. Organizations are too focused on preventing data movement, taking a “secure the fortress” mentality. Instead, they need to start focusing their energy on seeing how and where data moves throughout the organization—from servers to cloud apps, cloud apps to user endpoints, etc. The tools and strategies that deliver this kind of visibility are not just key to achieving “privacy by design,” but also help your organization build the digital trust to allow information to flow more freely between your assets, your apps and your people.

Manufacturer Marel Prepares for GDPR with Code42

Is your organization ready for the General Data Protection Regulation (GDPR)? There’s a reason we’ve written so much about GDPR recently. According to Gartner, around half of companies won’t be compliant by the May 25, 2018 deadline. Unfortunately, GDPR isn’t a moment in time or a binary switch–your company can’t prepare for May 25th and stop worrying about it on May 26th. GDPR compliance is an ongoing state that your organization needs to maintain–forever.

To make things more complicated, how you maintain GDPR compliance likely isn’t static either. The spirit of GDPR is “privacy by design,” while the digital transformation most organizations are going through relies on the concept of “digital trust,” or becoming more comfortable with data in the cloud. These two forces might seem inherently at odds with one another: how can you maintain data privacy while becoming more comfortable with data moving outside of the corporate network?

We don’t have the answer here for you today, although it is a topic that we’ll cover more on this blog in the near future. Here’s what we can tell you: You can prepare for the short-term and long-term effects of GDPR compliance regulations with endpoint recovery and visibility. Take Marel, for example. The leading global provider of processing systems for the meat, poultry and fish industries, Marel has offices in 30 countries, with 55 percent of those located in the European Union (EU). Marel relies on Code42 to protect the data for its highly mobile workforce from data loss, but also as part of its broader GDPR compliance efforts. Learn how and why Marel believes that Code42 is a key part of its GDPR compliance plan by reading the case study today. Then, be sure to check back on the blog as we continue to dive into the ongoing ramifications of this game-changing data protection regulation.

GDPR 101: Are you Ready for GDPR?

The General Data Protection Regulation (GDPR), the new data privacy law in the European Union (EU), is almost upon us. Starting May 25, 2018, GDPR will give individuals in the EU control over their personal data, create uniform data protection rules across the EU member states, and dictate the way organizations approach data privacy. GDPR requires businesses to be able to prove their compliance. The possible fines for non-compliance are up to €20 million or 4 percent of worldwide annual turnover, whichever is greater.

Does GDPR apply to your business?

GDPR applies to any organization established in the EU that processes personal data in the context of that establishment, wherever the processing itself takes place, as well as any organization outside the EU that:

  • Offers products and/or services to people in the EU (whether or not payment is required); or
  • Monitors the behavior of people in the EU.

Getting personal with GDPR

Under GDPR, individuals in the EU are granted the rights to:

  • Be informed about the processing of their personal data: what is collected, where it is stored, and why;
  • Access their personal data, correct any inaccuracies, or have it deleted entirely (the “right to be forgotten”);
  • Have their data transferred from one organization to another (data portability); and
  • Restrict or object to the processing of their personal data, including an unconditional right to object to direct marketing.

Personal data under GDPR includes any information that can directly or indirectly identify an individual. This includes names, email addresses, web identifiers, and even IP addresses and/or device identifiers. GDPR also sets baseline data protection requirements for organizations that handle the personal data of EU residents, including:

  • Implementing technical and organizational measures, appropriate to the risk, to ensure personal data is protected;
  • Maintaining documentation (including records of processing activities) to prove compliance with GDPR;
  • Providing timely data breach notifications to the relevant supervisory authority and, where the breach poses a high risk, to affected individuals;
  • Transferring personal data outside the EU only if the organization receiving the data has adequate safeguards to provide the level of protection afforded to individuals under GDPR; and
  • Appointing a data protection officer, where required, to oversee GDPR compliance.

In short, businesses have a lot to consider for their GDPR preparation, and a relatively short time remaining to ensure that they are in compliance with the new regulation.

GDPR readiness

Code42 is a valuable tool for enabling GDPR compliance. Code42’s feature set already includes tools to help organizations focus on the three critical elements of GDPR compliance: data protection, visibility, and recovery. Looking for more information about how Code42 can help your business prepare for GDPR? We have several resources to help.

Still have questions? Reach out to your Code42 representative. We’ll be happy to help.

Data Loss Threatens Mergers and Acquisitions

One of the most popular breakout sessions at Evolution17 featured a great merger and acquisition (M&A) scenario: Midway through the deal, critical information leaks, devastating the value of the deal. How can you figure out how much info leaked—by whom and to whom?

Here’s why that storyline was so riveting: 2016 saw more than $3.5 trillion in M&A deals. And the vast majority of those deals revolved around valuations of intellectual property (IP), which today makes up about 80 percent of a typical company’s value. If you’re a buyer organization, consider these questions:

  • Are you aware of all the IP within the target company?
  • Can you be sure all this IP will come with the deal?
  • Can you be certain it won’t leak to a competitor?

Data loss is a growing M&A problem

For most buyers, the answers to the questions above are no, no and no. This lack of visibility and security for the very assets a company is buying is startling, and it’s increasingly impeding the success of M&A deals. A 2016 survey of dealmakers found that about three in four M&A deals end up getting delayed—sometimes indefinitely—by data loss. Those that eventually get back on track often end up hobbled by missing data. Experts say this is a big part of the reason that 80 percent of M&As fail to achieve their potential or expected value.

M&A amps up the insider threat

Data loss is increasingly common in M&A for the same reason it’s increasingly common throughout the business world: More than half of all enterprise data now lives on endpoints, beyond traditional visibility and security tools centered on a network drive or central server. If the target company can’t see what its employees are doing with data on their laptops and desktops, then a potential buyer has near zero visibility. Couple that with the unique circumstances of an M&A deal and you’ve got a much higher risk of insider data theft. Laid-off employees freely take their endpoint data—sometimes for personal gain, other times just to sabotage their former employer. Those that do stick around tend to feel little loyalty toward their new company, lowering their inhibitions toward selling or taking data for personal gain.

There’s a better way to protect IP during M&A deals

IP is what an acquiring company is buying—the info that is critical to the value and competitive advantage gained through a deal. To make the most of an M&A opportunity, buyers need a better way to collect, protect and secure all data living on a target company’s endpoints—before, during and after a deal. Fortunately, with the right tools, a buyer can gain complete visibility of all endpoint data, take control of valuable IP and drive a deal to its most successful outcome.

What Is the IP Act and Should UK Businesses Be Worried?

As we make our way into 2017, the UK has a new piece of legislation to come to grips with—The Investigatory Powers Act, also known as the ‘Snoopers’ Charter.’ This act effectively gives the UK government the power of legal mass interception and hacking—even forcing communications service providers (CSPs) to store every member of the public’s communications data and web browsing history (so-called internet connection records) for up to 12 months. In short, it will give Britain perhaps the most extreme spying powers in the democratically driven developed world.

The government maintains that this is to aid in fighting terrorism. This might be true. But there are also those in the tech industry making the argument that these powers are tantamount to a massive violation of personal—and potentially intellectual—privacy.

How the heck did it get passed?

Despite criticism from almost every major technology and internet company (including Code42), the deed is done. Some say the reason for the low resistance to this act is Brexit—the UK’s plan to leave the European Union—with people too focused on that matter to put up a big enough fight. Others say that UK political party Labour, which should have been the Bill’s biggest opponent, was too busy fighting its own internal wars. Ultimately though, the general public were all looking elsewhere as the bill was passed.

A potential problem for businesses

While the political implications of the IP Act and its effect on personal privacy are yet to be fully realised, the impact will not be just limited to individuals. Businesses that store company data within the jurisdiction of the UK must also be aware of the changes to the law, and take the necessary steps to ensure company and customer data remains as secure and private as possible.

Is your data within your control?

As bleak as this situation appears, things could be worse—at least companies that store data on-premises can decide how far they are willing to aid the authorities with information requests. However, for businesses that back up and store data in an unencrypted format with a third party, this decision could easily be taken out of their hands.

For example, if an organization’s backup and recovery provider is hit with a bulk collection request under the IP Act and decides to honor it, all of that company’s sensitive information will be passed on to the authorities in an easily accessible format. However, there is a way to ensure that the enterprise maintains sovereignty over data that is stored off-premises: encryption.

Choose your partner wisely

Businesses that choose to store data off-premises with a third-party provider must ensure that it is encrypted end-to-end, with the encryption keys remaining in the custody of the enterprise itself—something that is assured with Code42. This way, in the event that a storage provider is forced to hand over the information in its possession, it will not be in an accessible format, as the encryption keys stay in the hands of the company that owns the data. That guarantee rests on two conditions worth verifying with any provider: the keys must never transit to, or be escrowed with, the provider (check where key derivation happens and who can reset a lost key), and the client software that performs the encryption must be something you can audit and pin, since a provider able to silently push an updated client could be compelled to ship one that leaks keys.
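To make the mechanism described in the last two sections concrete, here is an added example (it is not Code42’s code and does not describe how its product works) of client-side encryption with a key the enterprise keeps: the client encrypts each backup object with AES-256-GCM before upload, the provider stores only nonce plus ciphertext, and a full disclosure of everything the provider holds yields no plaintext. The Provider and Client types, the object name and the customer record are constructed for the illustration; deriving the key from a passphrase with a single SHA-256 is an assumption made only to keep the example short (a real deployment would use a proper KDF or a key from an HSM/KMS the enterprise controls).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Provider models the off-premises storage service. It sees only what the
// client uploads (nonce || AES-GCM ciphertext), never the key.
type Provider struct {
	store map[string][]byte // object name -> nonce || ciphertext
}

func NewProvider() *Provider { return &Provider{store: map[string][]byte{}} }
func (p *Provider) Put(name string, blob []byte) { p.store[name] = append([]byte(nil), blob...) }
func (p *Provider) Get(name string) ([]byte, bool) { b, ok := p.store[name]; return b, ok }

// DiscloseAll is what a bulk collection request yields: every object exactly
// as held. The example assumes the provider complies in full.
func (p *Provider) DiscloseAll() map[string][]byte { return p.store }

// Client holds the enterprise's key; only this side can decrypt.
type Client struct {
	key []byte // 32-byte AES-256 key, kept on-premises, never uploaded
}

// NewClient derives the key from a passphrase with one SHA-256 for brevity.
// Assumption for this example only: real deployments use a proper KDF
// (scrypt/Argon2) or a key from an HSM/KMS the enterprise controls.
func NewClient(passphrase string) *Client {
	k := sha256.Sum256([]byte(passphrase))
	return &Client{key: k[:]}
}

func (c *Client) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload encrypts with AES-256-GCM under a fresh random nonce and binds the
// object name as associated data, so a blob moved to another name won't open.
func (c *Client) Upload(p *Provider, name string, plaintext []byte) error {
	aead, err := c.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(name))
	p.Put(name, append(nonce, ct...))
	return nil
}

// Download fetches and authenticates the object; a flipped bit, a wrong key
// or a mismatched name surfaces as an error, never as silently wrong data.
func (c *Client) Download(p *Provider, name string) ([]byte, error) {
	blob, ok := p.Get(name)
	if !ok {
		return nil, errors.New("no such object")
	}
	aead, err := c.aead()
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// ProviderCanRead reports whether a disclosure of the stored object would
// expose the given plaintext in the clear.
func ProviderCanRead(p *Provider, name string, plaintext []byte) bool {
	return bytes.Contains(p.DiscloseAll()[name], plaintext)
}

func main() {
	p, c := NewProvider(), NewClient("enterprise-held passphrase")
	// Constructed sample record of the kind GDPR regulates.
	rec := []byte("customer=Jane Doe;email=jane@example.com;ip=203.0.113.7")
	if err := c.Upload(p, "backup/crm.txt", rec); err != nil { panic(err) }
	got, err := c.Download(p, "backup/crm.txt")
	_, badKey := NewClient("wrong passphrase").Download(p, "backup/crm.txt")
	fmt.Println("provider sees plaintext:", ProviderCanRead(p, "backup/crm.txt", rec))
	fmt.Println("client restore ok:", err == nil && bytes.Equal(got, rec))
	fmt.Println("wrong key rejected:", badKey != nil)
}
```

Run it with `go run` and it reports that the provider sees no plaintext, the enterprise client restores the record, and a party holding the disclosed blob but the wrong key is rejected. The design point is that the GCM authentication tag makes every failure loud: a provider or intermediary that alters a blob, or re-files it under another object name, cannot cause the client to restore wrong data unnoticed.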

So while unwelcome, yet legal, data requests may now be a fact of life in the UK, the advantage that encryption can offer to a business is control. With Code42, this control is absolute. Code42 offers business leaders visibility over what data is stored where. It also protects data from being disclosed without permission, and renders it useless in the event of intrusion attempts by cybercriminals and hackers. One thing you can be sure of in this vulnerable political climate? There’s no backdoor or vulnerable master key for the Code42 lock.