Mounting US data disasters show we're lucky to have GDPR
A long list of failures by US companies shows the government’s planned overhaul of the UK data protection landscape needs much closer scrutiny
In terms of real-world, material experiences, the General Data Protection Regulation (GDPR) introduced myriad irritations, completely overhauling the way we approach and work with data. Implementing its rules proved a nightmare for just about every department within a business, so much so that companies created new job roles for the sole purpose of dealing with the ensuing mess. Staff like you and me, too, still have to undergo those arduous data protection refreshers every six months. Despite all of this, I have no doubt we’re truly blessed to have GDPR fighting our corner.
With the government locked in the process of overhauling the UK data protection landscape, including UK GDPR and the Data Protection Act (DPA) 2018, I implore ministers not to weaken the rules imposed on companies that suffer data breaches. With GDPR, it isn’t just our personal data that’s safeguarded more stringently. While that’s certainly an upshot, its real benefit lies in holding businesses we know, and trust, to account. The breach disclosure provision has become even more valuable in light of the repeated gross mishandling of cyber attacks across the pond.
When we first learned Miami-based customer services firm Sitel had been targeted by the LAPSUS$ group, Okta CEO Todd McKinnon, whose company and customers were affected as a result, bore the brunt of the backlash. LAPSUS$ revealed its successful campaign on 22 March, days after cyber security firm Mandiant sent its final forensics report to Sitel, which waited more than two months to go public.
With no incentive for the company to come clean about its catastrophic breach, Sitel put its own needs ahead of its customers, which are distributed across nearly every business vertical. The breach should have been made public on 21 January, the day it engaged Mandiant for outside help, and if the firm had to abide by GDPR, it would have had no choice but to do so within 72 hours.
I’m not being pedantic here. Disclosing breaches expeditiously, especially ones that affect customers and their personal data, is massively important for businesses looking to maintain a good reputation.
Letting customers know as soon as you can allows them to change passwords, make pre-emptive calls to their banks if payment information is leaked, even change phone numbers to prevent SIM swapping attacks, and maintain proper cyber hygiene. It’s maddeningly arrogant, and ignorant, of companies to deprive their customers of the opportunity to safeguard their digital identity, and delaying breach disclosures for months does just this.
After four years of familiarising ourselves with GDPR, UK and EU businesses now have responsible disclosure down to a tee. I’ve previously spoken to a host of public relations experts discussing, in part, how irresponsible breach disclosure strategies can harm a business. Almost all of them lauded the case study of Norsk Hydro.
Norsk handled its 2019 breach impeccably. Its response will – or should – be the benchmark-setter for all companies worldwide. With full transparency and sincere apologies coming from every corner, plus the CEO’s personal phone number made available to all those who were affected, Norsk gained credit by facing its problems head-on, experts told IT Pro.
Indeed, Norsk Hydro could well write the data breach disclosure textbook. Despite the respect it garnered, it seems businesses, particularly in the US, are unwilling to emulate its success unless legally obligated to. The infamous GoDaddy breach was another great example of how not to disclose a cyber security incident. Although a staggering 1.2 million customers were affected by the domain registrar’s breach, it didn’t stop the firm from doing the absolute minimum legally required following the incident.
Instead of owning up to the incident, it made a ‘public’ disclosure in the small print of a Securities and Exchange Commission (SEC) report that was extremely difficult to track down, even for a seasoned journalist, let alone a member of the public. With each failed click digging me deeper into the SEC website, without a clue where to find this, I became increasingly frustrated but simultaneously relieved things aren’t this bad in Blighty.
The cases of LAPSUS$ and GoDaddy aren’t isolated, and you can certainly add Geico, California Pizza Kitchen and Coinbase to a mounting list of US data disasters, some of which were disclosed months after the initial breaches took place. Ubiquiti, too, has been criticised for downplaying the severity of a data breach it revealed in January 2021. We all know, too, of the consequences of the infamous Equifax data breach.
The state of US data protection is genuinely pitiful, and it pains me every time I come to report on another US data disaster. We're so lucky, in the UK, to have been a part of the EU when we enshrined GDPR into domestic law. Now, though, that the government has overseen Brexit, it’s set its sights on overhauling UK data protection to favour less bureaucracy and “box-ticking”.
In its planned overhaul, the government claims it’ll aim to strengthen the protections already afforded to the public while making changes to ensure a more lucrative data economy can be pursued. Boris and his band of suits can do what they want with the UK data protection regime: twist it, turn it, shake it up. The choice is theirs. My only ask is, whatever changes come about, please don’t do away with mandatory data breach disclosure, or the UK might soon come to emulate the catastrophes we’re becoming accustomed to across the pond.