I know security experts will scoff at this, but I think a lot of people thought that GDPR and other privacy regulations were going to end large data breaches. (I wasn’t one of those people who thought this, but I certainly heard it mentioned enough in conversation.)
The reality, of course, is that as we come to the end of 2018, we’re still seeing large data breaches. As Carbonite’s CISO, Larry Friedman, told me in an email:
While we continue to gain a deeper understanding of the importance (and implications) of data backup and security, so do hackers. This year, we experienced another level of sophistication from hackers, resulting in far more destructive and intelligent breaches.
These data breaches could be showing a chink in the GDPR armor, as well. There’s a lot of ambiguity about the practical application of the compliance, Zack Shulman, compliance research senior engineer with LogRhythm, told me, and despite the breaches we’ve seen since the end of May, the fines aren’t as bad as threatened. Shulman said:
I’d be willing to bet the fines we have seen represent a significantly smaller number of actual breaches relative to the amount of worldwide breaches that have occurred, and each fine is most likely much smaller than the initial threats of revenue percentage-based fines.
I think Facebook is going to end up determining how successful GDPR is – or if we need to go back to the privacy compliance drawing board. It seems like Facebook has had its share of vulnerabilities and data breach revelations in the latter part of the year, including last week’s announcement that a bug allowed access of millions of users’ photos. Facebook apologized for the inconvenience and then . . . nothing. I thought this would have been the big moment for GDPR, the opportunity for the new regulation to show its bite. But that didn’t happen, as Forbes explained:
The company’s nearly two-month wait to notify data protection authorities after it became aware of the breach, in spite of GDPR’s 72-hour notification requirement, reminds us that GDPR is far more limited than the public understands.
If Facebook isn’t going to have to follow the rules of GDPR, why should other companies? And will Facebook and other companies flaunt the new state privacy laws that are set to take effect in the coming months?
GDPR has done a lot of good things. It has started serious dialogues regarding data privacy and how to better secure that information. It has created collaboration across departments and industries to come up with better security solutions. But unless the largest organizations are forced to comply and meet the standards of these regulations, what we’re going to continue to see is bigger and more devastating data breaches because there is no incentive to stop them.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba