It’s not often that a single speech has the power to reshape the computing industry. But EU Justice Commissioner Viviane Reding’s January 2012 presentation will come to be seen as an important turning point.
The proposed Data Protection Regulations include a number of tough new provisions, but the element that will give security professionals the most immediate anxiety is the insistence that organisations inform national information commissioners of data breaches within 24 hours, or risk fines of up to 2% of global turnover for not doing so.
This is a radical jump. Having been under little or no obligation to formally disclose a data breach in most EU countries, companies will suddenly be required not only to inform the authorities, but do so on an accelerated timescale. Moreover, the change will affect not only companies in the EU, but those doing business in it, making this the first de facto global data breach law.
It may sound straightforward, but is anything but. Assuming administrators have evidence that something has gone awry, do they have the tools to say precisely what without delay? What sort of reporting systems do they have to explain the extent of a breach? Do possible security failures have any regulatory and legal consequences and, if so, what?
Old-fashioned periodic, manual security audits and the manual configuration processes that underlie them could be heading for obsolescence. Currently, security is often measured for regulatory and compliance purposes through an external audit that takes place quarterly or annually, depending on the business sector.
The reality is that administrators could be asked to audit their security stance at any moment in time as a breach is uncovered, with only a few hours’ notice. CISOs will require an overview of security policies, compliance and data protection that reflects what is happening at the moment the request is made.
What such continuous auditing does is render manual assessment impractical. The solution, automated auditing in real time, goes from being a useful convenience to an essential component of any security infrastructure. Real-time security and auditing requires that organisations integrate information from multiple types of hardware system, and across a range of vendors that generate reports through proprietary management consoles.
On top of this, any reporting infrastructure must also make sense of the flow of security data from the different elements of the system, comparing it against a defined set of security policies. A key issue is whether this change from casual to mandatory and continuous auditing will be viewed positively by the people tasked with putting it into practice.
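To make the integration step concrete, the following is an added example (not from the article, and not any vendor's or regulator's tooling) of the kind of small continuous-compliance check the text describes: events from two hypothetical vendor formats (a JSON firewall console export and a syslog-style identity/DLP appliance) are normalised into one schema, evaluated against a policy set, and rolled into an on-demand audit snapshot. All formats, hostnames, policies and log lines are constructed for illustration.

```python
"""Minimal continuous-compliance checker (constructed example).

Normalises events from two hypothetical vendor formats, evaluates each event
against a small policy set, and returns an audit snapshot that can be produced
on demand rather than at a quarterly audit.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Event:
    ts: datetime      # normalised UTC timestamp
    source: str       # originating device or console
    kind: str         # "firewall_rule" | "login" | "data_export"
    attrs: dict       # vendor fields, normalised to strings/ints


# Constructed sample: JSON lines from a hypothetical firewall console export
VENDOR_A_LINES = [
    '{"time":"2012-01-25T09:00:00Z","rule":"allow","proto":"tcp","dport":23,"src":"any"}',
    '{"time":"2012-01-25T09:05:00Z","rule":"allow","proto":"tcp","dport":443,"src":"10.0.0.0/8"}',
]

# Constructed sample: syslog-style lines from a hypothetical identity/DLP appliance
VENDOR_B_LINES = [
    "Jan 25 09:10:00 idp01 login user=admin mfa=no result=success",
    "Jan 25 09:12:00 dlp01 export user=jdoe records=120000 dest=personal-mail",
    "Jan 25 09:15:00 idp01 login user=ops mfa=yes result=success",
]

VENDOR_B_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) (\w+) (.*)$")
ALLOWED_EXPORT_DESTS = {"backup-vault", "dr-site"}   # constructed allow-list


def parse_vendor_a(line: str) -> Event:
    """Normalise one JSON firewall-rule record."""
    d = json.loads(line)
    ts = datetime.fromisoformat(d["time"].replace("Z", "+00:00"))
    return Event(ts, "fw-console", "firewall_rule",
                 {"action": d["rule"], "proto": d["proto"],
                  "dport": int(d["dport"]), "src": d["src"]})


def parse_vendor_b(line: str, year: int = 2012) -> Event:
    """Normalise one syslog-style key=value record (syslog lines carry no year)."""
    m = VENDOR_B_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    stamp, host, kind, rest = m.groups()
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    attrs = dict(kv.split("=", 1) for kv in rest.split())
    return Event(ts, host, {"export": "data_export"}.get(kind, kind), attrs)


# Each policy is (name, predicate-that-is-true-when-the-event-VIOLATES-it)
POLICIES = [
    ("FW-01 no inbound telnet from any source",
     lambda e: e.kind == "firewall_rule" and e.attrs["action"] == "allow"
     and e.attrs["dport"] == 23 and e.attrs["src"] == "any"),
    ("IAM-02 admin logins must use MFA",
     lambda e: e.kind == "login" and e.attrs.get("user") == "admin"
     and e.attrs.get("mfa") != "yes"),
    ("DLP-03 bulk export only to approved destinations",
     lambda e: e.kind == "data_export" and int(e.attrs.get("records", 0)) >= 100_000
     and e.attrs.get("dest") not in ALLOWED_EXPORT_DESTS),
]


def collect_events() -> list:
    """Merge both vendor feeds into one time-ordered stream."""
    events = [parse_vendor_a(l) for l in VENDOR_A_LINES]
    events += [parse_vendor_b(l) for l in VENDOR_B_LINES]
    return sorted(events, key=lambda e: e.ts)


def audit(events, policies=POLICIES) -> list:
    """Return one finding per (event, policy) pair where the policy is violated."""
    findings = []
    for e in events:
        for name, violates in policies:
            if violates(e):
                findings.append({"policy": name, "ts": e.ts.isoformat(),
                                 "source": e.source, "attrs": e.attrs})
    return findings


def snapshot(events, policies=POLICIES) -> dict:
    """The on-demand view a CISO would need: what is non-compliant right now."""
    findings = audit(events, policies)
    return {"generated_at": datetime.now(timezone.utc).isoformat(),
            "events_checked": len(events),
            "violations": findings,
            "compliant": not findings}


if __name__ == "__main__":
    print(json.dumps(snapshot(collect_events()), indent=2, default=str))
```

The point of the structure is that the vendor-specific parsing is isolated in the two `parse_*` functions while the policies operate only on the normalised `Event`, so adding a third console means adding a parser, not rewriting the policy set; in a real deployment the sample lists would be replaced by live feeds and the snapshot written to an audit store with its timestamp.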
A recent survey of 100 network managers by Tufin Technologies found 42% believing that the proposals would lead to an increased risk-awareness within their organisation. A third believed that their attitude towards continuous compliance had changed, with just over half convinced that automated audits would make it easier to comply.
But Jericho Forum board member, Andrew Yeomans, worries about the impact of “false positives”. “The regulators may get overloaded with potential data breach reports that turn out to be false alarms, if only 24 hours is allowed for any initial investigation,” he warns.
As daunting as it appears, the proposed Regulation’s biggest plus is its scope, which imposes the same rules across the 27-nation EU zone and beyond. This creates short-term hurdles, but the pay-off is potentially huge. For the first time, multi-national organisations will no longer have to interpret a confusing array of data breach and protection rules in different territories. For the first time, everyone will be playing by the same rules based on a swift response.