Amit Parbhucharan analyses the recent Eir data breach and what it says about the state of GDPR at this early point in its tenure.
Recently, Irish telecommunications company Eir experienced a data breach event in which the theft of a staff member’s laptop resulted in the potential exposure of personal data belonging to 37,000 of its customers. While the laptop itself was password-protected, the data on it was wholly unencrypted: it was stolen during a window in which a faulty security update from the previous working day had left the device decrypted and vulnerable.
Because the computer held customer data that included specific names, email addresses, phone numbers and other legally protected data, Eir followed the procedure dictated by the General Data Protection Regulation (GDPR) that went into effect on 25 May, reporting the incident to the Irish Data Protection Commissioner.
‘Portable devices with access to sensitive data will always be an area of potential data breach risk to organisations, and the worst-case scenarios can and will occur’
GDPR introduced data privacy regulations requiring companies to meet specific standards when handling the personal data of EU citizens and residents, including the responsibility to notify the information commissioner’s office within 72 hours of discovering a data breach. GDPR is enforced through steep penalties for non-compliance, which can reach as high as the greater of €20m or 4pc of a business’s total worldwide revenue for the previous year.
However, GDPR regulators will consider an enterprise’s organisational and technological preparedness, and intentions to comply when judging whether such penalties are necessary.
Risky human behaviour
It appears that Eir did many things right in its data breach response. The company demonstrated its established capability to recognise the breach and to report it promptly.
That said, data was still put at risk. Laptops and other such portable devices with access to sensitive data (phones, USB drives etc) will always be an area of potential data breach risk to organisations, and the worst-case scenarios can and will occur. Loss and theft are facts of life, as are other high-risk circumstances that can be much more difficult to anticipate.
In one odd case from our experience, a resident of an in-patient healthcare organisation actually threw a laptop containing protected health data out of a window due to frustration that those devices were for staff use only. A technician deployed to site to understand why the laptop wasn’t online discovered it near the street, where it lay for hours before (luckily, that time) being recovered.
Obviously, wild circumstances like these are unforeseen, but they need to be prepared for nevertheless. There are also those cases where an employee’s lapse in judgement opens the possibility for dire consequences. Laptops get left unattended during credentialed sessions, passwords get written on sticky notes for convenience and stolen along with devices. To ‘Eir’ is human, if you’ll excuse the pun, and small windows of risk too often turn into major (and costly) incidents.
This is why organisations need to implement robust, layered data security strategies, so that a device has more than one line of defence in place when something goes wrong. Encryption is essential to protecting data, and should serve as the centrepiece of any data security strategy – GDPR compliance requires as much.
But measures must also go beyond encryption. Employee training in secure practices is certainly another critical component of a successful strategy. Similarly, capabilities such as remote data deletion when a device is out of the organisation’s hands offer a reliable safeguard in those circumstances where encryption has been rendered ineffective.
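To make the layered approach concrete, here is an added example (not Eir’s, Beachhead’s or any vendor’s code) of a fleet posture check a security team might run against its device inventory. It treats full-disk encryption as the primary control and remote wipe as the fallback, and it specifically catches the failure mode described above: a device whose encryption has been suspended after an update. The device records, field names and action labels are all constructed for illustration; the notification rule reflects an assumed internal policy, not legal advice.

```python
"""Portable-device posture triage: encryption first, remote wipe as the fallback.

Added example, not code from the article or from any vendor. All records,
field names and action labels below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Device:
    device_id: str
    owner: str
    encryption: str            # "active", "suspended" (e.g. paused for an update) or "off"
    last_checkin: datetime     # last time the management agent reported in
    reported_missing: bool = False


# Constructed reference time and sample fleet (hypothetical identifiers).
NOW = datetime(2018, 8, 20, 9, 0, tzinfo=timezone.utc)

SAMPLE_FLEET = [
    Device("LT-001", "alice", "active", NOW - timedelta(hours=1)),
    # The article's scenario: encryption suspended by a faulty update, then the laptop is stolen.
    Device("LT-002", "bob", "suspended", NOW - timedelta(hours=2), reported_missing=True),
    Device("LT-003", "carol", "active", NOW - timedelta(hours=30)),
    Device("LT-004", "dave", "off", NOW - timedelta(hours=1)),
    Device("LT-005", "erin", "active", NOW - timedelta(hours=5), reported_missing=True),
]


def encryption_gaps(fleet):
    """Devices whose data at rest is not currently protected by encryption."""
    return [d.device_id for d in fleet if d.encryption != "active"]


def triage(fleet, now=NOW, stale_after=timedelta(hours=24)):
    """Map each device to the next defensive action under an assumed policy.

    - missing + unencrypted: wipe immediately and escalate to the data protection
      officer, because personal data may have been exposed (72-hour clock).
    - missing + encrypted: wipe and record the loss; exposure is far less likely.
    - present but unencrypted: re-enable encryption before further use.
    - encrypted but silent for too long: investigate (agent may be dead or device gone).
    """
    actions = {}
    for d in fleet:
        if d.reported_missing:
            if d.encryption != "active":
                actions[d.device_id] = "remote_wipe_and_notify_dpo"
            else:
                actions[d.device_id] = "remote_wipe_and_log"
        elif d.encryption != "active":
            actions[d.device_id] = "remediate_encryption"
        elif now - d.last_checkin > stale_after:
            actions[d.device_id] = "investigate_stale"
        else:
            actions[d.device_id] = "ok"
    return actions


def summary(fleet, now=NOW):
    """Count devices per action, useful as a daily posture metric."""
    counts = {}
    for action in triage(fleet, now).values():
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    print("Encryption gaps:", encryption_gaps(SAMPLE_FLEET))
    for device_id, action in triage(SAMPLE_FLEET).items():
        print(f"{device_id}: {action}")
    print("Summary:", summary(SAMPLE_FLEET))
```

The point of the suspended state is that a management console reporting “encryption enabled” is not the same as the disk being encrypted right now; the check has to use the live protection status, and a device reported missing while in that state is treated as a potential personal data breach rather than a routine loss.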
‘Each effective layer of data security in place beyond encryption demonstrates a genuine commitment to protecting individual privacy’
Ensuring the security of customer data has always been critical to protecting an organisation’s reputation and maintaining customer trust – GDPR only raises those stakes.
In the unfortunate event that a data breach must be reported under GDPR, and regulators conduct an official audit, each effective layer of security in place beyond encryption demonstrates a genuine commitment to protecting individual privacy. That commitment serves as a positive factor in the eyes of both those auditors and the public who must continue to trust the organisation with their data going forward.
Amit Parbhucharan is general manager of EMEA at Beachhead Solutions, which provides cloud-managed PC and mobile device encryption, security, and data access control for businesses and managed service providers.