13 Months. That is the number of months (from the time of this writing) separating the #WannaCry attack from being not just a massive information security “incident” but the single largest test of the EU General Data Protection Regulation (GDPR). We are not going to focus on the WannaCry ransomware in this post though. If you’re interested in my technical breakdown, you can read my previous post. Today, I want to double-click past the malware and look at what the regulatory impact would have been, had GDPR been in effect. Spoiler alert; NONE! Ok, not quite…as with most things in the regulatory realm, there is some gray area.
If you are just becoming familiar with the finer points of GDPR, we have a wealth of resources that can get you up to speed here: https://www.stealthbits.com/solutions/by-business-need/fulfill-compliance-requirements/eu-gdpr.
The TL;DR version is the EU GDPR intended ‘to strengthen and unify data protection for all individuals within the European Union (EU)’. One of those is the 1998 Data Protection Act. The DPA however, only covers the processing of data. There is no legal obligation on data controllers to report breaches of security. That’s right, back in 1998 most information security events were just that, events – a lot of nuisance events in fact.
Under GDPR on the other hand, is the introduction of a duty on all organizations to report certain types of data breaches. Not all breaches are relevant to GDPR, but that doesn’t mean only certain types of breaches have to be reported. For now, we are solely focused on GDPR though and per Article 32, a breach has to be reported only where it is likely to result in a risk to the “rights and freedoms of individuals”. Rights and freedoms aren’t up for debate. If you have had your personally identifiable information, political affiliation, credit card information, health records or just about any information that pertains to you and only you compromised, it poses a risk to your rights and freedoms. Risk being the operative word that makes this part not open for debate.
So did WannaCry constitute a risk to the rights and freedoms of EU citizens? The National Health Service (NHS) was not the only victim of WannaCry that held or processed EU citizen data, although it got a fair amount of attention as it was the second global entity to report it had been hit. There were many organizations with EU citizen data that were also hit. But was citizen data *breached*?
If that question feels dodgy, that is because it is. As the events of WannaCry were unfolding, I tweeted the following:
Words do matter. Theresa May, the Prime Minister of the United Kingdom, said: “the Government is not aware of any evidence that patient records have been compromised in the massive cyber attack on the NHS.”
Some quick housekeeping – what is the difference between a Data Breach vs. a Security Incident vs. an Event?
National Institute of Standards and Technology (NIST) defines an event as “any observable occurrence in a system or network…” For example, a change to the access rights of a user in Active Directory (AD) is an event. A security incident, on the other hand, is, an event that violates an organization’s security or privacy policies involving sensitive information.
GDPR neither defines security incidents or events. GDPR does however, define what a security breach is:
“Article 4, (12)
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”
Would an organization be open to fines or other repercussions if it were hit by WannaCry? That is the wrong question to ask. Did being hit by WannaCry lead to the ‘accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed’? That is the correct question to ask. That is the question GDPR asks.
And those are the questions we answer! Answering those questions are in the STEALTHbits DNA. Our solutions not only identifies when data has been destroyed – it can prevent it! Our solution not only identifies who has access to data, it can govern who should and who should not; modeling those rights based on resources and not simply personnel. And as our customers know, our solution was updated within hours of the WannaCry attack to detect Indications of Compromise (IOCs).
To learn more about how we can help you prevent ransomware, please click here: www.stealthbits.com/ransomware.
Gabriel Gumbs is the VP of Product Strategy at STEALTHbits Technologies responsible for end-to-end product vision and innovation. With a 16 year tenure in CyberSecurity, he has spent most of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.Read more
Start a Free Stealthbits Trial!
No risk. No obligation.