always on gdpr - the visibility to act like the pros - Nuix

ALWAYS ON GDPR
THE VISIBILITY TO ACT LIKE THE PROS
SEE IT THROUGH FRESH EYES

GDPR - ACTING ONLY ON WHAT YOU SEE

More personally identifiable data is being created and processed than ever before. This data powers commercial success and delivers services that customers value. However, the potentially negative impact of how this data is processed on the credit ratings, privacy, and everyday lives of citizens has not been lost on legislators, who have decided it is time to act. Most organizations are well aware of the intention and scope of the EU’s General Data Protection Regulation. Yet the world waits in suspense to witness a successful GDPR prosecution. As a result of their ‘Wait and See’ policy, some organizations have put their faith in solutions designed for the pre-GDPR era. This is a strategic error.

THE PEOPLE’S DATA

GDPR, along with related global data laws, will significantly restrict what has, until now, been largely ungoverned: the processing of Personally Identifiable Information (PII) by those who are not the rightful ‘owners’ of that data, for illegitimate or unapproved purposes. That is set to change. Executives are waking up to the fact that their organizations, in the eyes of the law, are Data Processors and Data Controllers. Those organizations carrying out irresponsible or careless processing of data are now easily identifiable by enforcement officials.

Now over half a billion EU citizens can exercise new data protection powers, even on historical data. Waiting and watching as others are prosecuted is a flawed strategy because the balance of power has already shifted. Evidence of corporate wrongdoing, in the form of data requests, is all the proof consumers and regulators need for convictions. In this new era of greater responsibility for personal data, the inability to detect and respond to data laws being broken is business critical. Extended delays in responding to inbound queries can be fatal to businesses.

Enforcement authorities are about to be fed leads from customers as a result of GDPR. This means almost all companies in the EU are now subject to forensic examination by the authorities.


HOW GDPR LOOKS TODAY

• 28 countries
• 500 million citizens (in EU and overseas)
• FREE - an EU Subject Access Request
• 72 hours to report breaches once detected
• Up to 4% of global turnover at risk
• $5.3 billion estimated fines by 2021

NOT IN EUROPE? YOU’RE STILL COVERED.

The scope of GDPR is wide, in fact global. The primary test an organization can employ for GDPR is whether “The processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.” This covers almost every website offering goods and services on the planet. The case is significantly strengthened for EU customers or if payment in euros is offered. The scope of personally identifiable information (PII) may also be news to many outside the EU’s geographical borders. GDPR requires organizations to properly store and protect any EU citizen’s data, regardless of where the organization is based in the world. A further test means organizations that track customers on the Internet, profile their past actions, or predict personal behaviors and attitudes using PII, regardless of where the organization is based, are also covered. With the EU having extensively revamped its legislation after many years at the forefront of data protection, and with fines now large enough to fund significant prosecutions, betting on leniency from EU authorities is risking everything. The time to gain the visibility to act fast is now.

GDPR - HOW BAD CAN IT BE?

In a word: terminal. For a company with a global turnover of €10 billion, audit failure fines could take $400 million from the bottom line.

Administrative Fines
By failing to keep accurate records or not ensuring appropriate security of processing, you risk up to €10 million, or 2% of REVENUE - NOT PROFIT.

Audit Failure Penalties
By failing to acquire adequate consent for, or through unacceptable collection and processing of, data, you risk up to €20 million OR 4% of GLOBAL turnover, WHICHEVER IS HIGHER. In the case of UK organizations, these are 20x uplifts on the current maximum Information Commissioner’s Office levies, and neither of the above includes audit and information retrieval costs. These figures also do not include civil damages from individuals who may take private action in addition.

SEEING WHAT MATTERS MOST
CYBERSECURITY WON’T CUT IT

An equally poor move is to hope a basic ‘Security by Design’ approach will help. GDPR is more than just another data regulation with fines for audited non-compliance; its provisions have been carefully designed and have far-reaching consequences. Focusing solely on remedying data breaches is a mindset borrowed from cybersecurity, an industry built on attempting to stop data from being taken, with only partial success. Some 88% of professional hackers surveyed in Nuix’s Black Report believe they can break through cybersecurity defenses and into their target systems within 12 hours, and 81% claimed to be able to identify and exfiltrate valuable data within a further 12 hours.

Industry analysts at Gartner believe “determined attackers can get malware into organizations at will” and “organizations must assume they are compromised.” Contrast this reality with GDPR’s stipulation that data is identified correctly and protected at all times, can be accounted for constantly and, if needed, under very specific circumstances, released to authorized personnel. It’s very like forensic evidence in a court case, and very unlike the vague excuses that seem to accompany every major cybersecurity breach. Trusting your future to a single technology approach is a very high stakes gamble.

THREE RIGHTS DON’T MAKE IT WRONG

In addition to data breaches, which are both unpredictable and, according to analysts, increasingly to be expected, subject access requests, Freedom of Information enquiries and the so-called ‘right to be forgotten’ are game-changers. Yet these are three additional burdens which many organizations have yet to tackle effectively.


FREEDOM OF INFORMATION (FOI)
A right which already exists but is now complicated due to GDPR’s new restrictions on Personally Identifiable Information. Citizens can already ask government and regulatory authorities for any information held on them to be provided in a timely way. The introduction of GDPR means this is now treated more like a GDPR subject access request and can be particularly complex where several individuals’ data are co-mingled.

SUBJECT ACCESS REQUEST (SAR)
A staple of many country-level data privacy laws already, and due to be turbo-charged with the right to be forgotten of the new GDPR regime. This empowers citizens to review all data held by organizations about them. This may include data from a wide variety of sources such as sales ledgers, service contracts, marketing databases, healthcare records, as well as live or clickstream data that can be deemed personally identifiable.

RIGHT TO BE FORGOTTEN (RTBF)
The most painful of the consumer-initiated actions to undertake. Citizens will now have the right to have all PII, with some minor exceptions, expunged from corporate records. This will need to be carried out by the controller of the data ‘without undue delay’ and in a manner provable within future audits.

LET’S GET PERSONAL

WHAT DOES IT TAKE TO PERSONALLY IDENTIFY A EUROPEAN?

The real owners of personally identifiable data, otherwise known as data subjects, in the case of GDPR, are EU citizens resident in the EU or abroad. They can now exercise significantly enhanced data protection rights at no cost to themselves and with all costs borne by those to whom they make three types of request. Organizations unable to process their requests will pay dearly.

WHAT IS “PERSONAL DATA” ANYWAY?

Personally identifiable information can come in many forms. Personal data is defined as “Any information related to an identified or identifiable natural person” and may include more than you think.

Direct Identifiers: Name, ID number, account number, physical address

Online Identifiers: Social media handles, email address, profile pictures, avatars, screen backgrounds

Indirect Identifiers: Religion, political persuasion, sexual orientation, hobbies, genetic profile

Higher Protection: Under GDPR, personal data that reveals racial or ethnic origin, political and religious opinions or philosophical beliefs, biometrics, and genetic data about health, sex life or sexual orientation receives greater protections.

Less than you might think. The key test is whether direct and indirect personal data can be used to uniquely identify a natural person. A US study found just three data points could identify most Americans:

1. Date of birth
2. Zip code
3. Gender

Together these can identify 87% of Americans.

Some advocate the presence of European currency pricing as a rough rule for whether customers are European Union citizens. The cost for criminals to obtain such data is low. On the Dark Web a full set of an individual’s PII can be obtained for as little as $1, showing that PII is currently very easy to access and not adequately protected.

ACTING ON WHAT MATTERS MOST
CONNECTED INTELLIGENCE
GETTING AHEAD OF THE GAME

The good news about GDPR is that no one is starting from scratch. Most organizations have a need to store, tag, encrypt, and move data held within their systems. Those dealing with sensitive, regulated data in industries like healthcare, financial services, and diplomacy cannot afford to take their responsibilities lightly. The devil is truly in the detail. The organizations we trust with our well-being, financial independence, and liberty, in roles like defense and law enforcement, focus on information governance. For them, only the most advanced capabilities will do. They tend to be Nuix customers. Nuix works for the professionals because they appreciate how a Connected Intelligence approach unlocks their resources and helps them work smarter. With Nuix, much of the thinking has been done and sensitive issues, such as how to protect against insider threats, have been considered.

GDPR - THE HIDDEN THREAT FROM INSIDERS

As if GDPR itself was not challenging enough, the associated human behaviors required for compliance present fresh management dilemmas.

• 73% of former employees or business partners have viable reasons to check enterprise data
• Insiders account for 25% of data breaches [Source: Verizon 2017 Data Breach Investigations Report]
• 48% of data breaches are the result of criminal or malicious activities
• 27% of data breaches are the result of ‘system glitches’
• 25% of data breaches are the result of human error [Source: Ponemon Institute 2016 Cost of Data Breach]


With its background in information governance, digital forensics, and cybersecurity, Nuix has more capabilities relevant to reducing the costs and improving the quality of GDPR processes. Four of the most powerful are deep insight, rapid diagnosis, horizontal scalability, out-of-the-box search acceleration and its forensic cleanness.

DEEP INSIGHT

Unlike many basic eDiscovery tools, Nuix comes pre-loaded with common regular expressions. These character string ‘short cuts’ detect and alert searchers to likely areas for deeper-dive enquiries. In addition, Nuix focuses efforts where search results are likely to be, for instance avoiding application files, which are unlikely to hold useful insights, in favor of other file types that are more likely to yield results.

RAPID DIAGNOSIS

Using out-of-the-box acceleration techniques, such as validating candidate card numbers against the Luhn checksum commonly used by credit card issuers, Nuix can quickly eliminate noise as well as false positives and focus your attention on the real issues. Customers with specific data requirements can easily program their own custom expressions with data validation to speed up data searches. This can also be used to exclude an individual’s records, to comply with the higher protection provisions in the GDPR. Nuix also has the ability to present initial findings during data ingestion, meaning zero lag, where rivals need to complete indexing before delivering results.

HORIZONTALLY SCALABLE

Only indexing what’s needed for GDPR compliance greatly speeds up consumer-led and regulator searches. The architecture of the Nuix engine offers processing speeds of up to 120GB per processing core every 24 hours and is linearly extensible, so adding servers speeds searches up. This ability to scale could mean the difference between compliance and non-compliance, especially where corporate data is spread geographically and over thousands of mobile devices.

FORENSIC CLEANNESS

Nuix’s approach is steeped in data forensics, making the handling of data a particular focus. Advanced capabilities to state with certainty whether data has been processed (copied, encrypted, compressed, or deleted) help eliminate searches of data sources unlikely to yield results. In addition, Nuix’s legacy in redacting complex and lengthy court documents means it is well-placed to remove precise record data without affecting the records of other data subjects.

OUT-OF-THE-BOX SEARCH ACCELERATION

As an example of just how much Nuix can accelerate searches, here is a sample list of just some of the relevant formats the Nuix regular expression engine automatically looks for. Having this ‘head start’ allows data professionals to focus on harder-to-detect edge cases.

• ABA Routing Number
• Belgium National Number
• Countries
• Credit Card Numbers [Bounded and Validated]
• Czech National Identity Card Number
• Email Addresses
• EU Debit Card Number
• Finland National ID
• Finland Passport Number
• France Driver’s License Number
• France Passport Number
• France Social Security Number (INSEE)
• French CNI
• German Identity Card Number
• Greece National ID Card
• IP Addresses
• Italy Drivers License Number
• Person Name
• Personal ID [Validated]
• United Kingdom Bank Sort Code
• United Kingdom ID Number
• United Kingdom Licence Plate
• United Kingdom National INS Code

In addition, Nuix includes the ability to create new custom expressions for data formats not covered ‘out of the box’. This means non-IT teams can develop their own searches for other European regular expressions, or company specific identifiers without any knowledge of coding.
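The “bounded and validated” pattern matching and Luhn-based false-positive elimination described above, shown as an added example that is not Nuix’s code: a bounded regular expression proposes candidate card numbers, the Luhn checksum rejects digit runs that merely look like cards, and a custom expression (the hypothetical `EMP-` staff identifier) is registered the same way. The sample text is constructed.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Each pattern is a compiled regex plus an optional validator that discards
# false positives. Patterns are "bounded": the \b anchors stop a 16-digit
# run inside a longer number (e.g. a 20-digit order id) from matching.
Pattern = Tuple[re.Pattern, Optional[Callable[[str], bool]]]


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by card issuers; separators are stripped first."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of d
        total += d
    return total % 10 == 0


PATTERNS: Dict[str, Pattern] = {
    # 13-19 digits, optionally grouped by single spaces or dashes, Luhn-checked
    "credit_card": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), luhn_valid),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
    # UK bank sort code: three digit pairs; no checksum exists, so no validator
    "uk_sort_code": (re.compile(r"\b\d{2}-\d{2}-\d{2}\b"), None),
}


def register_pattern(name: str, regex: str,
                     validator: Optional[Callable[[str], bool]] = None) -> None:
    """Add a custom expression for an identifier not covered out of the box."""
    PATTERNS[name] = (re.compile(regex), validator)


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (label, match) hits; candidates failing validation are dropped."""
    hits = []
    for label, (regex, validator) in PATTERNS.items():
        for m in regex.finditer(text):
            if validator is None or validator(m.group(0)):
                hits.append((label, m.group(0)))
    return hits


# Constructed sample: one Luhn-valid card, one with a typo, one long order
# reference that must NOT be reported, plus an email, a sort code and a
# hypothetical company staff id.
SAMPLE = (
    "Card 4111 1111 1111 1111 on file, mistyped card 4111 1111 1111 1112, "
    "order ref 12345678901234567890, contact jane.doe@example.org, "
    "sort code 20-00-00, staff id EMP-00421."
)


def demo() -> List[Tuple[str, str]]:
    """Register the hypothetical staff-id expression and scan the sample."""
    register_pattern("employee_id", r"\bEMP-\d{5}\b")
    return scan(SAMPLE)


if __name__ == "__main__":
    for label, value in demo():
        print(f"{label:13s} {value}")
```

Only the Luhn-valid card survives: the mistyped number and the 20-digit order reference are exactly the noise the validation step is meant to remove.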


HEADS UP – HOW PROS VIEW GDPR
FIRST VISIBILITY, THEN ACTION

GDPR is the most wide-ranging data legislation most have ever dealt with. Quite rightly, executive boards are waking up to the threat to their livelihoods. They are asking searching questions of those responsible for data in their organizations, whether they hold the official title of Data Protection Officer, as mandated by GDPR, or simply carry the responsibility.

IS YOUR ORGANIZATION READY TO COMPLETE DATA BREACH INVESTIGATIONS IN JUST 72 HOURS?

Nuix stands up to scrutiny because of its Always On approach to information governance, combining best practices from data forensics and its ability to provide the Visibility to Act.

• Reduce your organization’s risk exposure.
• Minimize the impact of security incidents.
• Identify and remediate private data that’s at risk of being lost in a data breach.
• Avoid becoming the focus of international news headlines.

AHEAD OF BREACH
SAFEGUARD YOUR DATA. USE NUIX TO:

• Identify all locations where data exists and prioritize the risk of each location
• Perform a deep content scan on all targets and understand what data is in violation of data security and privacy policies
• Remediate any data in violation of policy
• Establish systems and processes to protect the organization from risks associated with data breaches as well as non-compliance with subject access requests and data breach notification rules

AFTER BREACH
INVESTIGATE RAPIDLY UNDER GDPR RULES.

• Gain thorough visibility into activity on the enterprise
• Follow an attacker’s tracks to identify areas of control the attacker had within your organization
• Facilitate root-cause and timeline analysis to determine who did what, when, and where
• Identify and catalog persons and items of interest in a centralized intelligence database to trigger an early warning the next time they are seen
• Determine the full scope of the incident across systems and beyond
• Automatically terminate malicious processes
• Identify and block bad behaviors of known and unknown applications
• Quickly investigate complex incidents to gather evidence and determine next steps
• Focus on the threats that matter. Rather than alerting your entire customer base of a data breach, use Nuix to pinpoint exactly who may have been affected and notify that group “without undue delay”

THE NUIX APPROACH

IDENTIFICATION

Assessing risk is the vital first step to successful GDPR compliance. Nuix can quickly identify the data sets most relevant to GDPR policies by deploying regular expressions to locate data likely to be in scope. Using pattern recognition, the data strings most likely to be an issue are then mapped to specific endpoints, cloud and network storage, third party repositories, and mobile devices. Knowing where your data is located is a critical first step.

Nuix solution: Nuix Lab or Workstation, Nuix Lab with Elasticsearch, Nuix Enterprise Collection Center

INFORMATION MANAGEMENT

Once data is identified, it can be processed, collated, and catalogued for rapid remediation based on criteria such as risk urgency, availability and size. Two sets of processes need to be defined for GDPR to be Always On: one for consumer-led enquiries such as FOI, SAR, and RTBF, and one for breach notifications, both internal and to the regulators. Once the processes are defined, a detailed plan of action can be drawn up for each scenario and tested before it is required ‘live’.

Nuix solution: Nuix Enterprise Collection Center

MONITORING

Establishing an ‘Always On’ capability means GDPR processes drive better data hygiene. Making consumer-led service requests for FOI, SAR, and RTBF business as usual improves customer relations while keeping costs for compliance as low as possible. However, the ‘side’ benefits are even more compelling. These include a stronger capability to detect data exfiltration and close off breach attack vectors, based on real-world vigilance of where personally identifiable data is at all times.

Nuix solution: Nuix Lab, Nuix Enterprise Collection Center, Nuix Adaptive Security


ALWAYS ON VISIBILITY
CONCLUSION - THE BUSINESS CASE FOR ALWAYS ON VISIBILITY

Making information governance core to your organization brings many advantages in terms of business agility and brand security. It also makes good business sense. Alongside the lower costs of management for customer-led queries and an ability to rapidly respond to ad hoc regulatory audits, there is also the ability to avoid unnecessary audits and fines. Plus, you can more easily ensure compliance with a wide variety of regulatory criteria, not just GDPR.

Imagine if you could take steps to protect your brand and reputation, avoid fines, and build a future where data was not just regulated, but assured and protected. Permanently. Globally. Forensically. Or you could roll the dice, but given what’s at stake, would you risk your reputation on an unproven solution?

THERE’S MUCH WE STILL DON’T KNOW ABOUT GDPR:

• HOW ACTIVE WILL CITIZENS BE IN PURSUING THEIR RIGHTS?
• HOW PREPARED ARE ORGANIZATIONS TO COPE WITH GDPR’S DATA DEMANDS?
• HOW STRINGENT WILL THE AUTHORITIES BE ON GDPR VIOLATIONS?


Seeing no evil is no longer a valid excuse for poor data management. The ability to see more and act faster has never been so valuable. When it comes to information governance, nobody cares more than our law enforcement and government agencies. Who do they use to deliver state-of-the-art data protection and produce legally watertight evidence? Nuix. There is one proven, forensics-grade information governance solution out there, used in thousands of successful legal defense and prosecution cases, trusted by regulators and legal teams globally. Nuix. Nuix is the choice of professionals in law enforcement and regulatory compliance because it is the only sure way to move from Visibility to Action and remain Always On.

1. Need to see Nuix in action? Click here to speak to our team and request a demo.

2. Looking for more information? Click here to contact our sales department for more information.

3. Want to find out more about Nuix and GDPR? Check out our on-demand webinar for an overview of how Nuix can help support your organization in preparing for GDPR compliance.

YOU NEED THE ABILITY TO VISUALISE AND ACT. PLEASE CONTACT NUIX TO LEARN MORE

Nuix understands the DNA of data at enormous scale. Our software pinpoints the critical information organizations need to anticipate, detect, and act on cybersecurity, risk, and compliance threats. Our intuitive platform identifies hidden connections between people, objects, locations, and events—providing real-time clarity, control, and efficiency to uncover the key facts and their context.

www.nuix.com EMEA: +44 203 934 1600 USA: +1 877 470 6849 APAC: +61 2 9280 0699