Blog

항목을 찾을 수 없습니다.

법에 의한 누출 방지: 2020년 데이터 보호 환경 미리보기

법에 의한 누출 방지: 2020년 데이터 보호 환경 미리보기Default blog imageDefault blog image
31
Oct 2019
31
Oct 2019

From credit card details and medical records, through to private conversations and even dating preferences, the modern consumer entrusts an unprecedented number of organizations with their most sensitive information, hoping against hope that it will be stored on the digital equivalent of Fort Knox.

The reality, however, is that robust data privacy has thus far proven elusive. Almost 13 billion records were breached over the last two years — including from Facebook, Google, and the US Postal Service — demonstrating once again that no network perimeter can keep motivated attackers at bay.

For governments whose principal responsibility is to safeguard their citizens, implementing a strong data protection regime is therefore as challenging as it is critical. At a time when cyber-criminals find vulnerabilities in the most ostensibly airtight systems, these regulators have tended to shy away from mandating concrete security practices, since no one can anticipate which measures will repel the next unpredictable attack. Instead, most data protection laws default to ambiguous calls for “reasonable,” “adequate,” or “appropriate” cyber defenses — language that arguably renders any breached company noncompliant by definition.

While such ambiguity makes prediction pieces like this one speculative to some extent, the coming year will almost certainly witness both an increase in data protection laws around the world as well as a less forgiving interpretation of their requirements. Ultimately, as governments attempt to address growing public concern over data privacy, the mere fact of having suffered a breach could be seen as grounds for significant fines. Avoiding these fines — and doing right by one’s customers — entails assuming that the bad guys will inevitably get past the perimeter.

Figure 1: Noncompliance penalties are only getting larger as the 2020s near. Data source: CSO.

GDPR goes global

The EU’s adoption of the General Data Protection Regulation (GDPR) in April 2016 was the watershed moment in the history of data protection legislation. Its enumeration of individual privacy rights, its 72-hour breach notification requirement, and its broad data protection directives continue to serve as a blueprint for countless others, such as Brazil’s General Data Protection Law (LGPD), Thailand’s Personal Data Protection Act (PDPA), and the California Consumer Privacy Act (CCPA). All three of these regulations become enforceable in 2020, with major ramifications for companies worldwide.

Brazil’s law, which will go into effect on August 15, 2020, is modeled closely after GDPR. Like GDPR, the law applies to all companies that handle the personal data of any of Brazil’s 210 million residents — regardless of where these companies themselves are headquartered. Also like GDPR, of course, the LGPD’s security clauses are open to interpretation. The law compels data handlers to “adopt security, technical, and administrative measures able to protect personal data from unauthorized access,” taking into account “the current state of technology.”

The PDPA in Thailand — effective starting on May 27, 2020 — is similarly vague in mandating unspecified security measures. It parts company, however, in that violators face the possibility of criminal prosecution and even imprisonment for up to one year, in addition to civil damages. Organizations classified as Critical Information Infrastructure (CII), including banks, telecoms, utilities, and hospitals, are regulated under Thailand’s separate Cybersecurity Act and its slightly more detailed obligations.

Figure 2: New GDPR-inspired laws like Brazil’s will turn this map increasingly blue. Image source: DLA Piper.

In California, meanwhile, the CCPA will enforce noncompliance penalties of up to $750 per consumer per incident beginning on the first day of 2020, which could result in multibillion-dollar fines in the case of large-scale breaches. Such precise provisions indicate that GDPR-style legislation is more than a symbolic step toward data protection. And yet, as of August 2019, only 2% of companies reported that they were fully compliant with CCPA, perhaps because, according to a state-commissioned study, California firms will be forced to shell out $55 billion on just their initial compliance efforts.

Checkmate for checkbox compliance

Between the hundreds of data protection fines levied under GDPR and analogous laws, the common thread is that penalized companies are deemed to have suffered a preventable breach. For instance, in the aftermath of the 2017 Equifax compromise that exposed the personal information of more than 140 million consumers, the company was found to have been in violation of the FTC Safeguards Rule, which compelled it to adopt security measures “appropriate to [the] size and complexity” of its digital infrastructure. The US government concluded that the incident was “entirely preventable” had Equifax performed a “routine” security update on the impacted database — an oversight that precipitated at least $1.4 billion in total damages.

However, a closer inspection reveals challenges far deeper than just a simple oversight. Equifax did indeed scan its network for vulnerabilities, but the automated scanner it used was not properly configured to search all of its assets. The truth is that these kinds of misconfigurations and blind spots are a symptom of the conventional approach to cyber security itself, an approach reliant on humans to adjust and monitor a vast array of siloed security tools. In the context of cloud environments designed to be dynamic and IoT devices that are often unbeknownst to the security team, there is nothing routine about defending the “size and complexity” of the modern enterprise.

The upshot of all these new laws, requirements, and fines is that the days of mere checkbox compliance are over. Breached companies can no longer throw up their hands and point to the list of perimeter security tools they had in place, particularly because attackers largely exploit user errors and misconfigurations that — while inevitable — also appear preventable in a vacuum. Rather, to achieve compliance in 2020, human teams need artificial intelligence to make sense of their dynamic digital estates. By learning how each unique user and device normally functions while ‘on the job’, such Cyber AI detects threats that are already inside the perimeter — before they cost the company in court.

More in this series:

항목을 찾을 수 없습니다.

Like this and want more?

Receive the latest blog in your inbox
감사합니다! 제출되었습니다!
양식을 제출하는 동안 문제가 발생했습니다.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
저스틴 파이어
SVP, Red Team Operations

Justin is one of the US’s leading cyber intelligence experts, and holds the position of SVP, Red Team Operations at Darktrace. His insights on cyber security and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years’ experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

USE CASES
항목을 찾을 수 없습니다.
PRODUCT SPOTLIGHT
항목을 찾을 수 없습니다.
COre coverage
항목을 찾을 수 없습니다.
This Article
법에 의한 누출 방지: 2020년 데이터 보호 환경 미리보기
Share
Twitter logoLinkedIn logo

Related Articles

항목을 찾을 수 없습니다.

귀하의 비즈니스에 좋은 소식입니다.
나쁜 사람들에게 나쁜 소식입니다.

무료 평가판 시작

무료 평가판 시작

유연한 배송
가상환경에 설치하거나 하드웨어에 설치할 수 있습니다.
빠른 설치
설치하는 데 1 시간 밖에 걸리지 않으며 이메일 보안 평가판의 경우 더 적게 걸립니다.
여정 선택
클라우드, 네트워크 또는 이메일을 포함하여 가장 필요한 곳 어디에서나 셀프 러닝 AI를 사용해 보십시오.
약정 없음
Darktrace Threat Visualizer 및 세 개의 맞춤형 위협 보고서에 대한 모든 액세스 권한이 있으며 구매 의무는 없습니다.
For more information, please see our Privacy Notice.
감사합니다! 제출되었습니다!
양식을 제출하는 동안 문제가 발생했습니다.

Get a demo

유연한 배송
가상환경에 설치하거나 하드웨어에 설치할 수 있습니다.
빠른 설치
설치하는 데 1 시간 밖에 걸리지 않으며 이메일 보안 평가판의 경우 더 적게 걸립니다.
여정 선택
클라우드, 네트워크 또는 이메일을 포함하여 가장 필요한 곳 어디에서나 셀프 러닝 AI를 사용해 보십시오.
약정 없음
Darktrace Threat Visualizer 및 세 개의 맞춤형 위협 보고서에 대한 모든 액세스 권한이 있으며 구매 의무는 없습니다.
감사합니다! 제출되었습니다!
양식을 제출하는 동안 문제가 발생했습니다.