The EU General Data Protection Regulation (GDPR) and the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) represent a landmark change in the global data protection space. While they originate in different countries and apply to different organizations, their primary message is the same:
Protect your data, or pay a steep price. More specifically, protect the sensitive data you collect from customers.
With deadlines looming, is your organization ready?
The time to act is now. Read more to learn:
--Key mandates and minimum requirements for compliance
--Why a comprehensive data-centric security strategy is invaluable to all data protection and data privacy efforts
--How you can gauge your organization’s incident response capabilities
--How to extend your focus beyond the organization’s figurative four walls to ensure requirements are met throughout your supply chain
The first New York requirements deadline has arrived. With the next deadline for mandates only 6 months away, you don't want to fall behind and leave your organization at risk of potential penalties and fines.
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
1. EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS: 3 KEYS TO SUCCESS
2. Sponsored by Forsythe (www.forsythe.com)
Forsythe is a leading enterprise IT company, providing advisory services, security, hosting and technology solutions for Fortune 1000 organizations. Forsythe helps clients optimize, modernize and innovate their IT to become agile, secure, digital businesses.
3.
4. IN TODAY’S DIGITAL WORLD, WE ARE ALL “DATA SUBJECTS”
Threats are increasing as technologies distribute sensitive data farther across locations, devices, and repositories.
Critical aspects of our lives are determined by the data that is held about us.
5. CYBERCRIME IS A GROWTH INDUSTRY
According to Gemalto, 1,792 data breaches led to almost 1.4 billion data records being compromised worldwide during 2016, an increase of 86 percent compared to 2015. That’s nearly 4 million records stolen per day, 157,364 per hour and 2,623 per minute.
6. EU GDPR AND NY DATA PROTECTION AND PRIVACY REQUIREMENTS ARE USHERING IN A NEW ERA OF ACCOUNTABILITY
Protect your data, or pay a steep price. More specifically, protect the sensitive data you collect from customers.
7. HOW FAR ALONG DO YOU THINK YOUR ORGANIZATION IS IN ITS COMPLIANCE PLAN?
Ask yourself:
a) Beginning stages
b) Well underway
c) Fully compliant
d) Not sure
8. EU GDPR MANDATES
Fines: Companies that violate certain provisions—such as the basic processing principles or the rules relating to cross-border data transfers—may face fines amounting to four percent of the company’s annual gross revenue, and up to two percent for violations such as failing to meet the breach notification rule.
Right to be Forgotten: A “right to erasure”, also known as the “right to be forgotten,” gives a data subject the right to order a data controller/organization to erase any of their personal data in certain situations. Data controllers will be required to erase personal data “without undue delay” when the data is no longer necessary in relation to the purposes for which it was gathered or processed.
Data Protection Officer (DPO): Companies whose “core activities” involve large-scale processing of “special categories” of data—information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, health or sexual orientation—need to designate a data protection officer. Companies that collect some of this information strictly for internal human resources purposes may also be subject to this requirement.
Breach Notification: A single data breach notification requirement is applicable across the EU. The rule requires data controllers to notify the appropriate supervisory authority of a personal data breach within 72 hours of learning about it.
9. NY CYBERSECURITY MANDATES
Program and Policy: Establishment and adoption of a cybersecurity policy and program, including adequate funding and staffing, a CISO, cybersecurity awareness training, limitations on data retention, and periodic reporting to the most senior governing body of the organization.
Security Controls: Risk-based minimum standards for technology systems, including access controls such as multi-factor authentication, data protection (including encryption or an alternate CISO-approved compensating control), and vulnerability assessment/penetration testing.
Data Breach Response: Adherence to minimum standards for addressing data breaches, including incident response plans, the preservation of data for investigations, and notice to DFS of material events within 72 hours. Additionally, organizations need to maintain audit trails for the reconstruction of financial transactions and cybersecurity incidents.
Maintaining Accountability: Identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance. Additionally, organizations need to implement written policies and procedures designed to ensure the privacy and security of information systems and sensitive data accessible to third-party providers.
11. ONE: DATA-CENTRIC SECURITY
The development of a data-centric security program is invaluable to all data protection and data privacy efforts.
12. DATA DISCOVERY
--Determine where and what type of data is stored
--Continuous process to provide visibility, outline risk, and validate employee role assignment
--Confirm awareness level and policy compliance, as well as enhancement
Many organizations don’t even know where their sensitive information is, which makes it extremely difficult to comply with requirements such as the GDPR “right to be forgotten”.
13. CLASSIFICATION
--Policy
--Data handling procedures
--Report/detect/protect
--IR/forensics
--Risk-based approach
--Identify business owners
Data classification policies and tools facilitate the separation of valuable information that may be targeted from less valuable information.
14. ENCRYPTION STRATEGIES
--Consider SSL decryption at gateway points of access
--Data-in-motion
--Data-at-rest
--Data-in-use
End-to-end encryption maximizes data protection regardless of whether the data is in a public or private cloud, on a device, or in transit. It can be invaluable in the effort to combat advanced threats, protect against IoT-enabled breaches, and maintain regulatory compliance.
15. IDENTITY MANAGEMENT
--Directory unification
--Access management
--Federation, privileged access
--Access governance and authentication
The NY requirements specify the use of multi-factor, risk-based authentication “for any individual accessing the Covered Entity's internal networks from an external network (500.12)” and as a means for protecting sensitive data. Multi-factor solutions and services can help.
16. TWO: INCIDENT RESPONSE
The GDPR and NY requirements contain 72-hour data-breach notification mandates.
17. IS YOUR ORGANIZATION READY TO RESPOND TO INCIDENTS WITHIN STRICT TIMELINES?
Ask yourself:
a) Yes
b) No
c) Not sure
18. QUESTIONS TO CONSIDER
1. Are employees aware of what constitutes an incident to begin with, and how to report and manage an incident?
2. Have you optimized the tools you’re using today to protect against and detect incidents?
3. Has your program been updated and tested to support today’s cyber threats and compliance with breach notification requirements?
4. Do you have the tools and relationships in place to accelerate your response to a serious security incident for containment and public management?
5. Does your plan include considerations for retaining forensic and PR firms that directly align to your cybersecurity insurance policy?
19. THREE: THIRD-PARTY RISK
Third parties can present your greatest area of risk exposure.
20. THIRD PARTY RISK PROGRAM ELEMENTS
--Map your data. Understand which third parties have access to data, what categories of data they have, and what they are doing with it. Make sure you collect only the minimum amount of personal data required for the product or service, and review legal grounds for collection and processing.
--Ensure you have appropriate budget and resources allocated for completing assessments of third parties, and for remediation projects.
--Review your contracts to ensure they are compliant with both regulatory mandates (GDPR contains requirements for contracts with data processors, as well as between data controllers) and with your own security policies.
--Complete assessments of all third parties that have access to, handle or touch your client/personal data to ascertain their awareness of specific requirements, and to ensure that they have appropriate technical and organizational measures in place to comply.
--Ensure third parties are scored based on risk-assessment results and other due diligence. For high-risk third parties, identify audit partners for the assessment of processes, and set the scope of remediation programs and ongoing monitoring requirements.
21. PEOPLE, PROCESS, TECHNOLOGY
PEOPLE
--Adhere to regulation-specific staffing requirements, such as GDPR’s DPO and NY’s CISO (drives accountability)
--Education and awareness
--Changing behaviors around the collection and use of data
--Establishing appropriate consent controls
--Ensure suitable technical (security analysts, IR team) and non-technical (business leadership, legal, PR) staff is in place and is trained appropriately
PROCESS
--Perform risk assessment (utilizing a framework like NIST, ISO, etc.)
--Identify and manage collection of sensitive data
--Set processing/dissemination rules
--Ensure means to address inquiries and adhere to 72-hour notification requirements
--Establish data lifecycle management (inventory, classify, track the movement of, and dispose of, data)
--Set IR processes (preparation, detection/reporting, triage/analysis, containment/neutralization and post-incident activity)
--Develop third-party risk program
TECHNOLOGY
--Visibility (identify data and its location: endpoint, DB/shares, cloud, structured/unstructured)
--Analytics (when, where, and how data is moving)
--Data protection tools (discovery, classification, DLP, encryption, IAM, CASB, and gateway controls)
--Detection tools (IDS/IPS, NGFW, UEBA)
--Containment tools: Endpoint Detection and Response, and forensics tools
--Third-party risk and security scoring tools
22. “WE’RE ALL GOING TO HAVE TO CHANGE THE WAY WE THINK ABOUT DATA PROTECTION.”
— Elizabeth Denham, UK Information Commissioner
25. Authors:
David O’Leary, Director, Forsythe Security Solutions
Thomas Eck, Director, Forsythe Security Solutions
Alex Hanway, Product Marketing Manager, Gemalto