For companies doing business in the European Union, the pain of a data breach just got more intense. As of last month, enterprises with operations in any of the 28 member nations now have a 24 hour window in which they must alert those who could be affected by lost, stolen or misused information. No more weeks-long investigations before going public. No more months-long periods in which to identify fixes before admitting fault. Businesses in Europe now get a single day in which to figure out what went wrong, who could be hurt by it, and how they will prevent it from happening again.
With that kind of stringent reporting regulation on the books, it's hard to imagine why any electronic communication service companies (ECSCs) would fail to do everything possible to avoid security breaches. The proposed EU General Data Protection Regulation (GDPR) raises the stakes even higher. It's pretty clear that businesses will bear some of the fallout from public outcry over the mass-scale NSA leak and the UK's GCHQ involvement. The choice organisations face now is whether to invest in prevention or suffer the consequences of data loss in the face of new regulations and potential litigation.
The new and proposed rules present even greater challenges for organisations that don't already have systems in place to help them comply. The most capable of these solutions wrap each file in a layer of security to ward off loss or theft regardless of where information travels. Not only does this approach protect sensitive data, intellectual property and customers' personal information, but it also saves companies from the revenue losses that accompany highly publicised security breaches. Those losses will be inevitable with the new regulation, which ensures not only publicity after a breach, but rapid publicity.
In its recent study, "The Risk of Regulated Data on Mobile Devices," The Ponemon Institute found that more than half of the respondents had already experienced an average of five data breach incidents involving the loss or theft of a mobile device containing regulated data. Of the 798 IT and IT security practitioners included in the survey, respondents saw numerous areas of risk related to regulated data, including mobile devices, cloud computing infrastructure and applications.
Yet, a disturbingly small number reported a full understanding of the size of the risk. A mere 19 per cent said their organisations know how much regulated data is on mobile devices, and only 16 per cent knew how much resides in cloud-based file-sharing applications.
If you take this lack of knowledge and combine it with a lack of file security, a plethora of employee-owned and operated devices, and the widespread use of commercial-grade file-sharing services, it is little wonder that the response to data leaks is intensifying. The best way to manage new and proposed regulations in Europe – and to avoid the associated costs in fines and reputation loss – is to implement adequate security protocols. The time to act is before any security breach occurs, not afterward, when organisations will be forced to make hasty and public disclosures.
Moti Rafalin is the co-founder and CEO of WatchDox, a provider of secure access, file sync and collaboration solutions that enable the confidential sharing of important or sensitive documents in an easy and secure way.