BalaBit blog


EU Data Protection Directive – How could a single regulation boost transparency in IT security?

Wednesday, February 1, 2012 @ 01:02 PM Author: Scheidler Balázs

Background

On 25 January 2012, the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy. Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much-needed boost to growth, jobs and innovation in Europe.

The Commission’s proposals are passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. They will take effect two years after they have been adopted.

Source: European Commission Justice

Which changes will affect IT Security professionals?

“Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.”

Overall, the EU Data Protection Directive can be a milestone in boosting the transparency of IT security at organizations, much as the compliance regulations that followed the Enron case were. If adopted, the new directive could change how IT security policies are implemented: the current focus on passing audits could shift towards a deeper integration of IT security processes into business processes.

“‘Privacy by design’ and ‘privacy by default’ are principles that would need to be integrated into business processes. This means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-protecting default settings, for example in social networks, should be the norm.” Source: How will the EU’s data protection reform benefit European businesses?

In the past few years, companies have separated the compliance department from the IT security team to make sure they were well prepared for audits: they purchased the necessary IT tools and reported all the required data. Organizations spent an increasingly large share of their IT budgets on passing audits, but did not focus enough on taking advantage of these investments and did not reuse them for other IT security or maintenance purposes. An organization could pass an audit even though its private data may already have been lost. If the EU Data Protection Directive is adopted, supervision would focus on whether security incidents occur, rather than on whether audits are passed. The separate compliance and IT security departments, together with the existing or newly appointed independent data protection officer, could then harmonize their workflows and raise the level of security. A further positive effect could be the greater acceptance of the IT security department within the organization.

“For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).”

Being able to answer the question of “who did what” in your IT system (in real time!) is becoming more important than ever. Although there is no definition yet of “serious data breaches”, organizations should be aware that both the type and the number of lost privacy records could be considered in the definition. “As soon as possible” basically means as soon as the organization is informed about a data breach – but at what point is it informed, and who should be informed first: the system administrator, the IT manager, the data protection officer or the head of the company? Or perhaps the outsourced service provider who maintains the IT system? Preferably all of them at the same time, thanks to monitoring tools. Real-time detection of incidents, both internal and external, is important, but the key area is monitoring privileged users’ activity, as they have access to most of the sensitive company data. Monitoring tools will be required to control access and to guarantee that the recorded activities cannot be subsequently modified or cleared. For instance, Shell Control Box, BalaBit’s activity monitoring tool, helps find the source of a security incident, so that organizations can learn from their previous “mistakes” and correct them – which is what the new directive aims to achieve.

“if feasible within 24 hours” – The stress is on “if”. According to the latest Verizon 2011 Data Breach Investigations Report, organizations allow a security breach to exist for weeks, months and even years before realizing they have been compromised. There are always higher priorities than investigating small, seemingly unlikely incidents. With the new directive, companies are forced to change this attitude, at least in the case of private data loss. As logging and log management are the basis of every monitoring method, technologies with high speed and zero message loss, like syslog-ng, will come to the fore. Encrypting log files, in which companies store usernames, passwords and other sensitive company data, is also key to preventing data loss: an encrypted file, even if lost for any reason, cannot be decrypted easily. The High-Speed Reliable Logging (HSRL) version of syslog-ng is able to handle up to 650,000 log messages per second.
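The two paragraphs above make one technical demand of a monitoring tool: a record of “who did what” that cannot be subsequently modified or cleared, built on a log pipeline that loses nothing. The following is an added example, not BalaBit’s, Shell Control Box’s or syslog-ng’s code, of the usual way to get that tamper evidence in software: each activity record carries a keyed digest (HMAC) over its own content, its sequence number and the digest of the previous entry, and the digest of the newest entry (the checkpoint) is stored on a separate, access-controlled system. Editing, reordering, deleting or truncating the stored entries then breaks the chain at verification time. The signing key, the sample privileged-user records and the tampering scenarios are all constructed for the example.

```python
"""Tamper-evident "who did what" audit trail built from HMAC-chained entries.

Added example, not code from the original post or from any BalaBit product.
Assumes: the signing key is held on the collector (or an HSM), not on the
monitored host, so a privileged user there cannot recompute the digests.
"""
import hashlib
import hmac
import json
from copy import deepcopy

SIGNING_KEY = b"hypothetical-audit-signing-key"  # placeholder, not a real key
GENESIS = "0" * 64  # chain anchor used as the "previous digest" of entry 0


def _mac(prev_mac, seq, record):
    """Keyed digest binding a record to its position and to the previous entry."""
    payload = f"{prev_mac}|{seq}|".encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log, record):
    """Append one activity record; returns the new checkpoint (digest of the last entry).

    The checkpoint is what you forward to an independent store after each write."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "record": record, "mac": _mac(prev, len(log), record)}
    log.append(entry)
    return entry["mac"]


def verify_log(log, checkpoint):
    """Walk the chain and compare its head with the independently stored checkpoint.

    Returns (ok, reason). Detects edited, reordered, deleted and truncated entries."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, f"sequence gap at position {i}"
        if not hmac.compare_digest(entry["mac"], _mac(prev, i, entry["record"])):
            return False, f"entry {i} modified or reordered"
        prev = entry["mac"]
    if not hmac.compare_digest(prev, checkpoint):
        return False, "log truncated: last entry does not match stored checkpoint"
    return True, "ok"


# Constructed sample of privileged-user activity (not real data).
SAMPLE_RECORDS = [
    {"ts": "2012-02-01T13:02:10Z", "user": "dba01", "host": "db-prod-1",
     "action": "SELECT * FROM customers"},
    {"ts": "2012-02-01T13:04:55Z", "user": "dba01", "host": "db-prod-1",
     "action": "export customers table to /tmp/customers.csv"},
    {"ts": "2012-02-01T13:05:30Z", "user": "root", "host": "db-prod-1",
     "action": "copy /tmp/customers.csv to removable media"},
]


def build_sample_log():
    """Return (log, checkpoint) for the constructed sample activity."""
    log, checkpoint = [], GENESIS
    for rec in SAMPLE_RECORDS:
        checkpoint = append_entry(log, rec)
    return log, checkpoint


def tamper_modify(log):
    """Scenario: the command recorded in entry 1 is rewritten after the fact."""
    bad = deepcopy(log)
    bad[1]["record"]["action"] = "ls /tmp"
    return bad


def tamper_delete_last(log):
    """Scenario: the newest entry is cleared from the file."""
    return deepcopy(log)[:-1]


def tamper_delete_middle(log):
    """Scenario: an entry in the middle of the trail is removed."""
    bad = deepcopy(log)
    del bad[1]
    return bad


if __name__ == "__main__":
    log, cp = build_sample_log()
    print("intact:   ", verify_log(log, cp))
    print("modified: ", verify_log(tamper_modify(log), cp))
    print("truncated:", verify_log(tamper_delete_last(log), cp))
    print("gap:      ", verify_log(tamper_delete_middle(log), cp))
```

The chain alone cannot reveal that the newest entries were cleared, which is why the checkpoint must leave the host: a remote collector that receives every entry (the zero-message-loss property the paragraph asks of syslog-ng) is the natural place to keep it. Confidentiality of the stored records is a separate concern and is not covered here; the example only shows integrity.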

“Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.”

Companies that operate in multiple EU countries could reduce their administrative costs and avoid developing separate custom-made reports and applications for each country. It could also reduce maintenance costs, and processes could be automated further, which results in a safer environment in the long term.