Despite Tough Regulations, Tracking PII Remains an Ongoing Challenge

CyCognito
By CyCognito Staff
Rule Your Risk
December 23, 2020

Global online business practices changed significantly with the introduction of Europe’s General Data Protection Regulation (GDPR) in 2018, widely considered the first data privacy regulation with real teeth and the potential for significant fines. The effects aren’t confined to Europe, because GDPR applies to any organization that offers goods or services to, or monitors the behaviour of, people in the EU, wherever that organization is based.

Despite the potential for extremely stiff fines and reputational damage from data privacy non-compliance or exposures, most enterprises aren’t able to fully comply with GDPR or similar data privacy regulations because they don’t have a good handle on all the places where personally identifiable information (PII) is collected, transmitted, stored or inadvertently exposed across their extended IT ecosystem.

That makes mapping, monitoring and security-testing your extended IT ecosystem a prerequisite for identifying where GDPR-relevant data (or the systems that hold it) may be exposed, and for pinpointing security issues in those assets that could lead to a breach of those systems or that data. A particular challenge for GDPR is the “unknowns,” which CyCognito calls shadow risk. Research (described below) shows that organizations are ignoring much of that risk. To reduce the risk of violating GDPR and other data privacy regulations, your enterprise must continuously discover and test every asset in its attack surface with methods tuned to find unknown, unmanaged and abandoned assets, whether they are on-premises, in the cloud or in subsidiary and third-party environments.

To emphasize the criticality of this approach, let’s take a look at what’s happened since GDPR went into effect in May 2018:

  • The rate at which GDPR non-compliance fines are assessed and the size of the penalties have been steadily increasing, with large corporations based in the U.S. as well as Europe among those facing multimillion-dollar penalties.1, 2
  • “Insufficient technical and organizational measures to ensure information security” is the second most common reason for being fined for a GDPR violation, behind “Insufficient legal basis for data processing.”3
  • Other regions around the globe have enacted or amended similar regulations:
    For example, the California Consumer Privacy Act (CCPA)4 went into effect in January 2020. Like GDPR, it gives consumers more control over the personal information that businesses collect about them:
    • The right to know about the personal information a business collects about them and how it is used and shared;
    • The right to delete personal information collected from them (with some exceptions);
    • The right to opt-out of the sale of their personal information; and
    • The right to non-discrimination for exercising their CCPA rights.
    And 132 out of 194 countries have legislation to secure the protection of data and privacy according to the United Nations Conference on Trade and Development.5 To name a few:
    • Germany’s Bundesdatenschutzgesetz (BDSG), one of the world’s earliest data protection laws, was revised in 2018 to align with GDPR.6
    • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was updated in 2019.7
    • Essential sections of South Africa’s Protection of Personal Information (POPI) Act went into effect in July 2020, with more to follow in 2021.8

Most enterprises have also vastly expanded their IT ecosystems since 2018 through cloud adoption and digital transformation initiatives, and they lack visibility into their entire attack surface, which makes full compliance with data privacy regulations virtually impossible.

For example, as we know from our work with leading enterprises, it is not uncommon for assets of acquired subsidiaries to be unknown and unmanaged even by the subsidiaries themselves, much less by central IT and security teams. And an acquirer can be fined for non-compliance over breaches that occurred before it acquired the company.

Despite the significant consequences of not knowing all the assets in their attack surfaces, most enterprises don’t take a broad enough view of their attack surfaces and related exposures for effective digital risk management. A recent survey of cybersecurity and IT professionals by CyCognito and the Enterprise Strategy Group (ESG) found that more than 45% of respondents do not include SaaS applications, public cloud workloads, and partners/affiliates in their definition of “attack surface.” Yet an abandoned marketing landing page in the cloud can still collect PII or credentials and store them in an unmanaged database; similarly, other unknown, unmanaged or abandoned assets can provide a pathway, via remote servers or external databases, into customer information on an internal network.

What are the implications of all of the above?

Complying with data privacy regulations around the globe, including GDPR, requires that:

  1. You know where the PII is, so that you can share it back or delete it promptly when the data subject requests it.
  2. You know where it might be exposed, so that you can meet post-breach reporting requirements; GDPR, for example, requires notifying the supervisory authority within 72 hours of becoming aware of a breach, and missing defined disclosure deadlines can itself result in substantial fines.
  3. And, it goes without saying, you protect the PII you’ve captured to avoid the breach in the first place, maintain customer trust and protect your brand.

But you can’t protect data you can’t see; nor can you assure customers/citizens and regulatory bodies that your organization is complying with applicable data security laws if you haven’t examined the hidden recesses of your unmanaged, unknown extended attack surface for all the places that PII is being collected, transmitted, stored or inadvertently exposed. 

Obvious locations are:

  • main websites, corporate and subsidiary 
  • known landing pages and marketing microsites

But what about:

  • shadow IT assets
  • unsanctioned cloud deployments 
  • microsites created for you by third-party vendors
  • abandoned servers
  • unknown subsidiary assets 
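As an added illustration of the kind of check such discovery enables (example code written for this page, not CyCognito’s platform code): given pages fetched from hosts turned up by discovery, the script below flags forms that collect PII on hosts missing from the sanctioned inventory, that submit over plain HTTP, or that post to a domain the organization does not own, the abandoned-landing-page case described above included. The inventory, owned-domain list, HTML snippets, PII keyword list and the two-label domain rule are all assumptions constructed for the example.

```python
"""Added example (not CyCognito's code): triage pages fetched from discovered
hosts for forms that collect PII. The host inventory, owned domains and HTML
snippets below are constructed for the example; the PII keyword list and the
two-label domain rule are assumptions a real pipeline would refine."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tokens in a field's name/id/type/autocomplete that suggest personal data (assumed list).
PII_HINTS = {"email", "phone", "tel", "name", "address", "street", "zip",
             "postal", "dob", "birth", "ssn", "passport", "password",
             "card", "iban"}


class FormCollector(HTMLParser):
    """Collect every <form> on a page together with its user-entered input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # bare attributes come through as None
        if tag == "form":
            self._form = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("type", "").lower() in ("hidden", "submit", "button"):
                return  # not user-entered data
            descriptor = " ".join(a.get(k, "") for k in ("name", "id", "type", "autocomplete"))
            tokens = set(descriptor.lower().replace("-", " ").replace("_", " ").split())
            self._form["fields"].append((a.get("name") or a.get("id") or tag, tokens))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption); a real tool would use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def triage(page_url, html, sanctioned_hosts, owned_domains):
    """Return (kind, host, detail) findings for one fetched page."""
    host = urlsplit(page_url).hostname or ""
    findings = []
    if host not in sanctioned_hosts:
        findings.append(("unknown-host", host, page_url))
    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        pii = tuple(name for name, tokens in form["fields"] if tokens & PII_HINTS)
        if not pii:
            continue
        target = urlsplit(urljoin(page_url, form["action"]))  # resolve relative actions
        findings.append(("collects-pii", host, pii))
        if target.scheme == "http":
            findings.append(("pii-over-http", host, target.geturl()))
        if registrable_domain(target.hostname or host) not in owned_domains:
            findings.append(("pii-to-unowned-domain", host, target.hostname))
    return findings


# Constructed sample inputs standing in for an asset inventory and crawl results.
SANCTIONED_HOSTS = {"www.example.com", "careers.example.com"}
OWNED_DOMAINS = {"example.com"}
PAGES = {
    "https://www.example.com/contact": (
        '<form action="/contact" method="post"><input name="full_name">'
        '<input type="email" name="email"><textarea name="message"></textarea>'
        '<input type="submit" value="Send"></form>'),
    # Forgotten 2018 campaign site on a cloud host nobody tracks, posting over plain HTTP.
    "http://promo2018.example-cloud.net/signup": (
        '<form action="http://promo2018.example-cloud.net/api/lead">'
        '<input name="first_name"><input name="last_name"><input type="tel" name="phone">'
        '<input type="hidden" name="campaign" value="q3"></form>'),
    # Sanctioned host whose form hands applicant data to an outside SaaS domain.
    "https://careers.example.com/apply": (
        '<form action="https://forms.thirdparty-saas.io/collect">'
        '<input name="applicant_email"><input type="file" name="resume"></form>'),
    "https://www.example.com/search": '<form action="/search"><input name="q"></form>',
}


def run_all(pages=PAGES, sanctioned=SANCTIONED_HOSTS, owned=OWNED_DOMAINS):
    """Triage every page and return {url: findings}."""
    return {url: triage(url, html, sanctioned, owned) for url, html in pages.items()}


if __name__ == "__main__":
    for url, findings in run_all().items():
        print(url)
        for kind, host, detail in findings:
            print(f"    {kind:<22} {detail}")
```

Run stand-alone it prints the findings per page: the contact form is clean, the search form produces nothing, the forgotten campaign host is reported as unknown, collecting PII, and submitting it over HTTP, and the careers page is reported for sending applicant data to a domain outside the inventory. In practice the page bodies would come from a crawler run against the discovered host list, the keyword list would be tuned to the organization’s own forms, and every unknown-host hit is a candidate for the shadow IT, third-party or subsidiary categories in the list above.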

Regulatory compliance is crucial from a business reputation and a bottom-line perspective. At the best practices level, compliance is a beneficial by-product of effective security processes. The CyCognito platform offers pioneering capabilities so that you can reduce your digital risk and better comply with data privacy regulations. It identifies hidden assets and attack vectors — including locating assets where PII could be inadvertently exposed — across your entire attack surface.

Talk to us to learn more about how we can improve the quality of your security and streamline and improve your compliance initiatives. 

1. https://www.infosecurity-magazine.com/news/carrefour-handed-37-million-gdpr/
2. https://www.nytimes.com/2019/01/21/technology/google-europe-gdpr-fine.html 
3. https://www.enforcementtracker.com/?insights
4. https://oag.ca.gov/privacy/ccpa
5. https://unctad.org/page/data-protection-and-privacy-legislation-worldwide
6. https://en.wikipedia.org/wiki/Bundesdatenschutzgesetz
7. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/
8. https://www.saica.co.za/Portals/0/Technical/LegalAndGovernance/ms_20200622_POPIA_Sections_Commencement.pdf
