
Website Blindspots Show GDPR is a Global Game Changer

One of the less publicized features of the European General Data Protection Regulation (GDPR) is that US companies can be held liable even if they do not actively trade with Europe. This is because the regulation is about the collection and storage of European personal information, not about business.


Any U.S. company that operates a website that collects user information (a log-in form, or perhaps a subscription application) could unwittingly collect protected European PII. That makes the company liable — there are GDPR requirements over how it is collected (including explicit user consent, secure collection, and limitations on what is collected). Whether European regulators could do anything about that liability if the US company has no physical presence in Europe is a different matter.

Nevertheless, this highlights an area that is not well covered by the many reports that warn about GDPR, point to the lack of business preparedness, and offer solutions. IT and security teams are usually more aware of where data is stored and how it is processed than of where and how it is collected.

Research from RiskIQ published in June 2017 showed the potential extent of this blind-spot — even with European organizations. The research found that 34% of all public web pages of FTSE 30 companies capturing personally identifiable information (PII) are in danger of violating GDPR by doing so insecurely.

It further found that these organizations have an average of 3,315 live websites; and that from these websites there is an average of 440 pages that collect PII per company. Thirty-four percent of these are insecure; 29% do not use encryption; and 3.5% are using old, vulnerable encryption algorithms.

It is even worse in the U.S. RiskIQ researched 25 of the 50 largest U.S. banks and found a per-organization average of 1,891 insecure login forms; 1,663 pages collecting PII insecurely; 1,326 EU first-party cookie violations; and 1,265 EU third-party cookie violations.

“GDPR is a global game changer that will pull the rest of the world toward setting a higher bar for protecting PII,” comments Jarad Carleton, principal consultant, Digital Transformation, Frost & Sullivan Cybersecurity Practice. “However, to be compliant, you first need to know where PII is being collected, so proper process controls can be put around that data.”

The problem is so extensive for larger organizations that, with little over six months to go, compliance in this area will be difficult to achieve.


“PII discovery, inventory, and compliance assessment is one of the major tasks for GDPR project teams,” warns Lou Manousos, CEO of RiskIQ. “In our experience, most security and compliance teams have only partial visibility of the websites owned by their organization. They are left to engage users across the business in an effort to uncover them. And once they have compiled that list, inspecting tens of thousands of web pages is labor intensive and prone to error.” 

The solution will require some degree of automation — and to that end RiskIQ has this week announced the addition of explicit GDPR compliance functionality to its Digital Footprint product.

RiskIQ Digital Footprint’s new PII/GDPR analytics feature, says the company, helps expedite compliance during the initial and subsequent GDPR audit processes by actively identifying websites belonging to an organization, as well as highlighting issues with specific pages that collect PII. GDPR, coming into effect in May of 2018, applies to all organizations that actively engage with EU citizens — even if they have no physical presence in the EU.

The product discovers, creates and assesses an interactive inventory of public-facing web assets. It highlights the pages that collect personal information through login forms, data collection forms, and persistent cookies. In short, it automates the process of finding GDPR web-based violations to enable more rapid and complete violation remediation. 
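As an added example (not RiskIQ's product or code, and not part of the original article), the following Python script shows the kind of check such a web-asset inventory performs: it parses each page for forms whose fields look like they collect personal data, flags pages and form targets that are not served over HTTPS, and classifies persistent cookies as first- or third-party so they can be reviewed for consent. The URLs, HTML fragments and Set-Cookie headers are constructed sample data; checking the TLS version and cipher suite of a live server is out of scope here.

```python
"""Minimal PII-collection inventory over a set of web pages (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Substrings in an <input name> that suggest the field captures personal data (hypothetical list)
PII_NAME_HINTS = ("pass", "email", "phone", "tel", "address", "name", "birth")
PII_INPUT_TYPES = {"password", "email", "tel"}


class FormCollector(HTMLParser):
    """Collects every <form> on a page together with the <input> fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes arrive as None
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"type": a.get("type", "text").lower(), "name": a.get("name", "").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collects_pii(form):
    """True if any field in the form looks like it captures personal data."""
    return any(i["type"] in PII_INPUT_TYPES or any(h in i["name"] for h in PII_NAME_HINTS)
               for i in form["inputs"])


def parse_set_cookie(header):
    """Split a Set-Cookie header into (cookie name, {attribute: value}) with lower-cased keys."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def assess_page(url, html, set_cookie_headers):
    """Return a list of (code, detail) findings for one page; an empty list means nothing flagged."""
    findings = []
    page = urlparse(url)
    parser = FormCollector()
    parser.feed(html)
    pii_forms = [f for f in parser.forms if collects_pii(f)]

    # A PII-collecting page or form target that is not HTTPS is the "insecure collection" case
    if pii_forms and page.scheme != "https":
        findings.append(("PAGE_NOT_HTTPS", url))
    for f in pii_forms:
        target = urlparse(urljoin(url, f["action"]))  # relative actions resolve against the page
        if target.scheme != "https":
            findings.append(("FORM_ACTION_NOT_HTTPS", target.geturl()))

    # Persistent cookies are surfaced for consent review, split by first- vs third-party domain
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "expires" not in attrs and "max-age" not in attrs:
            continue  # session cookie, not persistent
        domain = attrs.get("domain", "").lstrip(".").lower()
        host = page.hostname or ""
        first_party = not domain or host == domain or host.endswith("." + domain)
        code = "PERSISTENT_FIRST_PARTY_COOKIE" if first_party else "PERSISTENT_THIRD_PARTY_COOKIE"
        findings.append((code, name))
    return findings


def inventory(pages):
    """Map each page URL to its findings, i.e. the inventory a compliance team would review."""
    return {url: assess_page(url, html, cookies) for url, html, cookies in pages}


# Constructed sample pages: (URL, HTML body, list of Set-Cookie response headers)
SAMPLE_PAGES = [
    ("http://login.example.com/signin",
     '<form action="/auth" method="post"><input name="user"><input type="password" name="pw"></form>',
     ["session=abc123; Path=/; HttpOnly",
      "track=1; Domain=.ads.example.net; Max-Age=31536000"]),
    ("https://www.example.com/contact",
     '<form action="https://www.example.com/submit"><input type="email" name="email"></form>',
     ["pref=en; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=example.com"]),
    ("https://www.example.com/about", "<p>No forms here.</p>", []),
]

if __name__ == "__main__":
    for url, findings in inventory(SAMPLE_PAGES).items():
        print(url, findings or "OK")
```

In a real crawl the HTML and headers would come from fetching each discovered asset; the checks themselves stay the same. The login page above produces three findings (plain-HTTP page, plain-HTTP form target, persistent third-party cookie), the contact page one (a persistent first-party cookie to record consent for), and the static page none.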

“The new PII/GDPR analytics feature in RiskIQ Digital Footprint automates the once cumbersome and often inaccurate process of ongoing website PII discovery and assessment, helping to more efficiently support compliance obligations for large enterprises and multinational organizations,” says Carleton.

RiskIQ’s PII/GDPR analytics feature is immediately available and is included as part of its Digital Footprint Enterprise solution.

San Francisco, Calif.-based RiskIQ raised $30.5 million in Series C funding led by Georgian Partners in November 2016, bringing the total raised by the firm to $65 million.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
