Website Blindspots Show GDPR is a Global Game Changer

One of the less publicized features of the European General Data Protection Regulation (GDPR) is that US companies can be held liable even if they do not actively trade with Europe. This is because the regulation governs the collection and storage of Europeans' personal data, not commercial activity with Europe.

Any U.S. company that operates a website that collects user information (a log-in form, or perhaps a subscription application) could unwittingly collect protected European PII. That makes the company liable — there are GDPR requirements over how it is collected (including explicit user consent, secure collection, and limitations on what is collected). Whether European regulators could do anything about that liability if the US company has no physical presence in Europe is a different matter.

Nevertheless, this highlights an area that is not well covered by the many reports that warn about GDPR, document the lack of business preparedness, and offer solutions: the point of collection. IT and security teams are usually more aware of where data is stored and how it is processed than they are of where and how it is collected.

Research from RiskIQ published in June 2017 showed the potential extent of this blind-spot — even with European organizations. The research found that 34% of all public web pages of FTSE 30 companies capturing personally identifiable information (PII) are in danger of violating GDPR by doing so insecurely.

It further found that these organizations have an average of 3,315 live websites; and that from these websites there is an average of 440 pages that collect PII per company. Thirty-four percent of these are insecure; 29% do not use encryption; and 3.5% are using old, vulnerable encryption algorithms.

It is even worse in the U.S. RiskIQ researched 25 of the 50 largest U.S. banks and found a per-organization average of 1,891 insecure login forms; 1,663 pages collecting PII insecurely; 1,326 EU first-party cookie violations; and 1,265 EU third-party cookie violations.
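What "insecure" means in these figures is concrete enough to check mechanically: a form that takes a password or e-mail address but posts to a plain-http URL, a cookie that persists without the Secure and HttpOnly attributes, or a TLS endpoint that still negotiates a legacy protocol or cipher. The following is an added illustration of such a check, written for this article and not RiskIQ's own logic; the pages, cookie headers and TLS values are constructed, and the field-name hints and weak-cipher markers are heuristics chosen here, not anything the article specifies.

```python
"""Flag web pages that collect personal data without transport protection.

Added example for this article, not RiskIQ's code. Offline: runs over
constructed HTML, Set-Cookie headers and TLS parameters embedded below.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Input types and name fragments that usually indicate personal data (assumption).
PII_INPUT_TYPES = {"password", "email", "tel"}
PII_NAME_HINTS = ("user", "email", "name", "phone", "address", "passw", "dob", "ssn")

# What ssl.SSLSocket.version() / cipher()[0] would report for a weak endpoint (assumption).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


class FormCollector(HTMLParser):
    """Collect every <form> on a page with its action and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((a.get("type") or "text").lower(), (a.get("name") or "").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collects_pii(fields):
    """True if any field looks like it carries personal data."""
    return any(t in PII_INPUT_TYPES or any(h in n for h in PII_NAME_HINTS) for t, n in fields)


def audit_page(page_url, html, set_cookie_headers=()):
    """Return a list of finding strings for one page (empty list means clean)."""
    findings = []
    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not collects_pii(form["fields"]):
            continue
        target = urljoin(page_url, form["action"])  # relative actions inherit the page scheme
        scheme = urlparse(target).scheme
        if scheme != "https":
            findings.append(f"PII form submits over {scheme or 'unknown'}: {target}")
        elif urlparse(page_url).scheme != "https":
            # The POST is encrypted, but the form itself can be rewritten in transit.
            findings.append(f"PII form on http page (injectable): {page_url}")
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        attrs = [p.strip().lower() for p in header.split(";")[1:]]
        persistent = any(p.startswith(("expires=", "max-age=")) for p in attrs)
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if persistent and missing:
            findings.append(f"persistent cookie {name!r} missing {', '.join(missing)}")
    return findings


def assess_tls(version, cipher_name):
    """Classify a negotiated protocol/cipher pair; values are assumed ssl-module strings."""
    issues = []
    if version in WEAK_PROTOCOLS:
        issues.append(f"legacy protocol {version}")
    if any(m in cipher_name for m in WEAK_CIPHER_MARKERS):
        issues.append(f"weak cipher {cipher_name}")
    return issues


# Constructed sample: (page URL, HTML body, Set-Cookie headers). Not real sites.
SAMPLE_PAGES = [
    ("http://www.example-bank.test/login",
     '<form action="/do-login" method="post"><input name="username">'
     '<input type="password" name="pw"></form>',
     ["session=abc; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT"]),
    ("https://www.example-bank.test/newsletter",
     '<form action="https://www.example-bank.test/subscribe"><input type="email" name="email"></form>',
     ["pref=dark; Path=/; Max-Age=31536000; Secure; HttpOnly"]),
    ("https://www.example-bank.test/search",
     '<form action="/search"><input type="text" name="q"></form>', []),
]


def audit_all(pages=SAMPLE_PAGES):
    """Map each page URL to its findings."""
    return {url: audit_page(url, html, cookies) for url, html, cookies in pages}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url, findings or "clean")
    print(assess_tls("TLSv1", "RC4-SHA"))
```

On the constructed sample, the login page yields two findings (a password form posting over http, and a persistent session cookie lacking Secure and HttpOnly) while the newsletter and search pages are clean. In practice the HTML and headers would come from a crawl of the inventory the article describes, and the TLS values from an `ssl`-wrapped connection to each host; the parsing and classification do not change.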

“GDPR is a global game changer that will pull the rest of the world toward setting a higher bar for protecting PII,” comments Jarad Carleton, principal consultant, Digital Transformation, Frost & Sullivan Cybersecurity Practice. “However, to be compliant, you first need to know where PII is being collected, so proper process controls can be put around that data.”


The problem is so extensive for larger organizations that, with little over six months to go before GDPR takes effect, compliance in this area will be difficult to achieve.

“PII discovery, inventory, and compliance assessment is one of the major tasks for GDPR project teams,” warns Lou Manousos, CEO of RiskIQ. “In our experience, most security and compliance teams have only partial visibility of the websites owned by their organization. They are left to engage users across the business in an effort to uncover them. And once they have compiled that list, inspecting tens of thousands of web pages is labor intensive and prone to error.” 

The solution will require some degree of automation — and to that end RiskIQ has this week announced the addition of explicit GDPR compliance functionality to its Digital Footprint product.

RiskIQ Digital Footprint's new PII/GDPR analytics feature, says the company, helps expedite compliance during the initial and subsequent GDPR audit processes by actively identifying websites belonging to an organization, as well as highlighting issues with specific pages that collect PII. GDPR, which takes effect on 25 May 2018, applies to any organization that processes the personal data of individuals in the EU, even one with no physical presence there.

The product discovers an organization's public-facing web assets, builds an interactive inventory of them, and assesses each one. It highlights the pages that collect personal information through login forms, data collection forms, and persistent cookies. In short, it automates the process of finding web-based GDPR violations so that they can be remediated more rapidly and completely.

“The new PII/GDPR analytics feature in RiskIQ Digital Footprint automates the once cumbersome and often inaccurate process of ongoing website PII discovery and assessment, helping to more efficiently support compliance obligations for large enterprises and multinational organizations,” says Carleton.

RiskIQ’s PII/GDPR analytics feature is immediately available and is included as part of its Digital Footprint Enterprise solution.

San Francisco, Calif.-based RiskIQ raised $30.5 million in Series C funding led by Georgian Partners in November 2016, bringing the total raised by the firm to $65 million.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
