Most US-based business leaders are at least somewhat familiar with the GDPR (the EU General Data Protection Regulation). Although this broad set of data regulations is designed to protect the privacy of people in the European Union, it will significantly affect US businesses as well. It will also likely give rise to a new and costly form of cybercrime: “GDPR extortion.”
How will EU-based data regulations affect businesses in the US? What is GDPR extortion? How can businesses protect themselves? These are the questions I’ll address in this article.
GDPR In a Nutshell
As the most comprehensive set of data-protection regulations in history (99 articles organized into 11 chapters, to be exact), the GDPR is raising eyebrows and anxieties worldwide.
That’s because capturing customer data helps businesses in all industries improve marketing, sales, customer service and many other efforts. Now, thanks to GDPR, companies have to collect data much more carefully.
GDPR gives EU citizens something that doesn’t exist in the US: the right to personal-data privacy. What kinds of regulations are included under this set of laws? Although GDPR gets quite complex, here’s a brief rundown.
An EU citizen’s right to data privacy now outweighs a business’s interest in collecting their data. Therefore, under GDPR, each EU citizen has:
- The right to choose whether or not to allow their data to be collected
- The right to see all the data that’s been collected about them
- “The right to be forgotten” (the right to erasure), meaning their personal data must be deleted, and de-listed by Google and other search engines, upon request, subject to a few exceptions
- And finally, the right that gave birth to the GDPR extortion phenomenon: the right to be informed of data breaches. A company that suffers a breach (for example, one resulting from hackers) must notify the relevant supervisory authority within 72 hours of becoming aware of it and, where the breach is likely to put the affected individuals at high risk, must also tell those individuals without undue delay
How GDPR Affects US Businesses
Before diving into what GDPR extortion is, I must stress why US businesses are not in the clear here.
If your US-based business offers services to EU citizens or collects personal data about EU citizens, you must comply with GDPR regulations. Some of the US industries that are most likely to fall under GDPR include travel, hospitality, SaaS and ecommerce. However, any US-based business with a market in the EU should make preparations to meet the requirements.
What are the consequences for failing to meet GDPR requirements? Fines could be as high as €20 million ($22.7 million) or 4% of a company’s worldwide annual turnover, whichever is higher, although it’s not yet clear how such EU penalties are going to be enforced in the US.
But the consequences for falling short of GDPR compliance extend far beyond debilitating fines. Companies with a large EU customer base could also face losing their good standing with a market of more than 510 million people.
With the threat of eight-figure payments on one hand and the possibility of sacrificing EU-customer trust on the other, many US businesses have no choice but to retool their data-management framework to comply with GDPR.
As if the steep consequences associated with GDPR noncompliance aren’t worrisome enough, EU and US business leaders have yet another reason to lose sleep: “GDPR extortion.”
The mad dash of executives who are scrambling to prepare for GDPR is creating a perfect storm for cybercriminals. If a business isn’t GDPR compliant, and if its devices are unpatched and unprotected, a hacker can gain access to the business’s data and deliver an ominous ultimatum: Either pay the hacker a specified sum of money or the data will be leaked, a scenario that would also lead to crippling fines.
A hacked company will have a choice at this point. Either appease the criminal(s) or report the data breach to the relevant supervisory authority (in the UK, the ICO, the Information Commissioner’s Office), as GDPR requires.
Cybercriminals know that many companies will opt to pay the hackers rather than face even larger GDPR fines. Also, in an attempt to avoid public outcry, business leaders will often pay a cybercriminal and try to keep EU citizens in the dark about the data breach.
In spite of the temptation to pay a hacker, a business that’s fallen victim to a cybercrime should stand its ground rather than negotiate with criminals. The best course of action is to report the breach to the supervisory authority and work with it to mitigate the damage. Why? There are at least four reasons.
- There’s no guarantee that hackers will live up to their end of the deal. They still hold a copy of the stolen data and can leak or resell it anyway.
- Paying the hackers encourages them to come back and extort the same company yet again.
- Giving in to cybercriminals emboldens them to keep developing advanced technologies for blackmailing even more companies around the world.
- There’s an ethical reason to resist cybercriminals. People deserve to know when their personal data has been illegally accessed.
Patch Your Entire IT Environment
The best protection from GDPR extortion is to block hackers from entering your system in the first place. Cybercriminals are always on the lookout for businesses with unpatched and vulnerable devices, and for good reason. Even companies as large as Equifax have been breached because of unpatched servers (in Equifax’s case, a web application running a framework with a publicly known, unpatched flaw).
Patching is the repair of weaknesses in hardware and software that are discovered after the product has already been released. It sounds simple enough, but the process is daunting and complex.
Think of all the components that need to be patched. Servers and routers, operating systems, applications, email clients, desktops and laptops, mobile devices, firewalls, office suites and more. And as any IT professional will agree, just a company’s servers alone can turn into a patching headache.
For example, it’s common for a business to run two or more server operating systems, such as Linux and Windows. Further, many companies run several versions of these operating systems, including numerous Linux distros.
Because of the complexity involved, and with so many components that could become open windows for cybercriminals, smart companies implement a patch-management process to keep track of it all automatically. Cloud Management Suite, for example, enables IT managers to continuously patch every device and software package their company uses, regardless of their operating systems.
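As an added illustration of what “keeping track of it all” means in practice (this is example code written for this article, not code from the original page or from any product mentioned in it), the following Python script checks a mixed Linux/Windows inventory against a baseline of minimum patched versions and reports how long each unpatched host has been exposed since the fix shipped. All hosts, package names, version strings and dates are constructed for the example.

```python
"""Patch-status report over a mixed-OS inventory (constructed example).

Input: an inventory of installed package versions per host and a baseline of
minimum patched versions per (os, package). Output: hosts that are below the
baseline, plus how many days each has been exposed since the fix was released.
All hosts, packages, versions and dates are constructed for illustration.
"""
import csv
import io
import re
from datetime import date

# Constructed inventory: host, OS family, package, installed version.
# Windows updates are tracked as present/absent rather than by version.
INVENTORY_CSV = """host,os,package,version
web-01,debian,openssl,1.1.1k-1
web-02,debian,openssl,1.1.1n-0+deb11u3
db-01,rhel,kernel,4.18.0-305.el8
win-fs-01,windows,KB5005565,installed
win-fs-02,windows,KB5005565,missing
"""

# Constructed baseline: the minimum version (or required update) that closes a
# known weakness, and the (constructed) date the fix shipped.
BASELINE = {
    ("debian", "openssl"): ("1.1.1n-0+deb11u3", date(2022, 3, 15)),
    ("rhel", "kernel"): ("4.18.0-348.el8", date(2021, 11, 9)),
    ("windows", "KB5005565"): ("installed", date(2021, 9, 14)),
}

# Constructed reporting date used for the "days exposed" calculation.
REPORT_DATE = date(2022, 4, 1)

_SEG = re.compile(r"(\d+|[A-Za-z]+)")


def version_key(v):
    """Split a version string into comparable segments: digit runs compare
    numerically, letter runs lexically. Adequate for the simple strings above;
    a production tool should use the distro's own comparison (e.g. apt or rpm)
    because Debian epochs and tilde ordering are not handled here."""
    return tuple((0, int(s)) if s.isdigit() else (1, s) for s in _SEG.findall(v))


def is_patched(os_name, installed, required):
    """True if the installed package meets the baseline for this OS family."""
    if os_name == "windows":
        return installed == required  # update is either present or not
    return version_key(installed) >= version_key(required)


def patch_report(inventory_csv, baseline, today):
    """Return a list of (host, package, installed, required, days_exposed)
    for every inventory row that is below its baseline."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["os"], row["package"])
        if key not in baseline:
            continue  # no baseline for this package: nothing to check
        required, fixed_on = baseline[key]
        if not is_patched(row["os"], row["version"], required):
            findings.append((row["host"], row["package"], row["version"],
                             required, (today - fixed_on).days))
    return findings


if __name__ == "__main__":
    for host, pkg, have, need, days in patch_report(INVENTORY_CSV, BASELINE, REPORT_DATE):
        print(f"{host:<10} {pkg:<12} installed={have:<18} required={need:<18} exposed {days} days")
```

The “days exposed” column is the number that matters for an extortion scenario: a fix that has been public for months is exactly what an attacker scans for, so the report is most useful sorted by that column and tied to a patching deadline.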
Educate Your Employees
Because many hackers gain access to vast amounts of personal customer data simply by outsmarting employees, it’s crucial to educate your staff about cybercriminal methods. A mandatory social-engineering awareness session should be held for employees and executives. A few important topics to warn employees about include:
- Classical social engineering, such as when someone calls an employee claiming to be from IT and asks for passwords or other sensitive information
- Opportunity social engineering, such as when a cybercriminal drops a malware-loaded USB in a parking lot and waits for an employee to find it and use it
- Email phishing, involving emails that appear legitimate but actually contain fraudulent links or malware
It’s also helpful to educate employees about GDPR and GDPR extortion. Becoming GDPR compliant (discussed next) can be a laborious process, so the more knowledge your staff has about its importance, the better.
Become GDPR Compliant
Besides denying hackers access to a company’s sensitive data, any business with an EU market should become GDPR compliant. Although the process is labor intensive, it’s well worth it.
Businesses that spend the time and effort to meet GDPR requirements show supervisory authorities and other regulators that they care about the privacy rights of EU citizens. The technical and organizational measures a company had in place are among the factors regulators weigh when setting penalties, so such efforts are likely to minimize any fines or other consequences of a data breach.
Honest companies that work toward compliance find it easier to win over their market. Whether in the US or the EU, consumers value honesty.
Businesses that do everything in their power to meet global regulations and operate transparently are quick to gain a competitive edge.