I’ve spent a ton of time over the past few weeks chatting with different folks about GDPR and how this soon to be enforced EU regulation is contributing to a rising tide of interest in best practices for IT risk management and open source governance.
With GDPR due to become enforceable on 25 May 2018, indeed every company in the world doing business in the EU has been studying GDPR and it's potential ramifications for quite a while. What's new however, is the fact that many of these companies are all of the sudden interested in understanding how to implement open source governance programs in the wake of the recent Struts2 breach at Equifax.
Simply stated, from the time that Equifax first discovered the breach in late July -- the company waited 40 days to disclose the exploit to the public. This leisurely approach toward public notifcation would not fly in the EU under GDPR rules that are set to take effect in May 2018. Under GDPR -- Equifax would have been required to notify the public within 72 hours or face penalties up to €10M ($12M) — or up to 2% of prior year revenue — whichever is higher.
Yes, that's right. Under GDPR rules, Equifax would have been fined $60M for taking their sweet old time to disclose the breach. That's a whopping $1.5 million dollars per day.
Of course, in the US we do not currently have a federal law requiring companies to inform the public about data breaches. Legislation proposed in 2015 would have set a 30 day disclosure deadline — but the bill failed — most likely because a majority of congress felt that we already have ample regulation in place in form of PCI.
The white hot irony of course is that Equifax most likely would have passed a PCI audit with flying colors — yet they still got hacked and lost personal data on 140 million Americans and 40 million Brits becuase of poor open source governance.
In the face of GDPR, and in the aftermath of Equifax, companies are beginning to understand two things:
- web application firewalls, network and end point security tools, and hardened operating systems by themselves are not sufficient to defend against an attack that is aimed at the application layer and exploits known vulnerabilities in popular open source components like Struts.
- true data protection requires end-to-end software supply chain hygiene.
As the U.K's Information Commissioner's Office (ICO) states in their FAQ, “In light of the tight timescales for reporting a breach – it is important to have robust breach detection, investigation and internal reporting procedures in place". An innovative solution to automatically manage open source risk wouldn't be a bad idea either -- just ask Equifax.