By Source Defense

The European Union’s General Data Protection Regulation (GDPR) is arguably the world’s most demanding data privacy and security law. Non-compliance carries the potential of significant fines, and those fines have been mounting throughout 2022. One of the more recent examples is a New York-based digital advertising firm facing a $61 million fine for running afoul of GDPR in France by allegedly spying on unwitting users’ browsing behaviors.

The case in France is just the latest in a series of GDPR enforcement actions targeting third-party firms that have taken advantage of their business partners’ lack of visibility and control over their digital supply chain. But the collection, use, and sale of personal data without consent to drive ad revenue is just the tip of the compliance iceberg for companies that manage dozens of digital business partners.

Millions of enterprise websites leverage similar payment platforms and services, chatbots, social media, analytics, ads, trackers, and other marketing services as part of the front end of their web applications. And with security teams lacking the people and bandwidth to conduct the necessary code reviews, most organizations have no knowledge of what the snippets of code served into their websites by their partners (and their partners’ partners) are actually doing. That code may violate compliance in its normal behavior, creating data leakage concerns, or it may be hijacked by cybercriminals to conduct data theft.

Compliance Starts With Visibility

Unless you can prove that you have visibility into all the third-party code you allow to enter your website, there is no such thing as being in compliance with GDPR. If you don’t know what is there, you cannot say with certainty that your client-side interactions with users protect privacy.

Visibility enables you to know who your partners are and verify their purpose. And if you are concerned with GDPR compliance, you must gain this visibility. Not only do you need to police and control the normal behaviors of your website partners, you need to ensure that they aren’t the vector through which a successful client-side attack occurs. Cybercriminals are increasingly taking advantage of a weakness in the browser’s JavaScript security model: every script loaded into a page, regardless of its origin, runs with the same level of control as your own code, including read and write access to the page, the ability to change it, access to all information on it (including forms), and even the ability to record keystrokes and save them.

Left unchecked, this situation puts your organization at risk of a material loss. And you don’t have to take our word for it. Look at some of the most recent examples of client-side attacks and the costs incurred.

  • British Airways was originally fined $238 million for GDPR violations that resulted from a Magecart attack and later agreed to pay a reduced fine of $26 million, given the impact of the pandemic.
  • Ticketmaster UK was fined $1.6 million under GDPR for a data breach stemming from third-party JavaScript code on its payment page, affecting nine million European customers.
  • Macy’s was hit with a lawsuit over a Magecart data breach, and the company’s stock price took a 10% hit following the breach being made public.

The Importance of Control

While most companies would say they are comfortable with the level of visibility and control of the website code developed in-house, the reality is that the average web application has between 40% and 70% of its code sourced from third parties. Third and fourth-party code increases the GDPR compliance risk exponentially. In fact, GDPR assigns responsibility for third-party code behavior to the website owner.

Since you are responsible for what these partners are doing, it is imperative that you have a way to control the actions of their code, both to govern the normal behavior of that code and to prevent any cybercriminal from taking control of it. The best approach to client-side security and data privacy compliance is a solution that’s purpose-built to provide visibility, assurance and control over the third-party code running on your websites.

You need a solution that: 

  • Allows you to gain complete visibility into the third-party digital supply chain: know who your partners are, verify their purpose, control their actions, and block any malicious activity
  • Empowers the business AND ensures compliance, streamlining time to market with new third-party capabilities without fear of data breach or leakage

With Source Defense, you get customizable policy controls out of the box that provide both data privacy governance over your third-party supply chain and automated prevention of client-side attacks. On average, Source Defense users spend less than five hours per month managing policy controls.

Can You Show Compliance?

GDPR says data controllers have to be able to demonstrate they are GDPR compliant. And this isn’t something you can do after the fact: If you think you are compliant with the GDPR but can’t show how, then you’re not GDPR compliant.

Client-side data privacy compliance and security platforms like Source Defense streamline the assessment and review process for your Governance, Risk, and Compliance (GRC) team. They give you the power to demonstrate adequate controls through logs and quantified reports of policy violations.

Source Defense uses real-time, client-side sandboxing and permissions-based isolation and reflection to protect your company and your customers’ data and prevent successful data exfiltration or leakage by:

  • Isolating and monitoring JavaScript execution in an end user’s browser in real time, as the user interacts with your web page
  • Using real-time JavaScript sandboxing to restrict the access that each script has to a web page as well as control that script’s behavior
  • Allowing or restricting access to different parts of the page and the data that they contain
  • Monitoring and managing the flow of data from the page to other places
  • Enforcing compliance policies and security controls
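As an added illustration, not Source Defense’s code or product logic, the policy check below models the visibility-and-control idea described above: each third-party script is matched to a declared partner and purpose, and any form access or outbound data flow outside the partner’s declared destinations is recorded as a violation that a GRC team could report on. The page origin, partner hosts and observed events are all constructed for the example.

```javascript
// Added example (not Source Defense code): allowlist-based policy evaluation for
// third-party scripts and their data flows. All hosts and events are constructed.

const PAGE_ORIGIN = "https://shop.example"; // constructed first-party origin

// Known partners: declared purpose, whether they may read forms, and the hosts
// they are allowed to send data to (fourth-party destinations must be declared).
const PARTNERS = [
  { host: "cdn.analytics-partner.example", purpose: "analytics",
    mayAccessForms: false, mayTransmitTo: ["collect.analytics-partner.example"] },
  { host: "js.payments-partner.example", purpose: "payment",
    mayAccessForms: true, mayTransmitTo: ["api.payments-partner.example"] },
];

// Resolve relative script URLs against the page origin and return the host.
function hostOf(url, base = PAGE_ORIGIN) { return new URL(url, base).host; }

// Match a script host exactly or as a subdomain of a declared partner host.
function findPartner(scriptUrl) {
  const h = hostOf(scriptUrl);
  return PARTNERS.find(p => h === p.host || h.endsWith("." + p.host)) || null;
}

// Evaluate one observed client-side event against policy.
// event: { script: url, action: "load" | "readForm" | "send", to?: url }
function evaluate(event) {
  const h = hostOf(event.script);
  if (h === hostOf(PAGE_ORIGIN)) return { allowed: true, reason: "first-party" };
  const partner = findPartner(event.script);
  if (!partner) return { allowed: false, reason: "unknown script origin: " + h };
  if (event.action === "readForm" && !partner.mayAccessForms)
    return { allowed: false, reason: partner.purpose + " partner read a form" };
  if (event.action === "send") {
    const dest = hostOf(event.to);
    const ok = partner.mayTransmitTo.some(d => dest === d || dest.endsWith("." + d));
    if (!ok) return { allowed: false, reason: h + " sent data to undeclared host " + dest };
  }
  return { allowed: true, reason: partner.purpose };
}

// Group violations by script host, the shape a compliance report would use.
function violationReport(events) {
  const report = {};
  for (const e of events) {
    const r = evaluate(e);
    if (r.allowed) continue;
    const h = hostOf(e.script);
    (report[h] = report[h] || []).push(r.reason);
  }
  return report;
}
```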

GDPR is large, far-reaching, and fairly light on specifics, making compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs). With Source Defense, it is possible to mitigate client-side risks that could cost millions in security response costs, legal fees, brand damage, and compliance fines.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for PCI DSS 4.0 requirements 6.4.3 and 11.6.1 without adding a burden to your security teams.