By Source Defense

Now in its fourth year, the European Union’s General Data Protection Regulation (GDPR) is one of the strictest, most complex, and most confusing data privacy laws in the world. Although that complexity initially meant that accountability got off to a slow start, GDPR fines are now becoming more common and costly.

During the last 12-18 months, some of the biggest brands in the world have suffered some of the harshest fines under GDPR:

  • Amazon – $824 million
  • WhatsApp – $224 million
  • Google Ireland – $99 million
  • Google – $66 million
  • Facebook – $66 million
  • H&M – $39 million
  • British Airways – $26 million

Many enterprises remain confused about what is required of them under GDPR. GDPR applies when personal data are processed. The GDPR defines personal data broadly: any information related to an identifiable person is personal data (Article 4.1). For example, an email address, an IP address, a tracking cookie, an identification number, and an ‘online identifier’ are almost always personal data. Even hashed or encrypted email addresses are generally personal data, insofar as they contain a unique identifier that can be linked to a person.

There is a natural tension between the letter of the law and the business models that depend on customer data to enhance customer experience and generate revenue. GDPR has been criticized for being too vague and difficult to interpret, especially for digital and marketing professionals on the front line of digital business. The result has been uncertainty about what security and privacy protections should be undertaken, which often leads to little or no action on GDPR controls.

One thing is certain though – there is a real and material risk of non-compliance with GDPR stemming from the 3rd party digital supply chain on your websites. 

Understanding and Addressing the Risk 

Here’s what we know about the compliance risk posed by third-party and fourth-party digital supply partners. Your websites likely include partners, potentially a dozen or more, serving code (with your permission) to each new web user directly inside their browser. As the website property owner, you have a duty of care to ensure that all data collected both complies with data privacy requirements and is protected from potential cyber breach. However, you have little to no visibility into what the code these partners serve is actually doing. There are several reasons for this. Firstly, the code itself changes at a fever-pitch pace, with potentially thousands of changes occurring on an annual basis. Secondly, the code is often dynamic, meaning that it changes on the fly based on customer interactions with your site. And, most likely, you don’t have any tools in place to monitor, secure and enforce compliance policies on this code.

This creates a gap in compliance assurance that could cost you dearly. Recent research from Source Defense and other parties has found that in the normal course of their operations, many of these website partners are capturing data without consent, and in some cases passing that data along. Consider the recent case of Meta outlined in this blog post. This means that you may be exposed to potentially massive GDPR and other data privacy compliance fines just by conducting the normal course of your daily operations. 

The issue becomes even more pronounced when considering the risk of a security breach. Third-party and fourth-party scripts expand your client-side security risk exponentially. That’s because of a significant security gap in JavaScript that gives all scripts — regardless of the source — the same level of control on the client side.

Web application logic — a combination of the owner’s application logic and the integration of third-party content and functionality — is loaded and runs on the client side in the browser, beyond the protection of server-side security. The code is dynamically downloaded from a remote server, which means that it bypasses the traditional security infrastructure, including website firewalls and web application firewalls. The vulnerability is easily exploited, and attacks using this vector occur by the hundreds daily. A successful attack carries not only brand damage, significant security response costs and potential class action lawsuits, but also the potential for fines for data privacy non-compliance like the one suffered by British Airways.
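A first step toward the visibility discussed above, as an added example (not Source Defense code): a static inventory of the external scripts a page declares, flagging third-party hosts whose content is not pinned by a Subresource Integrity hash. The HTML, hostnames and function names are constructed for illustration, and "third party" is simplified to "host differs from the page's host".

```javascript
// SAMPLE_HTML and every hostname in it are constructed for this example.
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.analytics.example/tag.js" async></script>
  <script src="https://widgets.chat.example/loader.js"
          integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
  <script>window.dataLayer = [];</script>
</head><body></body></html>`;

// Return one record per external script: where it loads from, whether that
// host differs from the page's own, and whether an SRI hash pins its content.
function inventoryScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const records = [];
  const tagRe = /<script\b([^>]*)>/gi; // regex scan is enough for a sketch
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /(?:^|\s)src\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: part of the page's own markup
    const url = new URL(src[1], page); // resolves relative paths
    records.push({
      url: url.href,
      host: url.host,
      // Simplifying assumption: any other host counts as third party.
      thirdParty: url.host !== page.host,
      pinned: /(?:^|\s)integrity\s*=\s*["'][^"']+["']/i.test(attrs),
    });
  }
  return records;
}

// Third-party scripts without an integrity attribute can change on the
// vendor's server at any time without the site owner's markup changing.
function unpinnedThirdParties(html, pageUrl) {
  return inventoryScripts(html, pageUrl)
    .filter((r) => r.thirdParty && !r.pinned)
    .map((r) => r.host);
}

console.log(inventoryScripts(SAMPLE_HTML, "https://shop.example/checkout"));
console.log(unpinnedThirdParties(SAMPLE_HTML, "https://shop.example/checkout"));
```

A static pass like this sees only the scripts declared in the markup; scripts that those scripts inject at runtime (the fourth parties) do not appear in it and have to be observed in the browser.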

Source Defense offers a simple, easy to use solution to the problem that benefits the business stakeholder, security and your efforts in Governance, Risk and Compliance.

Source Defense’s sandboxing capability isolates all 3rd party JavaScript from the web page in real-time. It leverages a fully automated and machine-learning-assisted set of policies that control the access and permissions of all third-party tools operating on a website (including the 4th and 5th parties they chain in). If the activity of a script falls outside what it is allowed to do, Source Defense keeps the activity isolated from the user (thwarting an attack or enforcing data privacy/stopping a compliance violation) and sends a report to your teams, alerting them to the third-party scripts violating their compliance or security policies.

This is as close to ‘set it and forget it’ security and data privacy as you will see on the market. And it is a solution that gets Security and GRC out of the way of business decision-making.

Adopting client-side security from Source Defense isn’t the same proposition you’re used to – it doesn’t require a lengthy proof of concept, major disruption for installation and tuning, or a team full of new resources to manage it – it is easy, effective and immediately beneficial to uniting the business, security, and GRC units under a single risk management umbrella that protects the organization from harm.
Request a Demo to learn more about how Source Defense can help you mitigate a material risk to your organization, keep your partners from overreaching and defend your enterprise from Client-Side Attacks.
