The European Union’s General Data Protection Regulation (GDPR) is the most influential privacy law in the world. It is inspiring privacy laws far beyond Europe, and it is also having a global effect on how cryptography is used for data security.
What Is GDPR?
GDPR is a comprehensive privacy law. In effect since May 2018, it extends European privacy laws whose roots date back decades. GDPR requires data holders to take a broad range of steps to protect the privacy of individuals, including:
- notifying the individuals of data collection, use and sharing;
- the destruction of data under certain circumstances;
- the use of data only for intended purposes; and
- the design of computer systems with privacy as an explicit purpose.
What Does It Take to Comply With GDPR?
For larger organizations, compliance with GDPR can involve extensive review of, and implementation of policies on, the collection and use of personal data. Full compliance with GDPR can be challenging because the rules are vague, and the authorities are still wrestling with the practical interpretation of those rules. Often the rules speak in terms of aspirational goals rather than highly prescriptive steps that apply in every situation.
How Is GDPR Promoting Constant Improvement in Cryptography?
GDPR requires data holders to secure personal information. Article 32 (“Security of processing”) requires technical and organisational measures appropriate to the risk, and it explicitly lists encryption of personal data as one such measure. Failure to meet Article 32 can lead to fines.
An essential class of security technology, according to GDPR authorities, is cryptography. For example, the UK regulator (the Information Commissioner’s Office), investigating British Airways after a payment card data breach, counted the failure to encrypt data as an “error” in GDPR compliance.
But encryption and cryptography are intricate, nuanced technologies. At what point does a specific deployment of cryptography satisfy GDPR? The answer is not fixed: it changes over time, so a deployment that satisfies GDPR today must keep improving to go on satisfying it.
In Cryptography, The State of The Art Is Always Advancing
Article 32 recognizes that appropriate security needs to evolve and improve as threats and technology change. Article 32 says the steps a data holder takes to protect data must take into account the “state of the art.” For cryptography, the state of the art is constantly advancing: new algorithms, new trust models, new key management architectures, new integrations with other cybersecurity controls. Hence, as better security technology becomes available, data holders are obliged to consider using it, rather than blindly staying with older technology.
For example, in the British Airways case mentioned above, the regulator gave the company credit for recognizing a vulnerability and addressing it with a newer, more effective endpoint monitoring tool, CrowdStrike Falcon. That tool is an endpoint-security control rather than a cryptographic one, but the same “state of the art” reasoning applies to cryptography.
Failure to Keep Pace With State-Of-The-Art Technology Can Be Disastrous
Unsurprisingly, large organizations make extensive use of cryptography to secure personal information. But if an organization implements cryptography and then fails to re-evaluate it, it risks not only a breach of Article 32 but also exposure to emerging threats and vulnerabilities.
A spectacular example of an organization that failed to stay ahead of threats was the large US retailer TJX. TJX relied on WEP encryption to protect in-store Wi-Fi long after WEP was known to be broken: practical attacks on WEP were published in 2001, and WPA was available as a replacement from 2003. Attackers exploited this cryptographic weakness, gained access to the company’s corporate network and stole tens of millions of payment card records.
The TJX breach, disclosed in 2007, predates GDPR, but it illustrates exactly the failure Article 32 targets. Under Article 32, a data holder in TJX’s position would fall short of the mandate, because Article 32 calls on data holders to do more than implement a technology and forget about it. It expects them to keep up as cryptography changes, improves or becomes vulnerable.
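The following is an added example, not code from the original article, showing one of the reasons WEP was already “outdated” when TJX was still using it. WEP encrypts each frame with the RC4 stream cipher keyed by a 24-bit initialisation vector (IV), sent in the clear, concatenated with the shared key. When an IV repeats, the keystream repeats, and XORing the two ciphertexts cancels the keystream entirely, so one known frame exposes the other without the key. The shared key and frame contents below are constructed for the demonstration; the article does not say which WEP weakness the TJX attackers used, and this block makes no claim about that.

```python
# Added example: WEP keystream reuse. RC4, the per-frame keying (IV || shared key)
# and the CRC-32 integrity value follow the WEP design; 802.11 headers and the
# key-ID byte are omitted because they do not affect the weakness shown.
import math
import zlib

IV_BYTES = 3                       # WEP IV is 24 bits
IV_SPACE = 2 ** (8 * IV_BYTES)     # 16,777,216 possible IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 as used inside WEP: key scheduling (KSA) then output generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """One WEP frame body: IV || RC4(IV || shared_key) XOR (payload || CRC-32 ICV)."""
    if len(iv) != IV_BYTES:
        raise ValueError("WEP IV must be 3 bytes")
    icv = zlib.crc32(payload).to_bytes(4, "little")
    plaintext = payload + icv
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def recover_with_known_plaintext(known_frame: bytes, known_payload: bytes,
                                 target_frame: bytes) -> bytes:
    """Two frames with the same IV share a keystream, so C1 XOR C2 = P1 XOR P2.
    Knowing P1 (e.g. a predictable broadcast body) reveals P2 without the key."""
    iv1, c1 = known_frame[:IV_BYTES], known_frame[IV_BYTES:]
    iv2, c2 = target_frame[:IV_BYTES], target_frame[IV_BYTES:]
    if iv1 != iv2:
        raise ValueError("IVs differ, so the keystreams differ; nothing cancels")
    if len(c1) < len(c2):
        raise ValueError("known frame must be at least as long as the target")
    p1 = known_payload + zlib.crc32(known_payload).to_bytes(4, "little")
    p2_with_icv = xor_bytes(xor_bytes(c1[:len(c2)], c2), p1[:len(c2)])
    return p2_with_icv[:-4]            # strip the target frame's ICV


def iv_collision_probability(frames: int) -> float:
    """Birthday-bound probability that at least two of `frames` random IVs coincide."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def frames_for_collision_probability(p: float) -> int:
    """Smallest frame count at which random IVs repeat with probability >= p."""
    return math.ceil(math.sqrt(-2.0 * IV_SPACE * math.log(1.0 - p)))


if __name__ == "__main__":
    key = b"\x0b\xad\xc0\xff\xee"                 # constructed 40-bit WEP key
    iv = b"\x00\x00\x2a"                          # constructed IV, reused below
    known = b"predictable broadcast body, e.g. an ARP request padding"
    secret = b"cardholder record 0001"            # constructed target payload
    f_known = wep_encrypt(key, iv, known)
    f_secret = wep_encrypt(key, iv, secret)       # same IV => same keystream
    print(recover_with_known_plaintext(f_known, known, f_secret))
    print(f"50% chance of an IV repeat after ~{frames_for_collision_probability(0.5)} "
          f"frames, out of {IV_SPACE:,} possible IVs")
```

A busy access point sends thousands of frames a minute, so the birthday bound alone puts a keystream repeat within minutes, and in practice WEP fell faster than that: many cards reset the IV to zero on restart and counted upward, so repeats were guaranteed rather than probable. The 2001 attack on RC4’s key scheduling goes further and recovers the shared key itself from captured traffic, which is why WPA replaced WEP in 2003.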
But in practice, keeping up to date is an indistinct idea. How, then, can an organization build the case over the years that it is complying with Article 32’s expectation for constant cryptographic improvement?
GDPR Compliance: How to Stay Current with Cryptographic Advancements
Following are steps an organization can take to document to regulators that it is applying the required diligence to stay current.
An organization should regularly conduct risk assessments of its cryptographic resources. Article 32 makes clear that it expects organizations to adopt an approach to security that is informed by risk. Greater risk justifies greater effort and expense. Depending on the circumstances, a risk assessment can be a long, thorough document, or it might be a three-sentence email among security team members evaluating what to do for an immediate, specific problem.
An organization should proactively research advances in cryptographic technology, because Article 32 requires ongoing diligence to understand the state of the art and consider adopting it. It should invest in the training of cryptographic administrators so they can stay abreast of the latest threats and developments.
An organization should periodically have a responsible officer sign a certificate to the effect that the organization is making appropriate efforts to re-evaluate and improve its cryptographic resources.
This idea draws inspiration from laws such as the US Federal Information Security Modernization Act (FISMA) and the Cybersecurity Regulations of the New York Department of Financial Services. Those laws require responsible cyber security officers to sign certificates of compliance with security requirements. Such a certificate is evidence of substantial efforts by an organization to comply. Conversely, if the officer declines to sign, that is a red flag to executives that problems need to be addressed.
An organization should further engage third parties such as auditors to evaluate the effectiveness of cryptographic implementations in light of latest and future threats.
An organization should affirmatively communicate that good deployment of cryptography does not mean you reach a state of perfection and stay there.
It is tempting for an organization to speak internally of cryptography as a magic black box that simply achieves a goal, with no deeper evaluation. Organizations must instead recognize that the use of encryption is a never-ending process that fits into a dynamic business environment: it calls for constant vigilance and improvement, with the understanding that perfection will never be achieved.
Effective communication about cryptography may include policies, mission statements, audit reports, employee training, presentations to executives and other internal messages, which will influence:
- The way cryptography administrators and their partners in the organization understand and execute the mission of cryptography;
- How auditors and regulators evaluate the use of cryptography;
- The expectations of executives as they assign resources for cryptography and evaluate the role of cryptography in managing risk; and
- Perceptions among staff about threats and the need to be on guard for attacks and anomalies.
Regulators Respect Documentation of Compliance
Documentation showing that an organization has taken the steps above creates evidence to show a regulator that the organization has a track record of compliance with Article 32. When an organization strives constantly to improve in cryptography, it not only gets closer to the goal of compliance. It also gets closer to staying secure in a dangerous and rapidly changing world.