RiskIQ, the leader in digital threat management, announced new functionality in RiskIQ Digital Footprint to help organizations ensure that their websites comply with the new EU General Data Protection Regulation (GDPR). Under GDPR, which covers the protection of EU personal data, fines can be considerable if the personally identifiable information (PII) is compromised or solicited and handled insecurely.
RiskIQ Digital Footprint’s new PII/GDPR analytics feature helps expedite compliance during the initial and subsequent GDPR audit processes by actively identifying websites belonging to an organization and highlighting issues with specific pages that collect PII. The regulation, which takes effect in May 2018, applies to all organizations that actively engage with EU citizens—even if they have no physical presence in the EU.
GDPR governs the collection, storage, and usage of EU personal customer data and mandates that PII be collected and transmitted securely. Besides data breach notification, an offending organization can face fines of up to 4 percent of its annual revenue (€20 million) if inadequate security provisions are found. GDPR also includes specifications designed to ensure that EU citizens know and consent to how their information is being used.
GDPR, as applied to websites that solicit personal data from EU citizens, explicitly requires the following personal data safeguards:
- Collect data in a secure, encrypted way
- Provide terms and conditions that are easy to understand, with an opt-in requirement to accept
- Notify a GDPR supervisory authority and the affected citizen within 72 hours of discovering a data breach
“GDPR is a global game changer that will pull the rest of the world toward setting a higher bar for protecting PII,” said Jarad Carleton, principal consultant, Digital Transformation, Frost & Sullivan Cybersecurity Practice. “However, to be compliant, you first need to know where PII is being collected, so proper process controls can be put around that data. RiskIQ Digital Footprint tells enterprises where PII collection is occurring, even when individual departments have web initiatives outside the oversight of IT. The automated approach supports GDPR and can help enterprises avoid fines and protect future business.”
According to research published by PwC, 92 percent of U.S. multinational companies cited compliance with the GDPR as a top data protection priority. However, the challenge for larger organizations is the sheer volume and complexity of websites and web applications that need to be identified and inspected for GDPR compliance. For expansive European and U.S. multinational companies, the ongoing discovery, analysis, and remediation tasks are nearly unachievable without automation—leaving a considerable security and compliance gap. In addition, recent RiskIQ research of U.K. organizations revealed that nearly a third of the FTSE-30 websites collected EU citizen personal data insecurely.
RiskIQ research of North American organizations also looked at 25 of the 50 largest banks in the U.S. (2017) and discovered significant security gaps in PII collection. The findings indicated that 68 percent of the banks collect PII insecurely, revealing a per-organization average of:
- 1,891 insecure login forms
- 1,663 pages collecting PII insecurely
- 1,326 EU first-party cookie violations
- 1,265 EU third-party cookie violations
Each of these insecure collection points represents a violation of GDPR, as well as a potential to have customer data compromised.
RiskIQ Digital Footprint helps address this challenge by actively discovering the public-facing web assets connected to an organization, including sites, applications, and infrastructure, and building and assessing an interactive inventory of them. The new PII/GDPR analytics feature automatically highlights web pages where personal data is being solicited, including login forms, data collection forms, and persistent cookies.
The resulting inventory tags and reports indicate where GDPR policy violations exist, enabling IT and security teams to focus their remediation efforts on the affected web assets. As part of ongoing auditing, it can identify newly appearing sites and PII collection pages, checking that data is being collected securely and that approved data usage notices and user consent are present. Organizations save significant time and resources in the discovery and audit verification processes, and gain an inventory of, and insight into, their PII collection points.
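As an added illustration of the kind of per-page check described above (this is not RiskIQ's code; the PII field heuristics, the sample page and the cookie headers are constructed assumptions), a small Python audit that flags PII-collecting forms submitting over plain HTTP and cookies set without the Secure flag:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristics: input types and name fragments that indicate personal data is solicited.
PII_TYPES = {"password", "email", "tel"}
PII_NAME_HINTS = ("email", "passw", "phone", "name", "address", "dob", "ssn")


class _FormCollector(HTMLParser):
    """Collect each <form> with its action URL and the PII-looking inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "pii_fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            typ = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if typ in PII_TYPES or any(h in name for h in PII_NAME_HINTS):
                self._cur["pii_fields"].append(name or typ)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_page(page_url, html, set_cookie_headers=()):
    """Return findings for one page: PII forms whose submit target is not HTTPS,
    and Set-Cookie headers that lack the Secure attribute."""
    findings = []
    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["pii_fields"]:
            continue  # no personal data solicited by this form
        target = urljoin(page_url, form["action"])  # relative action resolves to the page's scheme
        if urlsplit(target).scheme != "https":
            findings.append(f"insecure PII form -> {target} ({', '.join(form['pii_fields'])})")
    for hdr in set_cookie_headers:
        attrs = [s.strip().lower() for s in hdr.split(";")]
        cookie = attrs[0].split("=", 1)[0]
        if "secure" not in attrs[1:]:
            findings.append(f"cookie without Secure flag: {cookie}")
    return findings


# Constructed sample: a login page served over plain HTTP with three forms and two cookies.
SAMPLE_URL = "http://www.example.com/account/login"
SAMPLE_HTML = """
<form action="/account/login" method="post">
  <input type="text" name="username"><input type="password" name="passwd">
</form>
<form action="https://www.example.com/newsletter" method="post"><input type="email" name="email"></form>
<form action="/search"><input type="text" name="q"></form>
"""
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly", "prefs=dark; Path=/; Secure"]

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_URL, SAMPLE_HTML, SAMPLE_COOKIES):
        print(finding)
```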
“PII discovery, inventory, and compliance assessment is one of the major tasks for GDPR project teams. In our experience, most security and compliance teams have only partial visibility of the websites owned by their organization. They are left to engage users across the business in an effort to uncover them. And once they have compiled that list, inspecting tens of thousands of web pages is labor intensive and prone to error,” said Lou Manousos, CEO of RiskIQ. “The new PII/GDPR analytics feature in RiskIQ Digital Footprint automates the once cumbersome and often inaccurate process of ongoing website PII discovery and assessment, helping to more efficiently support compliance obligations for large enterprises and multinational organizations.”