The GDPR's definition of "reasonable" is a data security minefield

by Luke Atkin, September 8th 2018

Another day, another data breach. We’ve just learned that British Airways have lost almost 400,000 of their customers’ credit card details to malicious hackers, one of the largest data breaches we’ve seen since the GDPR came into force back in May. While the new requirements of the GDPR have forced BA to reveal the extent of the breach sooner rather than later (unlike Yahoo, which sat on its knowledge of a breach of its own for over two years), there’s no indication yet what if any fine the company will face as a result of this latest hack. Under the GDPR the fine could be as much as 4% of BA’s global turnover, which amounts to £500 million - but then, a breach doesn’t necessarily mean a penalty at all. There are, of course, other factors to consider.

The GDPR requires that businesses take “reasonable” steps to prevent the sensitive data they hold from falling into the wrong hands. If a data breach does occur, if it is felt that the business in question made a “reasonable” effort to protect that data from hackers, penalties will be less severe or non-existent. The breach will be considered unavoidable in that regard. This appears to be the situation with British Airways; the hack was carried out by sophisticated individuals with the means to break through seemingly secure systems, and thus did not take advantage of a lack of “reasonable” action by BA. So, to today’s point of discussion: what is “reasonable”?

Unreasonable demands

If a burglar breaks into my house and makes off with my TV, could it be argued that I had taken “reasonable” steps to prevent this from happening? I don’t have a burglar alarm, or security cameras, or the kid from Home Alone running around setting booby traps. I simply close my curtains and lock my front door. Would you say this constitutes reasonable efforts to protect my property, or should I do more? If a burglar wanted to break in and had the tools and knowhow to do so, he could. I’m not denying that, or even taking steps to prevent it; the “reasonable” efforts I’ve made are intended to deter opportunists and the vast majority of would-be thieves. (My TV is still around, so obviously it’s worked so far.)

So what’s the problem? Well, when deciding what measures are reasonable to prevent my stuff being stolen, the consequences of those measures failing lie with me. In the case of GDPR and data protection, it’s a little more complicated. When a company loses the sensitive data it was holding on its customers, sure, it’s the company that faces penalties and sanctions - but it’s the customers who face the real consequences. If I were looking after something valuable for a friend, you can bet I’d make sure it was more secure than the TV in my lounge. Data protection is no different. Customer data is worth its weight in gold in the modern age, so I would argue that “reasonable” steps to protect it would be storing it in the digital equivalent of Fort Knox - or, in fact, not storing it at all!

Keep not, breach not

There is in fact another matter at play in the case of the British Airways breach. The hackers also got hold of customers’ credit card CVV numbers, which should never have been stored in the first place. This begs the question: if it is reasonable to store sensitive data as securely as possible, is it not reasonable to also securely dispose of data which should no longer be (or never should have been) stored? Enter data destruction. Now, as a purveyor of data destruction systems myself, I’m naturally somewhat biased in this discussion, but there’s an important point to be made here. Businesses across the globe continue to hold personal data which is outdated, redundant, no longer fit for purpose, or should otherwise not be stored. In many cases, this data is buried in forgotten files and folders, on archived drives or in backups, and the organisations in question may not even be aware of it.

This is one of the key bugbears which the terms of the GDPR are hoping to stamp out. “Data should only be stored for as long as it’s being used” is one of the key mantras put forth by the new legislation, but it’s also one of the hardest to enforce due to the ubiquity of all that legacy customer data floating around. Whereas the attitude towards data over the past decade or more has been to protect it through continual backups and redundant copies, we’re now seeing that mindset being walked back in the name of consumer privacy. In short, businesses need to know exactly what and where the sensitive data they hold is.

What’s the answer? How do we prevent auditing nightmares with all this potentially sensitive data backed up on hard drives and the cloud and random employee USB sticks? Without meaning to sound too sales-pitchy, secure destruction might just be the most convenient solution. When a storage system is packed to the gills with all manner of files, many of which may be customer-related, it’s far easier to simply dispose of the system and start afresh. This won’t be the answer that many data hoarders were hoping for, but when mister GDPR comes knocking, you’ll be able to tell him you took more than “reasonable” steps to protect that data. After all, you don’t need to protect what you don’t have.

It may seem counter to our business model, but we here at Varese would like to see a drop in the amount of data companies hold. As much as we love running a hard drive through a military-grade crusher, we’d all be far better off if there were no need to do this in the first place. Unfortunately, data collection is a fundamental part of the sales and marketing pipeline (and I say this as a marketer myself), so the concept of mass data harvesting won’t be going anywhere anytime soon. In the meantime - since breaches and hacks are inevitable in this “big data” culture - we advise you to be vigilant; keep a watchful eye out for data breaches, and ensure you carry out best practices like using multiple passwords and two-factor authentication to keep your own data as secure as possible. After all, businesses should pay the price for losing your data; you shouldn’t have to.