Kali on My Mind
GDPR Crossing the Atlantic?
One of the focuses of my studies at FlatIron dove into the different protections and regulations that organizations need to follow based on where they are located and what services they provide. An example that many people in the US would be familiar with is HIPAA. One of the more well-known provisions of HIPAA is that any individually identifying information must be kept confidential by health care providers. This keeps doctors, or anyone else who may have access to a person's private medical information, from releasing it in any public way.
The GDPR (General Data Protection Regulation) is a landmark piece of legislation that was passed by the European Union and took effect in 2018. It provides a list of requirements for how organizations must handle everything from private financial information to data breaches within a network, and also sets both time limits and escalating fines for not meeting the new requirements. The GDPR was not the first legislation to provide consumer protection, but it may be the most expansive and aggressive to date.
Notably, the United States does not have nearly as stringent requirements at the federal level. A few states have laws related to consumer protection and cyber security (California's CCPA has some similarities to the GDPR, though on a smaller scale), but as a whole there are comparatively few rules and regulations here in the US. That may be about to change.
New regulations are being implemented in response to the recent cyber attacks on critical infrastructure. Some of these include appointing a designated CISO, having an action plan in case of a network breach, and being required to disclose those breaches within 12 hours. To be blunt, how was this not a law already? This should be the bare minimum expected of any mature organization when it comes to cyber security.
If our infrastructure is to be protected, we can no longer do the bare minimum and hope it's enough. Malicious actors have shown that they are not afraid to target high-level infrastructure if they think the payout will be worth it. Without major changes in how we work to prevent these attacks, the next crisis might be worse than a gas shortage.