On May 25, 2018, a widely publicized and long-awaited set of European Union rules, the General Data Protection Regulation (GDPR), goes into effect. This sweeping regulation gives individuals in the EU more control over their personal data, enforces privacy and security requirements around the handling of personal information, aims to prevent data breaches by requiring security controls appropriate to the risk, and limits individuals' exposure to spam and other bulk email marketing by businesses. GDPR replaces the prior Data Protection Directive (95/46/EC), which dates back to 1995.
Authentication Security Now Has a Higher Bar
Under GDPR, the security obligations on your organization are more stringent, and fines for infringements, including breaches caused by inadequate security, are severe: up to 2% of worldwide annual turnover for the preceding financial year (or €10 million) for the lower tier of violations, and up to 4% (or €20 million) for the upper tier, whichever amount is higher. EU supervisory authorities can also carry out data protection audits at any time.
GDPR is technology-neutral: it does not name specific authentication products, but Article 32 requires technical and organizational measures appropriate to the risk, and weak, static, easily compromised credentials will be hard to defend as "appropriate" under audit. Strong multi-factor authentication built on credentials that cannot be shared or replayed is one of the clearest ways to meet that bar. Note also the breach-reporting clock: a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it (Article 33), and affected individuals must be notified without undue delay when the breach is likely to result in a high risk to them (Article 34).
Doing Business in the EU
By now, organizations should have identified where sensitive information resides and who has access to it, and should have deployed authentication controls that protect the applications and endpoints on the network accordingly. They should also have determined whether a Data Protection Officer (DPO) is required.
Individuals in the EU have the following rights, among others, beginning May 25, 2018:
- Timely breach notification when a breach is likely to result in a high risk to them
- Access to the personal data an organization holds about them
- The right to have their personal data erased (the "right to be forgotten") by any organization, subject to the exceptions set out in the regulation
- The right to restrict processing of their personal data and to object to its sharing with other entities
The Upshot: Going Beyond Static Passwords
From a cybersecurity standpoint there is little doubt that if static, password-only authentication is left in place, an organization's systems remain exposed to credential theft, network intrusion and data breaches. A recent market study put the average cost to midsize and large organizations of formally notifying clients of a data breach and remediating it at upwards of $1M (source: Ponemon Institute Study, 2017). That figure does not include the new EU penalty structure.
Organizations are therefore adopting contextual, behavioral and risk-based authentication, which can be both more convenient for users and more secure than static passwords.
Germany’s Federal Data Protection Act
The German legislature anticipated the new GDPR mandates and led the way with its own revised German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG; referred to here as GDPAA). Passed in summer 2017, it also takes effect on May 25, 2018. Under this statute, virtually all public agencies must appoint a DPO. Private entities that constantly employ ten or more people in the automated processing of personal data, which covers the vast majority of incorporated businesses that store and process customer data of any kind, must also appoint a DPO. Additional fines under the federal act apply alongside the GDPR penalties. In this way, Germany adds its own policy pressure and enforcement teeth to the long-awaited EU legislation.
Crossmatch can help DPOs and IT leaders understand the implications of GDPR and address compliance and breach-risk mitigation completely, quickly, and cost-effectively.
Our biometric tokenization technology also reduces the privacy exposure associated with capturing biometric factors: images and physical attributes are converted into numeric templates rather than stored as raw images. Note that under GDPR Article 9, biometric data processed to uniquely identify a person remains special-category personal data even in template form, so the templates themselves must still be protected and their processing justified.
How a Composite Authentication Approach Can Help
For more than 20 years, Crossmatch has been an innovator in identity and authentication security solutions. Our solutions solve complex security challenges in an ever-changing world. For compliance with GDPR, GDPAA and other EU country-level regulations and guidance on authentication methods and technology, DigitalPersona has you covered.
DigitalPersona Key Benefits
- Credentials that cannot be shared: ties authentication to factors a user cannot hand to someone else, sharply reducing the likelihood of account compromise through shared or stolen passwords.
- Secures your workstations, servers, network and applications with the broadest possible selection of authentication factors including what you know, who you are, what you do and where you are.
- Offers a frictionless, easier user experience that delivers the strongest protection available in the industry.
- Adapts authentication strength to the risk exposure of each user and customer interaction, so the security posture matches your organization's needs.
- Solves for compliance requirements across the globe. DigitalPersona helps organizations of all sizes and across industries meet cybersecurity compliance mandates and goes far beyond to protect critical data and personally identifiable information.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch's DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies; most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both the Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) designations.