Three 4-Letter Words That Changed Cyber Security: GDPR, CCPA, CMMC



Excerpts from the following article will appear in the forthcoming book Assessing and Insuring Cybersecurity Risk from CRC Press, co-authored with Ravi Das.


OK, so technically they’re acronyms. Our industry needs more of them, right? Four-letter words can lift and build (like “love”) or bring down (like “dumb” or other expletives). These three acronyms, however, have had a significant impact on cyber security and privacy. They are GDPR, CCPA and CMMC.


In this article we’ll do an overview of each, and I suspect there will be a little value for all. Few companies can escape the impact of these four-letter "words".


Privacy and GDPR – What’s the Big Deal?


A wave of data privacy rights, discussions, laws, and actions has swept the world recently, but especially since World War II. One can suggest that for GDPR, or the General Data Protection Regulation, the Holocaust has had everything to do with its inception and passage (1).



Enacted in May of 2018, the General Data Protection Regulation is designed to protect the data of its member states’ data owners, both in terms of cyber breach protection and in terms of data owners’ rights to see their data, to be forgotten, and/or to see to the removal of that data.


Like the HIPAA legislation in the US, GDPR expands to cover EU citizen data surrounding almost all personal elements, including not only the obvious, such as name, address, birth date, phone and credit card numbers, etc., but also religious affiliation, sexual orientation, political opinions, race, gender, and more.


History refresher: Concern for data privacy is directly linked to the atrocities of the Nazis who, as their regime rose to power, systematically abused private data to identify Jews and other minority groups with extreme objectives – the most atrocious of course being genocide, torture, manipulation and other terrible acts.


Here are some facts surrounding early data processing during WWII that you will find curious if not disturbing:


In 1930s Germany, census workers went door to door filling out punch cards that indicated residents’ nationalities, native language, religion and profession. The cards were counted by the early data processors known as Hollerith machines, manufactured by IBM’s German subsidiary at the time, Deutsche Hollerith Maschinen GmbH (Dehomag). This history became more widely known after the publication of the 2001 book IBM and the Holocaust: The Strategic Alliance Between Nazi Germany and America’s Most Powerful Corporation, which argued that those Hollerith machines not only identified Jews, but also ran the trains that transported them to concentration camps. Some historians dispute the book’s claims that IBM supported the use of its machines to carry out genocide and argue that the Nazis also used other methods, as simple as pen and paper, to round up victims just as effectively; the company hasn’t denied that its machines were used during the Holocaust, but claims “most” documents about the operations have been “lost.” (2)


Clearly the example above indicates a moral and ethical responsibility to ensure that as technology progresses, so too do the protections and rights involving personal data.


Implications for Business and Cyber Security


Simply stated, businesses which fail to implement proper cyber protections into their data processing and infrastructure, in addition to the user/owner data rights and policies, can find themselves in breach of the Regulation. In fact, negligence leading to data breach, data misuse, or failure to disclose or grant the rights enumerated under GDPR can lead to some whopping fines. Specifically, Article 82, Right to compensation and liability, states:


"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher"


Yeah, you’re reading that correctly – 4% of global revenue or twenty million EUR, whichever is higher.


Think of the implications of this for a company such as Facebook. Rounding their 2019 revenue to $70 Billion, that’s $2.8 Billion in fines. Ouch! A small company in a data service provider role (say a growing SaaS company) with only a million in revenue could face a fine (the “higher of the two”) of much more than just $40,000. Although wise judicial arbiters should make the fine appropriate to the offense, they still have the power to levy much more than the 4% for smaller companies.


“So why should I care?” you may be saying, “I do business in the US!” But what if you are a technology company that has garnered European clients over the years? Many technology businesses have. Businesses in the hotel industry have as well, where technology is used to store the data of their European clients.


While it may be true that European regulators may not have power in the US, they could block your company from doing business in the EU, and that could sting.


One other scenario and implication is that your business may not service EU citizens directly, but your systems and services may service those companies who do. Examples include SaaS platforms or POS systems for hotels and other industries. Faults and flaws, or failure to patch or keep up with vulnerabilities in your software, could expose your company to liability: liability determined by your clients should they suffer privacy data loss or be otherwise unable to comply with the Regulation. That now resonates with many businesses in the US.


More About GDPR

Running a cybersecurity company, I tend to think about GDPR from a cyber protection and risk management perspective. However, the implications for legal issues such as consent, declaration, and rights-granting policies and technologies also come into play.


Here are the seven key principles GDPR sets out to achieve:

  •  Lawfulness, fairness and transparency.
  •  Purpose limitation.
  •  Data minimization.
  •  Accuracy.
  •  Storage limitation.
  •  Integrity and confidentiality (security).
  •  Accountability.

To summarize, GDPR states that personal data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject". This means that all data controllers must only process data for the purpose for which they acquired it and with consideration of the data subject's rights. Finally, processed data must be stored, processed, and transmitted securely and under an information security policy that will mitigate the risk of data breach or data theft.


DPO, DCs and DPs


With GDPR, organizations now have the requirement to categorize themselves as Data Controllers and/or Data Processors. They also have the requirement to designate a Data Protection Officer, or DPO. A Data Controller is a person, company, or other body that determines the purpose and means of personal data processing (this can be determined alone, or jointly with another person/company/body). For the official GDPR definition of “data controller”, please see Article 4.7 of the GDPR.


The Data Controller determines the purposes for which and the means by which personal data is processed. The Data Processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company (credit card processors, for example).


Here is the official definition from the ICO, or Information Commissioner’s Office, the governing body in the UK for GDPR.


  •  ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  •  ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. (3)

The relevance here is that controllers basically own and are liable for the data they’re processing and for what purposes.


“Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own.

Although a processor may make its own day-to-day operational decisions, Article 29 says it should only process personal data in line with a controller’s instructions, unless it is required to do otherwise by law.

If a processor acts without the controller’s instructions in such a way that it determines the purpose and means of processing, including to comply with a statutory obligation, it will be a controller in respect of that processing and will have the same liability as a controller.

A processor can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual, for example a consultant.” (4)


Governing these policies and processes in the organization is the DPO, or Data Protection Officer. The DPO “ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data. The designation, position and tasks of a DPO within an organization are described in Articles 37, 38 and 39 of the European Union General Data Protection Regulation.” (5)


In short, it is the DPO’s responsibility to ensure compliance with the GDPR. Since most organizations won’t have a DPO on staff, this resource can be outsourced.


Conclusions on GDPR

At the time of this writing, 2.5 years out from its origin, what has been the impact of GDPR? It is perhaps too early to tell, but just observe the changes:

  •  Most websites that track you now tell you so and allow you to accept or decline.
  •  GDPR has created a one-stop-shop system for the regulation and enforcement of privacy in the EU.
  •  Other regulations, particularly in the United States (we’ll discuss CCPA next), have incorporated many of GDPR’s principles, and its influence on legislation continues.
  •  Corporate officers now treat data privacy and protection as a topic of discussion, which a decade ago was less the case.


California Consumer Privacy Act (CCPA)


Introduced on January 3, 2018 and signed into law by then-Governor Jerry Brown, the California Consumer Privacy Act, or CCPA, is what I consider the little brother of GDPR. It is a California-specific statute intended to “enhance privacy rights and consumer protection for residents.” (6)



Some of the differences, besides the obvious one of protecting only California residents:

  •  The GDPR language protects data subjects, defined as “an identified or identifiable natural person,” whereas the CCPA gives certain rights to consumers, defined as “a natural person who is a California resident.” ... The GDPR protects data subjects, not citizens or residents, unlike the CCPA.
  •  GDPR affects any organization inside or outside of the EU that offers goods or services to, or monitors the behavior of, EU subjects; whereas CCPA is more limited:
     o  Only companies or entities that do business with California residents and have gross revenue greater than $25 million, and handle personal data of more than 50,000 consumers for commercial purposes, or derive 50% or more of their annual revenue from selling consumers’ personal data.


Other key facts about CCPA include (7):

  •  No DPO or privacy officer designation is required, as it is with GDPR.
  •  Fines: Civil penalties, for violations lacking intent, are $2,500 per violation. Intentional violations are $7,500 each after notice and a 30-day opportunity to remedy the violations.
  •  Security: CCPA does not define or impose data security requirements, but it does give consumers the right to take legal action and establishes a right of action if a security breach occurs. Note – this is the big kicker with CCPA. In a litigious society, CA residents have another way to be even more litigious!

Consent, rights of opting out of the sale of personal data, and the legal right to take action are the foundation of CCPA. Many other minor differences between GDPR and CCPA exist, but for purposes of this brief chapter I’ve highlighted what I think are the main ones.


The message here to corporate officers everywhere is simple: protect your data, provide