On May 25, 2018, the General Data Protection Regulation (GDPR) came into force, two years after it was adopted by the European Union. For those two years companies have been flooded with offers of GDPR solutions from security firms, and publications have been bombarded with surveys claiming that only a certain percentage of firms are ready for it or understand it.
In fact, the ‘data protection’ element of GDPR is only a little different from pre-existing European law. What GDPR changes is the way user data is gathered, stored, processed and made accessible to users; the rules on breach disclosure; and the severity of the fines for non-compliance.
Companies can learn from last year’s data protection non-compliance incidents to gain insight into next year’s potential GDPR non-compliance fines. The statistics are available from the Information Commissioner’s Office (ICO — the UK data protection regulator).
The ICO’s latest ‘Data security incident trends’ report was published on 14 May 2018. During Q4, the ICO levied just a single fine: £400,000 on Carphone Warehouse Ltd following serious failures that had put customer data at risk. There was a total of 957 reported data security incidents, which the ICO considered a major concern for those affected and a key area of action for the ICO.
Healthcare is one of the major worldwide criminal targets for extortion and theft of PII. A total of 349 data security incidents were reported in Q4. The most common incidents were not technology-related: 121 involved data posted or faxed to the wrong recipient, or the loss or theft of paperwork.
The most frequent technology-related incidents were not hacking but simple email failures: data sent to the wrong recipient, or a failure to use BCC when sending email. Email is therefore an easily overlooked backdoor into GDPR non-compliance.
Data sent to the wrong recipient is commonly addressed with data labelling and data loss prevention (DLP) technologies. One problem is the high rate of both false positives and false negatives. Employees who are supposed to label data may, out of extra caution, label unprotected data as ‘sensitive’; this is time-consuming and disrupts workflows. Conversely, sensitive data may go unlabelled and be sent to the wrong address.
In September 2017, the National Law Journal reported, “Wilmer, Cutler, Pickering, Hale and Dorr was caught Wednesday in an email mix-up that revealed secret U.S. Securities and Exchange Commission and internal investigations at PepsiCo, after a Wilmer lawyer accidentally sent a Wall Street Journal reporter privileged documents detailing a history of whistle blower claims at the company.” This was not just an embarrassment; it could have been a breach of GDPR if it had involved any EU data.
A new UK-based start-up called Tessian is trying to close the email GDPR backdoor using machine learning. Its co-founder and CEO, Tim Sadler, said that the company helps organizations protect against human threats, and that they strive to prevent organizations from sending highly sensitive emails to the wrong people.
The main difficulty with the email problem is that it does not lend itself to a traditional rule-based solution. Email is used too frequently, too easily, on too many topics and with too many people. The firm has therefore taken a machine learning approach: it analyses the history of a user’s communication patterns to understand what kind of information is shared with which people in the user’s network. On outgoing emails, it flags the anomalies, the cases where it is unusual for this kind of data to be shared with that contact. This kind of approach works very effectively.
By analysing a user’s email logs, a baseline of ‘normality’ can be produced within 24 hours, and anomalies against that baseline are flagged. Users are kept on board by being fully involved — flagged emails are not simply blocked. An explanation of the system’s decision is shown to the user, who can accept or override it, and the user’s response is then fed back into the system’s machine learning knowledge.
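The following is an added illustration of the two mechanisms described above (the missing-BCC failure and the baseline-then-flag-then-feedback loop); it is example code written for this article, not Tessian’s software, and every address, mail history entry and keyword list in it is constructed. A baseline of which recipient domains have previously received which kind of content is learned from a short history; an outgoing message is then checked for recipients or topic/recipient pairings that the baseline has never seen, and for several external domains visible in To/Cc where BCC would be expected. If the user overrides the warning and sends anyway, the message is learned into the baseline, so the same pairing is not flagged again.

```python
"""Toy recipient-anomaly check for outbound email (example code, not Tessian's).

All data below is constructed for illustration: the internal domain, the
topic keyword lists and the 24-hour mail history used to build the baseline.
A real system would learn content features rather than use fixed keywords.
"""
import re
from collections import defaultdict

INTERNAL_DOMAIN = "corp.example"  # assumed internal domain (constructed)

# Constructed keyword lexicon standing in for a learned content classifier
TOPIC_KEYWORDS = {
    "financial": {"invoice", "revenue", "forecast", "statements"},
    "hr": {"salary", "payroll", "disciplinary"},
    "legal": {"privileged", "whistleblower", "investigation"},
}

# Constructed history of past outbound mail from one user
HISTORY = [
    {"to": ["bob@bank.example"], "cc": [], "body": "Q4 revenue forecast attached"},
    {"to": ["bob@bank.example"], "cc": ["cfo@corp.example"],
     "body": "revised statements for the auditors"},
    {"to": ["hr@corp.example"], "cc": [], "body": "payroll run and salary changes"},
    {"to": ["counsel@lawfirm.example"], "cc": [],
     "body": "privileged memo on the investigation"},
    {"to": ["press@newspaper.example"], "cc": [],
     "body": "press release draft for review"},
]


def domain(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def topics(body):
    """Return the set of topic labels whose keywords appear in the body."""
    words = set(re.findall(r"[a-z]+", body.lower()))
    return {t for t, kws in TOPIC_KEYWORDS.items() if words & kws}


class Baseline:
    """What is 'normal' for this user: known recipient domains, and which
    domains have previously received each kind of content."""

    def __init__(self, history):
        self.domains_seen = set()
        self.topic_domains = defaultdict(set)
        for msg in history:
            self.learn(msg)

    def learn(self, msg):
        doms = {domain(a) for a in msg["to"] + msg["cc"]}
        self.domains_seen |= doms
        for t in topics(msg["body"]):
            self.topic_domains[t] |= doms


def check_outgoing(baseline, msg, bulk_threshold=3):
    """Return a list of human-readable findings for an outgoing message.
    An empty list means nothing unusual was found."""
    findings = []
    doms = {domain(a) for a in msg["to"] + msg["cc"]}
    # 1. A recipient domain this user has never written to before
    for d in sorted(doms):
        if d not in baseline.domains_seen:
            findings.append(f"new recipient domain: {d}")
    # 2. Content of a kind never previously shared with this external domain
    for t in sorted(topics(msg["body"])):
        for d in sorted(doms):
            if d != INTERNAL_DOMAIN and d not in baseline.topic_domains[t]:
                findings.append(f"'{t}' content never previously shared with {d}")
    # 3. Many external domains visible to each other: a likely missing BCC
    external = {d for d in doms if d != INTERNAL_DOMAIN}
    if len(external) >= bulk_threshold:
        findings.append(f"{len(external)} external domains visible in To/Cc; consider Bcc")
    return findings


def user_decision(baseline, msg, send_anyway):
    """Apply the user's response to a flagged message. An override is treated
    as new evidence of what is normal and is learned into the baseline."""
    if send_anyway:
        baseline.learn(msg)
    return send_anyway


if __name__ == "__main__":
    base = Baseline(HISTORY)
    risky = {"to": ["press@newspaper.example"], "cc": [],
             "body": "privileged whistleblower documents"}
    for f in check_outgoing(base, risky):
        print("warning:", f)
```

Run stand-alone, the script warns that ‘legal’ content has never previously been shared with newspaper.example, the shape of the Wilmer mix-up quoted above. The check deliberately does not block: the caller shows the findings to the user and passes their decision to user_decision, which is how the override becomes part of the baseline.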
The company was founded in 2013 by Tim Sadler, Ed Bishop and Tom Adams, and was originally known as CheckRecipient. It was rebranded as Tessian in February 2018 to reflect its evolving and growing scope.
Sadler says that Tessian believes an organization’s security has moved on from perimeter firewalls and endpoint security: humans are the real endpoints of the organization, and Tessian is focused on building security for the human endpoint. The company looks not only at outbound email threats but also at inbound email threats, and at understanding the different ways in which humans leak data within an enterprise.
Tessian is unique in bringing a machine learning solution to an email problem that is an overlooked threat to GDPR compliance.