The imminent activation of the General Data Protection Regulation (GDPR) on 25 May 2018 has many businesses and public institutions scrambling to get their data protection act together. If you handle the personal data of any EU citizens -- whether you capture it yourself or process it on behalf of another company – you have to get much more serious about protecting it. Fail to comply with the new rules, and you risk some seriously nasty fines: €10M-€20M, or 2%-4% of your annual revenue, whichever is greater.
Among other requirements, GDPR expects you to build robust defenses to protect against security breaches by bad actors like cybercriminals. If you do suffer a breach, you now have to notify the GDPR authorities and give your customers the bad news quickly. Now consider the news that ransomware -- that notorious malware strain that encrypts your data and holds it hostage for a ransom -- just became the world's biggest security breach threat [see Verizon 2018 Data Breach Investigations Report]. Put these facts together, and you might conclude that your GDPR compliance depends a lot on how well you defend your EU customers' personal data against ransomware attacks.
To illustrate this point, we put together a tale of two companies that both fall under GDPR regulatory scrutiny: one that pays attention to the ransomware threat -- the other, not so much. As you will see, one picture is much prettier than the other.