It’s been more than a year since the introduction of GDPR, yet according to our recent survey, more than half of employees in the U.S. are unaware of the privacy law changes. Unfortunately, blissful ignorance isn’t acceptable for employees who handle the data of EU citizens (even if they’re based in the U.S., a lack of compliance with GDPR could result in massive fines). In addition to this news, stories on nation state threats and third-party data breaches dominated the headlines. Get this month’s top stories below.
(Source: HelpNet Security)
A recent survey from ObserveIT revealed that awareness of GDPR laws is far more prevalent among UK employees than it is in the U.S. Even though nearly 60 percent of employees in both the U.S. and the UK handle sensitive data on a daily basis, 52 percent of U.S. employees aren’t aware of any data privacy laws, while only 17 percent of UK employees are unaware of these laws.
This general lack of awareness is problematic, especially since GDPR is applicable to any organization that handles the data of EU citizens, even if the organization itself is based in the U.S. Without fundamental awareness of how to handle sensitive corporate data, employees could be putting customer data and other important information at risk.
There’s still plenty of room for more training, especially in the U.S.: only 47 percent of employees claimed that they had ample training on data privacy compliance. Proper training can ensure that employees are aware of the applicable regional laws, which will become especially important as the patchwork of new, state-by-state data privacy laws emerges in the U.S. (such as the California Consumer Privacy Act (CCPA) and the most recent, strictest law from the state of Maine).
In case you missed Mary Meeker’s epic, annual 300+ slide report, Internet Trends, we’ll give you the TL;DR cybersecurity take on it. On slide 207, Meeker highlighted the rise in nation state threats, noting that the U.S., UK, the Netherlands and Germany have all indicted state-sponsored threat actors. Organizations should be vigilant about the typical user activity patterns associated with malicious, state-sponsored threats. One positive metric from Meeker’s report: the average attack-to-detection dwell time for organizations continues to fall, from a whopping 416 days in 2011 to 78 days in 2018.
Earlier in the month, both LabCorp and Quest Diagnostics reported data breaches allegedly involving customer information, with potentially sensitive patient data and payment information at risk. According to reports, a third-party billing collections vendor that both companies used, American Medical Collections Agency (AMCA), experienced a breach. Unfortunately, the scope of this breach is potentially massive: between LabCorp and Quest, the two companies had referred a total of 19.6 million customers to AMCA. Breaches like this one underscore the need for strong security practices among trusted third-party vendors and contractors.