GDPR Privacy Laws: Ramifications and Possible Interdictions for Open Source Security Vulnerabilities

By Tae Jin “TJ” Kang

The Data Protection Directive 95/46/EC, adopted in 1995, was an attempt by the European Union to create a unified set of data privacy rules for all member countries. In 1998, the U.S. legislation enacted the Health Insurance Portability and Privacy Act (HIPPA) to provide significant data privacy and security provisions. This was followed in 2003, by the state of California’s bill SB1386, which established mandatory privacy laws in the U.S. As each new set of regulations were implemented, multinational businesses were required to adjust their data privacy and protection practices.

In less than two months, on May 25th, the E.U. will enact its landmark General Data Protection Regulation (GDPR) that was approved in 2016. Not only will the GDPR affect any organization located or doing business in the E.U., but it will also impact organizations processing data of EU individuals, regardless of their own geographic location. Just as multinationals had to address their privacy and data protection activities in order to do business in California, so too will they will have to adjust their practices in order to comply with the new, and more stringent, data privacy and protection policies in the E.U.

So what is the GDPR?

According to the official GDPR website [www.eugdpr.org], it is a law to “protect all E.U. citizens from privacy and data breaches in an increasingly data-driven world.” Its reach is broad, “it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.” And, the penalties are non-trivial, “organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).”

The GDPR includes the E.U.’s Organization for Economic Co-operation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (95/46/EC). The GDPR contains these guidelines, and several more, and has turned mere directives into law, with stiff penalties for non-compliance.

The Equifax data breach of 2017, illustrated the issues surrounding the use of open source code, or code elements, and data protection. The credit giant could have avoided the breach had it installed the version of an Apache Struts software that had fixed the security vulnerability for which the warning was issued. This update had been available for months prior to the outbreak.

Had the GDPR been in place at the time of the Equifax breach, the fines would have been significant. Based on estimated Equifax 2017 income, which has been delayed in reporting, 4% of its approximately $3 billion in revenues is $120 million. The days of sweeping security vulnerabilities under the rug in the E.U. are over.

The proliferation of Open Source and Its Vulnerabilities

More than 90 percent of the software written these days integrates open source code. Such code is used in operating systems, network platforms, and applications. This trend will only continue to grow because, by leveraging open source, developers can lower assembly costs and quickly add innovations.

Whether software code is proprietary or open source, it harbors security vulnerabilities. Because of its transparency, open source code tends to be better engineered than a comparable piece of proprietary code. And thanks to its flexibility, the open source code is extensively used. This means that a security vulnerability in a piece of the open source code is likely to exist across a multitude of applications and platforms. Consequently, open source software vulnerabilities become a “low hanging fruit” for hackers to target and attack.

The mission to secure outward-facing, software infrastructure systems has become incredibly chaotic, thanks to obstacles that include the proliferation of open source, a poor accumulation of institutional software memory, unknown software components delivered in third-party binaries and a very low-level priority placed on engineering debt.

So what can businesses do to mitigate their potential data losses and E.U. fines from open source software vulnerabilities?

Open Source Software Vulnerability Cyber Security Insurance Interdiction

Many businesses are finding that their software infrastructure becomes increasingly challenging to secure every year. Some organizations have turned to purchase cybersecurity insurance to mitigate their financial losses from this trend. PwC estimates that by 2020, businesses will spend $7.5 billion on cybersecurity insurance. [https://www.technologyreview.com/s/603937/insurers-scramble-to-put-a-price-on-a-cyber-catastrophe/]

Many legal and insurance pundits have commented about the limitations of cybersecurity insurance as it relates to GDPR. For example, a November 2017 contribution by Shoosmiths LLP in Lexology, see: https://www.lexology.com/library/detail.aspx?g=25c7cefc-e438-48cd-82a3-639611506656, a resource of free-to-access legal updates and analysis, posits that organizations will find it tremendously difficult to secure an insurance company willing to face and underwrite a policy covering 4% of global turnover in this day and age, when cyber-attacks are becoming daily occurrences.

Effective Vulnerability Remediation Interdiction

Another method of addressing open source vulnerabilities is for businesses to know exactly what open source code elements hide in their software – before and after they procure it. This can be a challenge given that open source code elements are not well documented due to software procurement trends and intellectual property issues.

Fortunately, there are new types of fingerprint-based binary code scanners that alleviate this challenge. These solutions enable companies to scan their software and firmware in binary code, without recreating the source code through the somewhat inaccurate and time-consuming practice of reverse engineering – and then scan it for composition.

By knowing exactly what open source code elements reside in the current or prospective code, IT departments can assess their investment risks and take proactive measures to ensure that they are up-to-date with the latest open source component versions. The implementation of an effective open source update model should be of utmost priority to ensure data security and mitigate potential corporate losses.

Open source software development and use are irreversible trends in today’s business. And given the undeniable importance of the E.U market, organizations must adapt to comply with the GDPR. It is prudent for software development and IT teams to investigate and reevaluate, in-depth: the ramifications of GDPR, their client data, and privacy procedures, the short-term risk mitigation potently offered by cybersecurity insurances and their plans and practices for finding and responding to open source security vulnerabilities.

About the Author

Tae Jin “TJ” Kang is a technology industry executive and entrepreneur. He is the president and CEO of Insignary. In addition to founding a number of successful technology startups, Mr. Kang has held senior management positions with global technology leaders that include Korea Telecom and Samsung Electronics, among others.
Mr. Kang can be reached online at [email protected] and at our company website www.insignary.com