EP 7: What is GDPR?
About this episode
August 7, 2018
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, summarize the European Union's General Data Protection Regulation, or GDPR.
Kip Boyle: Welcome to Cyber Risk Management podcast. Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.
Jake Bernstein: And I'm Jake Bernstein, cyber security counsel at the law firm of Newman DuWors.
Kip Boyle: And this is the show where we help you become a better cyber risk manager.
Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman DuWors LLP. If you have questions about your cyber security related legal responsibilities ...
Kip Boyle: And if you want to manage your cyber risks just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable, and order fulfillment, then you should become a member of our cyber risk managed program, which you can do for a fraction of the cost of hiring a single cyber security expert. You can find out more by visiting us at CyberRiskOpportunities.com and NewmanLaw.com.
Jake Bernstein: So, Kip, what are we going to talk about today?
Kip Boyle: Oh, today we're going to talk about something new and cool, the European Union's General Data Protection Regulation, or as we all love to refer to it, GDPR. So let's get the ball rolling. Jake, what is GDPR?
Jake Bernstein: The name is, as you just mentioned, the General Data Protection Regulation, and it replaces the 1995 EU privacy law entirely. There was a privacy directive that had been in place since the 1995 law had been passed by the Article 29 Working Group over in the European Union Council. The GDPR, however, is a wide-ranging, practically global, privacy and data security regulatory scheme that affects anyone who touches European Union citizens' data. It touches on security. It touches on privacy. And if you're not compliant with it, you will risk massive fines.
Kip Boyle: Okay. Massive fines. So as an American thinking about a fine from the European Union, I don't know, seems kind of remote, and seems like if I don't have offices in the EU, maybe it's not a big deal, but what kind of fines are we talking about?
Jake Bernstein: You asked two questions really. It is a big deal if you're an American company, as Microsoft and Google will attest, the EU is not shy about fining American companies who operate in Europe, and under the GDPR, fines can be up to 4% of your global turnover, which is essentially revenue in American business terms, or 20 million euros, whichever is higher. So if you're a big company, obviously the 4%'s going to be the fine, otherwise 20 million is going to be there. But this is a lot of money and it applies to you if you process or control data of European Union citizens, regardless of where you're based.
Kip Boyle: Okay. So I've read GDPR a couple of times now, the actual source document, and I've also read other people's commentaries on it and so forth, and you know, it's a very technical document, and very difficult to navigate, even though I've read things, like similar things many times, but when they talk about global turnover, and in some ways I feel really unsophisticated to say this, but I had no idea what they were talking about when I first read that, because I'm just not used to a European jargon about business, and so it took me a while to realize, "Oh, they're talking about annual revenue." And I just kind of sat back and just thought, "Oh my goodness." I mean, as difficult as GDPR is conceptually for Americans, the terminology just doesn't make it any easier.
Jake Bernstein: And there's a lot of terminology. I mean, you've got data subject, which is kind of obvious, data controller, data processor, data protection officer. You need to do data protection impact assessments. I mean, there's all kinds of little definitions and jargon in there. Fortunately, Article 5 of the GDPR contains all of these definitions, making it a little bit of a good reference point for a lot of people.
Kip Boyle: Well, so I'm glad that there are reference points, but I've been a little slow on the uptake, as well.
Jake Bernstein: My apologies. It's Article 4. Article 5 is different.
Kip Boyle: Oh, okay. Because there you go, case in point.
Jake Bernstein: Well, Kip, there's only like 137 recitals, followed by ... What is it? Multiple chapters and quite a few-
Kip Boyle: I know.
Jake Bernstein: It's very long.
Kip Boyle: It's very dense. It's long. It's dense. It's obtuse, and it's one of the reasons why I'm glad that you are the co-host, because I'm not a lawyer, and I try to be able to read these things, but I'm certainly not an expert at interpreting it. But let's think again about these fines. So I guess the next thing I want to know is when does this all start?
Jake Bernstein: The initial text, at least the version I've got here, was dated May 4, 2016, and that's about when it became final text. It's been in the works for years, actually, years and years. But the effective date that everyone needs to know about is May 25, 2018. That is when enforcement of this regulation starts.
Kip Boyle: So we've got just over 90 days for enforcement to begin. Makes me wonder if they've got a short list of people that they're going to be scrutinizing right off the bat.
Jake Bernstein: Oh, I would expect that much beyond that complaints are actually ready to be filed. I see no reason that lawsuits will not begin on May 25th. I mean, they've had years ... what they've tried to communicate to the world of data processors and data controllers is this is the law. It has been the law since May 2016, and we're just going to give you two years before we start coming down with the hammer. So I expect on May 26th that there's going to be a lot of attorneys getting a lot of phone calls.
Kip Boyle: You know, that's a really great point. When I think about May 25, 2018, for whatever reason, I think, "Oh, well that's when the law comes into effect." But you just made a great point, which is like, no, the law's been in effect for almost two years already; they've just delayed enforcement. Is that right?
Jake Bernstein: That is correct, yeah. It's actually the last article, Article 99 of this, and it is the ... so the regulation entered into force on the 20th day following its publication, so it actually came into force on May 24th, probably May 25th depending on how you count days, 2016, but the application begins May 25, 2018.
Kip Boyle: Okay.
Jake Bernstein: So really, I mean, like I said, you're right. It's been the law, and now they can enforce the law.
Kip Boyle: So I read, just to help people understand the fines, because I think this is really interesting. I mean, what a hammer, right? I was reading somebody's kind of interpretation of GDPR, and they gave this really good example. So in the UK there was a mobile phone company called TalkTalk, which I watched ... God, what an embarrassment. TalkTalk had a data breach in 2017, 2016, and it was just embarrassing to watch them navigate the public relations of that. In the court of public opinion, I mean, they were just tried, convicted, guilty. Just it was horrible. They ended up getting fined 400,000 pounds as a result of that data breach under a UK fine, but under a GDPR fine, it would've been a 59 million pound fine, right. 400,000 pounds to 59 million pounds. What an illustration I thought that was.
Jake Bernstein: Well, and that's exactly right, and see, this is one of the issues. This is one of the reasons that the GDPR was created is that prior to the GDPR's adoption, enforcement and the fines were slapdash across Europe. There are some countries that were part of the European Union or the European Economic Zone that would not ... they would give $20,000. We'll just use dollars as a placeholder for all the various potential currencies, mostly euros. But that's a slap on the wrist in most circumstances, right. Then you'd have the UK, where a 400, 500,000 pound fine is decent size. I mean, it's not nothing, but it doesn't compare to what the GDPR is going to do.
Jake Bernstein: Not only that, but there's actually talk that the broader European Union is going to pressure the individual countries to enforce more evenly, and speculation is that it's going to push all fines up, not down, so what you're going to see ... and keep that in mind, too, is that every country has its own data protection authority, and each country is going to be able to bring its own cases, and so that right there. It's not just like the EU, such as it is, that is going to be bringing these cases. It's Germany, it's France, it's the UK, at least until Brexit completes. It's everything from Austria and Greece. Everyone in the European Union.
Jake Bernstein: And one thing that's I think often not realized is that class actions are an American tradition in some sense, right? They haven't historically been a major component of European law, to my knowledge. I could be wrong about that, but I can tell you that one of the things that's special about GDPR is that it creates specific class action rights for EU citizens. Not only can EU citizens complain to and actually take legal action to force a data protection authority to take action, right. So think about this. The government can be forced by citizens to take action under GDPR, and the citizens can take collective recovery actions, which is a class action. So the odds of a company operating with any European data and violating the statute or the GDPR in a fashion that causes anyone harm and then not being noticed, are about zero. They're about zero, because you've got ... when the individual victims have that kind of power to force action, you can't ... I mean, don't think that hiding or being small is going to make a difference.
Kip Boyle: Well, let's talk about the GDPR itself. As you mentioned, it's very long, it's very complicated, and as I've noticed, it's pretty dense, so I'm wondering if you can help our listeners by telling us what does the GDPR require, and can you simplify it at all?
Jake Bernstein: Well, as we discussed, it's over 200 various provisions with many sub-parts, so simplifying this regulation is challenging, but what it really comes down to is, in my mind, two kind of core areas of it. There are substantive privacy rights. People probably have heard about the right to be forgotten, as an example. Then there are kind of substantive security requirements, and these are two separate ... security and privacy often go hand in hand, but I think we all agree that they're separate but related.
Kip Boyle: Yeah.
Jake Bernstein: So with regard to the privacy rights, it is a substantive declaration of privacy rights. There's literally an entire chapter that is called Rights of the Data Subject. It encompasses 18 articles that go into detail about the rights of the data subject. It's about transparency. It's about being able to access your data, change it if it's wrong, remove it if it's incorrect, or if you just want to be removed. There are provisions about what the EU is calling pseudonymization, which really is just another way to say anonymize data. So that's kind of the privacy principles that are enshrined in this regulation.
Jake Bernstein: Then the responsibilities of the controllers and the processors ... And just to get that out of the way briefly. A controller is someone who gets the data and kind of owns it. They control the data insofar as it's contractually theirs. A processor is someone who, logically, processes that data. They didn't necessarily collect it, but they're being used for processing activities by a controller.
Kip Boyle: Okay, so I've thought about this. Tell me if I've got this right, just by way of an example. So, a bank could be a data controller because they have account holders, and they've got all this information on their account holders. If the bank outsources the printing of the statements that account holders get every month, then that outside printing company would be a data processor. Did I get that right?
Jake Bernstein: That's correct, yeah. Most data controllers are both controllers and processors, but a lot of them also will hire out to additional data processors, and there are requirements surrounding that, in terms of obligations and shared responsibilities. One of the things that is different, since we are talking about this, between the GDPR and the 1995 directive, is that data processors are jointly and severally liable with the data controllers, and that's a legal term that means I can collect the full amount from either of you-
Kip Boyle: Oh interesting.
Jake Bernstein: ... of the fine. So, for example, if ... It's a term from tort law, which means typically you'd see it in really even like say multiple parties involved in polluting the ground, right. It might be that the law says, okay, you know what? You're all jointly and severally liable, which means we're going to collect from all of you, or any of you, and then if you want to go and fight amongst yourselves about how you're going to divvy up the responsibility, you go ahead and do that, but the plaintiff, the one who's been injured, doesn't really have to care about who did what. You're all liable.
Kip Boyle: Interesting.
Jake Bernstein: You can all pay, and then you can fight amongst yourselves about who actually has to be stuck with the bill. And that is the case here, the GDPR has done, and what's fascinating is that it actually allows the data controllers to explicitly go after their own data processors if the controller has to pay a fine that they think was caused by the processor's misbehavior.
Kip Boyle: Interesting.
Jake Bernstein: Isn't this fun?
Kip Boyle: Oh my goodness. It's going to be quite a show. I'm going to pop some popcorn, because the first couple of years of this, right, figuring out what's normal, what's reasonable in the implementation of all these ideas, it's going to be quite a show.
Kip Boyle: One thing I saw about data controllers and data processors and their relationship reminded me of HIPAA, which, if I read this right, is that data controllers and data processors have to have contracts between them that clearly delineate roles and responsibilities under GDPR, and that kind of reminded me of like a business associate agreement in the HIPAA regime. What does that sound like to you?
Jake Bernstein: Well, they call them data processor agreements, and yeah, that's exactly what they are. Very similar.
Kip Boyle: Right, okay. Okay, so it's interesting. A lot of the ways that GDPR works, and HIPAA, New York Department of Financial Services, DFARS, it seems to me, as I look at all this stuff, and DFARS is, by the way, an American Department of Defense data protection regime, it seems to me like they're all starting to coalesce. There's a lot of commonality between these, and I find this fascinating that we might actually be converging to a point where things are going to start looking a lot more similar than they're going to be looking differently. What does that seem like to you?
Jake Bernstein: I agree completely. I mean, I think that the ... everything is headed toward the same kind of ... I mean, here's what the GDPR says: The controller will implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose are processed. And they talk more about this confidentiality and integrity and availability. I mean, really, the GDPR even points to things like ISO 27001, the NIST Cybersecurity Framework in the US. The idea here is, some of it you and I have talked about before, which is are you taking reasonable steps, and thinking about this reasonable word and how that kind of is difficult to maybe describe to folks, think about what it would mean if it was something else.
Jake Bernstein: The corollary would be that really all we're saying is no one's expecting you to take unreasonable security steps. Right? If you flip it on its head, so what does that look like? Well, that means we're not going to ask you to spend 50% of your revenue working on cyber security. But what it does mean is that there's a lot of industry best practices out there, there's a lot of different ways to help yourself, and there's a lot of opportunity to do it right. You better do it right. That is really the message here is that this kind of era of "Oh no! I was hacked! Oh well." I think that's rapidly closing to the point where you're not going to be able to do business anymore unless you have taken care of these issues.
Kip Boyle: Yeah, so while I think these sanctions under GDPR are quite severe, I do like the fact that all of these different regimes seem to be converging, and even the Federal Trade Commission, right, we talked before about the reasonable cyber security standard, and that's in GDPR, and I think we're going to see that more. It's the responsibility to be reasonable, but the freedom to figure out what exactly does that mean for me, and what I'm seeing with our customers is it actually confuses them. They like the idea of reasonable, but they struggle to define it, and I see them develop an appetite for a checklist, which that is kind of disheartening, but anyway. So this is just all very fascinating.
Jake Bernstein: Well, and I can understand why a checklist would be seen as helpful. The problem is that the security of your products in the information age and your services, it touches every aspect of your business cycle and development. You cannot reasonably expect to have a checklist that's going to cover everything that you need to pay attention to.
Kip Boyle: Yeah, but they really have to kind of put together their own checklist, though, don't they? I mean, to operationalize reasonableness, and to be able to train people, you really have to construct your own checklist in a sense, don't you? I mean, whether that's a security policy and procedures and standards. I mean, taken as a group, I mean, that kind of becomes your checklist, right? These are the things we do.
Jake Bernstein: You know, I really like that thought is that if you're going to practice security, then what you should think about if you want to think about checklists, then you should think about making your own checklist, because if you make your own checklist, not only is the checklist itself important, but the process of getting to that checklist, that's really where the value lies, and by being able to do that, it's actually more of a guarantee that you've actually done what those checklist items require.
Kip Boyle: No certainly. You certainly understand-
Jake Bernstein: So I think that's a really good way of doing it.
Kip Boyle: Yeah.
Jake Bernstein: Yeah.
Kip Boyle: I want to ask you a few questions. I've had conversations with different people about GDPR. One of the best conversations I've had to date, there's a fellow that I met, and he works for a cruise line, and so their ships are all over the world. They're in the Mediterranean, the Pacific, the Caribbean, just everywhere, and so GDPR has been something that they've been wrestling with for quite some time now. He told me some really interesting things about their interpretation of GDPR, and so I just wanted to share a couple of these things with you, and just see what you think about this.
Kip Boyle: One thing that he said is that GDPR kind of follows EU residents wherever they go, so if an EU resident or a citizen ... I guess citizen. If an EU citizen moves to California, and retains their citizenship, that they have all of the GDPR rights in California as they would have in any EU member state. Does that sound right to you?
Jake Bernstein: So if someone ... the answer is marginally yes. That the GDPR covers the personal data of European Union citizens and residents. There's a question about if you move to the US, you're no longer a resident, but you are a citizen. I expect that some of these questions will be answered quickly by case law, and I think others will take a little bit longer to tease out. Maybe they'll amend the regulation. There are very ... I've heard people say, "No, that's wrong." Right? I've heard people just adamantly disagree with what we just talked about, what you just mentioned, and you can read it, and oftentimes you can come to a different conclusion. For example, it's very clear that it doesn't matter if the processing takes place in the Union or not, so that part's not so hard. It doesn't really matter if the data subjects ... what it says is the data subjects are in the Union. Well, does that mean they're citizens? Certainly it doesn't mean that if you get on a boat and go for a boat ride that you no longer have GDPR protection because you've left the Union, so I think in this situation, I would certainly counsel, assume the broadest possible reach. That's what the vast majority of kind of commentators are saying these days, which is assume the broadest possible reach. It's global. Just deal with it.
Kip Boyle: Okay. So then it must also be true as an American if I was to start living in Paris, that I could enjoy all of the rights under GDPR even though I am an American citizen, but I would be an EU resident. Does that sound right?
Jake Bernstein: Well, you would be a data subject in the Union.
Kip Boyle: Right, and so then I could exercise my right to be forgotten, or anything really in the GDPR. Yeah, this is really fascinating. It's kind of these use cases that this guy shared with me. I'll just tell you a story, too. He said that as an EU citizen, if they take a cruise, and let's say it's a week long cruise, and while they're on board ship, photographs are taken. When that citizen disembarks from the ship, and say fires up their mobile phone or maybe even finds a pay phone. Who knows these days. They could call the cruise line and say, "Hi. I'm Joe, and I'm a resident or citizen of the EU, and I'm going to exercise my right to be forgotten, so please forget me immediately." The things that the cruise line has to do in order to actually comply, even gets to the point where any photographs taken with Joe's face in them have to be found and deleted. Can you believe that?
Jake Bernstein: I can. The right to erasure, right to be forgotten, is an enormous can of worms that is, I think, going to take years to tease out on its own.
Kip Boyle: It's just amazing the implications of GDPR. I'm not saying that it's inappropriate, but until that was explained to me, I wouldn't have guessed it.
Jake Bernstein: Well, and think about this. Do I get to retain information about your request to be forgotten? Because if I don't, how can I prove that I did it?
Kip Boyle: Right.
Jake Bernstein: What if you say, and what about authentication questions? What if you, Kip, ask for me, Jake, to be forgotten? How do I prove that? I mean, there's an enormous number of issues that stem from this, right?
Kip Boyle: And there are some exceptions, too. That's the other thing that-
Jake Bernstein: There's always exceptions, and I mean, that is why this is a multi-hundred-page document of rules.
Kip Boyle: Right, so I think police work, there's an exception for police records, and I think there's also kind of a national defense exception, too. I think I saw that in there, as well. And that's really too bad in a way, right, because wouldn't it be nice to be able to call up the police and say, "Just forget that you pulled me over and gave me that ticket."
Jake Bernstein: Yeah. If it has to do with criminal law, criminal offenses, then it doesn't really apply.
Kip Boyle: So let's go back to one more thing real quick. Just roll all the way back. What we're really saying is GDPR has two major sort of pieces to it. It has a privacy piece, and then there's kind of like a cyber security, data protection piece. Is that right? I mean, that's really what we've been talking about, isn't it?
Jake Bernstein: Yeah, it is, and I mean if you look at the rest of the regulation, a lot of it's about implementation, specific rules based on that, how you can transfer data, but that really ... all of that stuff is really about implementing these privacy rights on the one hand, and the cyber security requirements on the other. So, yes. I think that's the best way to think about it. If you're really going to boil it down, you got some privacy rights, and you have some cyber security requirements.
Kip Boyle: Okay, all right. All right, so that's all the time we have today for the podcast. Thanks everybody for joining us. So today what we talked about is GDPR and just beginning to understand what does it consist of and what do we have to do in order to be compliant, and what could happen to us if we're not.
Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management podcast.
Jake Bernstein: Remember that cyber risk management is a team sport, and needs to incorporate management, your legal department, HR, and IT for full effectiveness.
Kip Boyle: And management [inaudible] should create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.
Jake Bernstein: You can find out more by visiting us at CyberRiskOpportunities.com and NewmanLaw.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.