5 Things to Know About Email Marketing and the EU GDPR

Before you send out that next email marketing blast, make sure you’re compliant with the EU GDPR

Email marketing is big business. MarTech Advisor reports that it is the best-performing channel for a company’s ROI, and 61% of consumers prefer to receive offers via email, as opposed to only 5% who prefer social media offers. However, many organizations are concerned about how the EU GDPR, the European Union’s new, sweeping data privacy law, will impact their email marketing programs. The concern is valid; organizations found to be out of compliance can be fined up to 20 million euros (approximately $24.6 million) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

With the May 25 deadline to comply with the EU GDPR fast approaching, here are five things all organizations need to know about the EU GDPR and their email marketing programs.

1. Companies outside Europe must comply with the EU GDPR, too.

Even though the EU GDPR compliance deadline is almost here, many companies in the U.S. still aren’t prepared; quite a few of them erroneously believe that the GDPR does not apply to them. Whether the GDPR applies is not determined by where your organization is located, but by whose personal data you process: the regulation protects individuals (natural persons, not companies) who are in the European Union. If you offer goods or services to people in the EU, or monitor their behavior (for example, by tracking opens and clicks on marketing email), you must comply, even if you have no European office.

2. Marketers must get explicit permission to send communications, using clear, simple language, and keep a record of it.

The GDPR puts an end to black-hat and gray-hat marketing tactics such as using pre-checked boxes to automatically subscribe users to mailing lists (they’re prohibited), combining multiple agreements into one box (also a no-no), or burying information regarding opt-in and opt-out in a mountain of legalese. Marketers must now get users’ “freely given, specific, informed and unambiguous” consent to receive email or text communications. In clear, simple language, users must be informed what data is being collected from them, how it will be used, and how they can opt out and have their data deleted. Marketers must also keep records of when subscribers consented to communications and be able to produce this proof on demand.

3. Marketers must let subscribers be “forgotten.”

Under the GDPR, users have a “right to be forgotten,” formally the right to erasure. On a valid request, the organization must delete the user’s personal data from its systems, including copies held by its email service provider and other processors, or irreversibly anonymize it. The right is not absolute; data the organization is legally required to retain can be kept, but it must be able to say exactly which records those are and why. In practice, marketers also keep the minimum needed to make sure an erased address is never mailed again.
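
The consent and erasure requirements in points 2 and 3 come down to a small amount of record-keeping that is easy to get wrong. The following is an added example, not code from the article or from any mailing platform: a consent ledger that records one opt-in per purpose with the timestamp, notice version and form, rejects submissions that rely on pre-ticked or bundled boxes, exports proof of consent on demand, and handles an erasure request by deleting the records while keeping only a keyed hash of the address as a suppression entry. The purposes, field names and the suppression key are assumptions made for the example.

```python
"""Consent ledger for a mailing list: one consent record per purpose, an
exportable proof of consent, withdrawal, and erasure that keeps only a keyed
hash of the address so it is never mailed again.

Added illustration only; field names, purposes and the suppression key are
assumptions, not taken from any mailing platform or from the article.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Each purpose needs its own tick box; a single "agree to all" box is not specific.
PURPOSES = ("newsletter", "product_offers", "partner_offers")

# Assumed secret used to key the suppression hash; in practice load it from a KMS.
SUPPRESSION_KEY = b"assumed-secret-suppression-key"


@dataclass
class ConsentRecord:
    email: str            # normalised address
    purpose: str
    given_at: str         # ISO-8601 UTC timestamp of the opt-in
    notice_version: str   # version of the privacy notice the user was shown
    source: str           # form or page where the box was ticked
    withdrawn_at: str | None = None


def _norm(email: str) -> str:
    return email.strip().lower()


def _fingerprint(email: str) -> str:
    # Keyed hash: the suppression list alone does not reveal addresses. It is still
    # pseudonymised personal data, not anonymous, and must be justified as such.
    return hmac.new(SUPPRESSION_KEY, _norm(email).encode(), hashlib.sha256).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class ConsentLedger:
    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []
        self.suppressed: set[str] = set()

    def record_opt_in(self, email: str, form: dict, notice_version: str, source: str) -> list[str]:
        """`form` is the submitted checkbox state, e.g. {"newsletter": True}.
        Submissions that rely on pre-ticked boxes or one bundled box are rejected;
        only purposes the user actively ticked are recorded."""
        if form.get("prechecked"):
            raise ValueError("pre-ticked boxes are not freely given consent")
        if "all_marketing" in form:
            raise ValueError("bundled consent is not specific to a purpose")
        given = [p for p in PURPOSES if form.get(p) is True]
        if not given:
            raise ValueError("no purpose ticked; nothing to record")
        stamp = _now()
        for p in given:
            self.records.append(ConsentRecord(_norm(email), p, stamp, notice_version, source))
        # A fresh, explicit opt-in lifts an earlier suppression for this address.
        self.suppressed.discard(_fingerprint(email))
        return given

    def may_send(self, email: str, purpose: str) -> bool:
        if _fingerprint(email) in self.suppressed:
            return False
        return any(r.email == _norm(email) and r.purpose == purpose and r.withdrawn_at is None
                   for r in self.records)

    def withdraw(self, email: str, purpose: str) -> int:
        """Opt-out for one purpose; the record is kept, marked withdrawn, as evidence."""
        n = 0
        for r in self.records:
            if r.email == _norm(email) and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = _now()
                n += 1
        return n

    def proof_of_consent(self, email: str, purpose: str) -> list[dict]:
        """Evidence to produce on demand: when, under which notice, from which form."""
        return [asdict(r) for r in self.records if r.email == _norm(email) and r.purpose == purpose]

    def erase(self, email: str) -> int:
        """Right-to-be-forgotten request: drop every record for the address and keep
        only its keyed hash so the address is not mailed again by mistake."""
        before = len(self.records)
        self.records = [r for r in self.records if r.email != _norm(email)]
        self.suppressed.add(_fingerprint(email))
        return before - len(self.records)


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_opt_in("Alice@Example.com", {"newsletter": True}, "notice-2018-05", "signup_form")
    print(ledger.may_send("alice@example.com", "newsletter"))   # True
    print(ledger.erase("alice@example.com"))                    # 1
    print(ledger.may_send("alice@example.com", "newsletter"))   # False
```

Two design points worth noting. A withdrawal keeps the record and stamps it, because the history of consent and opt-out is exactly the evidence the marketer may be asked to produce; only an erasure request removes it. And the suppression entry after erasure is a keyed hash rather than the bare address, but it is still pseudonymised personal data rather than anonymous data, so its retention has to be documented and justified like any other record.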

4. Marketers must ensure data security.

In addition to data privacy, the GDPR addresses data security. Organizations are required to build data protection into their products, policies, procedures, and systems from the start (“data protection by design and by default”) and to report personal data breaches to the supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to put the affected individuals at risk. When a breach is likely to result in a high risk to individuals, they must be notified as well, without undue delay. Organizations must appoint a Data Protection Officer (DPO) if they are public authorities, if their core activities involve large-scale, regular and systematic monitoring of individuals, or if they process special categories of data (such as health data) on a large scale.

5. Organizations can’t pass the buck if a third-party vendor is breached.

If your organization outsources its email marketing, be aware that your organization, as the data controller, remains responsible under the GDPR for what that company, or any other third-party vendor that processes or stores personal data on your behalf, does with the data. The GDPR requires a written contract with each such processor setting out what it may do with the data, the security measures it must apply, and its obligations to report breaches to you and to delete or return the data when the engagement ends. Do business only with providers that will sign such terms and can show how they meet them, and check what they actually do rather than relying on a claim of being “GDPR compliant.”

The EU GDPR Is an Opportunity for Savvy Firms

Rather than seeing the GDPR as a regulatory burden, smart email marketers will see it as an opportunity to improve their data governance, cyber security, and ROI. Ensuring that marketing emails are being sent only to subscribers who are truly interested in receiving the messages and demonstrating to customers that their data privacy matters to the organization will increase conversion rates and build brand loyalty.

Is your organization prepared for the EU GDPR? Click here to take Continuum GRC’s free GDPR readiness assessment and download your report today.

If your organization is struggling with your GDPR compliance efforts, don’t be afraid to seek help. The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

GDPR Compliance Issues Could Cause WHOIS Directory to Go Dark

WHOIS service in jeopardy as EU authorities reject ICANN’s interim solution to GDPR compliance for vital “internet phonebook”

The deadline for compliance with the EU’s General Data Protection Regulation (GDPR) is fast approaching, and an astounding number of organizations are woefully unprepared to meet it. A new survey of IT decision-makers by Crowd Research Partners found that a whopping 60% of organizations will likely miss the GDPR compliance deadline of May 25, 2018, even though 80% of respondents listed GDPR compliance as one of their organization’s top three priorities. A closer examination of the findings paints an even grimmer picture:

  • Only 7% of respondents reported having already achieved GDPR compliance.
  • 28% of respondents hadn’t even begun working toward the May 25 GDPR compliance deadline.
  • 43% of respondents cited an internal skills gap as a stumbling block to GDPR compliance, while 40% blamed budget issues.

Among these organizations is ICANN. Yes, that ICANN, the non-profit organization responsible for IP address space allocation, DNS management, and other duties that ensure the reliable, stable operation of the internet.

EU Authorities to ICANN: Achieve GDPR Compliance or Else

At issue is the WHOIS directory, which acts as a sort of “internet phonebook” and contains the personal identifying information (name, address, phone number, etc.) of everyone, whether a person or an organization, who owns a domain name. As it currently functions, WHOIS is in violation of the GDPR, and ICANN has admitted that it won’t be able to make WHOIS GDPR compliant by the May 25 deadline – despite having had two years to come up with a solution. ICANN has proposed an interim solution it calls “The Cookbook,” but EU authorities have found it severely lacking.

The ongoing debacle has put the future of WHOIS into jeopardy. Barring a major development, the service may become fragmented or even go completely dark on May 25, a prospect that has put IP attorneys, cyber security experts, and law enforcement agencies, who depend on WHOIS to enforce intellectual property rights and track down cyber criminals, on edge.

ICANN is pleading with European data authorities for an extension, but many experts doubt one will be granted. ICANN has had two years to prepare for the GDPR; additionally, the EU has been sending it written warnings about WHOIS violating other European data privacy laws for at least six years. Instead of preparing for the inevitable, ICANN chose to sit on its hands.

Is Your Organization Prepared for the GDPR?

Organizations that violate the GDPR face fines of up to 20 million euros (approximately $24.6 million) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The stakes are incredibly high, and the time left to prepare is critically short.


Best Practices to Prevent Supply Chain Cyber Attacks

Hardware & Software Supply Chain Cyber Attacks Pose Significant Threats

Due to globalization and outsourcing, enterprise supply chains are more intricate than ever. Most products are no longer manufactured by a single entity. Materials, components, and even final products pass through multiple hands before ending up in the hands of end users. Additionally, most companies have multiple third-party business associates providing everything from office supplies to cloud storage; the largest enterprises may have thousands of these vendors. While enterprises have long been on guard against the possibility of physical product tampering or counterfeiting, many companies are still not cognizant of the scope of supply chain cyber attacks.

Supply chain cyber attacks can involve hardware or software. According to NIST, some of the most common threats to the cyber security of the supply chain include:

  • Third-party vendors – anyone from software engineers to janitorial providers – having physical or virtual access to information systems.
  • Lower-tier business associates with poor cyber security practices.
  • Compromised software.
  • Hardware that has been compromised by malware or that is counterfeit.
  • Insecure supply chain management or supplier system software.
  • Data aggregators or third-party data storage.

Cyber criminals are increasingly hijacking legitimate software update channels. A recent study by Symantec found that this type of supply chain cyber attack surged by 200% in 2017. One of the most infamous examples is the NotPetya malware, which was spread through a poisoned update of a popular accounting software package; because the update arrived through the vendor’s own update mechanism, it looked legitimate to the systems that installed it.

While supply chain cyber attacks are a threat to all industries, the problem is especially acute in the healthcare industry, which is rapidly implementing IoT devices. At any one time, the world’s hospitals are running up to 80,000 exposed devices, and these devices can be attacked at numerous points on the supply chain.

The U.S. government is also vulnerable to supply chain cyber attacks; for this reason, the FCC has drafted a proposal that would prevent telecoms from using Universal Service Fund money to purchase hardware manufactured by companies that “pose a national security threat to United States communications networks or the communications supply chain,” noting that compromised equipment could “provide an avenue for hostile governments to inject viruses, launch denial-of-service attacks, steal data, and more.”

Preventing Supply Chain Cyber Attacks

Proactive supply chain risk management is key to preventing supply chain cyber attacks. Here are some examples of best practices:

  • Know your organization’s vendors. Often, the purchasing and accounting departments are well-versed in a company’s supply chain ecosystem, but cyber security personnel are left in the dark.
  • Establish specific security metrics for your vendors to adhere to, and include them in every RFP and contract. Don’t forget about physical as well as technical security controls; e.g., measures taken to ensure that hardware is not physically tampered with.
  • Institute no-tolerance, “one strike and you’re out” policies for vendors who provide products that are found to be counterfeit or fall short of security specifications.
  • Tightly control hardware component purchases. Unpack and thoroughly inspect all components purchased from vendors that are not pre-qualified.
  • Tightly control vendor access to your hardware and software. Limit software access to as few vendors as possible. Limit hardware vendors’ access to mechanical systems only, with no access to control systems. Authorize and escort all vendors while they are on your premises.
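
The “compromised software” threat above is the one a technical control can actually gate. The following is an added example, not code from the article or from any vendor: an integrity check that refuses to install a vendor update unless every received file matches a manifest of pinned SHA-256 digests, nothing outside the manifest is present, and the manifest itself carries a valid authenticator under a key obtained from the vendor through a separate channel. The file names, contents, manifest layout and key are constructed for the example; the HMAC over the manifest stands in for the detached vendor signature a real pipeline would verify.

```python
"""Integrity gate for a vendor software update: the received files must match a
manifest of pinned SHA-256 digests, and the manifest itself must carry a valid
authenticator under a key obtained from the vendor out of band.

Added illustration; file names, contents, the manifest layout and the key are
constructed for the example, not taken from any vendor or from the article. The
HMAC over the manifest stands in for the vendor signature a real pipeline would
check (e.g. a detached signature over the manifest).
"""
import hashlib
import hmac
import json

# Assumed key delivered by a channel separate from the update server itself.
MANIFEST_KEY = b"assumed-out-of-band-manifest-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(version: str, files: dict) -> dict:
    """Vendor side: pin the digest of every file that ships in this version."""
    return {"version": version, "files": {n: sha256_hex(b) for n, b in sorted(files.items())}}


def authenticate_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    # Canonical JSON so both sides MAC the same bytes regardless of key order.
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_update(manifest: dict, tag: str, received: dict, key: bytes = MANIFEST_KEY):
    """Consumer side. Returns (ok, problems). Nothing from `received` should be
    installed unless ok is True."""
    problems = []
    if not hmac.compare_digest(authenticate_manifest(manifest, key), tag):
        # An attacker who can replace the update can also replace an unauthenticated
        # manifest, so this check comes first and a failure stops everything.
        return False, ["manifest authenticator invalid"]
    pinned = manifest["files"]
    for name, expected in pinned.items():
        if name not in received:
            problems.append(f"missing file: {name}")
        elif not hmac.compare_digest(sha256_hex(received[name]), expected):
            problems.append(f"digest mismatch: {name}")
    for name in received:
        if name not in pinned:
            problems.append(f"file not in manifest: {name}")
    return not problems, problems


# Constructed sample: what the vendor built, and what a tampered mirror serves.
GENUINE = {
    "setup.exe": b"\x4d\x5a genuine installer bytes",
    "app.dll": b"genuine library bytes",
}
MANIFEST = build_manifest("2.1.0", GENUINE)
TAG = authenticate_manifest(MANIFEST)

TAMPERED = dict(GENUINE)
TAMPERED["app.dll"] = b"genuine library bytes" + b"<backdoor>"
TAMPERED["helper.dll"] = b"dropped loader"


def check_genuine():
    return verify_update(MANIFEST, TAG, GENUINE)


def check_tampered():
    return verify_update(MANIFEST, TAG, TAMPERED)


def check_forged_manifest():
    """Attacker re-pins digests for the tampered files but cannot produce the tag."""
    forged = build_manifest("2.1.0", TAMPERED)
    return verify_update(forged, authenticate_manifest(forged, b"wrong-key"), TAMPERED)


if __name__ == "__main__":
    print(check_genuine())          # (True, [])
    print(check_tampered())         # (False, ['digest mismatch: app.dll', 'file not in manifest: helper.dll'])
    print(check_forged_manifest())  # (False, ['manifest authenticator invalid'])
```

The caveat matters more than the code: a gate like this only catches substitution between the vendor’s build and your installation (a poisoned mirror, a tampered download, an extra file slipped into the package). In the NotPetya case the malicious update was produced and distributed through the vendor’s own update mechanism, so it would have carried valid digests and a valid signature. Integrity checks belong in the process, but they do not replace the vendor vetting, access limits and monitoring of what installed software actually does that the list above calls for.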
