A massive data breach at Marriott and Starwood Hotels and Resorts has put the General Data Protection Regulation (GDPR) back in the spotlight. As the hotel chain faces record fines under the GDPR, privacy experts are again extolling the importance of secure log management practices to avoid suffering a similar fate as Starwood.
The Starwood data breach recently exposed personal data of 500 million hotel guests, including such crucial information as passport numbers, birth dates, and credit card specifics. This has led privacy experts to suggest that Starwood could be the first company to be hit with maximum fines under the GDPR.
Under the GDPR, companies can be subject to fines of up to 20 million Euro or 4% or global revenue, whichever is larger. Starwood’s 2017 revenues were nearly $5.5 billion, with 4% of revenues totaling $220 million or nearly 194 million Euro. And while no fines that large have been levied in the six months since the introduction of the GDPR, industry experts say regulators will likely hit Starwood with record penalties due to the severity of the data breach.
Since May 25 when GPDR went into full effect, every breach, whether it’s Cathay Pacific, British Airways, Starwoods and the latest Facebook’s latest bug is fair game for GPDR’s purview. In each case, it boils down to a simple sounding problem: unauthorized database access.
The details of the Marriott breach is only starting to unfold over the last few weeks. One thing we know is there has been potentially four years of unauthorized access. The database was hosted on the cloud and the breach was detected in September by an internal security tool after an upgrade to merge user accounts from Marriott Rewards, The Ritz Carlton and SPG. Would cloud monitoring and logging be able to identify suspicious log-in locations and large data transfers sooner? Details will continue o come out in the coming weeks and months and we will see how GPDR is invoked.
What is the GDPR?
The European Union (EU) implemented the GDPR in May 2018, marking a historic evolution in data protection and privacy. Not only does the law cover all 515 million residents of the EU and the European Economic Area (EEA), but it has the amplifying effect of regulating the export of personal data from the EU and the EEA to the rest of the world.
At a basic level the GDPR represents a shift in the default business operating mode for personal data collection from the previous mantra of “collect and store as much personal data as possible for as long as possible” to “retain as little data on individuals for as short a period of time as is absolutely necessary.”
Essentially, the GDPR’s requirements are defined in each case by the scope and type of the data in question versus the need to store that data. The other key element is that the GDPR requires companies to obtain consent from subjects in order to collect their data.
More importantly, the sheer scope of the law’s population and business activity coverage has ensured significant impacts from the GDPR are already being felt well beyond the borders of Europe to shape data management practices around the globe. The California Consumer Privacy Act will also go into effect in 2020.
The GDPR and server logs
Though the GDPR doesn’t focus on server logs in particular, data protection authorities often view the proper handling of logs as an indicator that a firm is demonstrating regulatory compliance.
The GDPR is nonetheless important for those firms working with server logs, especially considering the default configuration of many popular web servers like NGINX and Apache Web Server are set to automatically collect and retain logs. Web servers store security audit logs, error logs and access logs, and according to the GDPR all three types of these logs contain personal data by default.
The law specifically defines IP addresses as personal data, while logs can also contain usernames if the web service in question uses those in its URL structure.
There is one exception to these rules, and that is the limited gathering and storing of data for legitimate security purposes. In this case the regulation allows the retention of personal data without consent solely for the purposes of detecting and preventing unauthorized system access and fraud.
LogDNA and GDPR
LogDNA’s approach to data collection and storage is well-suited to the new landscape ushered in by the GDPR, as we only retain client log data for as long as is necessary for problems to be identified and addressed. As a matter of course, LogDNA ensures that server logs are trafficked through our system as efficiently as possible, with prompt removal once clients have completed their diagnostic and remediation work.
As well, LogDNA maintains compliance with all industry standards, including the GDPR. Specifically, we constantly monitor changes to compliance from privacy-related regulatory bodies, while reviewing guidance from our world-class legal team. LogDNA provides clients with regular updates on changes to international standards and laws like the GDPR to ensure your own organization remains compliant amidst ever-changing data regulations.