GDPR is a bust — and so are HIPAA, PCI and the pending California Consumer Privacy Act (CCPA). These rules are largely observed in the breach, judging by the 2019 Global Data Risk Report, a study by the Varonis Data Risk Lab.
For one thing, 53% of all firms have over 1,200 sensitive files open to every employee, up from 41% last year — a problem that can send them careening right into a collision with the GDPR. And 15% have over 1 million folders open to each staff member.
How does Varonis define sensitive data? The report defines it as information on customers, employees, projects and other business matters.
Data on individuals is governed by GDPR and other laws.
Across the board, 22% of all folders are exposed to every employee, up from 21% in 2018. And 80% of companies with over 1 million folders found 50,000 folders open to every employee.
Another problem is that companies are collecting more data than they need and keeping it too long, violating the GDPR’s right to be forgotten. As the study asks about that right — “What was that again?”
Of the firms studied, 87% have over 1,000 stale sensitive files, and 71% have over 5,000 such files. Overall, stale data accounts for 72% of all folders in the average company and 53% of all data.
Varonis recommends that companies follow the principles of Privacy by Design — minimize the amount of data you collect, the number of people who have access to it and how long you keep it.
“Data kept beyond a pre-determined retention period can expose an organization to additional liability,” the study says. “Stale data can be expensive to store and manage, and poses an increased (and unnecessary) security risk.”
Then there’s the matter of access permission.
Many firms have applied permissions to more folders than they can realistically manage, and 58% found over 1,000 folders with inconsistent permissions.
The study urges firms to determine “exactly who uses — or no longer uses — data, so that you can be surgical about reducing access without causing any headaches.”
That requires simplifying access management procedures and adopting a “least-privilege model” that allows users access only to the data they need.
Companies should also set expirations for passwords — 38% of all users sampled have a password that never expires.
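The three findings above (folders open to every employee, stale sensitive files kept past their retention period, and folders whose permissions are inconsistent with their parent) are exactly what a file-share audit has to surface before access can be reduced “surgically.” The script below is an added example, not code from Varonis or from the report; it walks a directory tree and reports each of the three conditions. It assumes a POSIX file system, where the “other” read bit stands in for an “Everyone” or “Domain Users” grant on a Windows share, a 365-day retention period, and a small constructed sample tree built in a temporary directory.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

STALE_DAYS = 365  # assumed retention period; tune to your data-retention policy


def audit_tree(root, stale_days=STALE_DAYS, now=None):
    """Walk a tree and return sorted lists of relative paths for:
    open_dirs          - directories readable by every local user ("other" read bit),
    inconsistent_dirs  - directories whose mode differs from their parent's,
    stale_files        - files whose mtime is older than the retention period.
    """
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - stale_days * 86400
    findings = {"open_dirs": [], "inconsistent_dirs": [], "stale_files": []}

    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel = str(d.relative_to(root))
        mode = stat.S_IMODE(d.stat().st_mode)

        # Open to everyone: POSIX "other" read stands in for an Everyone ACE (assumption).
        if mode & stat.S_IROTH:
            findings["open_dirs"].append(rel)

        # Inconsistent permissions: the child does not mirror its parent's mode,
        # i.e. inheritance was broken somewhere and nobody tracks why.
        if d != root:
            parent_mode = stat.S_IMODE(d.parent.stat().st_mode)
            if mode != parent_mode:
                findings["inconsistent_dirs"].append(rel)

        # Stale data: not modified within the retention window.
        for name in filenames:
            f = d / name
            if f.stat().st_mtime < cutoff:
                findings["stale_files"].append(str(f.relative_to(root)))

    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree():
    """Constructed sample share (not from the report) with one of each problem."""
    base = Path(tempfile.mkdtemp(prefix="share_audit_demo_"))
    os.chmod(base, 0o750)

    hr = base / "hr"                      # matches parent, not world-readable: clean
    hr.mkdir()
    os.chmod(hr, 0o750)
    (hr / "onboarding.txt").write_text("constructed sample content")

    share = base / "share"                # world-readable and differs from parent
    share.mkdir()
    os.chmod(share, 0o755)

    archive = share / "archive"           # stricter than parent: inconsistent
    archive.mkdir()
    os.chmod(archive, 0o700)

    old = archive / "payroll_2015.csv"    # stale: last touched two years ago
    old.write_text("constructed sample content")
    two_years_ago = time.time() - 2 * 365 * 86400
    os.utime(old, (two_years_ago, two_years_ago))

    return base


if __name__ == "__main__":
    root = build_sample_tree()
    for category, paths in audit_tree(root).items():
        print(f"{category}: {paths}")
```

Run against a real share the "open" test should be replaced with an ACL read (for example via `icacls` or a Windows ACL library), since POSIX mode bits do not represent NTFS permissions; the stale and inconsistency checks carry over unchanged.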
Varonis analyzed 53.8 billion files, compared with 6.2 billion in its 2018 report. On average, this included 70 terabytes per company.