Cybersecurity Blog: The Cyber Scene is evolving, are you?


The United States and Europe have never quite been on the same page when it comes to privacy. Traditionally, European governments have taken a more stringent approach in their laws and regulations than the US Federal Government. Complicating matters further, brand new European privacy laws that are even stricter may be on a collision course with US-based firms, particularly organizations that are embracing the Internet of Things (IoT) in record numbers. As a result, companies that do business internationally will need a solid plan and dedicated tools to keep ahead of the new regulations.

The United States and Europe have always been at odds over privacy. In the US, personal information is understood to belong to, and become the responsibility of, whoever holds it. Most US-based companies have fashioned some type of privacy policy, but those are often written more as a marketing tool to show customers that the information held about them is secure. They are almost never created with a real threat in mind, rarely updated, and only enforced legally in very specific industries like government and healthcare.

The European Union, by contrast, generally takes the view that personal information belongs to the individual regardless of where or how it is stored, and that the person has the legal right to determine when and how that information is used. That view has recently been codified in the EU’s General Data Protection Regulation (GDPR), which was approved this spring and is scheduled to go into effect in May 2018.

The GDPR has teeth. Penalties for companies that violate the law can range from 10 million euros or 2 percent of the company’s worldwide annual turnover for some violations, all the way up to 20 million euros or 4 percent of worldwide turnover for more serious breaches.

The Brewing Storm

The GDPR will apply to any organization holding or processing the personal data of EU residents. US-based firms doing business within the EU will certainly be subject to it, as will firms that are not based in the EU but which collect personal information from customers who live there.

These points bring up the problem of the Internet of Things (IoT). IoT devices are oftentimes little more than basic sensors which record very specific pieces of information. That data is then streamed to and collected by other computers, cataloged and used to make all sorts of decisions, sometimes automatically based on historical trends. Firms within the United States have been embracing the functionality and economy of IoT more quickly than almost anywhere else in the world, with billions of devices expected to be online within the US by 2018.

Certain industries like healthcare and critical infrastructure management have especially embraced its potential, though IoT touches almost every sector. There are even crossover uses, such as insurance companies using IoT to monitor the health of their customers and offering discounts to those who regularly raise their heart rates through exercise. IoT is incredibly cheap, with some devices costing only a few pennies to manufacture, yet it can provide invaluable insights about customers and business trends.

The one big negative about IoT devices is that security is almost never part of their design, or at least not a big part. Adding a cybersecurity layer would negate a lot of the economic advantages of deploying that technology.

Within the US, not having robust security on IoT, while not a great practice, is not normally a legal vulnerability. In May 2018, when the GDPR goes into effect, that may no longer be the case within the European Union. While the GDPR was not written specifically to protect IoT data, it could be argued that data from something like a heartbeat sensor belongs to the patient within the EU. Even something like an electrical sensor could be interpreted as producing personal data if its readings are tied to a specific customer or household.

US firms doing business, or wanting to do business, within the EU or with EU-based customers should immediately work to catalog their entire IoT network and map what data is being collected, how it is being used, and what protections it has or needs. Doing so ahead of the May deadline could save a lot of hassle and potentially a lot of lost revenue in fines.

Another wildcard, specific to companies working within Britain, is what happens once Brexit fully kicks in. Presumably, Britain will craft some agreement with the EU regarding privacy laws that may be separate from the GDPR. But firms that maintain an active catalog of their IoT activities needn’t worry, because they will be able to adjust quickly to stay on the right side of any pending change in the law.

In any case, the time to get a handle on IoT data collection is now. This is especially true for any firm that touches the EU, but would be a good practice for any company before it becomes an embarrassing or expensive issue.

Chris Coryea is the Head of International Cyber Intelligence Services for Leidos. In this role, he oversees the EMEA and Asia-Pac Security Intelligence Centers for Leidos and is responsible for leading a global team of Cyber Intelligence Analysts, Pen Testing Engineers, Incident Responders and Open-Source Intelligence (OSINT) Analysts. In 2003, Chris joined Lockheed Martin in the United States, where he helped to establish the Corporate Information Security Office. He held various cybersecurity leadership roles across the US and moved to London in 2010 to assist global organizations in applying proven cybersecurity tradecraft against the ever-evolving threat landscape. Applying the knowledge gained from his 14-year journey with Lockheed Martin and Leidos, Chris is a prominent speaker who has delivered numerous presentations across the globe, including recent keynote speeches at RSA Singapore and Black Hat Europe. Chris enjoys providing thought leadership on cybersecurity and has authored numerous white papers and blogs for Lockheed Martin, Leidos and the industry. Chris holds a BS in Management Information Systems from Kansas State University and an MS in Information Technology Management from Rensselaer Polytechnic Institute.