7 unexpected ways GDPR and other privacy regulations make security harder

The smallest well-intentioned acts can have significant unintended negative consequences. When those acts have a global impact on individuals and businesses, the unanticipated negative effects could potentially be catastrophic. That’s what some experts fear when it comes to the ability of security teams to do their jobs in the wake of new privacy regulations, in particular the European Union’s General Data Protection Regulation (GDPR).

In some cases, the GDPR and laws such as the California Consumer Privacy Act (CCPA) make it harder to stop bad actors from stealing the personal information that the regulations are supposed to protect. The regulations often lack specifics about how to comply, and companies take actions that impede security out of fear of potential penalties.

“The penalty for violating [the GDPR] is so egregious that you are getting these unforeseen consequences, and at the same time you’ve increased the threat surface due to the loss of Whois data,” says Caleb Barlow, vice president of threat intelligence at IBM Security. “The threat surface on which I can be attacked has increased dramatically because of GDPR—not by a little bit, but by an order of magnitude.”

Barlow, who says he is in favor of privacy controls, is seeing instances where security’s response to an attack is slowed because they can’t access the data they need due to privacy concerns.  Those same concerns are giving “bad guys places to hide and get away, because the bad guys have private information, too.”

“This could literally cause some of the largest privacy losses in history,” Barlow predicts.

In some cases, companies have over-reacted regarding how security responds to incidents. Recital 49 of the GDPR, for example, appears to exempt security teams from the regulations while performing their duties:

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

What follows are some of the most serious examples of unexpected vulnerabilities or other difficulties that security teams face as a result of the GDPR and other privacy regulations.

1. Hackers get more personal data due to right-of-access requests

None of the privacy regulations will prevent hackers from taking over individual accounts. The information needed to do so is easily available for a small fee on the internet. Most of the privacy regulations, however, give consumers the right to request all personally identifiable information (PII) an organization has for them.

That’s great, as long as the person requesting the PII is indeed that individual. The problem is that hackers can get enough information on someone to make a successful fraudulent request for more data, thus gaining the ability to do more damage.

“The old scenario is you get into some account with a retailer that I bought something from,” says Barlow. “The problem nowadays is that every retailer buys and collects all kinds of information on you. Once I get into that account, I can request all that additional information, which gives you the ability to move laterally into other accounts. Now I actually have more PII than [the victim] gave the retailer.”

2. Disappearing Whois data prevents shutdown of malicious domains

Rather than risk running afoul of GDPR rules around exposing private data, many internet domain registries are removing PII from the public Whois database—not just data about European domains, but all domains. That data is vital to researchers trying to identify domains that are responsible for phishing, ransomware and other attacks. Yes, hackers will use phony PII to register domains, but that false data is important to researchers trying to find other domains an attacker might be using.

“Historically, you’d use a combination of Whois data and other tools to find where [a malicious] website is coming from,” says Barlow. Obviously fake data indicates quickly that the website is owned by a bad actor, he adds. The only real information would be an email address and phone number.

“Of course, they are using a burner phone and some free email service,” Barlow says. ”You can figure that out almost instantaneously and in many cases in an automated way. Even if it was a bad buy and you don’t know who the bad guy is, you have enough information to pivot and say OK, has this entity registered any other domains? Oh look, it registered 1,000 domains,” he says.

“I also see that phone number is associated with 10,000 more domains. Bad guys are lazy. They’re not going to get a new burner phone for every domain they register. They’re going to use the same burner phone for thousands if not tens of thousands of malicious URLs,” says Barlow. “Then I can look at that email address and say oh, here’s another 5,000 domains that are associated with that email address.”

One malicious indicator, even if it’s not real data, could lead to the blocking of thousands of suspect domains. “That could happen instantly, and people could be protected almost instantly,” says Barlow. “Now [that process is] basically useless.”

The GDPR has put the domain registrars in a position of choosing between following ICANN rules for registering domains or minimizing the risk of a fine from EU commissioners. ICANN does not sanction registrars for not following its rules, so now the Whois database “is basically going dark,” says Barlow. “Now I don’t see the phone number, I don’t see the address, I don’t see the name of the individual, and I can’t block anything other than that one domain. That alone could result in the largest privacy losses in history, which could far outweigh any positive goal the GDPR was trying to achieve.

Barlow believes that the EU and ICANN can come to a workable solution regarding Whois data. The European regulators have got to sit down with ICANN and figure this out. It’s going to take a few more months before we realize the size of [the problem],” he says.

3. Bigger workloads for security teams

Reaction to privacy regulations is putting more responsibility on the shoulders of security teams while at the same time making it harder for them to do their jobs. “The security and IT teams now serve as the last line of defense to ensure that the principles like data minimization, purpose limitation, security of processing and privacy by design requirements are met,” says Matt Dumiak, director of privacy services at CompliancePoint.

Joan Antokol, managing partner at data protection law firm Park Legal, says she sees security and IT professionals at corporations working long hours. “In-house security teams are given increasing responsibilities in light of the GDPR, and some are really over-extended and worried. They can’t do their jobs properly if they are being pulled in so many different directions.”

One area where Antokol sees security and IT doing extra, possibly unnecessary work is in relation to using excessively detailed or complicated data protection impact assessment (DPIA) forms that require an extraordinary amount of information—well beyond regulator expectations. She noted that one client produced a 67-page DPIA template with 500 or more questions, which they planned to use to conduct 50 or more DPIAs.

“It would take an inordinate amount of time to complete a single DPIA using a 67-page form containing that many questions, and that’s not what the regulators expect,” Antokol says. Businesses need to adopt procedures and measures that are fully aligned with the GDPR requirements and guidance documents, while at the same time are reasonable and practical.

The level of perceived risk of penalties is helping to generate this pressure, Antokol adds, and she sees a parallel to an earlier regulation that governs financial reporting. “Like Sarbanes-Oxley, there’s real risk to companies that don’t comply,” she says, “and there are a number of things that are uncertain.” As has been the case with Sarbanes-Oxley, though, the pressure on IT subsided once organizations learned what to expect. She anticipates the same will happen with GDPR, once companies adjust their practices to the new standards and obligations and operationalize them.

4. Slower response to active breaches

When a breach occurs, responders need to work quickly to identify the problem, stop the damage, shut down the attacker, and take steps to ensure it doesn’t happen again. Barlow has seen instances, particularly in Europe, where that process has ground to a halt because of concerns over violating GDPR rules.

He cites an example where the victimized company needs to deploy endpoint protection to detect if an attack happens again. “You want to deploy these tools as fast as possible because the bad guys are still in there and you can’t root them out until you have a way to kick them out, but also you want to make sure that you do it all at once so the bad guys don’t see what you’re doing and then go hide somewhere else where you can’t detect them,” says Barlow.

A large company might have thousands of endpoints at which to deploy the new tool in a short period of time. “The problem is you can’t do that in Europe now because these same tools work by ultimately gathering a lot of information about what’s going on at the endpoint, including potentially PII,” says Barlow. “Their job is not to collect private information, but they look at the files and servers running on a machine and of course, there may be some PII that you can derive from that.”

What’s happening in Europe, particularly in Germany, now is that companies need to get permission to deploy those tools, often from a worker’s council. Barlow says that can take 30 to 90 days.

Barlow would like to see policies in place around GDPR compliance during an active investigation of a breach that allow security teams to act quickly, “Companies and governments need to have a level of freedom to do what needs to be done to stop the losses and get business back up and running,” he says.

5. Safe havens for cyber criminals in countries with strict PII protections

If you aren’t worried about the above scenario because your organization is outside the EU, you should be. Strict interpretations of PII protections are creating safe havens for cyber criminals to operate from.

“Think about this from the bad guy’s perspective,” says Barlow. “Where are you going to put your command and control servers? Where are you going to put your infrastructure? You’re going to put them in Germany.” With their center of operations there, a victimized company can’t shut them down immediately even if they are caught.

“It’s the analog of bad guy breaks into a bank, police show up and see the bad guys in the vault. They walk in, shake hands and say, ‘Hey, nice to meet you but don’t tell me your name. I’ll be back in 30 to 60 days to arrest you and get that information,” says Barlow. “What are the bad buys going to do? They’ll hang around, empty the vault and do whatever they were going to do and clean up after themselves.”

6. Cyber criminals using the threat of GDPR fines to extort payments

Although CSO could not confirm that this has actually happened, several experts agreed that it’s very likely a hacker will threaten to go public about a breach they executed and put the company at risk of a large fine. It might not need to be a breach. Antokol believes we’ll see cyber criminals finding vulnerabilities that show an organization is out of compliance and extort companies by threatening to go public.  The hackers might explain that it is less expensive to pay them than deal with an EU data protection investigation, including fines and adverse publicity, she adds.

Given the success of other types of extortion like ransomware, it’s easy to see the appeal to cyber criminals. It’s something companies should prepare for.

7. Roadblocks to investigate insider threats

When suspicious activity is detected on an employee’s computer or device, you need to determine if that activity was done by the employee or a third party that compromised the employee’s account or device. Some companies, particularly in Europe, have made that investigation more difficult due to concerns over GDPR.

A proper investigation of an insider threat will require access to the employee’s PII. “Normally, you would look at a variety of things. You might look at email accounts; you might look at badge swipe data,” says Barlow. That data can show quickly whether the employee was involved. “Now it’s all PII data that you don’t necessarily have permission to gather.”

This scenario played out at a European telecommunications company, which CSO reported earlier. A third-party security vendor found evidence of an insider threat and presented it to the company. Because the company’s employee union adopted language regarding privacy protections from the GDPR, the company could not investigate further even though the data resided on company computers.