At the recent RSA Conference in San Francisco, I spent a good deal of time meeting with VMRay partners to discuss their preparations for the General Data Protection Regulation (GDPR). The regulation, which takes effect on May 25, creates a new framework for safeguarding the personal data and privacy rights of European Union (EU) citizens. But, as we shall discuss, its reach extends far beyond the EU.
As a security company focused on malware analysis and incident response, VMRay has spent the last eight months reviewing our own internal data systems and making changes to comply with the GDPR’s many technological, administrative and legal requirements. Equally important, we have worked closely with our partners supporting their compliance efforts as well.
New Risks and Obligations
There’s a good reason that all organizations, regardless of industry, should be vetting their partner ecosystems for GDPR compliance. In the same way that personal data routinely flows across corporate and national boundaries, liability under the GDPR now flows throughout an organization’s chain of data. This creates new risks and obligations, especially for entities that sit at the top of that chain: data controllers, who have a direct relationship with individual customers or users (called data subjects in GDPR parlance), and data processors who conduct processing operations on behalf of controllers. These parties can be GDPR-compliant themselves yet still be held liable for a data breach or compromise that occurs downstream, within their network of partners, suppliers and subcontractors. So what, exactly, are all these entities responsible for?
GDPR in a Nutshell
Replacing a 1995 EU directive, the GDPR strengthens data privacy rights for EU citizens while increasing the obligations organizations have for collecting, storing, processing and disposing of their personal data. Among the key provisions:
- Increased territorial scope: The regulation applies regardless of where the organization collecting the personal data is located or where the data is physically processed and stored. Whenever a controller or processor offers goods or services to a data subject in the EU, this entity will be required to take into account the new data protection framework. The decisive criterion for GDPR-applicability is whether data of EU-data subjects is processed.
- Expanded privacy rights: These include the right to data portability, access to and erasure of one’s personal data, the right to rectify erroneous information, and the right to restrict processing activities.
- More types of protected information: The GDPR prohibits collecting and processing categories of personal information that today are widely shared in non-EU markets. Examples include location data, IP addresses, social media posts, genetic makeup, religious and racial identity and many other categories.
- Data minimization: The principle that organizations should only collect and hold the minimum amount of personal data needed to fulfill the stated purpose.
- Purpose limitation: Personal data may only be processed for specific and clearly defined purposes.
- Accountability: Organizations that process personal data need to be able to prove that they are complying with relevant data protection regulation
- Consent: Processors and controllers are required to obtain the data subject’s consent-given in plain, unambiguous language-to collect and store personal data.
While the penalty regime for GDPR is sure to be contested in the courts, fines for the most serious cases of non-compliance can range up to 4% of a company’s annual revenues or €20 million (about $23.35 million US).
A New Twist to Indirect Cyber-Attacks
Partner compliance requirements under the GDPR add a new twist to the fact that cybercriminals often attack large organizations indirectly, by targeting trusted partners and suppliers, whose security measures tend to be more lax. Unfortunately, entities sitting atop the data chain can’t easily track what happens to sensitive data once it leaves their own networks. In the Ponemon Institute’s 2017 Data Risk in the Thrid-Party Ecosystem study, 57 percent of survey respondents said they don’t maintain an inventory of the third parties they share information with, and 82 percent don’t know if their sensitive information was shared with a fourth or even a fifth party.
The potential risks created by such blind spots were illustrated at a security conference in 2017 by Markus Neis, a threat intelligence manager at Swisscom AG. As an experiment, Neis created a set of YARA rules that allowed him to retrieve thousands of emails containing confidential information relating to his own company. All these files had been uploaded to a widely used, open-source malware-scanning service, where they were potentially exposed to cybercriminals, nation-state attackers and his own search efforts, via publicly available repositories of threat data.
With further exploration, Neis was able to extract corporate business plans, PGP keys, SSH private keys, VPN credentials, Homeland Security documents, TLP Alerts issued by the FBI, and confidential malware reports that were meant to be shared between security companies.
He noted that third parties are often the worst offenders in sharing their customers’ data with this and similar services, showing little regard for whether confidential information was being exposed in the process. Today, under the GDPR, any personal data on EU citizens contained in those uploaded files would be subject to the new privacy requirements and related fines.
Adding to VMRay’s Built-in Protections
As our customers face an ever-growing attack landscape, VMRay’s GDPR compliance efforts add a new layer of safeguards to the substantial protections already built into our solutions. The VMRay Analyzer platform allows customers to create a completely isolated environment for analyzing advanced malware threats, without the risks posed by open-source tools and services. With VMRay Analyzer On-Premises, customers can ensure that their data never leaves their network. For organizations choosing a cloud solution, hosted at our headquarters in Germany, personal data and other sensitive information is protected in accordance with some of the strictest data privacy laws in the world.
In addition, VMRay’s partner ecosystem is selective and well vetted. Unlike large companies, which may be managing hundreds of relationships, our network encompasses 15 to 20 companies that specialize in key aspects of threat detection and analysis. When the situation calls for data to be shared with any of them, we have a high level of trust they will protect it with the same vigilance and technical skill we expect of ourselves.