At the recent RSA Conference in San Francisco, I spent a good deal of time meeting with VMRay partners to discuss their preparations for the General Data Protection Regulation (GDPR). The regulation, which takes effect on May 25, creates a new framework for safeguarding the personal data and privacy rights of European Union (EU) citizens. But, as we shall discuss, its reach extends far beyond the EU.
As a security company focused on malware analysis and incident response, VMRay has spent the last eight months reviewing our own internal data systems and making changes to comply with the GDPR’s many technological, administrative and legal requirements. Equally important, we have worked closely with our partners supporting their compliance efforts as well.
There’s a good reason that all organizations, regardless of industry, should be vetting their partner ecosystems for GDPR compliance. In the same way that personal data routinely flows across corporate and national boundaries, liability under the GDPR now flows throughout an organization’s chain of data. This creates new risks and obligations, especially for entities that sit at the top of that chain: data controllers, who have a direct relationship with individual customers or users (called data subjects in GDPR parlance), and data processors who conduct processing operations on behalf of controllers. These parties can be GDPR-compliant themselves yet still be held liable for a data breach or compromise that occurs downstream, within their network of partners, suppliers and subcontractors. So what, exactly, are all these entities responsible for?
Replacing a 1995 EU directive, the GDPR strengthens data privacy rights for EU citizens while increasing the obligations organizations have for collecting, storing, processing and disposing of their personal data. Among the key provisions:
While the penalty regime for GDPR is sure to be contested in the courts, fines for the most serious cases of non-compliance can range up to 4% of a company’s annual revenues or €20 million (about $1.7 billion US).
Partner compliance requirements under the GDPR add a new twist to the fact that cybercriminals often attack large organizations indirectly, by targeting trusted partners and suppliers, whose security measures tend to be more lax. Unfortunately, entities sitting atop the data chain can’t easily track what happens to sensitive data once it leaves their own networks. In the Ponemon Institute’s 2017 Data Risk in the Thrid-Party Ecosystem study, 57 percent of survey respondents said they don’t maintain an inventory of the third parties they share information with, and 82 percent don’t know if their sensitive information was shared with a fourth or even a fifth party.
The potential risks created by such blind spots were illustrated at a security conference in 2017 by Markus Neis, a threat intelligence manager at Swisscom AG. As an experiment, Neis created a set of YARA rules that allowed him to retrieve thousands of emails containing confidential information relating to his own company. All these files had been uploaded to a widely used, open-source malware-scanning service, where they were potentially exposed to cybercriminals, nation-state attackers and his own search efforts, via publicly available repositories of threat data.
With further exploration, Neis was able to extract corporate business plans, PGP keys, SSH private keys, VPN credentials, Homeland Security documents, TLP Alerts issued by the FBI, and confidential malware reports that were meant to be shared between security companies.
He noted that third parties are often the worst offenders in sharing their customers’ data with this and similar services, showing little regard for whether confidential information was being exposed in the process. Today, under the GDPR, any personal data on EU citizens contained in those uploaded files would be subject to the new privacy requirements and related fines.
As our customers face an ever-growing attack landscape, VMRay’s GDPR compliance efforts add a new layer of safeguards to the substantial protections already built into our solutions. The VMRay Analyzer platform allows customers to create a completely isolated environment for analyzing advanced malware threats, without the risks posed by open-source tools and services. With VMRay Analyzer On-Premises, customers can ensure that their data never leaves their network. For organizations choosing a cloud solution, hosted at our headquarters in Germany, personal data and other sensitive information is protected in accordance with some of the strictest data privacy laws in the world.
In addition, VMRay’s partner ecosystem is selective and well vetted. Unlike large companies, which may be managing hundreds of relationships, our network encompasses 15 to 20 companies that specialize in key aspects of threat detection and analysis. When the situation calls for data to be shared with any of them, we have a high level of trust they will protect it with the same vigilance and technical skill we expect of ourselves.