In the InfoSec industry, we’ve seen the rules for data security change from relatively simple policies, such as simple access controls, to much more complex policy requirements with the implementation of the European Union’s General Data Protection Regulation (GDPR). In this article, I’m going to cover two new perspectives that will influence data protection controls in the coming years and how IT operations and IT security are going to have to cooperate to play by these new rules.
New Types of Protected Data and Operational Impacts
When I first started learning about GDPR’s new data storage and processing requirements, I was in the middle of a project to deploy a card skimmer detection platform in the US and Western Europe. My team had developed a system which relied on software-defined radios to monitor for the presence of skimmers that used WiFi and Bluetooth to transmit captured payment card details, whenever prompted, to the criminal who had installed the skimmer in the ATM or unattended payment terminal. In order for us to detect the presence of a card skimmer, we were constantly monitoring the WiFi and Bluetooth wireless spectrum for the MAC addresses, signal strengths and friendly names of all wireless devices in a particular area.
As we prepared to release our platform in the EU, the attorneys advising our company notified us that our monitoring technique created a significant risk of running afoul of GDPR. Their warning was counterintuitive to the project we were working on since we were deploying our system to protect the integrity of the global payment card system and make it harder for criminals to clone users’ payment cards. During our first conference call with the relevant legal experts, they informed me that since we were capturing MAC addresses for our analysis, we had to be aware that under GDPR all MAC addresses were to be considered ‘personal data’ and were subject to all of the consent and handling guidelines under GDPR.
I remember distinctly how I restated the situation to our attorneys: “So, you’re telling me that criminals who deploy card skimmers in the EU are protected under GDPR?” Their response: “Everyone is protected, including those would-be criminals.” This legal risk put my entire project on hold, and as a result of the legal advice we received, we decided against moving forward with our plans for deploying our system in the EU.
In fairness, there is a process by which companies can get exemptions or special permission from GDPR regulators to gather certain types of regulated personal data, but it is lengthy and costly, and its outcome is still not entirely certain. I was not alone in my concern about how handling MAC address data would impact an organization under GDPR. In discussing my situation with peers and colleagues across the EU who had significant InfoSec experience, it was obvious that the people who drafted the personal data protection guidelines really had no insight into how enterprise InfoSec teams operate.
The GDPR Impact on Security Operations
The following scenario is a good example of an enterprise InfoSec situation for which we still do not have clear guidance from regulators or legal experts. A multinational company has employees working in the US and EU and operates a global Security Operations Center (SOC) in the US. As part of the security team’s processes, they monitor network integrity by gathering MAC address data from all perimeter appliances and wireless network access points. This MAC address data is sent to the US SOC for analysis.
Under the strictest interpretation, is this company technically in violation of GDPR? Per the personal data guidelines, the company has neither obtained the consent of the users of the devices from which the MAC addresses were captured nor notified them of the cross-border transfer of those MAC addresses from EU networks to the US SOC.
I have spoken with many InfoSec leaders working within multinational companies with headquarters in the US about this MAC address collection issue. Among those who have formulated a plan to continue to capture and analyze network intelligence, including MAC addresses, most have taken an approach of attempting to gain enterprise users’ consent to gathering and transferring this personal data to the US. This enterprise user consent still does not cover a small percentage of outside users whose MAC addresses may be captured from guest networks and Wireless Intrusion Prevention Systems (WIPS), but they have decided to continue to gather that data as they deemed the legal risk low enough to continue and the security benefits sufficient to justify the collection, transfer, and analysis of the data. Some of those who responded to my question have decided to move some critical SOC functions to teams based in the EU and avoid transferring sensitive personal data outside of the EU for analysis.
The GDPR Impact on Mobile Employees
Another cross-border data transfer scenario is important for enterprise InfoSec teams to understand, and it relates to the personal data which is stored on endpoints such as laptops and other mobile devices. Chapter V (Articles 44 through 49) of the GDPR governs cross-border transfers of personal data. Most of the analysis relating to the impact of Chapter V that I have read focuses on ‘back end’ or ‘database creation and transfer’ situations. These are situations where personal data is transferred to a third party in a country outside of the EU, and that data then resides in a persistent state in that country. What is not clear is what liabilities are created when GDPR-governed personal data is transported across a border on a laptop or mobile device.
In reviewing the existing GDPR regulatory analysis, it can be inferred that such data transfers can be acceptable if:
- The data subject (individual whose identity is in the personal data) has explicitly consented to the proposed transfer.
- The transfer is necessary for the performance of a contract between the data subject and the controller.
- The transfer is necessary for important reasons of public interest.
- The transfer is necessary for the establishment, exercise or defense of legal claims.
- The transfer is necessary in order to protect the vital interests of the data subject, where the data subject is incapable of granting consent.
- The transfer is made from a public source of data as published according to EU or member state law.
If none of those criteria are met, then the data controller must show adequate protections are in place to maintain the privacy and integrity of the personal data being moved across borders. We don’t have good guidance on this yet. Does it mean that data must be encrypted at rest when being transferred across a border on a mobile device? If that data is accessed outside of the approved location, does the data controller need to implement additional safeguards?
All of these new GDPR requirements create wrinkles in how InfoSec teams operate and how data must be handled on mobile devices. We face a situation where we now have an additional authorization requirement for data access: WHERE is the user when they are accessing EU personal data?
As the various privacy authorities at the EU and member-state level begin their enforcement actions, we will discover more details about the precise controls that need to be in place. Until then, enterprise InfoSec teams should focus on establishing processes and procedures for transferring personal data only when such transfers comply with GDPR requirements. The best path forward for InfoSec teams will be to work closely with their colleagues in the legal department to understand the exposures created by GDPR, and to document the legal guidance received so they can comply with GDPR while still supporting the core business of the company as best they can.
In other words, do your best while hoping for the best. Hopefully, we see some clear precedents coming from regulators in the coming months to help sharpen our approach to GDPR compliance.