David Emm, Principal Security Researcher, Kaspersky Lab discusses the unexpected side-effects of GDPR shortly after the new legislation came into effect
While the dust has far from settled in the wake of GDPR enforcement, businesses are learning how to operate in the new landscape – and adapting to how the new legislation has changed their business processes. But amongst the expected denials of service and email inundations that sprang up as the enforcement date arrived, some unexpected consequences of the legislation have also started to rise to the surface.
WHOIS going to help the police?
One unforeseen consequence relates to the WHOIS protocol, and the role this plays in law enforcement. Police forces internationally have traditionally relied on WHOIS – a query and response protocol – to obtain information on who owns a particular internet resource, such as a website. This information has proved useful to law enforcement agencies and researchers, as a way of verifying the legitimacy of a website.
However, the new GDPR legislation has effectively killed off the current service, on the basis that it essentially breaks the new laws. German domain registrar, EPGA, ruled that gathering the information breaks GDPR’s regulations – which would expose the service to legal challenges and potentially ruinous fines if it continued to operate in the same way.
ICANN – which oversees the WHOIS protocol – has subsequently filed a lawsuit, asking permission to keep gathering private information on people who buy web addresses whilst it develops a new version of its contract to fit with the GDPR legislation. The decision will be critical to the future of ICANN’s authority over the global internet – as well as law enforcement. If registrars stop providing access to this information, it will place an obstacle in the path of the police.
Another unintended ‘side-effect’ of GDPR is a potential rise in cyber-extortion – should cybercriminals be able to identify any company that has a chink in their GDPR armour, i.e if a company is not compliant in some way.
The fear is that such companies could be held to ransom by cybercriminals – with the threat of making this non-compliance public, or being reported to its local non-departmental public body – such as the UK Information Commissioner’s Office.
The potential fine a business can face for a serious data breach is 20 million euros or four per cent of annual turnover. Paying even a quarter of this amount for the information to remain private, whilst the organisation works towards compliance, may prove the cheaper option for over-stretched companies.
Such a ransom fee could be much lower than the potential fine from the enforcing bodies – offering a financial saving for the company, but posing a sizeable and attractive financial gain for the hackers.
Swings and roundabouts
GDPR enforcement marks an opportunity for positive change for customers, who should take this opportunity to find out exactly what data is being held on them – and what it’s being used for. This will also reduce the likelihood of it falling into the wrong hands.
It also represents positive change for businesses across all sectors, who can and should use the new legislation to improve data hygiene and create targeted customer databases that, although smaller, are likely to result in higher hit rates and improved responses due to the increased level of personalisation.
However, there is a risk that the legislation will have unforeseen and unpleasant side-effects, helping to both line the pocket of cybercriminals and to stop them getting caught.
With cyber-attacks and ransomware now being a constant, costly, threat for businesses, it’s imperative that organisations have a robust IT security strategy in place in order to safeguard themselves again hacks and breaches – especially as a data fall-out is now also likely to come with a pricey slap on the wrist.