7 unexpected ways GDPR and other privacy regulations make security harder

The GDPR and other privacy regulations are creating new opportunities for cyber criminals and roadblocks for security teams, while in some cases putting personal data at greater risk.


The smallest well-intentioned acts can have significant unintended negative consequences. When those acts have a global impact on individuals and businesses, the unanticipated negative effects could potentially be catastrophic. That’s what some experts fear when it comes to the ability of security teams to do their jobs in the wake of new privacy regulations, in particular the European Union’s General Data Protection Regulation (GDPR).

In some cases, the GDPR and laws such as the California Consumer Privacy Act (CCPA) make it harder to stop bad actors from stealing the personal information that the regulations are supposed to protect. The regulations often lack specifics about how to comply, and companies take actions that impede security out of fear of potential penalties.

“The penalty for violating [the GDPR] is so egregious that you are getting these unforeseen consequences, and at the same time you’ve increased the threat surface due to the loss of Whois data,” says Caleb Barlow, vice president of threat intelligence at IBM Security. “The threat surface on which I can be attacked has increased dramatically because of GDPR—not by a little bit, but by an order of magnitude.”

Barlow, who says he is in favor of privacy controls, is seeing instances where a security team’s response to an attack is slowed because it can’t access the data it needs due to privacy concerns. Those same concerns are giving “bad guys places to hide and get away, because the bad guys have private information, too.”

“This could literally cause some of the largest privacy losses in history,” Barlow predicts.

What follows are some of the most serious examples of unexpected vulnerabilities or other difficulties that security teams face as a result of the GDPR and other privacy regulations.
