The smallest well-intentioned acts can have significant unintended negative consequences. When those acts have a global impact on individuals and businesses, the unanticipated negative effects could potentially be catastrophic. That’s what some experts fear when it comes to the ability of security teams to do their jobs in the wake of new privacy regulations, in particular the European Union’s General Data Protection Regulation (GDPR).

In some cases, the GDPR and laws such as the California Consumer Privacy Act (CCPA) make it harder to stop bad actors from stealing the personal information that the regulations are supposed to protect. The regulations often lack specifics about how to comply, and companies take actions that impede security out of fear of potential penalties.

“The penalty for violating [the GDPR] is so egregious that you are getting these unforeseen consequences, and at the same time you’ve increased the threat surface due to the loss of Whois data,” says Caleb Barlow, vice president of threat intelligence at IBM Security. “The threat surface on which I can be attacked has increased dramatically because of GDPR—not by a little bit, but by an order of magnitude.”

Barlow, who says he is in favor of privacy controls, is seeing instances where a security team’s response to an attack is slowed because it can’t access the data it needs due to privacy concerns. Those same concerns are giving “bad guys places to hide and get away, because the bad guys have private information, too.”

“This could literally cause some of the largest privacy losses in history,” Barlow predicts.

In some cases, companies have over-reacted regarding how security responds to incidents. Recital 49 of the GDPR, for example, appears to exempt security teams from the regulations while performing their duties:

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.

What follows are some of the most serious examples of unexpected vulnerabilities or other difficulties that security teams face as a result of the GDPR and other privacy regulations.

1. Hackers get more personal data due to right-of-access requests

None of the privacy regulations will prevent hackers from taking over individual accounts. The information needed to do so is easily available for a small fee on the internet. Most of the privacy regulations, however, give consumers the right to request all personally identifiable information (PII) an organization has for them.

That’s great, as long as the person requesting the PII is indeed that individual.
The problem is that hackers can get enough information on someone to make a successful fraudulent request for more data, thus gaining the ability to do more damage.

“The old scenario is you get into some account with a retailer that I bought something from,” says Barlow. “The problem nowadays is that every retailer buys and collects all kinds of information on you. Once I get into that account, I can request all that additional information, which gives you the ability to move laterally into other accounts. Now I actually have more PII than [the victim] gave the retailer.”

2. Disappearing Whois data prevents shutdown of malicious domains

Rather than risk running afoul of GDPR rules around exposing private data, many internet domain registries are removing PII from the public Whois database—not just data about European domains, but all domains. That data is vital to researchers trying to identify domains that are responsible for phishing, ransomware and other attacks. Yes, hackers will use phony PII to register domains, but that false data is important to researchers trying to find other domains an attacker might be using.

“Historically, you’d use a combination of Whois data and other tools to find where [a malicious] website is coming from,” says Barlow. Obviously fake data indicates quickly that the website is owned by a bad actor, he adds. The only real information would be an email address and phone number.

“Of course, they are using a burner phone and some free email service,” Barlow says. “You can figure that out almost instantaneously and in many cases in an automated way. Even if it was a bad guy and you don’t know who the bad guy is, you have enough information to pivot and say OK, has this entity registered any other domains? Oh look, it registered 1,000 domains,” he says.

“I also see that phone number is associated with 10,000 more domains. Bad guys are lazy. They’re not going to get a new burner phone for every domain they register. They’re going to use the same burner phone for thousands if not tens of thousands of malicious URLs,” says Barlow. “Then I can look at that email address and say oh, here’s another 5,000 domains that are associated with that email address.”

One malicious indicator, even if it’s not real data, could lead to the blocking of thousands of suspect domains. “That could happen instantly, and people could be protected almost instantly,” says Barlow. “Now [that process is] basically useless.”

The GDPR has put the domain registrars in a position of choosing between following ICANN rules for registering domains or minimizing the risk of a fine from EU commissioners. ICANN does not sanction registrars for not following its rules, so now the Whois database “is basically going dark,” says Barlow. “Now I don’t see the phone number, I don’t see the address, I don’t see the name of the individual, and I can’t block anything other than that one domain. That alone could result in the largest privacy losses in history, which could far outweigh any positive goal the GDPR was trying to achieve.”

Barlow believes that the EU and ICANN can come to a workable solution regarding Whois data. “The European regulators have got to sit down with ICANN and figure this out. It's going to take a few more months before we realize the size of [the problem],” he says.

3. Bigger workloads for security teams

Reaction to privacy regulations is putting more responsibility on the shoulders of security teams while at the same time making it harder for them to do their jobs.
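The Whois pivot Barlow describes under point 2, as an added example that is not from the article or from IBM's tooling: constructed records (a fictional attacker reusing one email and one burner phone), a transitive expansion from one seed domain over shared registrant values, and the same run against redacted records, where the expansion collapses to the seed alone. Redacted placeholders are deliberately excluded as pivot keys so they never link unrelated registrations.

```python
from collections import deque

# Constructed sample Whois records for illustration (no real registrations).
# One attacker reuses a throwaway email and a burner phone across domains.
SAMPLE_RECORDS = [
    {"domain": "secure-login-update.example", "email": "m.smith@mail.example", "phone": "+1-555-0100"},
    {"domain": "account-verify-now.example", "email": "m.smith@mail.example", "phone": "+1-555-0101"},
    {"domain": "invoice-portal-pay.example", "email": "other@mail.example", "phone": "+1-555-0101"},
    {"domain": "legit-bakery.example", "email": "owner@bakery.example", "phone": "+1-555-0199"},
]

# Placeholder values carry no pivot information. They must never link two
# domains, or every redacted registration would collapse into one cluster.
REDACTED = {"", "redacted for privacy", "data redacted"}

PIVOT_FIELDS = ("email", "phone")


def pivot_domains(records, seed_domain):
    """Expand transitively from one known-bad domain across shared registrant
    email and phone values (the pivot Barlow describes) and return the
    sorted set of linked domains, seed included."""
    by_domain = {r["domain"]: r for r in records}
    by_value = {}
    for r in records:
        for field in PIVOT_FIELDS:
            value = r[field].strip().lower()
            if value not in REDACTED:
                by_value.setdefault((field, value), set()).add(r["domain"])
    found, queue = {seed_domain}, deque([seed_domain])
    while queue:
        rec = by_domain.get(queue.popleft())
        if rec is None:  # seed not present in the dataset: nothing to pivot on
            continue
        for field in PIVOT_FIELDS:
            key = (field, rec[field].strip().lower())
            for linked in by_value.get(key, ()):
                if linked not in found:
                    found.add(linked)
                    queue.append(linked)
    return sorted(found)


def redact(records):
    """Simulate a post-GDPR Whois where registrant contact fields are removed."""
    return [dict(r, email="REDACTED FOR PRIVACY", phone="REDACTED FOR PRIVACY") for r in records]


if __name__ == "__main__":
    seed = "secure-login-update.example"
    print("full Whois ->", pivot_domains(SAMPLE_RECORDS, seed))           # three linked domains
    print("redacted   ->", pivot_domains(redact(SAMPLE_RECORDS), seed))   # only the seed
```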
“The security and IT teams now serve as the last line of defense to ensure that the principles like data minimization, purpose limitation, security of processing and privacy by design requirements are met,” says Matt Dumiak, director of privacy services at CompliancePoint.

Joan Antokol, managing partner at data protection law firm Park Legal, says she sees security and IT professionals at corporations working long hours. “In-house security teams are given increasing responsibilities in light of the GDPR, and some are really over-extended and worried. They can’t do their jobs properly if they are being pulled in so many different directions.”

One area where Antokol sees security and IT doing extra, possibly unnecessary work is in relation to using excessively detailed or complicated data protection impact assessment (DPIA) forms that require an extraordinary amount of information—well beyond regulator expectations. She noted that one client produced a 67-page DPIA template with 500 or more questions, which they planned to use to conduct 50 or more DPIAs.

“It would take an inordinate amount of time to complete a single DPIA using a 67-page form containing that many questions, and that’s not what the regulators expect,” Antokol says. Businesses need to adopt procedures and measures that are fully aligned with the GDPR requirements and guidance documents, while at the same time are reasonable and practical.

The level of perceived risk of penalties is helping to generate this pressure, Antokol adds, and she sees a parallel to an earlier regulation that governs financial reporting. “Like Sarbanes-Oxley, there’s real risk to companies that don’t comply,” she says, “and there are a number of things that are uncertain.” As has been the case with Sarbanes-Oxley, though, the pressure on IT subsided once organizations learned what to expect. She anticipates the same will happen with GDPR, once companies adjust their practices to the new standards and obligations and operationalize them.

4. Slower response to active breaches

When a breach occurs, responders need to work quickly to identify the problem, stop the damage, shut down the attacker, and take steps to ensure it doesn’t happen again. Barlow has seen instances, particularly in Europe, where that process has ground to a halt because of concerns over violating GDPR rules.

He cites an example where the victimized company needs to deploy endpoint protection to detect if an attack happens again. “You want to deploy these tools as fast as possible because the bad guys are still in there and you can’t root them out until you have a way to kick them out, but also you want to make sure that you do it all at once so the bad guys don’t see what you’re doing and then go hide somewhere else where you can’t detect them,” says Barlow.

A large company might have thousands of endpoints at which to deploy the new tool in a short period of time. “The problem is you can’t do that in Europe now because these same tools work by ultimately gathering a lot of information about what’s going on at the endpoint, including potentially PII,” says Barlow. “Their job is not to collect private information, but they look at the files and servers running on a machine and of course, there may be some PII that you can derive from that.”

What’s happening in Europe, particularly in Germany, now is that companies need to get permission to deploy those tools, often from a worker’s council. Barlow says that can take 30 to 90 days.

Barlow would like to see policies in place around GDPR compliance during an active investigation of a breach that allow security teams to act quickly. “Companies and governments need to have a level of freedom to do what needs to be done to stop the losses and get business back up and running,” he says.

5. Safe havens for cyber criminals in countries with strict PII protections

If you aren’t worried about the above scenario because your organization is outside the EU, you should be. Strict interpretations of PII protections are creating safe havens for cyber criminals to operate from.

“Think about this from the bad guy’s perspective,” says Barlow. “Where are you going to put your command and control servers? Where are you going to put your infrastructure? You’re going to put them in Germany.” With their center of operations there, a victimized company can’t shut them down immediately even if they are caught.

“It’s the analog of bad guy breaks into a bank, police show up and see the bad guys in the vault. They walk in, shake hands and say, ‘Hey, nice to meet you but don’t tell me your name. I’ll be back in 30 to 60 days to arrest you and get that information,’” says Barlow. “What are the bad guys going to do? They’ll hang around, empty the vault and do whatever they were going to do and clean up after themselves.”

6. Cyber criminals using the threat of GDPR fines to extort payments

Although CSO could not confirm that this has actually happened, several experts agreed that it’s very likely a hacker will threaten to go public about a breach they executed and put the company at risk of a large fine. It might not need to be a breach. Antokol believes we’ll see cyber criminals finding vulnerabilities that show an organization is out of compliance and extorting companies by threatening to go public. The hackers might explain that it is less expensive to pay them than deal with an EU data protection investigation, including fines and adverse publicity, she adds.

Given the success of other types of extortion like ransomware, it’s easy to see the appeal to cyber criminals. It’s something companies should prepare for.

7. Roadblocks to investigating insider threats

When suspicious activity is detected on an employee’s computer or device, you need to determine if that activity was done by the employee or by a third party that compromised the employee’s account or device. Some companies, particularly in Europe, have made that investigation more difficult due to concerns over GDPR.

A proper investigation of an insider threat will require access to the employee’s PII. “Normally, you would look at a variety of things. You might look at email accounts; you might look at badge swipe data,” says Barlow. That data can show quickly whether the employee was involved. “Now it’s all PII data that you don’t necessarily have permission to gather.”

This scenario played out at a European telecommunications company, which CSO reported earlier. A third-party security vendor found evidence of an insider threat and presented it to the company. Because the company’s employee union adopted language regarding privacy protections from the GDPR, the company could not investigate further even though the data resided on company computers.