Are you letting GDPR’s privacy rules trump security?

When incident detection vendor SecBI found suspicious activity on company devices at one of its clients, they passed on the data with the expectation that the client, a large European enterprise, would investigate further. That didn’t happen. The client’s security team was not allowed to look at the data due to privacy concerns.

A contract with the company’s employee union prohibited anyone in the organization from looking at employees’ personal data (e.g., browsing data, banking transactions, or healthcare provider interactions) stored on their work computers, even though the company owned those devices. Although SecBI’s data indicated possible bad behavior on the part of an employee, the company did not have sufficient cause to investigate under the terms of the union contract.

Here’s the kicker: The union used language from the EU’s General Data Protection Regulation (GDPR) in its contract with the company to keep it from accessing employees’ personal data on company devices. That put the company’s security team, itself part of the union, in an awkward position: The data showed a potential threat, but they could not confirm the threat without breaching the union contract. If there indeed was a data breach, they risked breaking the GDPR’s 72-hour reporting rule.

“This organization has a security operations center. It has tools and sensors to capture log data coming from the various devices deployed or assigned to employees, but the people in the SOC are very restricted from looking at the data being collected that is necessary to do their job, whether some laptop is compromised or somebody is misbehaving in a way that might pose a risk to the organization,” says Alex Vaystikh, CTO and cofounder at SecBI. “The organization is now struggling to balance between the privacy and the [GDPR requirement] to find and disclose compromise within 72 hours. They have a chicken-and-egg problem.”