The Dark Side of the GDPR

Written by

While bringing a new dawn of data protection to Europe, the GDPR could also bring a negative side with fraudsters, activists and phishers all ready to pounce on the regulation’s capabilities. Dan Raywood looks at the potential dark side of the GDPR.

The General Data Protection Regulation (GDPR) has hung over the security and privacy sectors for most of this decade and with the May 25 2018 deadline looming, the effort to understand and gain compliance with the regulation should have been a priority for all European businesses for the past couple of years.

With new regulation comes more than a required effort to gain compliance, however; it brings the opportunity for many to make money. In addition to those selling services and solutions to aid compliance, is it possible that we could see a negative industry emerge because of the greater transparency of data breaches and personal information loss because of the GDPR.

“There is no case law as no one is being prosecuted at any time, but you can bet it will happen"

Ambulance Chasing Culture
The pervasive ambulance chasing personal lawyer has seen many people receive unwarranted and random phone calls, and according to Garner’s Dictionary of Legal Usage, an ambulance chaser is “a lawyer who solicits business from accident victims at the scene of an accident or shortly thereafter.”

After more data breaches were reported in 2017 than any previous year, and more are expected to be disclosed to privacy regulators under the GDPR’s mandatory data breach notification laws, could the ambulance chasing lawyer be about to realize the opportunities presented in cybersecurity?

In this case, a lawyer could see the opportunity to win some easy money by telling victims of a major breach that they could claim compensation from the company who lost their data, or collectively bring a class action case with other victims.
The class action case in cybersecurity is not unprecedented: in 2013, Katie Szpyrka and Khalilah Gilmore-Wright filed a class action complaint against LinkedIn, alleging that its poor password security storage enabled the breach the company suffered. This was dismissed, as was a class action lawsuit brought in 2016 against Keystone Mercy Health Plan and Amerihealth Mercy Health Plan for losing a USB flash drive that allegedly contained sensitive information on approximately 300,000 patients.

Under GDPR, details of breaches will be more available due to mandatory notifications, so could this lead to an increase of ‘carpet bagging’ companies offering ‘privacy lawyers 4 U?’ One person who believes this may be the case is information security director Quentyn Taylor, who initially made these claims on Twitter. He tells Infosecurity that with data breaches, people focus on the reasons why a breach happened in the first place, and feels there is realistic potential for money to be claimed in the wake of a data breach as you “never know until it happens for the first time.”

On the likelihood of an ambulance chasing company calling individuals to inform them that they can claim compensation, Taylor says: “Under the current data protection legislation it would be very hard to do and here in the UK we don’t have the legal statutes to be able to do that, but it is my belief that in the future it will become easier to do that.

“There is no case law as no one is being prosecuted at any time, but you can bet it will happen and that someone will make an attempt at doing it. If you’re a corporate activist you could use it as well.”

In December 2017, supermarket chain Morrisons was found to be liable for the theft of staff data by a former employee, paving the way for former and current workers to seek compensation. Nick McAleenan, a partner at JMW Solicitors, who represented the claimants said that this was a “landmark decision, being the first data leak class action in the UK.”
Although Taylor says that the data protection law has not been put there to punish big business, it has been put there “to balance data protection.”

Opportunities for Predatory Lawyers
Some privacy and compliance experts speaking to Infosecurity are of the opinion that it’s not a case of whether there could be GDPR-related legal cases, but when. Rowenna Fielding, data protection expert with Protecture, thinks it is possible that data protection law will provide wider opportunities for predatory lawyers, as well as “the usual cohort of scammers and chancers, particularly if we don’t get an equivalent to Article 80.2.”

She claims that GDPR will increase awareness by data subjects of their rights, and in article 80.2 there is a provision for non-profit groups to represent data subjects rather than them having to bring their own individual litigation.

So will GDPR-related scams happen? Fielding believes that phishers will be the first to seize the opportunity, as they will push the message of “we’re from a security agency and you got caught in a data breach, so click here to restore your credit and check your details.”

In terms of scammers, Fielding says that in some cases, chasing ambulances can result in genuine exposure of malpractice and litigation for people who would not normally get a payout. “So it is not an inherently bad thing, but there is a gap in the market where companies are doing stuff wrong. I’m not inherently against ‘no win no fee’ claims provided that they are done right.”

Nick Caley is ForgeRock’s vice-president – financial services and regulatory, EMEA. He feels it is likely that there will be ‘outfits’ who are benefiting from PPI mis-selling, who will turn their focus to other issues and opportunities. With data breaches, he argues, there is the possibility of a class action and compensation.

Taylor admits that he would not be surprised if we start seeing PPI compensation type attempts related to GDPR, “and it will depend on how the harm is calculated as to how it goes on.”

Fielding also makes a very key point about any scammers making plans for GDPR-related calls. “Fake calls are in breach of privacy law,” she says. She recommends ignoring anyone calling you saying that they will represent you and your interests in a privacy issue “as they don’t know or care about data protection.”

“When you think that the average organization takes between 100 to 300 hours to deal with a SAR, the likelihood of them coping with 100 at once is pretty slim.”

Malicious Subject Access Requests
Another area where GDPR could rear its dark side is regarding Subject Access Requests (SARs), where the public will be able to find out what records a company owns on a subject without having to pay a fee. This all sounds fair enough, but could this be a way to overwhelm businesses if enough people congregated to deliver individual SARs at once?

That’s the view of Jonathan Armstrong, partner at Cordery, who explains that he has spoken to the Information Commissioner’s Office and the Irish commissioner “and they both think it is potentially a pretty big issue” as it could provide a version of a Denial of Service attack.
“We know from Max Schrems that one individual can have an impact on how a company operates, and Facebook has spent tens of millions of dollars on defending itself and not many companies could afford to do that,” says Armstrong.

In the case of Austrian lawyer, author and privacy activist Max Schrems, he accused Facebook of violating European privacy laws. Armstrong says that for most organizations there are two issues with SARs: first is locating the data and second is the redaction – where you may need to remove user details.

“The ICO has said that SARs need to be made in writing, but that can include social media content, so you could invent an app that sits on Facebook and collects people’s data and makes SARs on their behalf,” Armstrong says.

“When you think that the average organization takes between 100 to 300 hours to deal with a SAR, the likelihood of them coping with 100 at once is pretty slim and if they do not reply in time then there is either an investigation or court proceedings.”

“SARs will reveal some of the cracks in data protection that have appeared over the last 20 years.”

Fielding admits that the possibility of tactical SARs was something she could see, but she does not think it is a major threat: “I am sure it will undoubtedly be used against banks, and organizations with the power to really mess up someone’s life, but I’m hesitant to describe it as a Denial of Service as while the result is the same, it is a bunch of people asserting their rights in law.”

Taylor is in agreement, as he doesn’t think “it is going to be dramatically more than it currently is as costs go down”, but he does add that we could see more ‘click here and go’ for the SAR option.

Is there a solution to en masse SARs? Fielding thinks the answer lies in organizations having good enough data management tools in place to be able to give people access to their data for a request not to be an issue.

“The threat of the SAR Denial of Service may drive some ‘manage your own data portals’, but what SARs will do is reveal some of the cracks in data protection that have appeared over the last 20 years.”

Armstrong agrees, saying that most organizations have a few individuals who know their way around a system well enough to do SARs on a regular basis. Further, he recommends having a SARs policy so you can at least act when you have a problem.

“However, I’d say only 10% of the people we see are ready to deal with SARs, and many organizations will receive even more SARs than they have to date,” he warns. “From our point of view, I’d say that in 2017 the number of SARs were up five- or six-times that of 2016, but most would not be followed through. When that cost becomes zero, you could see up to 20 million SARs a year, and that is a big volume to handle when it takes 200 to 300 man hours to process.”

Caley also thinks that awareness of how companies should respond is lacking and unless they are prepared, there will need to be a rapid change in awareness and control when GDPR comes into force. He claims that if an organization suffers a data breach, then customers will be more aware of their rights and will raise SARs in the wake of it.”

There is a chance that groups of affected people could get organized and make tactical SARs a reality. However, organizations who receive a SAR are required to respond within a one-month period – although extensions can be applied for – which should give companies enough time to deal with any potential overload. 

Overall, the weight of anticipation around GDPR has been so great since its initial announcement in 2012 and confirmation in 2016 that this potential dark side has likely not even been considered by many. This does not mean it will not happen, but more that the fraudulent and malicious opportunities have not yet been realized.

It’s not a case of ‘if’ there will be ambulance chasing lawyers following the scent of data breaches for an easy cash win, it’s how much they make the public aware and get them riled up to take action – that’s where the dark side of GDPR could appear.

“We know from Max Schrems that one individual can have an impact on how a company operates.”

What’s hot on Infosecurity Magazine?