Will The Data Protection Regulation Open New Avenues For Cyber Criminals?

The proposed regulations will make information more valuable to cyber criminals. Data hostage takings and ransom demands will no doubt be part of the cybercriminal business plan for profits

Once we have recognized “Privacy” as a fundamental right, it becomes imperative to have legislation for data protection. The Srikrishna Committee’s proposed draft bill has adopted various principles like right to access and correction, right to portability, and right to be forgotten. It is clear that the regulation will be a positive first step in trying to provide greater accountability and much-needed control for individuals over their personal data. But along with the brighter side, it is highly essential to critically analyze the flip side of the new proposed regulation.

Good times ahead for cyber criminals

The most significant step to comply with the new regulation will be auditing and classifying the data that is held. This will be an incredibly important step to take, as it will lead to the identification of the data types being stored or processed. The data so far which was scattered and not even known to the IT firms will now be classified and stored. One of the first rules of cybercriminals is they will not miss an opportunity to maximize profits at the expense of a multitude of unsecured, untrained and under-resourced organizations. The types of cyber crimes which may increase, due to the advent of new regulations are: -

The increase of Ransom incidents against Personally Identifiable Information

Checking the misuse or violations of Personally Identifiable Information (PII) will be the primary goal of the proposed Data Protection legal framework. When cybercriminals realize the value of PII, they can steal those data from the IT firms, leverage it to their benefit and subsequently threaten to report the security breach to the compliance authorities.

If the cyber attackers do not receive the ransom, they will proceed to leak the data and the companies will face dire consequences. On one hand, the applicable fines that come with a breach, as well as the possible compensation claimed by the victims, will definitely bring substantial losses to the companies and the reputational damage to the business itself, will force the companies to pay the ransom. But the fact that there will be no guarantee that the data will be returned, and companies will not be blackmailed in the future, will always be a reason for worry.

 Leveraging the provision of “Right to be forgotten”.

The Cyber criminals will surely take advantage of the provision of “right to be forgotten” This provision means that, at any time, a consumer may request to Data holder companies that their information be deleted from their institutional database. Failure to meet this consumer request could result in severe consequences. In such circumstances, a cyber-criminal can blackmail and seek a ransom from a company if he or she manages to access a database containing information that should have been erased. If the new regulation makes obligation on the part of the company to notify on the data breach incidents within a specific time period, then the notification time period could be like a time bomb for the company. With leaked personal data, organizations will have to choose between paying the ransom or the fine and given the urgency of the decision, they could end up facing both.

Cyberwarfare by State-sponsored hackers or Hacktivist.

A state-sponsored hacker can easily cause much disruption to the infrastructure of the country. First, the hacker will create a large target list of vulnerable infrastructures and next they would hack these systems, steal and publish their data as widely as possible forcing the competent authority to audit and penalise the organisations. The hacker will keep attacking it repeatedly until the infrastructure is completely shut down.

 Right to access personal data

In EU GDPR, Individuals can get access to all of their data from a given firm, including their employer, by filing a subject access request, and the firm has to provide the information in 30 days. This provision can give the cyber criminals to launch another form of DDoS attack. Imagine a situation if the company is bombarded with thousands of access request. This will be the biggest challenge most organisations will face, and it will cripple any business. Not only hackers but protesters, hacktivists, trade unionists and agitation of any colour will have a new, legal and very powerful tool at their disposal.

 Malicious and disgruntled employees (Insider threat risks)

Many organisations will understand this, to mean ensuring that their databases have the necessary security in place, however, even with the best processes and security systems, organisations are not immune to data breaches. It is increasingly apparent that the threat is not only coming from external sources but from internal sources too. The possibility of a malicious employee leaking the information to criminals, stealing the data or absconding with a database backup from the system with the intention to monetise the stolen data cannot be ruled out.

Hinderance in the investigations of Cybercrimes

Investigation agencies face difficulty to trace the cyber offender, in the existing privacy laws itself, the provisions of new data protection regulation will further provide protection to the cyber criminals. Getting evidence from IT giants was very tedious, time taking and difficult, and most of the request of investigating officers was denied in the name of ‘Privacy’. The data which was readily available till now will be subjected to privacy laws after the regulation is enacted. Such difficulties are being faced by all investigation agencies across the world.

For example: Internet “WHOIS” data is a fundamental resource for investigators and law enforcement officials who work to prevent or investigate cyber-crimes. It comprises the Internet’s database of record, containing the names, addresses and email addresses of those who register domain names for websites on the Internet. Access to WHOIS data is crucial in performing investigations that allow for the recovery of these stolen funds, identifying the persons involved, and providing vital information for law enforcement to arrest and prosecute these criminals.

Enforcement will be big challenge

How far the new Data protection regulations will be able to protect the privacy of individual or enforce its provisions is big question for me. Huge confusion still exists between “consent” and “explicit consent”. Whether “legitimate interest” will outweigh privacy concerns. After GDPR has come in force, we all might have received dozens of privacy policy updates in the past few weeks. I'm talking about updates from email providers, social media companies, and what seems like every random internet service you've ever interacted with- all letting you know how they're collecting and using your data. But here's the thing: When you click "accept" on a privacy policy, even if you've read it from start to finish, you're most likely still in the dark about what you're consenting to.

As per new regulation, the State will fix the responsibility of data breach and its illegitimate use upon the data holder IT firms. In compliance to the new regulations the companies have to invest in technology, hire professionals, train the staff, invest more in testing their security, also shell money for legal assistance, and doing all this will cost billions of dollars. Not only that the IT firms will be slapped with huge fines even in cases of cyber-attacks and data breach. If no provision is made to nail down the cyber criminals and ensure the enforcement, the success of Data protection regulation will be limited in only creating business and making IT firms invest in cybersecurity procedures. But will it really address the problems for which the regulation is brought for?

K Sanjay Kumar, an IPS officer of 2005 batch, Kerala cadre, is a socially conscious cop, a well-known cyber expert, and an author of the must-read book “IS YOUR CHILD SAFE?”...

[The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of LiveLaw and LiveLaw does not assume any responsibility or liability for the same]