Cybersecurity Monitoring and GDPR

by Al Hartmann

May 24, 2018

access_time 9 min read

Disclaimer: This blog is intended for information only and not as legal advice.

Robust enterprise cybersecurity naturally includes monitoring of network, endpoint, application, database, and user activity to prevent, detect, and respond to cyber threats that could breach privacy of enterprise staff, partners, suppliers, or customers. In cyber space, any blind spots become free fire zones for the legions of attackers seeking to do harm. But monitoring also captures event records that may include user "personal data" under the broad European Union GDPR interpretation of that term. Enterprise staff are "natural persons" and hence "data subjects" under the regulation. Prudently balancing security and privacy concerns across the enterprise can be challenging—let's discuss.

The Mandate for Cybersecurity Monitoring

GDPR Chapter 4 governs controller and processor roles under the regulation. While not explicitly mandating cybersecurity monitoring, this can be inferred from its text:

  • "...In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority…" [Art. 33(1)]
  • "...the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…" [Art. 32(1)]
  • "Each supervisory authority shall have [the power] to carry out investigations in the form of data protection audits." [Art. 58(1)]

One can well reason that to detect a breach one must monitor, or that to confirm and to scope a breach and provide timely breach notification to the supervisory authority that one must also monitor, or that to implement appropriate technical measures that one must monitor, or that to respond to a data protection audit that one should have an audit trail and that audit trails are produced by monitoring. In short, for an enterprise to protect its cyberspace and the personal data therein and verify its compliance, it reasonably must monitor that space.

The Enterprise as Data Controller

Under the GDPR it is the controller that "determines the purposes and means of the processing of personal data." The enterprise decides the purposes and scope of monitoring, chooses the tools for such monitoring, determines the probe, sensor, and agent deployments for the monitoring, selects the services or staff which will access and review the monitored data, and decides the actions to be taken as a result. In short, the enterprise serves in the controller role. The processor supports the controller by providing processing services on their behalf.

The enterprise also employs the staff whose personal data may be included in the event records captured by monitoring. Personal data is defined quite broadly under GDPR and may include login names, system names, network addresses, filepaths that include the user profile directory, or any other incidental information that could reasonably be linked to "a natural person". Event data will often include these elements. An event data stream from a particular probe, sensor, or agent could then be linked to an individual, and reveal aspects of that individual's work performance, policy compliance, or even aspects of their personal lives (if enterprise devices or networks are misemployed for personal business). Although not the object of cybersecurity monitoring, potential privacy or profiling concerns could be raised.

Achieving Transparency via Fair Processing Notices

As the enterprise employs the staff whose personal data may be caught in the cybersecurity monitoring dragnet, they have the opportunity in employment agreements or in separate disclosures to inform staff of the need and purpose of cybersecurity monitoring and obtain informed consent directly from the data subjects. While it might be argued that the lawful basis for cybersecurity monitoring does not necessarily demand informed consent (per GDPR Art, 6(1)), but is a consequence of the data security level the enterprise must maintain to otherwise comply with law, it is far preferable to be open and transparent with staff. Employment agreements have long contained such provisions specifying that employees consent to have their workplace communications and devices monitored, as a condition of employment. But the GDPR raises the bar considerably for the specificity and clarity of such consents, termed Fair Processing Notices, which must be “freely given, specific, informed and unambiguous”.

Fair Processing Notices should clearly lay out the identity of the data controller, the types of data collected, the purpose and lawful basis for this collection, the data subject rights, as well as contact information for the data controller and for the supervisory authority having jurisdiction. The notice should be clear and easily understood, and not buried in some lengthy legalistic employment agreement or contract. While numerous sample notices can be found with a simple web search, they will require adaptation to fit a cybersecurity monitoring context, where data subject rights may conflict with forensic data retention mandates. For example, an insider attacker might demand the deletion of all their activity data (to destroy evidence), which would subvert privacy regulations into a tool for the obstruction of justice. For other guidance, the widely employed NIST Cybersecurity Framework addresses this balance in Sec. 3.6 ("Methodology to Protect Privacy and Civil Liberties").

Think Globally, Act Locally

Given the viral jurisdictional nature of the GDPR, the draconian penalties imposed upon violators, the challenging dynamics of tweezing out EEA from non-EEA data subjects, and the likely spread of similar regulations globally—the safe course is to apply stringent privacy regulations across the board, as Microsoft has done.

In contrast to global application stands local implementation, where the safe course is to place cybersecurity monitoring infrastructure in geographic locales, rather than to grapple with trans-border data transfers. Even remotely querying and viewing personal data may count as such a transfer and argue for pseudonymization (tokenizing personal data fields) or anonymization (redacting personal data fields) across non-cooperating jurisdictional boundaries. Only in the final stages of cybersecurity analytics would natural person identification of data subjects become relevant, and then likely only be of actionable value locally.