Could the GDPR be Weaponized?

I will be participating in a webinar on the General Data Protection Regulation (GDPR) on November 9th along with ZL Technologies and Viewpointe (you can sign up for it here).

In one of our planning meetings for this event, the topic of Subject Access Requests (SARs) was discussed. One of the presenters wondered whether SARs could somehow be used by anarchists or others to cause massive disruption to an organization. Given that data subjects in the European Union have the right to request any information about them that a data controller possesses, usually without a fee, and that requests must be processed within a month, what would happen if an organized group (are anarchists, by definition, organized?) flooded an organization with SARs in a very short period of time? There are situations in which data controllers are not obligated to provide data under an SAR; for example, GDPR Article 23 allows Legal Professional Privilege (LPP) as an exemption to fulfillment of an SAR. However, this is a fairly limited exemption and would not prevent the type of planned disruption that the GDPR might make possible.

The potential for causing mass disruption using SARs is not as far-fetched as some might consider it to be. Given that it will take several hours to process a single request for a company that has not implemented an appropriate classification and archiving capability for all of the potentially relevant information it holds on data subjects, the potential for disruption is enormous. For example, if we very conservatively assume that just two person-hours would be required to process an SAR and someone wanted to “attack” an organization with 5,000 SARs in a single week, that would obligate a data controller to spend 10,000 person-hours — about five person-years — processing these requests in a very short period of time. While such a scenario against any single entity is unlikely, the likelihood that it will occur to some company is rather high, as is the risk: few organizations’ legal or IT teams have enough spare labor available to deal with this type of occurrence.

This is just one of the topics we will be discussing at the webinar on November 9th. I hope you can join us.

Monitor Your Social Media Exposure

Social media is an amazingly useful tool to share meaningful information (along with lots of drivel, humblebrags and photos of that amazing breakfast your friends are about to eat in Cancun). However, the ease with which social media can be used as a vehicle for sharing good information enables users to share some really stupid things, as well. The most recent case in point is the (now former) CBS Vice President and senior counsel who posted some very insensitive comments on Facebook about the victims of the horrific shooting in Las Vegas earlier this week. In 2016 a (now former) faculty member of York University in Toronto posted links on Facebook to anti-Semitic web sites and made a number of derogatory comments about Jews. Also in 2016, a (now former) employee of Express Oil Change and Tire Engineers in Alabama posted on Facebook that the wildfire victims of Gatlinburg, Tennessee are “…mouth-breathing, toothless, diabetic, cousin-humpin, mountain-dew-chuggin, moon-pie-munchin, pall-mall-smoking, trump-suckin pond scum.” In 2013, the (now former) communications chair of the Democratic Party of Sacramento County, California tweeted to the senior communications adviser to Ted Cruz, “May your children all die from debilitating, painful and incurable diseases”.

These types of posts represent a lack of self-control, something of which the vast majority of us are guilty at one time or another (but, hopefully, in less public ways). But they also represent a massive liability for a company’s brand. In each case, the offender was fired by his or her employer, but that does little to mitigate the enormous damage that these types of posts can inflict on the innocent employers who get caught up in the firestorm that normally ensues after these types of posts go viral.

As an employer, what can you do about this? Here are some suggestions:

  • First and foremost, establish detailed and thorough policies about what constitutes acceptable and unacceptable employee behavior, both during and after work hours. Obviously, an employer has less control over their employees when they’re not at work, but some reference to acting like a decent human being on a 24×7 basis while employed by the company is a good starting point.
  • To back up these policies, provide good training for employees about how to respond to social media posts, how to avoid making inappropriate comments on social media, and how to escalate sensitive issues like customer complaints.
  • Implement good monitoring, DLP and scanning technologies for all work-related systems, including social media. The goal is not only to identify intentionally inappropriate and mistaken posts from employees, but also to protect against data loss and malware infiltration through the social media channel, to identify if a social media account has been hacked, or to identify if someone is falsely purporting to be a representative of your company/brand.
  • Archive content from your social media channels, including any employee posts made using company infrastructure. Having a good archive of social media content will enable decision makers, counsel, etc. to review social media posts for inappropriate content after the fact, and can be useful as part of litigation efforts and regulatory audits.
  • For social media accounts under company control, enable appropriate access controls to minimize the potential for inappropriate posts.
  • Where necessary, implement a supervisory program (something akin to what financial services firms do for broker-dealers) that will sample employee social media posts to look for violations of corporate policy.

We will shortly be publishing a white paper and survey results focused on social media security and archiving. Let us know if you’d like to see an advance copy of the survey results or the paper.