When incident detection vendor SecBI found suspicious activity on company devices at one of its clients, it passed on the data with the expectation that the client, a large European enterprise, would investigate further. That didn’t happen. The client’s security team was not allowed to look at the data due to privacy concerns: a contract with the company’s employee union prohibited anyone in the organization from looking at employees’ personal data stored on their work computers, even though the computers were owned by the company.
Here’s the kicker: The union used language from the EU’s General Data Protection Regulation (GDPR) in its contract with the company to keep it from accessing employees’ personal data on company devices. That put the company’s security team, itself part of the union, in an awkward position: The data showed a potential threat, but they could not confirm the threat without breaching the union contract. If there indeed was a data breach, they risked breaking the GDPR’s 72-hour reporting rule.
Read more about this story on CSO, where Michael Nadeau argues that companies struggling to meet GDPR compliance should take a lesson from it: protect privacy, but do not weaken the ability to detect and respond to threats in the process.