An interesting, though depressing, figure from Verizon’s 2012 Data Breach Investigations Report is that 92% of information security breaches were discovered and reported by a third party: not by the organisation that suffered the breach, nor by its customers, who are likely to be the victims of any loss of personal data, but by someone else. In many cases, I suspect, the information will have come from observant system and network administrators who, while looking out for problems on their own systems, saw signs – scanning, malware transmission or spam runs – of problems on others’. Fortunately, many of those people feel that helping clean up problems on the Internet is important, even if it’s not formally part of their job.
So it’s vital for privacy that third parties are able to report information about security breaches to the affected organisation, its network or its incident response team. At the moment European privacy law does seem to allow that. Although incident response is only explicitly mentioned in a Directive covering telecommunications operators, Article 7f of the general Data Protection Directive allows personal data (which in many countries includes IP and e-mail addresses) to be disclosed to an organisation if it is in the legitimate interests of either the sender or the recipient organisation, provided doing so doesn’t injure the fundamental rights of the individual. Reporting a security breach will generally be in the interests of both the organisation suffering the breach and its affected customers, so that justification seems to fit the bill.
The draft Data Protection Regulation changes the wording of this section, removing the separate mention of the sender and the recipient of the personal data. Instead, according to Article 6f, disclosure will be allowed so long as it is in the legitimate interests of a data controller. I very much hope that includes the data controller who receives it; otherwise the Regulation’s new statement on incident response in Recital 39 will be of much less value. The new draft also places further conditions on using the legitimate interests justification, some of which will be impossible for third-party reporters to satisfy: if what you have found is an IP address, username or credit card number then you can’t “explicitly inform” the owner, only try to pass the information on to their ISP or bank. Such provisions need to be very carefully drafted and explained; otherwise they risk choking off information flows that are essential to protect privacy.
There are several current proposals for European laws to require organisations to notify regulators and customers when they suffer security or privacy breaches. The Verizon figures are a reminder that these can only be effective if the law also supports and protects third parties who discover and report the breaches in the first place.