I was asked recently how I saw current legal developments in Europe affecting the work of incident response teams, so here’s a summary of my thoughts.
Understanding Data Protection law has always been a problem for incident response. Some of the information needed to detect and resolve incidents is personal data, but the laws are unclear, and sometimes even contradictory, about which information that is. Fortunately there is now recognition in the amended Telecoms Privacy Directive and the draft Data Protection Regulation that detecting and responding to incidents are important tools in protecting privacy (if your computer has been compromised, so has your privacy) and need to be supported by the law. The proposed Regulation should reduce the differences in legal interpretation that cause concern when working across borders; it should also provide a clearer basis for working with teams outside Europe. Incidents rarely stay within a continent.
One area where I do see potential problems is a trend towards treating “national CERTs” (a term with many different definitions) as different in law. The reform of data protection law will continue the current special status of organisations involved in justice and home affairs, who will have different data protection rules from the rest of us. Some countries have gone as far as creating specific legislation to set out the powers of their national CERT. That could make it tricky to share information between the two types of CERT: if I have a particular duty to protect information and you don’t, then it could be risky for me to share that information with you. One way to address this would be formal information sharing agreements that maintain the protection of the information. I wouldn’t be surprised to see these becoming more common, especially as most national CERTs rely on others for a lot of their information about what is happening.
Finally there seems to be a very wide range of political opinions on what information network operators need to collect about their users. The Data Retention Directive, which requires public phone and data networks to keep call logs from their phone and e-mail services, became law in 2006 but a number of European countries have still not implemented it, or have had their implementations overturned by constitutional courts, on the grounds that it is a disproportionate interference with privacy. At the same time, successive UK Governments have proposed laws requiring networks to do much more than is already in the Directive. The Directive was supposed to solve the problem of different evidence retention practices; if anything those policies seem to be more diverse now than they were in 2005. It’s not clear whether these developments will increase the amount of information available to incident responders, leave it the same, or decrease it (if logs are now locked away in “law-enforcement only” containers). But adding confusion – for example “I have the information but don’t know if I can share it with you” – rarely helps.
So, on the whole, I’m reasonably positive, but there are still some things that need watching.