Attackers, CSIRTs, and Individual Rights

Incident response teams often share information when investigating incidents. Some patterns may only become apparent when data from different networks are compared; other teams may have skills – such as analysing malware – to understand data in ways we cannot. Since much of this information includes IP or email addresses – information classed as Personal under data protection law – concerns have arisen that attackers might be able to use the law to frustrate this sharing.

Article 14 of the General Data Protection Regulation (GDPR) normally means that as soon as an organisation receives personal information, it must ensure that the individual knows about this. If attackers had to be informed every time their information was shared, this would tell them when they needed to modify their tactics or to wipe compromised systems to conceal their traces. Fortunately, Article 14(5) suspends the duty to inform if doing so “is likely to render impossible or seriously impair the achievement of the objectives of that processing”. Investigating an attack seems exactly the kind of processing this clause is designed for.

There have also been concerns that an attacker might use their “Right to Be Forgotten” to erase evidence. However, the Article 17 Right to Erasure only arises once there is no lawful reason to continue processing. That’s unlikely to be the case while an investigation is in progress. Since the Right also requires the intruder to identify themselves and to help the data controller find the information relating to them, incident responders might actually welcome such requests…

Of course, victims of attacks also have a right to be notified under Article 14. Providing such notifications is one of the main aims of Incident Response. There will normally be a natural point – once an incident has been confirmed and its likely consequences and victims are understood – when that is most beneficial. Until then, it is likely to be better to rely on Article 14(5) again, on the basis that premature, uncertain notices to people who may not be victims are likely to cause more distress than benefit and would therefore be disproportionate, as well as “impairing the achievement of the objectives” by causing unnecessary alarm.

While applying the Article 14(5) postponement, there is a special duty to “protect the data subject’s rights and freedoms and legitimate interests”. Again, this is absolutely compatible with what Incident Response requires: failure to keep shared information secure, or using it for anything other than network and information security, is likely to undermine those purposes, or even make the situation worse.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
