
Data Protection Proposal: Incident Response

The Commission’s proposed Data Protection Regulation seems very positive for Incident Response. Indeed Recital 39 explicitly supports the work of Incident Response Teams:

The processing of data to the extent strictly necessary for the purposes of ensuring network and information security … by public authorities, Computer Emergency Response Teams … providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the concerned data controller. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

The mention of “legitimate interests” indicates that such activities would be justified by Article 6(f) of the Regulation (as was suggested in my paper on Privacy and Incident Response for the equivalent Article 7(f) of the current Directive). The same justification now also supports necessary transfers of information outside Europe (for example when dealing with an attack coming from elsewhere in the world), since those, too, are permitted for “legitimate interests” by Article 44(1)(h). International transfers covered by this article are required not to be “frequent or massive”, which will rarely be the case when responding to an incident, and “appropriate safeguards”, such as transferring to a trusted partner CERT, must be applied. Although a similar recital about Incident Response was recently added to the Electronic Commerce Directive, having it in the main Data Protection Regulation confirms that it applies to all CERTs, not just those associated with electronic communications networks.

For those organisations that do not have an Incident Response capability, Recital 69 seems to encourage them to establish one, since if an organisation suffers a security breach that affects personal data, it will be judged on whether it has “implemented and applied appropriate technological protection and organisational measures to establish immediately whether a personal data breach has taken place”. An Incident Response capability could well be one of those organisational measures.

The Regulation also appears to address one of the unusual features of Incident Response – that although it often involves identifiers such as IP addresses that are regarded as personal data, the Incident Response team will rarely be able to identify the individual to inform them that their personal information is being processed. Article 10 recognises that this situation may arise, and clarifies that “if the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation”. It would be perverse indeed if a law on privacy compelled Incident Response teams to seek out the personal identities of all the Internet users who may be associated with incidents!

There is one concern, in the apparent contradiction that Recital 39 encourages “public authorities” to also rely on the “legitimate interests” justification for their incident response activities, while Article 6(f) says that it may not be used by public authorities. If different CERTs rely on different justifications this may create problems for transferring information between them: a CERT processing information under Article 6(f), which is required to ensure such processing is not overridden by the fundamental rights of the individual, may be reluctant to share information with a CERT operating under Article 6(e), which is not subject to that limitation. The potential for difficulties if national CERTs were treated differently from others was highlighted in ENISA’s recent report on legal aspects of information sharing and will need to be borne in mind in implementing this part of the legislation.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
