After (too) many years, I’ve turned the ideas from my original TF-CSIRT documents into a formal academic paper, which has just been published in the open access law journal, SCRIPTed:
The new General Data Protection Regulation provides explicit support for the idea that protecting the security of computers, networks and data is a legitimate interest of organisations. That has recently been confirmed by the European Court of Justice in the Breyer case.
After discussing the need for incident response, the very diverse legal approaches that have been taken to it in the past, and the problems those have created for collaboration, the paper looks at the rules that data protection law applies when processing for a “legitimate interest”. This produces a framework for assessing the impact and benefit of security and incident response activities. Finally there are a series of practical case studies, suggested by various CSIRT teams, analysed against that framework. Reassuringly, the conclusion is that most current CSIRT practice – which is already designed to protect the security of sensitive information – also satisfies the requirements for privacy and data protection.
Thanks to everyone who has, knowingly or not, contributed to the final result.
