Categories: Articles

Learning from Incidents

It’s only lunchtime on the first day of the FIRST Conference 2018, and already two talks have stressed the importance and value of reviewing incidents over both the short and long terms. In the very different contexts of an open science research lab (LBNL) and an online IPR-based business (Netflix), a common message […]

Categories: Articles

Incident response, logfiles and the GDPR

The Article 29 Working Party has recently highlighted the importance of detecting and mitigating information security breaches. One of the key tools in doing this is logfiles: the European Court of Justice in Breyer v Germany recognised the role of web server logs, the Article 29 Working Party guidelines mention logs and network flow data. […]

Categories: Articles

GDPR: sending incident reports overseas

When incident response teams (CSIRTs) detect an attack on their systems, they normally report details back to the network or organisation from which the attack comes. This can have two benefits for the reporter: in the short term, making the attack stop; in the longer term helping that organisation to improve the security of its […]

Categories: Articles, Tools

Data Breaches: Be Prepared

The Article 29 Working Party’s guidance on Breach Notification suggests some things we should do before a security breach occurs. The GDPR expects data controllers, within 72 hours of becoming aware of any security breach, to determine whether there is a risk to individuals and, if so, to report to the national Data Protection Authority. […]

Categories: Articles

Automated Processing for Network and Information Security

Article 22 of the GDPR contains a new, and oddly-worded, “right not to be subject to a decision based solely on automated processing”. This only applies to decisions that “produce[] legal effects … or similarly significantly affect[]” the individual. Last year, the Article 29 Working Party’s draft guidance on interpreting this Article noted that an […]

Categories: Articles

GDPR: Processing notification and protecting security

Concern has sometimes been expressed as to whether the General Data Protection Regulation’s (GDPR) requirement to notify individuals of all processing of their personal data would cause difficulties for security and incident response teams. These activities involve a lot of processing of IP addresses, which the GDPR and case law seem to indicate will normally count as […]

Categories: Publications

Security, Incident Response, Privacy and Data Protection

The Forum of Incident Response and Security Teams (FIRST) invited me to write a piece on how GDPR affects security and incident response. Summary: it makes them pretty much essential 🙂

Categories: Articles

Article 29 WP draft on Breach Notification

The Article 29 Working Party’s draft guidance on Breach Notification under the General Data Protection Regulation (GDPR) provides welcome recognition of the need to do incident response and mitigation in parallel with any breach notification rather than, as I’ve been warning since 2012, giving priority to notification. Now the Working Party is explicit that “immediately […]

Categories: Publications

GDPR and “cyber security”

Education Technology have just published an article I wrote (though I didn’t choose the headline!) on how security and incident response fit into the General Data Protection Regulation. It aims to be an easy read: if you want something more challenging follow the “incident response protects privacy” link to get the full legal analysis.

Categories: Articles

Article 29 Working Party support security and incident response

Having had my own concerns that the European Commission’s draft e-Privacy Regulation might prevent some activities that are needed by security and incident response teams, it’s very reassuring to see the Article 29 Working Party recommending an explicit broadening of the scope of permitted Network and Information Security (NIS) activities. Strikingly, this comes in an […]