While cyberattacks continue to increase in frequency and sophistication, organizations across all industries are working diligently to ensure their systems and data are secure. One efficient and cost-effective tool often used to mitigate the risk of a costly cyberattack is threat-information sharing.
As many risk managers know, cyber incidents are rarely organization-specific: a breach of one network can give attackers the means to breach another organization’s systems using the same tactics, techniques and procedures. A single successful cyberattack can therefore set off a chain of breaches compromising numerous networks and affecting countless businesses. Threat-information sharing helps break that chain by giving operators timely information to patch vulnerabilities, block known attacker infrastructure and safeguard their data.
Unfortunately, a critical misunderstanding of the General Data Protection Regulation (GDPR), and the fear of GDPR fines of up to €20 million or 4% of annual worldwide turnover under Article 83, is threatening the use of threat-information sharing and could have significant consequences for businesses. The issue is this: does processing and exchanging the personal data embedded in some threat information violate GDPR and thus expose companies to severe fines? Companies want to fight cybercrime and cyber terrorism. But it is difficult for risk managers to adopt information sharing if they are told that doing so could expose their organizations to bet-the-company liability.
The irony of this misunderstanding is that threat-information sharing can be lawful under GDPR. In fact, it advances a fundamental tenet of GDPR: the protection of individuals’ data. The Financial Services Information Sharing and Analysis Center (FS-ISAC) has shed light on this misunderstanding with a recent white paper analyzing the legality of threat-information sharing under GDPR. It recommends that organizations, including Information Sharing and Analysis Centers (ISACs), model their information-sharing protocols on Article 6(1)(f) of GDPR.
Article 6(1)(f) provides that processing personal data is lawful when it “is necessary for the purposes of the legitimate interests pursued by the controller [loosely, the organization collecting the information] or by a third party.” The inclusion of “third party” is critical, because it means that the interests of the organizations combating cyber risk, as well as the interests of governments, individuals and the general public, are all relevant in determining whether the processing is lawful. To establish lawfulness, organizations must meet a three-step test: legitimacy, necessity and a balancing of interests.
- Legitimacy: According to the Article 29 Working Party (A29WP) guidance on legitimate interests, Opinion 06/2014, an interest is legitimate if it is lawful, clearly articulated, and real and present. The interests of organizations processing personal data through threat-information sharing meet these criteria. First, threat-information sharing is lawful when it is conducted within applicable law, for example under a legal directive or in the interest of public welfare. Second, the interest can be clearly articulated by documenting the security purpose of the sharing and the internal confidentiality controls that protect the data, which also helps meet Article 6’s balancing test (discussed below). Finally, organizations should have very little trouble demonstrating the third criterion: cyberattacks, and the interest in thwarting them, are real and present.
- Necessity: To establish “necessity,” the organization must show that the processing of personal data is necessary and proportionate. To be necessary (or strictly necessary), there must be no other viable or practical alternative for achieving the purpose behind the threat-information sharing. For instance, processing personal data is not necessary if there is a more obvious or less intrusive way to achieve the same result. In practice, this means sharing only the personal data the security purpose actually requires, such as an attacker-controlled IP address or e-mail address rather than a full victim record. Organizations should have little difficulty meeting this test: sharing certain personal data helps them rapidly identify and prevent chain breaches, and with them the further exploitation of discovered network vulnerabilities. Proportionality can then be demonstrated through the balancing test discussed below.
- Balance: The Article 6(1)(f) balancing test weighs the legitimate interests of the organization collecting and analyzing the data against the interests and fundamental privacy rights of the individual whose personal data is being processed. Essentially, the organization’s interest in threat-information sharing must not be overridden by the interests or fundamental rights of the individual. The goal of threat-information sharing is network security and crime prevention, which ultimately protects individuals from fraud and harm. For example, processing a victim’s stolen personal data advances his or her interests by preventing further fraud, helping to validate the loss and providing an opportunity for recovery.
Threat-information sharing is a vital tool in the cybersecurity arsenal. Now more than ever, businesses must use every lawful means available to protect their data. The belief that GDPR prevents threat-information sharing is an unfortunate misunderstanding. After all, threat-information sharing and GDPR have the same goals: to protect data security and individual privacy.