Threat Information Sharing Under GDPR
By Richard Borden, Joshua Mooney, Mark Taylor, and Matthew Sharkey
March 06, 2019 Feature
The General Data Protection Regulation (GDPR) is intended to protect the fundamental rights of EU data subjects. However, where GDPR intersects with cybersecurity is little understood. This, in turn, has undermined threat information sharing as an essential tool for combating cyberattacks, including attacks engineered by criminal and terrorist organizations, and nation states.
As cyberattacks continue to increase in number and sophistication, threat information sharing may (and should) be employed by banks, brokers, insurance carriers, and other areas of critical infrastructure to identify vulnerabilities and prevent the spread of successful cyberattacks to other organizations. Vulnerabilities and incidents are rarely specific to one organization. Thus, by employing effective threat information sharing, particularly between organizations of a similar nature, an active threat actor will have only one opportunity to attack a system with success, because threat information shared in real time will forewarn other organizations. Yet, an ironic and unforeseen effect of GDPR has been to stifle the practice of threat information sharing, in turn increasing the threat of successful attacks.
This article addresses threat information sharing and discusses why it is lawful under GDPR. Indeed, the purpose of threat information sharing—to preserve networks and data from unauthorized acquisition, alteration, or loss—is a cornerstone of GDPR’s aim to protect personal data and prevent any collateral human harm from a personal data breach. Part I of this article discusses Information Sharing and Analysis Centers (ISACs) and the types of threat information shared to combat cyberattacks. Part II discusses GDPR’s framework in the context of ISACs. Part III explains why threat information sharing is lawful under GDPR as a means to combat cyberattacks. Part IV offers the authors’ conclusions.
ISACs and Threat Information Sharing
A security breach into one organization’s network can provide hackers with the ability to breach the security of another organization by using the same tactics, techniques, and procedures (TTPs). Thus, a security breach into one organization may initiate a chain of security breaches compromising multiple networks and systems of numerous organizations. Threat information sharing can short-circuit, if not prevent, such a chain of breaches: as vulnerabilities become known, shared threat information gives other organizations what they need to mitigate or remedy those vulnerabilities before further cyberattacks targeting them succeed.
ISACs serve a critical role in cybersecurity through threat information sharing. ISACs are non-profit organizations that provide a central resource to gather and exchange information on cyber threats between member organizations to improve the members’ cybersecurity posture. Sometimes oriented on a specific, critical sector (e.g., financial services, health, energy) or focal point (e.g., national level), ISACs attract members to establish communities within the private sector to gather and analyze information about cyber threats and incidents. Effective threat information sharing in cybersecurity means that the threat actor may have only one opportunity to render a successful attack against a system because threat information sharing will prevent the same or a copycat threat actor from breaching a second organization using the same means.
A majority of information processed and exchanged by ISACs in threat information does not constitute “personal data,” as defined by GDPR. Instead, ISACs primarily exchange information about threats, incidents, or vulnerabilities. They exchange Indicators, Tactics, Techniques and Procedures (TTPs), Security Alerts, Threat Intelligence Reports, and Tool Configurations—all categories of information that often are devoid of personal data. Nevertheless, to the extent that ISACs do exchange personal data in threat information, such data most often consists of email addresses and IP addresses. Less often, the data may include names and bank account/credit card information of victims, or the names of threat actors themselves. In short, the personal data involved is relatively low in volume, and generally of low sensitivity.
Specifically, personal data processed and shared for the purpose of threat information sharing may be broken down into three categories:
- Falsified Personal Data – when an identity, or a partial identity, has been created and used by someone who is hiding their identity behind the falsified personal data.
- Stolen/Victim Personal Data – when a third party has stolen the personal data of an actual data subject.
- Personal Data of Threat Actors – the personal data of the individuals committing fraud or other crimes.
When sharing threat information, ISACs and their Members use the Traffic Light Protocol (TLP), which is a set of designations used to ensure that dissemination of confidential or sensitive information is restricted to appropriate audiences based on the sensitivity of the information and its source.[2] TLP employs four colors to indicate sharing and dissemination restrictions: Red, Amber, Green, and White. Thus, to the extent ISACs process personal data, the information is shared subject to TLP restrictions.
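The article names the four TLP colors but does not spell out what each permits. The following is an added example, not code from the article or from any ISAC: a small dissemination gate that encodes the TLP 1.0 color rules as published in the US-CERT definitions cited in endnote 2 (Red: only the participants in the original exchange; Amber: the recipient's own organization and clients who need to know; Green: the sharing community, but never over public channels; White: unrestricted), and records every decision, including which categories of personal data were in the report, so that an ISAC member can later show what left its hands and why. The recipient model (`Party` with `in_community` and `client_of`), the `Channel` enum, and the sample parties and report are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class TLP(Enum):
    """The four TLP 1.0 colors, most to least restrictive."""
    RED = "TLP:RED"
    AMBER = "TLP:AMBER"
    GREEN = "TLP:GREEN"
    WHITE = "TLP:WHITE"


class Channel(Enum):
    """Assumed delivery channels; only what matters to the TLP rules is modelled."""
    DIRECT = "direct"        # addressed to one named person (e-mail, portal message)
    INTERNAL = "internal"    # the holder's own SOC/SIEM/ticketing
    COMMUNITY = "community"  # the ISAC's member-only portal
    PUBLIC = "public"        # blog, open mailing list, social media


# Channels each color may travel over, per the TLP 1.0 definitions.
ALLOWED_CHANNELS = {
    TLP.RED: {Channel.DIRECT},
    TLP.AMBER: {Channel.DIRECT, Channel.INTERNAL},
    TLP.GREEN: {Channel.DIRECT, Channel.INTERNAL, Channel.COMMUNITY},
    TLP.WHITE: set(Channel),
}


@dataclass(frozen=True)
class Party:
    name: str
    org: str
    in_community: bool                   # member of the sharing community (the ISAC)
    client_of: frozenset = frozenset()   # orgs this party is a client/customer of


@dataclass(frozen=True)
class Report:
    tlp: TLP
    participants: frozenset   # names of the parties in the original exchange (RED)
    personal_data: tuple      # categories present, e.g. ("threat actor IP address",)
    summary: str


def may_disseminate(report, holder, recipient, channel):
    """Return (allowed, reason) for `holder` passing `report` to `recipient` over `channel`.

    `holder` is assumed to have received the report legitimately.
    """
    if channel not in ALLOWED_CHANNELS[report.tlp]:
        return False, f"{report.tlp.value}: not permitted over {channel.value} channel"
    if report.tlp is TLP.WHITE:
        return True, "TLP:WHITE: disclosure is not limited"
    if report.tlp is TLP.GREEN:
        if recipient.in_community:
            return True, "TLP:GREEN: recipient is in the community"
        return False, "TLP:GREEN: recipient is outside the community"
    if report.tlp is TLP.AMBER:
        if recipient.org == holder.org:
            return True, "TLP:AMBER: recipient is in holder's organization"
        if holder.org in recipient.client_of:
            return True, "TLP:AMBER: recipient is a client with need to know"
        return False, "TLP:AMBER: recipient is outside holder's organization"
    # TLP.RED: restricted to the participants of the specific exchange
    if recipient.name in report.participants:
        return True, "TLP:RED: recipient was a participant in the exchange"
    return False, "TLP:RED: recipient was not a participant in the exchange"


def distribute(report, holder, recipients, channel, audit):
    """Apply the gate to every recipient; append one audit record per decision."""
    delivered = []
    for r in recipients:
        ok, why = may_disseminate(report, holder, r, channel)
        audit.append({"recipient": r.name, "tlp": report.tlp.value,
                      "channel": channel.value, "allowed": ok, "reason": why,
                      "personal_data": list(report.personal_data)})
        if ok:
            delivered.append(r.name)
    return delivered


# Constructed sample parties and report (hypothetical names, not real organizations).
ALICE = Party("alice", "BankA", in_community=True)
BOB = Party("bob", "BankB", in_community=True)
CARL = Party("carl", "BankA", in_community=True)   # Alice's colleague
DANA = Party("dana", "VendorX", in_community=False, client_of=frozenset({"BankA"}))
EVE = Party("eve", "Press", in_community=False)
AMBER_REPORT = Report(TLP.AMBER, frozenset({"alice", "bob"}),
                      ("threat actor IP address",),
                      "credential-stuffing source seen against login portal")

if __name__ == "__main__":
    audit = []
    print(distribute(AMBER_REPORT, ALICE, [BOB, CARL, DANA, EVE], Channel.DIRECT, audit))
    for record in audit:
        print(record)
```

Run as a script, the Amber report held by Alice reaches only her colleague Carl and the client Dana; Bob, a fellow community member at a different bank, and Eve are refused, and each refusal is written to the audit list alongside the personal data categories the report carried.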
The GDPR Framework
GDPR governs the processing of “personal data” with the aim to protect “fundamental rights and freedoms of natural persons and in particular their right to protection of personal data.” The law constitutes the most significant change in the data protection regime in the EU in the last twenty years, and its extra-jurisdictional reach has a profound impact upon the operations of organizations around the world.
GDPR defines “processing” in very broad terms to mean “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.” This expressly includes any collection, recording, organization, storage, alteration, use, disclosure by transmission, or destruction of data. Thus, the regulation effectively governs any activity carried out with the personal data, subject to its jurisdictional reach as set out in Article 3.[3]
GDPR distinguishes between the actions of data controllers and data processors. Data controllers are those parties, whether acting alone or with others, that determine the means and purposes of data processing. Data processors are those parties that process personal data on behalf of a data controller. The distinction is important because the data controller primarily is responsible for ensuring that personal data is processed lawfully in accordance with the regulation, and is required to have a lawful basis to process personal data. In the context of threat information sharing, both the ISAC and its Members may act as independent data controllers. At times, the ISAC also may act as a data processor.[4]
ISAC Threat Information Sharing Is Lawful Under Article 6(1)(f) of GDPR
GDPR sets out an exhaustive list of the lawful bases for processing personal data. If a processing of personal data does not fit within one of those bases, a data controller and data processor run afoul of the law and may be subject to steep fines and penalties. This has caused some consternation in threat information sharing communities, for fear of sharing threat information in a manner that violates GDPR.
To process personal data lawfully, data controllers must possess a lawful basis as prescribed under GDPR.[5] In threat information sharing, the sharing party and the receiving party each must possess a lawful basis to process any personal data contained within the threat information being shared. Article 6 provides an exhaustive list of lawful grounds for processing personal data. The most relevant to threat information sharing is the so-called “legitimate interests” ground in Article 6(1)(f): “processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”.
Thus, this Article effectively provides a three-step test—necessity, legitimacy, and balancing interests—for determining the lawfulness of processing of personal data. GDPR considers the legitimacy of the interests pursued by the data controller “or by a third party” for determining whether the processing of personal data is lawful. Therefore, in the context of threat information sharing, the interests of the ISAC, its Members, as well as the interests of governments, data subjects, and the general public are relevant for determining the lawfulness of the processing.
The relevant interests render the processing of personal data in threat information lawful. As discussed below, the legitimacy of these interests is illustrated by both the guidance of the Article 29 Working Party and the GDPR Recitals. The processing and sharing of personal data in threat information is strictly necessary and proportionate to achieve these purposes behind the legitimate interests, including the prevention of fraud and ensuring network and information security. The processing also satisfies the balancing test under Article 6(1)(f).
Illustrations of Legitimacy: A29WP’s Guidance and the GDPR Recitals
Guidance from the Article 29 Working Party (replaced by the European Data Protection Board) and the GDPR Recitals both illustrate the legitimacy of the interests in sharing threat information. Under the Article 29 Working Party’s guidance on legitimate interests, an interest is “legitimate” if the interest is:
- lawful (i.e., in accordance with applicable EU and national law);
- sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject (i.e., sufficiently specific); and
- represents a real and present interest (i.e., it is not speculative).[6]
The interests of the ISAC and its Members in processing personal data in threat information meet these criteria. First, the interests are lawful. Threat information sharing is exercised pursuant to specific directives in the United States. Indeed, ISACs originally were created by Presidential Executive Order (EO) in response to two significant terrorist attacks occurring in the United States. ISACs, as defined by EO 12472 and the national critical infrastructure protection goals of Presidential Decision Directive 63 (PDD-63), are essential drivers of effective cybersecurity collaboration for specific industrial sectors such as banking and financial services, energy, and telecommunications. More recently, EO 13691 issued under the Obama administration “promotes private sector cybersecurity information sharing” to respond to specific emerging cyber threats.[7]
The interests are clearly articulated to allow the Article 6(1)(f) balancing test (discussed below). The goal and purpose of threat information sharing is to preserve networks, systems, and associated personal data from unauthorized acquisition, alteration, or loss. If networks and systems do not have adequate security and protection, the privacy of personal data in those networks and systems cannot be secured and maintained. Such a result would undermine a basic tenet of GDPR: to protect privacy as a fundamental right.
The interests are real and ever-present. It has become critical for organizations to share threat information as part of their resiliency and security program. Threat actors’ techniques have grown in sophistication and speed for exploiting discovered vulnerabilities. The interconnectivity of global networks is ever-expanding. Threat actors share information for exploitation of discovered vulnerabilities. The general public also shares broad and important interests to combat cybercrime, including the prevention of financial and consumer fraud and the protection of critical financial infrastructure in national and global economies.
The GDPR Recitals also expressly illustrate that the purposes of processing personal data contained within threat information constitute a legitimate interest. Specifically, GDPR Recitals 47, 49, and 50 state that processing personal data for the purpose of fraud prevention, ensuring network and information security, and/or indicating possible criminal acts or threats to public security may constitute a legitimate interest. An ISAC and its Members process personal data contained within threat information for all three of these purposes.
The Processing Is Strictly Necessary and Proportionate under Article 6(1)(f)
Under Article 6(1)(f), the processing of personal data must be (1) necessary, and (2) proportionate to the pursuit of the legitimate interest. The processing of personal data by ISACs or their members for threat information sharing meets both these requirements.
To be necessary, or strictly necessary, there must be no viable or practical alternative method to achieve the purpose behind the interest, such as the prevention of fraud.[8] For example, the controller should satisfy itself that it is not possible to achieve the relevant purpose in another more obvious or less intrusive way. The processing of personal data in threat information sharing is very likely to meet these criteria.
Threat information sharing is a critical and proven component of ensuring network and system security. Sharing certain personal data (such as IP or email addresses) can prove to be “essential” in rapidly identifying and preventing security breaches or the exploitation of discovered vulnerabilities. It also may prevent further crime. For instance, the processing of Threat Actor Personal Data relating to an unsuccessful cyber incident against one ISAC member can help other members secure their systems against cyber threats from that same individual. In addition, sharing Stolen/Victim Personal Data within the member community is the quickest and most efficient and effective way for members to prevent a data subject from being a victim of further fraud or criminal activity. Moreover, any attempt to strip personal data from the threat information that is shared would be disproportionately onerous and would undermine the value and effectiveness of the threat information, thereby debilitating the very purpose of threat sharing and making network security less feasible. Thus, the processing would be strictly necessary.
The processing of personal data in threat information should be deemed proportionate under Article 6(1)(f). Given the weight of the interests of an ISAC and its Members (as well as governmental entities, consumers, and the public at large), the impact of processing threat information on data subjects is neither excessive nor unwarranted. In fact, the processing of personal data in threat information by ISACs complements interests to protect personal data while minimizing the impact on data subjects. For example, the processing of Stolen/Victim Personal Data could prevent further crime against the affected data subjects. The sharing of information also is governed by TLP restrictions to minimize the dissemination of information based upon the information’s sensitivity or the reliability of the source. Also, ISACs do not process personal data to take action against the data subjects. Instead, threat information is processed to enable the ISAC’s Members to improve security and take defensive measures to withstand possible or anticipated cyberattacks. Thus, the processing would be proportionate.
The Balancing Test under Article 6(1)(f)
Finally, the lawfulness of processing personal data by the ISAC satisfies the Article 6(1)(f) balancing test, which weighs the legitimate interests of the controller or the third party against the interests and fundamental rights and freedoms of the data subject. In the context of threat information sharing and the categories of personal data processed in threat information, the legitimate interests of the ISAC and its Members would not be outweighed by the interests or rights of the data subject, especially when considering the types of personal data contained in threat information.
For instance, the processing of Stolen/Victim Personal Data to prevent further fraudulent crimes against that data subject would not be overridden by the data subject’s interests. A data subject who has had his or her personal data stolen could be a victim of fraud, identity theft, or other crimes. An ISAC’s processing of Stolen/Victim Personal Data would not impose a detrimental effect upon the data subject’s rights or interests, but would instead serve them and benefit the data subject. The processing could stop further identity theft and harm to the data subject, or help validate the theft’s occurrence to give the data subject avenues for restitution and recovery.
Nor would the interests of threat actors override the processing of personal data contained in threat information. Again, the Article 29 Working Party’s guidance on legitimate interests is illustrative. There, the Article 29 Working Party stated that when a data subject is engaged in illegal activity, although his or her interests should not be disregarded in toto, any interference simply must not be “disproportionate” to the threat actor’s rights and interests. It used a scenario to explain this concept:
Even individuals engaged in illegal activities should not be subject to disproportionate interference with their rights and interests. For example, an individual who may have perpetrated theft in a supermarket could still see his interests prevailing against the publication of his picture and private address on the walls of the supermarket and/or on the Internet by the owner of the shop.[9]
The theory in this example is that the consequences of publishing the thief’s picture and private address would outweigh the crime. Processing of a threat actor’s personal data in threat information would not have such a disproportionate effect. Threat information sharing is not akin to the Article 29 Working Party’s example of publishing the thief’s photo and private address, an action that exhibits punitive and arbitrary qualities. The purpose of threat information sharing is to prevent crime, and ultimately to protect data subjects from harm. Processing personal data of threat actors to stop fraud, to identify theft, or to enhance network security would not be disproportionate to a threat actor’s interests.
Other Factors Illustrate the Legitimate Interests Are Not Outweighed
Finally, additional factors may be considered under Article 6(1)(f) when conducting the balancing test, and these further illustrate the lawfulness under GDPR of processing personal data in threat information. Those factors are: the nature of the personal data being processed; the reasonable expectations of the individual data subjects; the likely impact of the processing on the individual; and whether any safeguards can be put in place to mitigate negative impacts.
The nature of the personal data being processed in the context of threat information sharing is not sensitive or intrusive. The majority of personal data processed and shared includes IP addresses (or other online identifiers) of threat actors. Such data is not special, sensitive, or even particularly personal. Other personal data may be bank details of victims, but such information usually is shared to prevent further fraud on those victims, which leads into the second factor: the data subjects’ reasonable expectations.
The data subject’s reasonable expectations require that a reasonable person in the data subjects’ position would expect the processing of their personal data in light of the particular circumstances. In its guidance, the Article 29 Working Party opined that “the more compelling the interest of the controller, and the more clearly acknowledged and expected it is in the wider community that the controller may take action and process data in pursuit of such an interest, the more heavily this legitimate interest weighs in the balance.”[10] In the context of threat information sharing, ISACs and their members have compelling interests that are expected in the wider community: the prevention of fraud, ensuring network security against cyberattacks, and the possible identification of criminal activity or threats to the public. Thus, it is reasonable to assert that both victims and threat actors reasonably expect that (for example) banks and other financial institutions share personal information for the purposes of fraud protection, ensuring network and information security, and identifying possible criminal activity.
The impact of the processing also weighs in favor of ISACs and their members. The impact of processing Stolen/Victim Personal Data would be positive for data subjects. For data subjects whose personal data has been stolen and who are victims of crime, the sharing of such data can prevent further fraud against the victim and the community at large. It also may assist with providing the victim with relief and restitution. While the sharing of threat actors’ personal data would have a more significant impact on their rights and freedoms, the impact would not be disproportionate given that the processing would serve to prevent further crime, to permit law enforcement to protect the security of critical networks and systems, and to permit possible restitution for victims.
Finally, ISACs and their members employ safeguards to mitigate negative impacts from the processing and sharing of personal data in threat information. Typical safeguards employed by ISACs and their Members include TLP, encryption, annual cybersecurity assessments and robust cybersecurity programs aimed at early detection and mitigation of cyber events. The safeguards help to provide further weight to processing performed by ISACs and their Members when balancing their respective legitimate interests against the interests of data subjects.
Conclusion
Threat information sharing is an essential tool in a cybersecurity arsenal, and ISACs provide a fundamental platform for the dissemination of threat information to combat cyberattacks and improve cybersecurity posture. In the wake of GDPR, there has been some question as to whether ISACs and their members have the necessary lawful grounds to continue to engage in threat information sharing under the new EU law. The short answer is that they do.
The purposes and goals of threat information sharing serve to protect organizations and communities, including critical infrastructure, from fraud and crime, and to ensure network security. In fact, it advances the fundamental tenet of GDPR: the protection of personal data and, consequently, the protection of privacy as a fundamental human right. Processing personal data in threat information should comply with and fall squarely within Article 6(1)(f). The processing of such personal data is necessary for the legitimate interests pursued by ISACs and their members, as well as the interests of the community at large. Such processing also satisfies Article 6(1)(f)’s balancing test. Finally, the additional balancing factors, the A29WP’s guidance, and the GDPR Recitals themselves all weigh further in favor of the processing as a lawful exercise.
Endnotes
1. The authors would like to thank the Financial Services Information Sharing and Analysis Center (FS-ISAC) for directing and underwriting the white paper upon which this article is based. The full white paper (White Paper) and a complete list of references for the statements in this article can be found at https://www.whiteandwilliams.com/resources-alerts-Threat-Information-Sharing-and-GDPR-A-Lawful-Activity-that-Protects-Personal-Data.html. Opinions and conclusions expressed herein are the authors’ own.
2. US-CERT, Traffic Light Protocol (TLP) Definitions and Usage, https://www.us-cert.gov/tlp.
3. Generally, GDPR applies only to the processing of personal data (1) in the context of the activities of an establishment of a controller or a processor in the EU; (2) the processing of personal data of an EU data subject that relates to offering the data subject goods or services, or monitoring his or her behavior in the EU; or (3) where an EU Member State’s law otherwise applies by virtue of public international law.
4. For a fuller discussion of ISACs’ and members’ roles as controllers and processors, see the White Paper, https://www.whiteandwilliams.com/resources-alerts-Threat-Information-Sharing-and-GDPR-A-Lawful-Activity-that-Protects-Personal-Data.html.
5. Id., for a discussion of GDPR’s transparency requirements, and how they are met by ISACs in threat information sharing.
6. Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (hereinafter The A29WP Opinion), available at http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf at 25. Although the A29WP Opinion predates the GDPR, it still provides a sound explanation of legitimate interests and key issues to consider.
7. See Cyber Threat Intelligence, ISAOs, https://ctin.us/site/isaos.
8. Id. at 55.
9. Id. at 30 (emphasis added).
10. Id. at 35.