One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Incident Response and Data Protection

Wednesday, June 6, 2012 - 10:11

Incident response, as performed by CERTs, CSIRTs and other related acronyms, is an essential part of keeping the Internet habitable, but it raises some interesting data protection issues. In most data protection scenarios, you know in advance what people and what information you are going to be processing, so you can give them prior notice, design systems and processes to be compliant, and so on.

Incident response turns all that round: when you are given a compromised machine, or if you run a network traffic monitor, you have no idea what may turn up. A compromised host is likely to contain a wide range of information belonging to the legitimate owner, but also potentially lots of fallout from whatever else the machine has been mis-used for: that could be credit card or e-banking details if it has been used for phishing, lists of other compromised hosts if it has been part of a botnet, or any kind of large-volume file if it has been used as a distribution point for unlawfully copied material. Any network monitoring system will pick up a mix of legitimate traffic, mis-configurations and malicious activity. It's pretty unlikely that any of this will be neatly tagged with the e-mail addresses of the affected people, so even informing them of what has happened may be impossible.

Fortunately EU data protection law does contain provisions that allow this sort of activity and provide as much protection as possible for those whose personal information may be caught up in it. Over the past year or so I've been working with members of various international Incident Response Teams to remind myself of what they need to do in these circumstances, to work out how that fits in with the legal requirements, and to provide a framework that I hope will help them in making sometimes hard decisions.

The resulting paper has now been published by TERENA. As with all my publications, it's not legal advice, but I hope it will be useful guidance and reassurance both to the teams and to Internet users that their interests are being taken care of. Thanks are due to all those who have contributed ideas, suggestions and corrections; any mistakes are mine.