
Threat Information Sharing and GDPR: A Lawful Activity that Protects Personal Data

Fall 2018
By: White and Williams LLP and Osborne Clarke LLP

Partner and Chief Privacy Officer Rick Borden and Partner and Co-Chair of the Cyber Law and Data Protection Group Josh Mooney, together with Mark Taylor and Matthew Sharkey of Osborne Clarke LLP, tackle the legality of threat information sharing under GDPR in a white paper prepared for the Financial Services Information Sharing and Analysis Center.

The General Data Protection Regulation (GDPR) is intended to protect the fundamental rights of EU data subjects. However, how GDPR intersects with cybersecurity is little understood, which, in turn, could undermine an essential tool in combating cybercrime. It also poses significant risks to businesses.

As cyberattacks continue to increase in number and sophistication, threat information sharing is an essential tool in a cybersecurity arsenal. It may be employed by banks, brokers, insurance carriers, other areas of critical infrastructure and more to identify vulnerabilities and prevent the spread of successful cyberattacks to other organizations. Yet, an ironic and unforeseen effect of the GDPR has been to stifle the practice of threat information sharing, in turn increasing the threat of successful attacks. Thus, understanding what is shared and the legitimate interests of the parties who share and process such information is critical. This white paper explains the purpose and necessity of threat information sharing and why it is a legitimate interest of financial institutions under GDPR.

Read the full white paper.

This correspondence should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult a lawyer concerning your own situation and legal questions.