Threat Information Sharing and GDPR: A Lawful Activity that Protects Personal Data
Partner and Chief Privacy Officer Rick Borden and Partner and Co-Chair of the Cyber Law and Data Protection Group Josh Mooney, together with Mark Taylor and Matthew Sharkey of Osborne Clarke LLP, tackle the legality of threat information sharing under GDPR in a white paper prepared for the Financial Services Information Sharing and Analysis Center.
The General Data Protection Regulation (GDPR) is intended to protect the fundamental rights of EU data subjects. However, how GDPR intersects with cybersecurity is little understood, which in turn could undermine an essential tool in combating cybercrime. It also poses significant risks to businesses.
As cyberattacks continue to increase in number and sophistication, threat information sharing is an essential tool in the cybersecurity arsenal. It may be employed by banks, brokers, insurance carriers, operators of other critical infrastructure and others to identify vulnerabilities and prevent successful cyberattacks from spreading to other organizations. Yet an ironic and unforeseen effect of GDPR has been to stifle the practice of threat information sharing, in turn increasing the threat of successful attacks. Thus, understanding what is shared, and the legitimate interests of the parties who share and process such information, is critical. This white paper explains the purpose and necessity of threat information sharing and why it is a legitimate interest of financial institutions under GDPR.