Threat information sharing and GDPR | A lawful activity that protects personal data

Written on 2 Jan 2019

In a white paper prepared for the Financial Services Information Sharing and Analysis Center (FS-ISAC), Mark Taylor and Matthew Sharkey of Osborne Clarke LLP, together with Rick Borden and Josh Mooney of White & Williams LLP, tackle the legality of threat information sharing under GDPR.

The General Data Protection Regulation (GDPR) is intended to protect the fundamental rights of EU data subjects. However, how GDPR intersects with cybersecurity is poorly understood, and that uncertainty could undermine an essential tool in combating cybercrime while also exposing businesses to significant risk.

As cyberattacks continue to increase in number and sophistication, threat information sharing is an essential tool in the cybersecurity arsenal. It may be employed by banks, brokers, insurance carriers, operators of other critical infrastructure and others to identify vulnerabilities and prevent successful cyberattacks from spreading to other organizations. Yet an ironic and unforeseen effect of the GDPR has been to stifle the practice of threat information sharing, in turn increasing the likelihood of successful attacks. Understanding what is shared, and the legitimate interests of the parties who share and process such information, is therefore critical. This white paper explains the purpose and necessity of threat information sharing and why it is a legitimate interest of financial institutions under GDPR.

Read the full white paper.