No Contradiction Between Cyber-Security and Data Protection? Designing a Data Protecton Compliant Incident Response System
Incident Response has become an important component of cybersecurity. The usual security measures are often powerless against new and targeted attacks, also known as IT-Security incidents. Key issues such as information exchange formats and sharing platforms remain on the agenda of the cybersecurity community, especially for incident responders. Incident Response activities require additional processing of personal data, so may themselves create a privacy risk. Current developments towards Incident Response show that systems are increasingly insecure to data breaches, especially due to the massive amounts of personal data and the possibility of linking this data to personal identifiers. Therefore, the joint project ITS.Overview has set itself the goal of creating a detailed overview of IT-Security incidents in different industrial sectors that can be correlated and exchanged among companies to be able to quickly identify cyberattacks.
This article aims to offer an initial assessment of data protection measures using Incident Response management. The key problems in this context are legal and technical barriers. The main factors are the possibility of entering free text in Ticketing Systems and the legal obligations for sharing information under the General Data Protection Regulation (GDPR), as well as lack of interest and, due to trust issues, the fear of sharing information. Furthermore, the conflict between IT-Security on the one hand and informational self-determination on the other hand must be resolved by the technically and legally correct use of Incident Response.