Information leakage of threat intelligence, incident data, and status data can have several legal consequences for organizations. Information leakage can occur due to the misconduct of disgruntled employees or results in by virtue of a nefarious cyber-attack. The underlying sections will take a deep dive into two different scenarios—namely, The Trauma of IP Address Leakage and The Menace of Product Vulnerability Leakage. Understanding these scenarios, you will be able to know how IP address leakage and product vulnerability leakage can affect your company and CSIRT team.
IP address leakage cause an IP address to go public that can further lead to the enormous data breaches. As a last resort, users employ VPN services to thwart IP leakage problems. The loss of information due to an IP address leakage can be an outcome of either internal or external security breaches. Internal security breach incorporates the misconduct of a civil servant or disgruntled employees. When it comes to the external security measures, the role of Computer Security Incident Security Team (CSIRT) has paramount importance. If an external breach occurs due to the cyber-attack, then it will certainly put a question mark on CSIRT performance. It is the prime responsibility of the CSIRT team to investigate and analyze the incidents, create and maintain an Incident Response Plan (IRP), and mitigate the impact of a cyber-attack. The information leakage may pose a grave threat to organizations in terms of penalties and reputational damage. According to Article 33 of GDPR, the information leakage leading to personal data breach will trigger the obligatory notification to a supervisory authority. Once the breach occurs, the CSIRT (or a controller) should immediately report to the supervisory authority, which should not be delayed more than 72 hours. After that, the CSIRT will undertake the responsibility to document data breaches, encompassing the facts with regard to that breaches, their effects, and the countermeasures that should be taken as soon as possible. Having an ample knowledge of Security Information and Event Management (SIEM) is also invaluable for the CSIRT team, which will certainly help them to better respond to cyber-attacks. In addition to GDPR, the information leakage is also addressed in the NIS Directive, the first piece of European Union (EU)-wide cybersecurity legislation. According to the article 14 of this act, the operator of crucial services is the victim of a Distributed Denial of Service (DDoS) attack and apprise the CSIRT of that incident. Moreover, the operator will also share the IP address of a command and control server with the CSIRT in the course of the incident handling process.
A product vulnerability often occurs on the part of the provider or vendor. A security product may incorporate technology or services. The vendor of such technology or services must notify the CSIRT if there is any vulnerability in the product and where information gets leaked. The CSIRT is not allowed to reveal the information about the leak publicly. In fact, the information with regard to a product vulnerability does not relate to a natural person. Rather, it relates to a company. Therefore, data protection laws don’t protect this information. Since a CSIRT and company are affected parties in this scenario, they can sign a Non-Disclosure Agreement (NDA) to share confidential information regarding the product vulnerabilities in IT systems. The CSIRT must keep the information secure if the vulnerability occurs. Otherwise, they will be liable for the leakage. Another possible scenario may include the seeking of indemnification from the employee instead of the CSIRT team. The owner of the information claims damages from the perpetrator. The details and nature of the actions for damages depend heavily on the legal system, which is being applied. Damages can have different categories that include material or immaterial damage and commercial or reputational damage. The legal system also investigates that whether the leakage was due to employee’s negligence or he commits deliberately. The type of damage will help the legal system to decide the extent of the compensation claims.
As a result, it has been realized that the prevention of threat intelligence data, incident response, status data—such as the safeguard of IP address leakage and product vulnerability leakage—is inevitable for organizations, no matter if it’s a misconduct of the employee or a CSIRT team. The leakage of information can create numerous legal issues for both the company and its CSIRT team. NIS Directive and GDPR have strict terms in this regard. To prevent these issues, you must have a viable security solution such as the deployment of an effective SIEM to ensure the security of sensitive information.