The EU-funded H2020 project PROACTIVE led by the UIC Security Division held an online data breach tabletop exercise on 4 March 2021 with members of their Security Advisory Board and External Ethics Advisory Board.
The purpose of the event was to identify preparedness and response tools, strategies and protocols when using the current version of the PROACTIVE online web collaborative platform and mobile app for practitioners.
This was accomplished by first presenting the PROACTIVE system, including a focus on how the PROACTIVE system works with regard to data flows.
Participants were then provided with a fictitious CBRNE scenario that included a data breach from the PROACTIVE system: photos and videos of the incident, among them photos of individuals labelled as migrants or terrorists, were uploaded to the PROACTIVE system and validated by the PROACTIVE system data manager. This data, although never made public, was later found on social media and reproduced by traditional media. Further details included the fact that a law enforcement agent's phone had been stolen.
Based on this, the following aspects were discussed:
- Unauthorised access attacks or non-intentional breaches, which might be partial or complete, including possible physical access and/or informational violations. These could have further implications such as false positives, discrimination and/or misinformation. Other aspects covered were source identification and mitigation, and technical (e.g., automatic alerts) and operational (e.g., identification) response mechanisms.
- The management and mitigation of these issues, including technical and operational response scenarios with automated and human filtering.
Members of the External Ethics Advisory Board stressed that, under these circumstances, data protection law would require LEAs using the tool to communicate the breach to their supervisory authority and the data subjects (the citizens) under certain circumstances.
Members of the Security Advisory Board stressed that units on-site would need information about the potential source of the data breach from the system managers, so that they could then switch off the false data source. In this regard, different options for using the PROACTIVE collaborative web platform and apps to identify the source of the data were proposed. Timely information about the data breach and the data subjects involved is crucial for an effective response. Since system managers should be able to rapidly establish whether the case involves human error, misuse or an intentional attack, participants pointed out that the PROACTIVE system could:
- Include a system to catalogue received information according to the source in some way;
- Use specific tools and protocols for mapping and registering logs to the system to be integrated into the platform;
- Establish data breach communication protocols for a) the data subjects involved, b) supervisory authorities, c) the media. These should be adapted to each type of scenario.
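The following is an added illustration of the first two suggestions above (cataloguing received material by source and keeping a registered log so that a leaked item can be traced back and its source switched off). It is hypothetical example code written for this summary, not code from the PROACTIVE platform; the item, source and manager identifiers, the sample media bytes and the audit event names are all constructed for the example.

```python
"""Provenance catalogue and breach triage for a collaborative incident-reporting
platform (added example; hypothetical, not PROACTIVE project code)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Content fingerprint used to match a leaked copy against catalogued items."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Submission:
    item_id: str
    source_id: str                      # uploading device or account (constructed scheme)
    digest: str                         # SHA-256 of the uploaded media bytes
    subjects: Tuple[str, ...]           # labels attached by the uploader
    validated_by: Optional[str] = None  # data manager who validated the item, if any
    audit: List[Tuple[str, str, str]] = field(default_factory=list)  # (time, event, actor)


class Catalogue:
    """Catalogues every received item by source and keeps an append-only audit trail."""

    def __init__(self) -> None:
        self.items: Dict[str, Submission] = {}
        self.by_digest: Dict[str, str] = {}
        self.disabled_sources: Set[str] = set()

    def _log(self, sub: Submission, event: str, actor: str) -> None:
        sub.audit.append((datetime.now(timezone.utc).isoformat(), event, actor))

    def ingest(self, item_id: str, source_id: str, data: bytes,
               subjects: List[str], actor: Optional[str] = None) -> bool:
        """Register an upload; refuse material from a source that has been switched off."""
        if source_id in self.disabled_sources:
            return False
        sub = Submission(item_id, source_id, sha256_hex(data), tuple(subjects))
        self._log(sub, "upload", actor or source_id)
        self.items[item_id] = sub
        self.by_digest[sub.digest] = item_id
        return True

    def validate(self, item_id: str, manager: str) -> None:
        sub = self.items[item_id]
        sub.validated_by = manager
        self._log(sub, "validated", manager)

    def triage_leak(self, leaked: bytes) -> Optional[dict]:
        """Trace a copy found outside the platform back to its source and its data subjects."""
        item_id = self.by_digest.get(sha256_hex(leaked))
        if item_id is None:
            return None  # not something the platform ever received
        sub = self.items[item_id]
        siblings = [s.item_id for s in self.items.values()
                    if s.source_id == sub.source_id and s.item_id != item_id]
        return {
            "item_id": item_id,
            "source_id": sub.source_id,
            "validated_by": sub.validated_by,
            "subjects": sub.subjects,                   # who must be informed (protocol a)
            "other_items_from_source": sorted(siblings),  # scope of a possible wider breach
            "audit": list(sub.audit),
        }

    def disable_source(self, source_id: str, actor: str) -> List[str]:
        """Switch off a suspect source and record the action on every affected item."""
        self.disabled_sources.add(source_id)
        affected = []
        for sub in self.items.values():
            if sub.source_id == source_id:
                self._log(sub, "source_disabled", actor)
                affected.append(sub.item_id)
        return sorted(affected)


def demo() -> dict:
    """Walk through the scenario: uploads, validation, a leaked copy, triage, switch-off."""
    cat = Catalogue()
    photo1 = b"constructed sample: photo of crowd at station"
    photo2 = b"constructed sample: video of cordon"
    cat.ingest("item-1", "phone-LEA-07", photo1, ["individual", "migrant"])
    cat.ingest("item-2", "phone-LEA-07", photo2, ["scene"])
    cat.ingest("item-3", "phone-LEA-12", b"constructed sample: site map", ["scene"])
    cat.validate("item-1", "data-manager-1")
    report = cat.triage_leak(photo1)            # photo1 is later found on social media
    report["disabled_items"] = cat.disable_source(report["source_id"], "sysadmin")
    report["reingest_allowed"] = cat.ingest("item-4", "phone-LEA-07", b"late upload", ["scene"])
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The digest lookup deliberately ignores the label attached to an item: whether a leaked photo is labelled "migrant" or not, what the system manager needs first is the source it came from and which items share that source, which is what the report returns before anything is switched off.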
The findings from this data breach tabletop exercise will be used to improve the PROACTIVE system, and suggestions from both advisory boards will be implemented in the PROACTIVE online web collaborative platform and mobile apps.