
(1)

Navigating the Privacy Law Landscape - US and Europe

21 January, 2015

Roberta Anderson, Partner, K&L Gates, Pittsburgh

(2)

Data Breach and Notification – a U.S. Perspective

(3)
(4)

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

(5)

Source: Ponemon Institute LLC, Cost of Data Breach Study: Global Analysis

(6)

Source: Ponemon Institute LLC, Global Report on the Cost of Cyber Crime (October 2014)

(7)

Different Types of Notice

• Industry-specific, e.g. HIPAA / HITECH
• 47 different state notification laws, e.g. Pennsylvania
• Business partners, e.g. New Jersey
• Comprehensive federal law?
• Others, e.g. regulators, AGs, consumer reporting agencies, law enforcement?
• Media
• Social media
• SEC filings

(8)

NOTICE REQUIREMENTS

Source: Ponemon Institute LLC, Cost of Data Breach Study: Global Analysis (May 2014)

(9)


(10)


• 47 different state notification laws, e.g., Pennsylvania

(11)

NOTICE REQUIREMENTS – New Jersey (notice by businesses holding records on behalf of others)

“Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its New Jersey customers, as provided in subsection a. of this section, of any breach of security of the computerized records immediately following discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.”

(12)


(13)
(14)


(15)
(16)

SEC Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2, Cybersecurity (October 2011):

• “[A]ppropriate disclosures may include”:
  • “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
  • “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
  • “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
  • “Risks related to cyber incidents that may remain undetected for an extended period”; and
  • “Description of relevant insurance coverage.”

Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target,

http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/

(17)

“We note your disclosure that an unauthorized party was able to gain access to your computer network ‘in a prior fiscal year.’ So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.”

- SEC comment letter on Alion Science and Technology Corp. S-1 filing (March 2014)

(18)

Personal Data Breaches and Notifications – a UK perspective

(19)

LEGISLATIVE REQUIREMENTS

• Directive 95/46/EC transposed into UK law by the Data Protection Act 1998

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” (Part 1(7), Schedule 1 to DPA) – 7th principle.

• No prescriptive requirements, unless sector-specific regulation applies.

• No “one size fits all”, but three principles:
  1. Risk assessment – what is appropriate given the type of data? Regard to be had to the state of technology and cost of implementation, compared with the harm that might result from a breach.
  2. Reliability of employees
  3. Vet your data processors – written contracts

• Guidance from the regulator (UK Information Commissioner’s Office):
  • Encryption? Data storage vs. transmission.
  • International Standard 27001 / Cyber Essentials Scheme.
  • Anonymisation?
  • Data Sharing Code of Practice
  • Internal policies – IT / Internet use, data retention and destruction, data security, training
  • Processes and security protocols – staff vetting and access control
  • Disposal (CESG approved?) / decommissioning
  • Software updates (remedy vulnerabilities) / SQL injection (high risk)

(20)

WHO DO WE NEED TO NOTIFY?

What sector are you in?

PECR 2003 – notification only compulsory for providers of “publicly available electronic communications services” (same across the EU, i.e. telecoms operators / ISPs): notify the UK ICO within 24 hours of breach detection.

Other regulated sectors – Gambling Commission / FCA / public sector.

Everyone else – no legal requirement, but ICO guidance: should notify if “serious”. Overriding consideration: potential harm to individuals. Notifying can mitigate fines, to be weighed against the danger of over-notifying.

• Notify data subjects? Do they need to take steps to protect themselves?
• Contractual obligation to notify?
• Police / insurers / professional bodies / bank or card provider

(21)

UK ICO ENFORCEMENT

Make assessments (re-active or pro-active)

Serving Information Notices / Special Information Notices

Enforcement Notices

Powers of entry, inspection, seizure of documents / equipment

Fines of up to £500,000 – serious breaches

“contravention deliberate or the data controller knew or ought to have known that there was a risk that the contravention would occur, and of a kind likely to cause substantial damage / distress but failed to take reasonable steps to prevent it”. (s.55(A) DPA).

Selective enforcement / limited resources

Individual has a direct right of action and right to compensation

Criminal offences – failure to comply with an Information / Enforcement Notice (Directors can also be prosecuted).

(22)

ENFORCEMENT TRENDS

Leading video games provider (Jan 2013)

Network platform subject to several DDoS (“distributed denial of service”) attacks

Hackers accessed customer details and passwords (no cardholder information)

100 million customers thought to be affected.

Data Controller did not keep up to date with technical developments.

Did not deal with system vulnerabilities even though an update was available

Did not use cryptographic controls for passwords

History of attacks, but still used the platform to hold vast amounts of personal data

Did not react quickly enough

Voluntarily reported (mitigating factor)

£250,000 fine

Internal cost to Data Controller thought to be in the region of $171 million.
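The finding that passwords were held without cryptographic controls is the one in this case most often misread as “encrypt the password database”. The following is an added example, not part of the K&L Gates deck and not the provider's code, showing the control a regulator expects instead: a per-user random salt and a deliberately slow one-way hash (PBKDF2-HMAC-SHA256 from Python's standard library) with constant-time verification, beside the unsalted fast digest that lets two accounts sharing a password be recognised without cracking either. The function names, iteration count and sample accounts are this example's own assumptions.

```python
"""Added example, not from the original deck: password storage with and without
cryptographic controls. All names and sample values are constructed here."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
# Assumed work factor, in line with current OWASP guidance for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def unsalted_digest(password: str) -> str:
    # The weak pattern: a fast, unsalted hash. Identical passwords give identical
    # digests, so one precomputed table cracks every account that shares a password.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    # The expected control: per-user random salt plus a deliberately slow KDF.
    # Stored as algo$iterations$salt$digest so the parameters travel with the hash.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    # Recompute with the stored salt and iteration count; compare in constant time
    # so timing does not reveal how many leading bytes matched.
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def same_password_detectable(records: dict) -> bool:
    # True if two stored values coincide, i.e. an attacker holding the table can
    # tell that two accounts share a password without cracking either one.
    values = list(records.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    # Constructed sample accounts; two of them deliberately share a password.
    users = {"alice": "Winter2014!", "bob": "Winter2014!", "carol": "correct horse battery"}
    weak = {u: unsalted_digest(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    print("unsalted store reveals shared passwords:", same_password_detectable(weak))
    print("salted PBKDF2 store reveals shared passwords:", same_password_detectable(strong))
    print("login check for alice:", verify_password("Winter2014!", strong["alice"]))
```

The iteration count is the tunable: it should be raised over time as hardware improves, which is why it is stored alongside each hash rather than hard-coded into the verifier.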

Booking agent for travel services (Dec 2012)

SQL injection attack allowed a hacker to access over 1 million card payment details (half of which were active).

Data Controller ran no penetration tests or vulnerability scans and checks, on the basis that the web server was not external facing (but it could still be accessed over the internet by individuals with basic technical skills)

No evidence of actual harm / fraud

Voluntarily reported (mitigating factor)
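The booking-agent case turned on one defect class, and the ICO guidance listed earlier flags the same class as high risk. The following is an added example, not part of the deck and not the agent's code, reproducing that defect against an in-memory SQLite table of constructed card records: the string-built query beside its parameterised replacement, plus the kind of one-line injection probe that the case says was never run. The schema, column and function names, payload and sample data are this example's own assumptions.

```python
"""Added example, not from the original deck: the SQL injection defect class behind
the booking-agent case, with the parameterised fix and a minimal probe. Schema,
data and function names are constructed for illustration."""
import sqlite3

# Constructed stand-in for a payment-card table; the PANs are standard test numbers.
SAMPLE_CARDS = [
    ("alice", "4111111111111111", "active"),
    ("bob", "5500000000000004", "expired"),
    ("carol", "340000000000009", "active"),
]

# Classic tautology payload: closes the string literal and appends an always-true clause.
INJECTION = "x' OR '1'='1"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, pan TEXT, status TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", SAMPLE_CARDS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    # Untrusted input spliced into the statement text: the injectable pattern.
    sql = f"SELECT customer, pan FROM cards WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, customer: str) -> list:
    # Bound parameter: the value travels separately from the statement, so a quote
    # inside it can never terminate the literal or add a clause.
    sql = "SELECT customer, pan FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def probe_for_injection(conn: sqlite3.Connection, lookup) -> bool:
    # The check the case says was never run. A lookup for a customer that does not
    # exist must return nothing; if the tautology payload returns more rows than
    # that baseline, the query is injectable, whatever network the server sits on.
    baseline = lookup(conn, "no-such-customer")
    return len(lookup(conn, INJECTION)) > len(baseline)


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, normal input:", lookup_vulnerable(conn, "alice"))
    print("vulnerable, injected    :", lookup_vulnerable(conn, INJECTION))  # every row
    print("safe, injected          :", lookup_safe(conn, INJECTION))        # no rows
    print("probe vulnerable:", probe_for_injection(conn, lookup_vulnerable))
    print("probe safe      :", probe_for_injection(conn, lookup_safe))
```

The probe is deliberately crude; real scanners vary payloads and look at timing and error behaviour as well. Its point here is that the "not external facing" reasoning in the case is irrelevant to the defect: the query is injectable from wherever it can be reached.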

(23)
(24)

[Figure: ICO data breach trends, July – Sept 2014]

Source: https://ico.org.uk/action-weve-taken/data-breach-trends/

(25)

FUTURE DEVELOPMENTS

• Nov 2011 – Cyber Security Strategy produced. Set the agenda until 2015/16. Set up the National Cyber Security Programme (NCSP) with £860 million funding over five years. Falls under supervision of the Cabinet Office. Progress against objectives published in Dec 2014.

• September 2012 – BIS issued guidance for companies.

• CESG (information security arm of GCHQ) – 80% of known attacks defeated by basic security practices.

• CERT-UK set up on 31 March 2014 to take the lead in coordinating the management of national cyber security incidents and to act as the UK central contact point for international counterparts, as will be required under the upcoming European Network and Information Security Directive.

• 5 Jun 2014 – Cyber Essentials scheme launched, a UK government standard drawing on the ISO 27000 series. Certification demonstrates that industry-minimum cyber security measures have been adopted. From 1 October 2014, the government requires certain suppliers bidding for certain information-handling contracts to be Cyber Essentials certified.

• No UK-specific legislation on the horizon, but watch out for the European Data Protection Regulation and the Network and Information Security Directive.

(26)

Personal Data Breaches and Notifications – a German perspective

(27)

LEGISLATIVE REQUIREMENTS

• Directive 95/46/EC transposed into German law by the Federal Data Protection Act (BDSG)

• Sect. 9 / Annex to Sect. 9 BDSG requires controllers and processors to implement adequate technical and organisational measures for data security, in particular:
  1. Access control: preventing unauthorised persons gaining access to data processing systems; preventing data processing systems from being used without authorisation; ensuring that authorised persons can only access data they are authorised to access.
  2. Disclosure control: ensuring that data cannot be read, copied, etc. during electronic transfer or recording; ensuring transparency as to which bodies data will be transferred to.
  3. Input control: ensuring the possibility to trace alteration or deletion of data.
  4. Job control: ensuring, in the case of commissioned data processing, compliance with the controller’s instructions.
  5. Availability control:

(28)

WHEN DO WE NEED TO NOTIFY THE DATA PROTECTION AUTHORITY (DPA) AND INFORM THE DATA SUBJECT?

• General notification obligation to the DPA and the data subject, applicable to all private bodies and certain public bodies (Sect. 42a BDSG), triggered where both of the following are met:
  • Unlawful disclosure of special categories of personal data (e.g. ethnic heritage, religious beliefs, data referring to criminal offences or subject to professional secrecy), and
  • Threatening serious harm to the rights or legitimate interests of data subjects.

• Information to DPA:
  • Without undue delay
  • Nature of the disclosure and possible harmful consequences

• Information to data subject:
  • Without undue delay, as soon as the data is secured and the criminal investigation is not endangered

(29)

ENFORCEMENT BY THE DPAs IN GERMANY

German DPAs may (Sect. 38 BDSG):

• Monitor the implementation of the BDSG and other provisions on data protection matters, including:
  • Right to request information from controllers and processors, and
  • Right to enter property and premises for inspections
• Notify data subjects in case of violation and report to prosecution authorities
• Order measures to remedy violations (e.g. prohibiting data processing)
• Impose fines of up to EUR 300,000 in case of intentional or negligent violation of certain provisions of the BDSG or other regulations on data protection (Sect. 43 BDSG)

(30)

ENFORCEMENT TRENDS

There is still no common code of practice among DPAs, which leads to varying practices in the different German states (“Länder”).

In the past, German DPAs were not very strict in enforcing data protection laws by imposing fines.

Example 1: Google Street View (2008–2010):
• Google provides panorama pictures for ‘Street View’
• While taking these pictures, surrounding WiFi data were captured accidentally
• Competent DPA (Hamburg) imposed a fine of EUR 145,000

Example 2: AOL server incident (2014):
• The incident leaked 500,000 sets of user access data
• Stolen data was used for a spam-mail wave
• Provider did not notify the breach to the DPA but informed users

(31)

NUMBERS AND TABLES

No absolute numbers on breaches and notifications; all DPAs are obliged to publish data protection reports, but they vary and can hardly be compared.

Statement of the Federal Commissioner for Data Protection: March 2011 – October 2013: 501 notifications in total.

Telecoms sector: 2012: 27 notifications.

(32)

FUTURE DEVELOPMENTS

Federal Commissioner for Data Protection endorses stricter enforcement of data protection, especially in the telecommunications sector.

Legislative framework: draft German IT Security Act (IT-Sicherheitsgesetz).

(33)

Personal Data Breaches and Notifications

The French perspective

(34)

LEGISLATIVE REQUIREMENTS

Directive 95/46/EC implemented in August 2004 into the French Data Protection Act of 1978

Directive 2009/136/EC (amending the “ePrivacy” Directive 2002/58/EC), introducing the data breach requirements, transposed in August 2011

• “Breach of personal data” – the French definition and scope
  • Any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure of, or unauthorised access to, personal data processed in the context of providing electronic communication services to the public.
  • Data breach notifications are only required from telecoms operators and internet access providers, for any breach of personal data processed “by electronic communication service providers operating electronic communication networks with open public access.”

(35)

LEGISLATIVE REQUIREMENTS

• Two categories of notifications

1. To the French DPA
  • Within 24 hours of effective knowledge, through an electronic procedure, whatever the potential impact of the breach of personal data: notify at least the existence of the breach
  • Within 72 hours of effective knowledge, through an electronic procedure, describing the breach in detail:
    • Categories of data breached
    • Origin, specificities and duration of the breach
    • Security measures and patches implemented
    • Potential impact on the privacy of the “affected parties”
    • Spontaneous information of the “affected parties”

(36)

LEGISLATIVE REQUIREMENTS

• Two categories of notifications

2. To the “affected parties”
  • If the breach is likely to compromise personal data security or the privacy of a subscriber or any other individual.
  • Unless the French DPA has found that appropriate protection measures have been implemented by the service provider to ensure that the personal data are made undecipherable to any unauthorised individual, and that these measures were applied to the data affected by the breach.
  • Failing this, the French DPA may serve the service provider with a formal notice to inform the “affected parties” as well, after investigating the severity of the breach.

(37)

LEGISLATIVE REQUIREMENTS

• Recording of all breaches

Each provider of electronic communication services must keep, and make available to the French DPA upon request, an updated record of all breaches of personal data, listing the conditions, effects and remedial measures taken.

(38)

ANALYSIS PERFORMED BY THE FRENCH DPA

The DPA has up to two months to:

• Consider the potential impacts of the breach on data security and privacy protection;
• Estimate whether the security measures implemented before the breach were appropriate;
• Evaluate whether information measures taken

(39)

ENFORCEMENT

The DPA may:

• Require the company (telcos and ISPs) to inform “affected parties” or the general public.
• Apply an administrative fine of up to €150,000
  • After an adversarial public or closed procedure in which the company may be assisted by its counsel.
• Publish a description of the breach:
  • on its website, or
  • on any appropriate medium at the company’s expense.
• Publish the whole or part of the ruling against the company
  • on its website, or

(40)

ENFORCEMENT

As of now:

• 7 sanction decisions in 2013
• 29 sanction decisions in 2014
• Fines between €20,000 and €100,000 (max.)
• The French DPA has almost systematically published its rulings regarding data breaches

During 2015:

A draft bill will be discussed starting June 2015:
• extending data breach notification requirements to any data controller or processor, in any sector (public or private)
• providing for penalties up to:
  • €1,000,000, or
  • 2% of global annual turnover, whichever is higher.

(41)

New Draft EU Data Protection Regulation – Mandatory Data Breach Notification

(42)

INTRODUCTION

Draft EU Data Protection Regulation

COM(2012)0011 – C7-0025/2012 – 2012/0011(COD); draft version published by Commission in 2012, adopted by European Parliament in March 2014; shall replace the Data Protection Directive 95/46/EC

What are the goals?

• Protection of individuals with regard to the processing of personal data
• Free movement of personal data
• Protection of the fundamental rights and freedoms of natural persons

Details: transfer of personal data to third countries or international organisations; mandatory data protection officer; role of independent supervisory authorities; co-operation and consistency; remedies, liability and sanctions

(43)

THE “DATA BREACH” REGULATION – Regulation (EU) No 611/2013

“Electronic communications service providers” must report any personal data breach to the relevant national data protection authorities and, as the case may be, to the data subjects themselves.

• The notification requirement targets internet service providers and telecoms operators. Email service providers are not impacted… yet.
• The draft Data Protection Regulation will extend data breach notification to any controller (expected in 2016)
• Non-compliance with the notification requirement is subject to

(44)

MANDATORY NOTIFICATION OBLIGATION -

DETAILS

Notification to the DPA
• Who has to notify? All controllers; processors alert and inform the controller
• To whom? Controllers to the competent DPA; processors to the controller
• Reason? Personal data breach

Communication to the data subject
• Who has to communicate? All controllers
• To whom? The data subject
• Reason? The personal data breach is likely to adversely affect the protection of the personal data or the privacy of the data subject

(45)

MANDATORY NOTIFICATION OBLIGATION -

DETAILS

• When must the DPA be notified? Without undue delay and, where feasible, not later than 24 hours after having become aware of the breach
• What has to be notified? Nature and consequences of the breach, contact information, measures to mitigate possible adverse effects
• What has to be communicated to the data subject? Nature of the breach and measures to mitigate the possible adverse effects
• When must it be communicated? After notification to the DPA, without undue delay

(46)

ENFORCEMENT

Competent supervisory authority may sanction administrative offences

Amount of fine shall depend on the technical and organisational measures implemented and on the collaboration with the supervisory authority

Fine can be fixed up to EUR 100,000,000 or 5% of annual worldwide turnover, whichever is higher

(47)

Next Cyber Risk webinar

Insuring against Cyber Risks: What are the options, and how can you maximize coverage?

25 February 2015

(48)
