Navigating the Privacy Law Landscape - US and Europe
21 January, 2015
Roberta Anderson, Partner, K&L Gates, Pittsburgh
Data Breach and Notification – a U.S. Perspective
[Chart: World's Biggest Data Breaches & Hacks. Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/]
[Charts: Ponemon Institute LLC, Cost of Data Breach Study: Global Analysis; Global Report on the Cost of Cyber Crime (October 2014)]
Different Types of Notice
Industry-Specific, e.g. HIPAA / HITECH
47 Different State Notification Laws, e.g., Pennsylvania
Business Partners, e.g., New Jersey
Comprehensive Federal Law?
Others, e.g., Regulators, AGs, Consumer Reporting Agencies, Law Enforcement?
Media
Social Media
SEC Filings
[Chart: Ponemon Institute LLC, Cost of Data Breach Study: Global Analysis (May 2014)]
NOTICE REQUIREMENTS
47 different state notification laws, e.g., Pennsylvania.
Business partner notice, e.g., New Jersey:
“Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its New Jersey customers, as provided in subsection a. of this section, of any breach of security of the computerized records immediately following discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.”
NOTICE REQUIREMENTS
SEC Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2 – Cybersecurity (October 2011):
“[A]ppropriate disclosures may include”:
“Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
“To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
“Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
“Risks related to cyber incidents that may remain undetected for an extended period”; and
“Description of relevant insurance coverage.”
Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target,
http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/
“We note your disclosure that an unauthorized party was able to gain access to your computer network ‘in a prior fiscal year.’ So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.”
- SEC staff comment letter on Alion Science and Technology Corp. S-1 filing (March 2014)
Personal Data Breaches and Notifications – a UK perspective
LEGISLATIVE REQUIREMENTS
Directive 95/46/EC transposed into UK law by the Data Protection Act 1998
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. (Part 1(7), Schedule 1 to DPA) – 7th principle.
No prescriptive requirements, unless sector specific regulation.
No “one size fits all” but three principles:
1. Risk assessment – what is appropriate given type of data? Regard to be had to state of technology / implementation cost compared to what harm might result from breach.
2. Reliability of employees
3. Vet your data processors – written contracts
Guidance from regulator (UK Information Commissioner’s Office):
Encryption? Data storage vs. transmission.
International Standard 27001 / Cyber Essentials Scheme.
Anonymisation?
Data Sharing Code of Practice
Internal policies – IT Internet use / data retention and destruction / data security / training
Processes and security protocols – staff vetting and access control
Disposal (CESG approved?) / decommissioning
Software Updates (remedy vulnerabilities) / SQL Injections (high risk)
WHO DO WE NEED TO NOTIFY?
What sector are you in?
PECR 2003 - Notifications only compulsory for “publicly available electronic communication services” – same across all of EU – i.e. telecoms / ISPs. Notify the UK ICO within 24 hours of breach detection.
Other regulated sectors – Gambling Commission / FCA / Public sector.
Everyone else – no legal requirement, but ICO guidance. Should notify if “serious”. Overriding consideration: potential harm to individuals. Can mitigate fines vs danger of over-notifying.
Notify data subjects? Do they need to take steps to protect themselves?
Contractual obligation to notify?
Police / insurers / professional bodies / bank or credit card
UK ICO ENFORCEMENT
Make assessments (re-active or pro-active)
Serving Information Notices / Special Information Notices
Enforcement Notices
Powers of entry, inspection, seizure of documents / equipment
Fines of up to £500,000 – serious breaches
“contravention deliberate or the data controller knew or ought to have known that there was a risk that the contravention would occur, and of a kind likely to cause substantial damage / distress but failed to take reasonable steps to prevent it”. (s.55(A) DPA).
Selective enforcement / limited resources
Individual has a direct right of action and right to compensation
Criminal offences – failure to comply with an Information / Enforcement Notice (Directors can also be prosecuted).
ENFORCEMENT TRENDS
Leading video games provider (Jan 2013)
Network platform subject to several DDoS (“distributed denial of service”) attacks
Hacker accessed customer details and passwords (no cardholder information)
100 million customers thought to be affected.
Data Controller didn’t keep up to date with technical developments.
Didn’t deal with system vulnerabilities even though update available
Didn’t use cryptographic controls for passwords
History of attacks but still used platform to hold vast amounts of personal data
Didn’t react quickly enough
Voluntarily reported (mitigating factor)
£250,000 fine
Internal cost to Data Controller thought to be in region of $171 million.
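Two of the findings above, no cryptographic controls for passwords and failure to keep up with technical developments, map directly onto how a credential store is built. The following is an added example (not from the ICO penalty notice or the slides) using only Python's standard library: passwords are stored as salted PBKDF2-HMAC-SHA256 records, verified in constant time, and transparently re-hashed at next login when the stored work factor falls below the current policy. The record format, the `CURRENT_ITERATIONS` value and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 200_000  # example policy value; raise it as hardware improves
SALT_BYTES = 16


def hash_password(password, iterations=CURRENT_ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per password means two users with the same password
    get different records, and a leaked table cannot be attacked with a single
    precomputed table of hashes.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def _parse_record(record):
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported password record: %s" % algorithm)
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(record, candidate):
    """Recompute the digest with the stored parameters and compare in constant time."""
    iterations, salt, expected = _parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record):
    """True when the stored work factor is below the current policy."""
    iterations, _, _ = _parse_record(record)
    return iterations < CURRENT_ITERATIONS


def login(record, candidate):
    """Verify a login and, if the record is stale, return an upgraded one.

    Returns (ok, new_record). new_record is None unless the password was
    correct and the stored parameters were below policy; the caller persists
    it, so the store migrates to current parameters as users log in.
    """
    if not verify_password(record, candidate):
        return False, None
    if needs_rehash(record):
        return True, hash_password(candidate)
    return True, None


if __name__ == "__main__":
    # Constructed sample: a record written under an older, weaker policy.
    legacy = hash_password("correct horse battery staple", iterations=10_000)
    ok, upgraded = login(legacy, "correct horse battery staple")
    print("login ok:", ok, "| record upgraded:", upgraded is not None)
```

The point of `login` returning an upgraded record is that a controller never has to freeze its parameters at the level chosen on day one: the stored record carries its own algorithm and work factor, so the policy can be raised later and the table migrates itself without forcing password resets.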
Booking agent for travel services (Dec 2012)
SQL Injection attack, allowed hacker to access over 1 million card payment details (half of which were active).
Data Controller ran no penetration tests or vulnerability scans and checks, on the basis that the webserver was not external facing (but it could still be accessed over the internet by individuals with basic technical skills)
No evidence of actual harm / fraud
Voluntarily reported (mitigating factor)
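The ICO guidance above flags SQL injection as high risk, and this case shows why: a web request that reaches the database as unparameterised SQL turns a single-booking lookup into a dump of the whole card table. The following is an added example (not the booking agent's code or anything from the ICO notice) in Python with an in-memory SQLite database: the vulnerable lookup builds its query by string formatting, the hardened one passes the booking reference as a bound parameter. The table, column names and sample rows are constructed for the example; the card numbers are industry test numbers, not real cards.

```python
import sqlite3

# Constructed sample data for the example; PANs are test numbers, not real cards.
SAMPLE_BOOKINGS = [
    ("BK-1001", "A. Traveller", "4111111111111111"),
    ("BK-1002", "B. Traveller", "5500000000000004"),
    ("BK-1003", "C. Traveller", "340000000000009"),
]

# A classic payload: closes the quoted literal and appends an always-true clause.
INJECTION_PAYLOAD = "x' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (ref TEXT PRIMARY KEY, customer TEXT, card_pan TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)", SAMPLE_BOOKINGS)
    return conn


def lookup_vulnerable(conn, booking_ref):
    """Before: the user-supplied reference is spliced into the SQL text.

    With INJECTION_PAYLOAD the statement becomes
        ... WHERE ref = 'x' OR '1'='1'
    and every row in the table is returned.
    """
    sql = "SELECT ref, customer, card_pan FROM bookings WHERE ref = '%s'" % booking_ref
    return conn.execute(sql).fetchall()


def lookup_safe(conn, booking_ref):
    """After: the reference is bound as a parameter, so it is only ever compared
    as a value; the same payload matches nothing."""
    sql = "SELECT ref, customer, card_pan FROM bookings WHERE ref = ?"
    return conn.execute(sql, (booking_ref,)).fetchall()


def rows_exposed(lookup, booking_ref):
    """Number of card records a single request with this input returns."""
    return len(lookup(make_db(), booking_ref))


if __name__ == "__main__":
    print("legit ref, vulnerable:", rows_exposed(lookup_vulnerable, "BK-1002"))
    print("payload,   vulnerable:", rows_exposed(lookup_vulnerable, INJECTION_PAYLOAD))
    print("payload,   safe      :", rows_exposed(lookup_safe, INJECTION_PAYLOAD))
```

Parameterisation closes this class of defect at the source. The other lesson of the case is procedural: a vulnerability scan or penetration test run against the "non-external-facing" server would have exercised exactly the payload shown here and found the problem before an attacker did.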
[Chart: ICO data breach trends, July – Sept 2014. Source: https://ico.org.uk/action-weve-taken/data-breach-trends/]
FUTURE DEVELOPMENTS
Nov 2011 - Cyber Security Strategy produced. Set agenda until 2015/16. Set up National Cyber Security Programme (NCSP) with £860 million funding over five years. Falls under supervision of Cabinet Office. Published progress against objectives in Dec 2014.
September 2012 - BIS issued guidance for companies
CESG (information security arm of GCHQ) - 80% of known attacks defeated by basic security practices
CERT-UK set up on 31 March 2014 to take the lead in coordinating the management of national cyber security incidents and will act as the UK central contact point for international counterparts in this field – as will be required under upcoming European Cyber-Security Directive.
5 Jun 2014 - Cyber Essentials scheme launched – draws on ISO 27000-series guidance. Certification demonstrates that industry-minimum cyber security measures have been adopted.
From 1 October 2014, the government will require certain suppliers bidding for certain information handling contracts to be Cyber Essentials certified.
No UK specific legislation on horizon – but watch out for European Data Protection Regulation and Network and Information Security Directive.
Personal Data Breaches and Notifications – a German perspective
LEGISLATIVE REQUIREMENTS
Directive 95/46/EC transposed into German law by the Federal Data Protection Act (BDSG)
Sect. 9 / Annex 1 to sec. 9 BDSG requires data processors/controllers to implement adequate technical and organisational measures for data security, in particular:
1. Access control:
Preventing unauthorised persons gaining access to data processing systems; preventing data processing systems from being used without authorisation; ensuring that authorised persons can only access data they are authorised to access.
2. Disclosure control:
Ensuring that data cannot be read, copied, etc. during electronic transfer or recording; ensuring transparency which bodies data will be transferred to.
3. Input control:
Ensuring possibility to trace alteration or deletion of data.
4. Job control:
Ensuring in case of commissioned data processing compliance with the controllers instructions
5. Availability control:
Ensuring that personal data are protected against accidental destruction or loss.
WHEN DO WE NEED TO NOTIFY TO DATA PROTECTION AUTHORITY (DPA) AND INFORM DATA SUBJECT?
Unlawful disclosure of special categories of personal data (e.g. ethnic heritage, religious beliefs, data referring to criminal offences or subject to professional secrecy)
Threatening serious harm to the rights or legitimate interests of data subjects
General notification obligation to DPA and Data Subject, applicable to all private bodies and certain public bodies (Sect. 42a BDSG):
Information to DPA: without undue delay; nature of the disclosure and possible harmful consequences.
Information to Data Subject: without undue delay, as soon as data is secured and criminal investigation is not endangered.
ENFORCEMENT BY THE DPAS IN GERMANY
German DPAs may (Sect. 38 BDSG):
Monitor the implementation of the BDSG and other provisions on data protection matters, including the right to request information from processors and the right to enter property and premises for inspections
Notify data subjects in case of violation and report to prosecution authorities
Order measures to remedy violations (e.g. prohibiting data processing)
Impose fines of up to EUR 300,000 in case of intentional or negligent violation of certain provisions of the BDSG or other regulations on data protection (Sect. 43 BDSG)
ENFORCEMENT TRENDS
There still is no common code of practice among DPAs, which leads to varying practices in different German states (“Länder”).
In the past, German DPAs were not very strict in enforcing data protection laws by raising fines.
Example 1: Google StreetView (2008-2010):
Google provides panorama pictures for ‘Street View’
While taking these pictures, surrounding WiFi data were scanned accidentally
Competent DPA (Hamburg) raised fine of EUR 145,000
Example 2: AOL Server Breakdown (2014):
Server Breakdown caused a leak of 500,000 user access data sets
Stolen data was used for spam-mail wave
Provider did not notify breach to DPA but informed users
NUMBERS AND TABLES
No absolute numbers on breaches and notifications; all DPAs are obliged to publish data protection reports, but they vary and can hardly be compared
Statement of Federal Commissioner for Data Protection:
March 2011 – October 2013: 501 notifications in total
TelCom Sector:
2012: 27 notifications
FUTURE DEVELOPMENTS
Federal Commissioner for Data Protection
endorses stricter enforcement of data protection,
especially in the telecommunications sector
Legislative framework:
Draft version of a German Regulation for IT-Security
Personal Data Breaches and Notifications – the French perspective
LEGISLATIVE REQUIREMENTS
Directive 95/46/EC implemented in August 2004 into the French Data Protection Act of 1978
Directive 2009/136/EC “ePrivacy” – data breach requirements implemented in August 2011 (Ordonnance 2011-1012)
“Breach of personal data” - The French definition and scope
Any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure or unauthorised access to personal data processed in the context of providing electronic communication services to the public.
Data breach notifications are only required from telco operators and internet access providers
For any breach of personal data processed “by electronic communication service providers operating electronic communication networks with open public access.”
LEGISLATIVE REQUIREMENTS
Two categories of notifications
1. To the French DPA
Within 24 hours of effective knowledge, through an electronic procedure, whatever the potential impact of the breach of personal data: notify at least the existence of the breach.
Within 72 hours of effective knowledge, through an electronic procedure, describing the breach in detail:
Categories of data breached,
Origin, specificities and duration of the breach,
Security measures and patches implemented,
Potential impact on the privacy of the “affected parties”,
Spontaneous information of the “affected parties”.
LEGISLATIVE REQUIREMENTS
Two categories of notifications
2. To the “affected parties”
If the breach is likely to compromise the security of personal data or the privacy of a subscriber or any other individual.
Unless the French DPA has found that appropriate protection measures have been implemented by the service provider to ensure that the personal data are made undecipherable to any unauthorised individual, and that those measures were applied to the data affected by the breach.
Failing this, the French DPA may serve the service provider with a formal notice to inform the “affected parties” as well, after investigating the severity of the breach.
LEGISLATIVE REQUIREMENTS
Recording of all breaches
Each provider of electronic communication services must keep, and make available to the French DPA upon request, an updated record of all breaches of personal data, listing the conditions, effects and measures taken as remedies.
ANALYSIS PERFORMED BY THE FRENCH DPA
The DPA has up to two months to:
Consider the potential impacts of the breach on data
security and privacy protection;
Estimate whether security measures implemented
before the breach were appropriate;
Evaluate whether information measures taken
ENFORCEMENT
The DPA may:
Require the company (Telcos and ISPs) to inform
“affected parties” or the general public.
Apply any administrative fine up to €150,000
After an adversarial public or closed procedure where the
company may be assisted by its counsel.
Publish a description of the breach:
on its website, or
on any appropriate medium at the company’s expense.
Publish whole or part of the ruling against the company
on its website, or
ENFORCEMENT
As of now:
7 condemnations in 2013
29 condemnations in 2014
Fines between €20,000 and €100,000 (max.)
The French DPA has almost systematically been publishing its rulings regarding data breaches
During 2015:
A draft bill will be discussed starting June 2015:
extending data breach notification requirements to any data
controller or processor, in any sector (public or private)
providing for penalties up to:
€1,000,000, or
2% of the global annual turnover, whichever the highest.
New Draft EU Data Protection Regulation – Mandatory Data Breach Notification
INTRODUCTION
Draft EU Data Protection Regulation
COM(2012)0011 – C7-0025/2012 – 2012/0011(COD); draft version published by Commission in 2012, adopted by European Parliament in March 2014; shall replace the Data Protection Directive 95/46/EC
What are the goals ?
Protection of individuals with regard to the processing of personal data
Free movement of personal data
Protection of the fundamental rights and freedoms of natural persons
Details: transfer of personal data to third countries or international organisations; mandatory data protection officer; role of independent supervisory authorities; co-operation and consistency; remedies, liability and sanctions
THE "DATA BREACH" REGULATION
Commission Regulation (EU) No 611/2013
“Electronic communications service providers” must report any personal data breach to the relevant national data protection authorities and, as the case may be, to the data subjects themselves.
The notification requirement targets Internet service providers and telco operators. Email service providers are not impacted… yet.
The draft Privacy Regulation will extend data breach notification to any controller (expected in 2016)
Non-compliance with the notification requirement is subject to
MANDATORY NOTIFICATION OBLIGATION - DETAILS
Notification to the supervisory authority:
Who has to notify? All controllers and processors
To whom? Controllers to the competent DPA; processors to the controller
Reason? Personal data breach
When? Without undue delay and, where feasible, not later than 24 hours after having become aware of the breach
What? Nature and consequences of the breach, contact information, measures to mitigate possible adverse effects
Communication to the data subject:
Who has to communicate? All controllers
To whom? The data subject
Reason? The personal data breach is likely to adversely affect the protection of personal data or the privacy of the data subject
What? Nature of the breach and measures to mitigate the possible adverse effects
When? After notification to the DPA, without undue delay