Data Breach Notification Duty. Dr. Elisabeth Thole 31 October 2015 UIA Valencia

Transcription

1 Data Breach Notification Duty Dr. Elisabeth Thole 31 October 2015 UIA Valencia

2 Van Doorne 2 How is your cyber crime awareness? Either you have been data breached or you just do not know that you have been data breached.

3 Van Doorne 3 Examples (I) Target Breach of its point-of-sale terminals Credit card compromised Settlement with VISA

4 Van Doorne 4 Examples (II) Hackers have stolen the customer data of Ashley Madison - including s, names, home addresses, credit card information and even their sexual fantasies - and posted these data online.

5 Van Doorne 5 Examples of data breaches The encrypted laptop of an employee has been stolen from the boot of his car. All the details of financial assessments of the data subjects were affected. The encryption key, the passphrase, is not compromised, but no backup is available. Personal data was unduly accessed on the server. The data subjects were identified by name and address, and the completed history of debt collection was included.

6 Van Doorne 6 Data Breach - Causes Human errors (too simple passwords / attaching wrong files) Technical failures (ICT errors) Criminal actions (cyber crime, hacking, identity fraud)

7 Van Doorne 7 Damages and Costs Damaged reputation Notification costs Forensic investigation costs Reparation costs Legal costs Interruption business activities Profit losses Fines The average costs per security incident for a large organization are EUR 843K 1,6 mio, and for a SME EUR 91K 162K (Report Information Security Breaches Overview; UK Department for Business Innovation & Skills, 2014).

8 Van Doorne 8 Legal Framework Directive 95/46 - Proposed General Data Protection Regulation Directive 2002/58 - amended in 2009/136 Regulation on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy and electronic communications Cybercrime Directive NIS Directive In the Netherlands: State Gazette 2015, 230 and 2015, 281 Amending the Dutch Data Protection Act and the Dutch Telecommunications Act (per 1 January 2016) Article 29 Working Party (WP 213)

9 Van Doorne 9 Security obligations / Agreements appropiate technical and organisational measures. The state of the art, the costs of implementation, the risks associated with the processing and the nature of the personal data to be protected, Guidelines of local data protection authority Action: Review the security measures and status of the systems on a regular basis. Action: Ensure that the data processing agreements take into account the applicable notification requirements.

10 Van Doorne 10 The Netherlands Data Breach Notification Duty 1 January 2016 Notification of breach of security of personal data Notification to: College Bescherming Persoonsgegevens / new name: Autoriteit Persoonsgegevens and /or data subject(s)

11 Van Doorne 11 Who should notify? All data controllers that fall under the scope of the Dutch DPA Relevance for data processor(s)? Possible data breaches: Within the organisation of the data controller(s); joint or differentiated controllership Within the organisation of a data processor Action: Check to which entities the notification duty applies.

12 Van Doorne 12 When, to whom, and how? DPA: without undue delay and/or any data security breaches that have or are likely to have serious adverse consequences for the protection of personal data. Data subject(s): without undue delay if the breach reasonably is likely to have a negative impact on the data subject's privacy

13 Van Doorne 13 How should data breaches be reported? The notification is form free, but further rules can be adopted. The DPA will come with a web form, where it concerns the notification to the DPA. How to transmit the form? Language? Confirmation of receipt? Notification to data subject(s): by letter, , website, newspaper? Draft DPA Guidelines for the data breach notification duties Action: Check who will be involved in the handling of the notification (incident team)/ Who will be authorized to perform the notification (power of attorney).

14 Van Doorne 14 Internal Data Breach Register Maintain an internal data breach register recording all security breaches that have been notified to the DPA: information about the breach, mitigating measures, and the text of notifications to the individuals affected. Self- learning effect? Language? There is no obligation to make this register public Role of the DPA. Actions: Check how and where such register will be implemented, who may have access to the register. Check the role of the Data Protection Officer.

15 Van Doorne 15 Enforcement DPA and Sanctions Draft DPA Guidelines on Fining Policy Rules 22 October 2015 DPA: on request of the data subject, a third party or on its own initiative. Proactive or reactive: Investigation powers. Ask for additional information, request documents and copy these. Coercive administrative action or impose an incremental penalty. Administrative fines: maximum fine of EUR 810,000 (or more), or 10% of net annual turnover from the previous year; Only after binding instruction of DPA, unless the violation has been committed intentionally or is due to serious culpable negligence: a tit-for-tat policy.

16 Van Doorne 16 The Incident Road Map Three phases Pre-incident measures Incident measures Post-incident measures Cyber Insurance

17 Van Doorne 17 Pre-incident Measures Analyze the types of (personal) data Who has access to the data? Where are the data processed and by whom? Perform PIA s / Document Check Privacy Compliance / position of the relevant entities Check ICT facilities / Regular audits Develop an Incident Policy /Timing /Budget / Persons involved Check Insurances

18 Van Doorne 18 Incident Measures Identify the incident Qualify the incident Check emergency facilities Inform Management Keep it centralized Inform and engage the Incident Team Verify whether there is a notification duty Check Media Strategy Check whether incident should be reported to insurance company

19 Van Doorne 19 Post-Incident Measures Isolate and preserve the affected system/data Investigate and take measures Follow-up on notification duties Determine Media Strategy Assess damages / costs Document / Breach Register Update policies /agreements etc. Handle claims

20 Van Doorne 20 How to proceed? Implement Roadmap Check the security measures Check Agreements Check Insurance Budget/ Timing

21 Van Doorne 21 Contact Follow us on Twitter: VDPrivacy Elisabeth P.M. Thole LLM PhD Head of the Van Doorne Privacy Team t m thole@vandoorne.com