Cloud Security Alliance EMEA Congress

Transcription

1 Cloud Security Alliance EMEA Congress Berlin, Germany Greenberg Traurig, LLP A1orneys at Law Greenberg Traurig, LLP. All rights reserved November 17-19, 2015 Security Breach Disclosure Laws Lessons Learned Francoise Gilbert A:orney at Law, CIPP US/EU, CIPM Partner, Greenberg Traurig Silicon Valley, California, USA

2 Francoise Gilbert A1orney at Law Partner, Greenberg Traurig LLP East Palo Alto, Silicon Valley, California, USA InformaKon Privacy & Security, Emerging Technologies specialist Author & Editor, Global Privacy & Security Law (2 volumes, 3,600 pages, 68 countries) (Aspen / Wolters Kluwer Law & Business) Founding Member & General Counsel of the Cloud Security Alliance CIPP/US; CIPP/EU; CIPM Admi1ed to prackce law in California, Illinois and France 2

3 100+ Security Breach Laws, Guidelines Worldwide, 100+ Security Breach nokficakon laws, guidelines Laws / RegulaKons ArgenKna Canada Germany Mexico Netherlands South Korea USA Guidelines United Kingdom New Zealand Australia Hong Kong 3

4 In the US, over 60 Breach Laws 48 States Businesses Government Agencies District of Columbia 3 US Territories Federal Laws / RegulaKons: Healthcare organizakons: HIPAA (2 regulakons) Financial insktukons: governed by FI regulators Government agencies: FISMA and related regulakons In prackce: More than 5,500 breaches reported US wide since 2005 More than 786 million records affected 4

5 Security Breach Disclosure Law California Vintage 2003 Applied to enkkes that conduct business in California and that own, license, or maintain personal data Also applied to California Government Agencies Limited to first name/last name in combinakon with: Social Security number; or Driver s license number or ID Card; Account number, Credit or debit card number, + access code Only informakon in electronic format Required that nokficakon to the affected individual be sent In wrikng in the most expedient Kme possible and without unreasonable delay If large number of individuals affected, ability to provide subsktute nokce by publishing nokficakon through press, company website 5

6 California Law Vintage years later, and ajer periodic amendments, new version effeckve as of January 1, 2016; length of the law has tripled More types of informaaon protected Medical informakon Health insurance informakon Data collected through automated license plate recognikon system User name or address + password or security queskon /answer More obligaaons for the enkty that is responsible (directly or indirectly) for the breach NoKficaKon of State A1orney General if >500 individuals affected List of the specific informakon to be provided; including headings Specific format for le1er to individual; sample form provided 6

7 Elements of Security Breach NoKce Laws Worldwide, laws, regulakons, guidelines, with significant similarikes, and even more discrepancies: Type of informaaon protected: personal informakon Specific categories Social Security Number Driver's license, ID card number, passport number Payment card number Financial account number + password Health informakon Health insurance informakon User ID + password used to access an account Mother s maiden name, Etc. 7

8 Elements / Who is subject to the law NaKonal law (Mexico, Netherlands) Sectoral law: Financial InsKtuKons (ArgenKna), Telecom (EU) Who is affected: data collector only? Also data processor? DefiniAon of breach : unencrypted informakon was, or is reasonably believed to have been acquired by an unauthorized person accidental or unlawful destruckon, loss, alterakon, unauthorized disclosure of, or access to personal data transmi1ed, stored or processed Risk of harm analysis: what criteria? 8

9 Elements / Format for the data protected: electronic, paper, aural Time frame to send the disclosure noaces Within 24 / 48/ 72 hours (General Data ProtecKon RegulaKon) Within 60 days (HIPAA) without unreasonable delay Ability to delay if nokficakon would impeded criminal inveskgakon Who must be noafied: Government Agencies: Regulatory Agency, e.g. Financial Industry Regulatory Agency Consumer ProtecKon Agency: State A1orney General Data ProtecKon Commissioner Other: e.g. NaKonal Credit ReporKng Agencies Whether individual must be nokfied before or aler these enkkes 9

10 Elements / Content of the NoAce; explain what happened: Use of plain language Minimum / maximum amount of informakon to be provided Whether specific, detailed informakon must be provided in the nokce Format to be used to make the disclosure: clear, plain language No guidance: any outline, any format Specified content, outline; e.g. headings, font size, Specified form or format to be used How to give the noace Electronically On paper 10

11 Elements / Use of mass media Whether large breaches can be nokfied through mass media What mas media can be used: newspaper, website Threshold for nokficakon though mass media Access to credit monitoring and idenaty thel protecaon services at no cost to affected individuals Oversight, redress Role of Consumer proteckon agencies, State A1orney General Role of the Data Supervisory authorikes LiAgaAon Whether individuals have the right to sue directly the enkty that suffered the breach Preparedness: Incident Response Plan 11

12 Security Breach Preparedness Incident Response Plan What is or might be a breach of security What to do when a potenkal breach is detected Who should be nokfied internally Who may have to be nokfied externally AcKviKes to be performed, e.g. idenkfy source of breach; contain the breach; shut down access to the system; contact police; file a police report PrecauKons to be taken, e.g. to preserve evidence Record keeping Whom to call for help, e.g. police, forensics, lawyers Sample documents, e.g. sample nokce 12

13 Security Breach Ecosystem Third party services to assist in breach response Forensics services Call center services Mailing services CommunicaKons Lawyers Expect significant financial consequences Significant financial consequences: reputakon, hard costs, likgakon costs, value of the company, stock price Insurance LiKgaKon: class ackons, cost, disrupkon, damages InvesKgaKon by Enforcement Agencies, DP AuthoriKes; fines 13

14 See also my paper in the conference material Or contact me. 14

15 Francoise Gilbert Shareholder, Greenberg Traurig 1900 University Avenue 5 th Floor E. Palo Alto, CA USA gilbert@gtlaw.com 15