Cyber Risk and Global Security Issues: is your business fully prepared

Transcription

1 Cyber Risk and Global Security Issues: is your business fully prepared Thursday 2 October 2014 Copyright 2014 by K&L Gates LLP. All rights reserved.

2 Identifying cyber risks and how they impact your business klgates.com

3 klgates.com

4 The Spectrum of Cyber Attacks Advanced Persistent Threats ( APT ) Cybercriminals, Exploits and Malware Denial of Service attacks ( DDoS ) Domain name hijacking Corporate impersonation and Phishing Employee mobility and disgruntled employees Lost or stolen laptops and mobile devices Inadequate security and systems: thirdparty vendors klgates.com

5 The Practical Risks of Cyber Attacks Loss of crown jewels, IP and trade secrets Compromise of customer information, credit cards and other PII Loss of web presence and online business Interception of and data communications Loss of customer funds and reimbursement of charges Brand tarnishment and reputational harm Legal and regulatory complications klgates.com

6 Advanced Persistent Threats Targeted, persistent, evasive and advanced Nation state sponsored P.L.A. Unit Comment Crew klgates.com

7 Advanced Persistent Threats United States Cyber Command and director of the National Security Agency, Gen. Keith B. Alexander, has said the attacks have resulted in the greatest transfer of wealth in history. Source: New York Times, June 1, klgates.com

8 Advanced Persistent Threats The Director-General of MI5 warned that one London business suffered 800 million in losses following an attack The UK s National Security Council has judged that the four highest priority risks are currently those arising from: International terrorism Cyber attack International military crises and Major accidents or natural hazards** *Source: Cyber crime a global threat, MI5 head warns (2012) ** Source: A Strong Britain in an Age of Uncertainty: The National Security Strategy (October 2010) klgates.com

9 Advanced Persistent Threats A survey by anti-virus specialists Kaspersky found that cyber security measures taken by UK businesses were woefully inadequate Only 25% of IT specialists thought that their company was completely protected from cyber threats - although can there ever be complete protection? When questioned, 33% of IT managers did not know anything about the common cyber threats that have been targeting corporates *Source: BCS The Chartered Institute for IT - klgates.com

10 Advanced Persistent Threats Penetration: 67% of organisations admit that their current security activities are insufficient to stop a targeted attack.* Duration: average = 356 days** Discovery: External Alerts 55 percent are not even aware of intrusions* *Source: Trend Micro, USA. **Source: Mandiant, APT1, Exposing One of China s Cyber Espionage Units klgates.com

11 Advanced Persistent Threats: Penetration Spear Phishing Watering Hole Attack rely on insecurity of frequently visited websites Infected Thumb Drive **Source: Mandiant, APT1, Exposing One of China s Cyber Espionage Units *Source: Trend Micro, USA. es/advance-targeted-attacks/index.html klgates.com

12 Advanced Persistent Threats Target Profiles Industry: Government Information Technology Aerospace Telecom/Satellite Energy and Infrastructure Engineering/Research/Defense Chemical/Pharma Activities: Announcements of China deals China presence klgates.com

13 Advanced Persistent Threats klgates.com

14 The Spectrum of Cyber Attacks Advanced Persistent Threats ( APT ) Cybercriminals, Exploits and Malware Denial of Service attacks ( DDoS ) Domain name hijacking Corporate impersonation and Phishing Employee mobility and disgruntled employees Lost or stolen laptops and mobile devices Inadequate security and systems: thirdparty vendors klgates.com

15 Cybercriminals, Exploits and Malware klgates.com

16 Cybercriminals, Exploits and Malware 60,000 known software vulnerabilities 23 new zero-day exploits in 2014 Risk = threat + vulnerability klgates.com

17 Cybercriminals, Exploits and Malware Ransomware UK Law Enforcement CryptoLocker klgates.com

18 The Spectrum of Cyber Attacks Advanced Persistent Threats ( APT ) Cybercriminals, Exploits and Malware Denial of Service attacks ( DDoS ) Domain name hijacking Corporate impersonation and Phishing Employee mobility and disgruntled employees Lost or stolen laptops and mobile devices Inadequate security and systems: thirdparty vendors klgates.com

19 Inadequate security and systems: thirdparty vendors Vendors with client data Vendors with password access Vendors with direct system integration Point-of-sale klgates.com

20 Inadequate security and systems: thirdparty vendors klgates.com

21 Cybercriminals, Exploits and Malware In the UK, a government report found that the cost of cyber security breaches nearly doubled in 2013 For large organisations the worst breaches cost between 600,000 and million (up from k a year ago) *Source: UK Government press release, 29 April klgates.com

22 Cybercriminals, Exploits and Malware Cost Per Record: $158 Notification Costs: $509,000 Post-Breach Costs: $1.6M Business Loss: $3.3M *Source: Symantec Internet Security Trend Report 2014 klgates.com

23 Dangers of new and emerging risks klgates.com

24 Cloud Computing Risks Exporting security function and control Geographical uncertainty creates exposure to civil and criminal legal standards Risk of collateral damage klgates.com

25 Mobile Device Risks 52% of mobile users store sensitive files online 24% of mobile users store work and personal info in same account 21% of mobile users share logins with families Mobile malware: apps Insufficient mobile platform security klgates.com

26 Social Media Risks Consumer harm and reputational damage klgates.com

27 Example Peter Pan virus phishing (September 2014) purportedly came from real company BH Live Ticketing and entertainment company based in Bournemouth Claimed recipients had tickets to see Peter Pan Invited people to open attached e-tickets Opening attachment may have downloaded viruses BH Live inundated with phone calls from worried recipients klgates.com

28 Protection and Risk Mitigation klgates.com

29 WHY MITIGATE CYBER RISK? Consequences of a cyber attack could be catastrophic Consider How long could a business that relies on internet sales survive if no one could access its website? What would be the impact on its sales if no one was prepared to enter their credit card details? klgates.com

30 LEGAL CONSEQUENCES The Data Protection Act 1998 ( DPA ) requires the data controller to implement appropriate technical and organisational security measures against unauthorised or unlawful processing, accidental loss, destruction or damage of personal data. Regulatory penalties may be imposed on the company for breach of the DPA including: Fines; Enforcement notices; and Director disqualification Personal data owners may claim compensation from the data controller for such breaches under the DPA. klgates.com

31 PRACTICAL CONSEQUENCES As important to companies subject to a cyber attack are what the consequences of such an attack are in practice for the business. Loss of customer information, credit card details and other personal information. Data owners seeks compensation against a business under the Data Protection Act, especially if the hacker cannot be identified. Prevention of sales. Retailers with an online presence that are subject to a Denial of Service attack lose customers to competitors. You may eventually get your site back up, but will the customer be back? This risk is heightened at times of traditional high online sales klgates.com

32 PRO-ACTIVE MANAGEMENT AT BOARD LEVEL Not an IT problem - board level support is required to ensure that the resources both in time and capital are expended. Ensure that a cybercrime management policy is part of the company s governance framework and that this is given the same level of attention as financial and other risk management regimes. klgates.com

33 PRO-ACTIVE MANAGEMENT AT BOARD LEVEL (2) How would the board answer the following questions: What strategy did you have in place to prevent this cyber attack from happening? Who was responsible for the strategy? What was done in advance to limit the damage from attacks of this nature? klgates.com

34 PRO-ACTIVE MANAGEMENT AT BOARD LEVEL (3) Basic information risk management will highlight potential cyber attacks, allowing a board to see what constitute the most potent risks to the company. Understand what data you hold how sensitive the data is which systems control the management of key information how critical is the information to the management of the business klgates.com

35 ENSURING INTERNET SAFETY AND NETWORK SECURITY Methods to reduce cyber risk include: Mobile working - ensure that a mobile working policy is in place to ensure the security of documents away from the office. Control access to removable media such as memory sticks and removable hard drives and avoid their use where possible, especially with regards to storage of sensitive data. All removable data should be encrypted. Establish a policy on appropriate use and educate staff regarding the appropriate way to use the company s IT systems. Implement an incident response plan to ensure effective response to a cyber attack. klgates.com

36 ENSURING INTERNET SAFETY AND NETWORK SECURITY (2) Create an incident management team and provide specialist training to it who can carry out this process. Control and limit access - Only allow employees access to the information they require to carry out their roles. Scan all media before incorporating them into IT systems to detect any malware. Monitor ICT systems for unusual activity. Implement malware protection to all business areas and produce a policy on dealing with any malware issues. Install security patches Implement basic security controls on networks. Exemployees should immediately be denied access. klgates.com

37 ADEQUATE TRAINING AND INTERNAL PROCEDURES A cyber attack can take many forms including deliberate attacks, technology issues or simple human error or negligence. Every company has a cyber defence weak spot in its own employees. An adequate defence system protecting a company from cyber attacks should not only have the relevant defences and policies in place, but staff must be trained on the relevant policies. klgates.com

38 ADEQUATE TRAINING AND INTERNAL PROCEDURES (2) Implementing staff training and clear mechanisms for staff to report concerns regarding other members of staff noncompliance with polices Not knowing what devices are held significantly increases a company's cyber risk profile Every company should draft and implement a home and mobile working policy, and train staff to adhere to it klgates.com

39 ONGOING MANAGEMENT Planning and analysis of risk serves no purpose unless a company also properly implements its findings. As cybercrime evolves over time, companies must constantly monitor the adequacy of their cyber defences and re-evaluate the threats pertinent to their business. klgates.com

40 IMMEDIATE DAMAGE TO REPUTATION Cyber attacks naturally affect customer confidence, especially when customer information or funds are stolen. Exacerbated by online communication forums that spread news of such an attack Crisis management costs include: Informing affected customers; PR campaigns to restore reputation; Management time; Retrieving data; Suspending customer access to data and websites where relevant; Forensic investigation of the attack; and Repairing cyber defences. klgates.com

41 IMMEDIATE DAMAGE TO REPUTATION (2) 82% of the UK public would stop dealing with an organisation if their online data was breached (Unisys survey, 2011) Brand damage may also come in the form of intellectual property infringement with fake websites or counterfeit products sold online. IP theft can result in loss of first-to-market advantage and a consequential loss of competitive advantage. klgates.com

42 POSSIBLE LONG TERM IMPACT ON BUSINESS STRATEGY AND FINANCIAL STABILITY Research and development may be scaled back to preserve current financial stability or because frequent IP theft has made it unprofitable. Businesses may shy away from exploiting the online market for fear of incurring another costly cyber attack klgates.com

43 A GROWING ISSUE Consumers are becoming increasingly receptive to interacting with businesses online As customer interaction with online technology grows, so too does their disclosure of sensitive, personal information. A cyber attack that results in a loss of customer information can cause huge reputational damage The prominence of social media and the speed at which information can be disseminated can cause reputational damage at an unprecedented speed. klgates.com

44 COFFEE BREAK

45 Personal Data Breaches and Notifications a U.S. Perspective

46 LEGAL AND REGULATORY FRAMEWORK Federal Privacy Laws Gramm-Leach-Bliley Act Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health Act (HITECH) Fair Credit Reporting Act/The Fair and Accurate Credit Transactions Act Federal Trade Commission Act State Privacy Laws/Consumer Protection Statutes SEC Cybersecurity Guidance NIST Cybersecurity Framework Payment Card Industry Data Security Standards (PCI DSS) 46

47 FEDERAL PRIVACY LAWS Gramm-Leach-Bliley Act U.S. financial services organisations shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards-- 1. (1) to insure the security and confidentiality of customer records and information; 2. (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and 3. (3) to protect against unauthorised access to or use of such records or information which could result in substantial harm or inconvenience to any customer. (15 U.S.C ) 47

48 FEDERAL PRIVACY LAWS HIPAA A covered entity or business associate must, in accordance with [ Security standards: General rules ] [i]implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart. (45 C.F.R (a).) HITECH A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach. (42 U.S.C )

49 FEDERAL PRIVACY LAWS Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilisation of such information in accordance with the requirements of this subchapter. (15 U.S.C ) Regulations promulgated by the FTC and other regulatory agencies require financial institutions and creditors to develop and implement written identity theft prevention programs which, among other things, detect warning signs of identity theft (16 CFR ) 49

50 FEDERAL PRIVACY LAWS Federal Trade Commission Act Section 5 empowers the FTC to prevent... unfair or deceptive acts or practices in or affecting commerce : The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, except banks, savings and loan institutions described in section 57a(f)(3) of this title, Federal credit unions described in section 57a(f)(4) of this title, common carriers subject to the Acts to regulate commerce, air carriers and foreign air carriers subject to part A of subtitle VII of Title 49, and persons, partnerships, or corporations insofar as they are subject to the Packers and Stockyards Act, 1921, as amended [7 U.S.C.A. 181 et seq.], except as provided in section 406(b) of said Act [7 U.S.C.A. 227(b) ], from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce. (15 U.S.C.A. 45(a)(2).) 50

51 STATE PRIVACY LAWS/CONSUMER PROTECTION LAWS Pennsylvania: Breach of Personal Information Notification Act (a) General rule.--an entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. [T]he notice shall be made without unreasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth. (73 P.S. 2303(a).) The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation 51

52 SEC CYBERSECURITY GUIDANCE [A]ppropriate disclosures may include : Discussion of aspects of the registrant s business or operations that give rise to material cybersecurity risks and the potential costs and consequences ; To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks ; Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences ; Risks related to cyber incidents that may remain undetected for an extended period ; and Description of relevant insurance coverage. Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, 52

53 NIST CYBERSECURITY FRAMEWORK NIST Cybersecurity Framework provides a common taxonomy and mechanism for organisations to: Describe their current cybersecurity posture; Describe their target state for cybersecurity; Identify and prioritise opportunities for improvement within the context of a continuous and repeatable process; Assess progress toward the target state; Communicate among internal and external stakeholders about cybersecurity risk. The Framework is voluntary (for now) 53

54 NIST CYBERSECURITY FRAMEWORK 85% of security budgets currently go here According to Gartner: By 2020, 75% of security budgets will go towards detection and response NIST Unveils Cybersecurity Framework, 54

55 NIST CYBERSECURITY FRAMEWORK 55

56 PCI DSS PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. 56

57 TRENDS ARTICLE III STANDING CLAPPER 57

58 TRENDS ARTICLE III STANDING GALARIA

59 TRENDS ARTICLE III STANDING NEIMAN MARCUS 59

60 TRENDS ARTICLE III STANDING SONY 60

61 TRENDS ARTICLE III STANDING MICHAELS STORES 61

62 TRENDS ARTICLE III STANDING ADOBE 62

63 TRENDS SHAREHOLDER LITIGATION TARGET 63

64 TRENDS SHAREHOLDER LITIGATION WYNDHAM 64

65 TRENDS FTC REGULATORY ACTION WYNDHAM 65

66 TRENDS FTC REGULATORY ACTION WYNDHAM 66

67 TRENDS SEC THE NEW SHERIFF 67

68 Personal Data Breaches and Notifications a UK perspective

69 LEGISLATIVE REQUIREMENTS Directive 95/46/EC transposed into UK law by the Data Protection Act 1998 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (Part 1(7), Schedule 1 to DPA) 7 th principle. No prescriptive requirements, unless sector specific regulation. No one size fits all but three principles: 1. Risk assessment what is appropriate given type of data? Regard to be had to state of technology / implementation cost compared to what harm might result from breach. 2. Reliability of employees 3. Vet your data processors written contracts Guidance from regulator (UK Information Commissioner s Office): Encryption? Data storage vs. transmission. International Standard / Cyber Essentials Scheme. Anonymisation? Data Sharing Code of Practice Internal policies IT Internet use / data retention and destruction / data security / training Processes and security protocols staff vetting and access control Disposal (CESG approved?) / decommissioning Software Updates (remedy vulnerabilities) / SQL Injections (high risk) Authentication / hashing / salted hashing

70 DO WE NEED TO NOTIFY TO UK ICO? What sector are you in? PECR Notifications only compulsory for publically available electronic communication services same across all of EU i.e. telcoms / ISPs. 24 hours after breach detection. Everyone else no legal requirement, but ICO guidance. Should notify if serious. Overriding consideration: potential harm to individuals. Can mitigate fines vs danger of over-notifying. Notify data subjects? Do they need to take steps to protect themselves? Contractual obligation to notify? Public sector bodies may have own requirements health service organisations IG Toolkit Incident Reporting Tool. Financial institutions FCA / FMSA. Police / insurers / professional bodies / bank or credit card companies.

71 UK ICO ENFORCEMENT Make assessments (re-active or pro-active) Serving Information Notices / Special Information Notices Enforcement Notices Powers of entry, inspection, seizure of documents / equipment Fines of up to 500,000 serious breaches contravention deliberate or the data controller knew or ought to have known that there was a risk that the contravention would occur, and of a kind likely to cause substantial damage / distress but failed to take reasonable steps to prevent it. (s.55(a) DPA). Selective enforcement / limited resources Individual has a direct right of action and right to compensation Criminal offences failure to comply with an Information / Enforcement Notice (Directors can also be prosecuted).

72 ENFORCEMENT TRENDS Leading video games provider (Jan 2013) Network platform subject to several DDoS ( distributed denial of service ) attacks Hacker access customer details and passwords (no cardholder information) 100 million customers thought to be affected. Data Controller didn t keep up to date with technical developments. Didn t deal with system vulnerabilities even though update available Didn t use cryptographic controls for passwords History of attacks but still used platform to hold vast amounts of personal data Didn t react quickly enough Voluntarily reported (mitigating factor) 250,000 fine Internal cost to Data Controller thought to be in region of $171 million. Booking agent for travel services (Dec 2012) SQL Injection attack, allowed hacker to access over 1 million card payment details (half of which were active). Data Controller no penetration tests / vulnerability scans and checks on basis webserver was not external facing (but could still be access over internet by individuals with basic technical skills) No evidence of actual harm / fraud Voluntarily reported (mitigating factor) 150,000 fine.

73 APRIL MARCH 2014

74 APRIL MARCH 2014

75 FUTURE DEVELOPMENTS CESQ (information security arm of GCHQ) - 80% of known attacks defeated by basic security practices Nov Cyber Security Strategy produced. Set agenda for Set up National Cyber Security Programme (NCSP) with 650 million funding for four years. Falls under supervision of Cabinet Office. Published progress against objectives in Dec Most recent progress published on 10 Sep September BIS issued guidance for companies 5 Jun New ISO Standard based on ISO Certification to demonstrate that industry-minimum cyber security measures adopted. From 1 October 2014, the government will require certain suppliers bidding for certain information handling contracts to be Cyber Essentials certified. CERT-UK set up on 31 March 2014 to take the lead in coordinating the management of national cyber security incidents and will act as the UK central contact point for international counterparts in this field as will be required under upcoming European Cyber-Security Directive. No UK specific legislation on horizon but watch out for European Data Protection Regulation and Network and Information Security Directive.

76 Personal Data Breaches and Notifications a German perspective

77 LEGISLATIVE REQUIREMENTS Directive 95/46/EC transposed into German law by the Federal Data Protection Act (BDSG) Sect. 9 / Annex 1 to sec. 9 BDSG requires data processors/controllers to implement adequate technical and organisational measures for data security, in particular: 1. Access control: Preventing unauthorised persons gaining access to data processing systems; preventing data processing systems from being used without authorisation; ensuring that authorised persons can only access data they are authorised to access. 2. Disclosure control: Ensuring that data cannot be read, copied, etc. during electronic transfer or recording; ensuring transparency which bodies data will be transferred to. 3. Input control: Ensuring possibility to trace alteration or deletion of data. 4. Job control: Ensuring in case of commissioned data processing compliance with the controllers instructions 5. Availability control: Ensuring personal data is protected against accidental destruction or loss

78 WHEN DO WE NEED TO NOTIFY TO DATA PROTECTION AUTHORITY (DPA) AND INFORM DATA SUBJECT? General notification obligation to DPA and Data Subject, applicable to all private bodies and certain public bodies (Sect. 42a BDSG): Unlawful disclosure of special categories of personal data (e.g. ethnic heritage, religious beliefs, data referring to criminal offences or subject to professional secrecy) Threatening serious harm to the rights or legitimate interests of data subjects Information to DPA: Without undue delay Nature of the disclosure and possible harmful consequences Information to Data Subject: Without undue delay, as soon as data is secured and criminal investigation is not endangered Nature of the disclosure; recommendations to minimise possible harm klgates.com

79 ENFORCEMENT BY THE DPAS IN GERMANY German DPAs may (Sect. 38 BDSG): Monitor the implementation of the BDSG and other provisions on data protection matters including Right to request information by processors and Right to enter the property and premises for inspections Notify data subjects in case of violation and report to prosecution authorities Order measures to remedy violations (e.g. prohibiting data processing) Raise fines up to EUR 300,000 in case of intended or negligent violation of certain provisions of the BDSG or other regulations on data protection (Sect. 43 BDSG)

80 ENFORCEMENT TRENDS There still is no common code of practice among DPAs, which leads to varying practices in different German states ( Länder ). In the past, German DPAs were not very strict in enforcing data protection laws by raising fines. Example 1: Google StreetView ( ): Google provides panorama pictures for Street View While taking these pictures, surrounding WiFi data were scanned accidentally Competent DPA (Hamburg) raised fine of EUR 145,000 Example 2: AOL Server Breakdown (2014): Server Breakdown caused a leak of 500,000 user access data sets Stolen data was used for spam-mail wave Provider did not notify breach to DPA but informed users Presumably no action by competent DPA

81 NUMBERS AND TABLES No absolute numbers on breaches and notifications; all DPAs are obliged to publish data protection reports, but they vary and can hardly be compared Statement of Federal Commissioner for Data Protection: March 2011 October 2013: 501 notifications in total TelCom Sector: 2012: 27 notifications 2013: 66 notifications

82 FUTURE DEVELOPMENTS Federal Commissioner for Data Protection endorses stricter enforcement of data protection, especially in the telecommunications sector Legislative framework: Draft version of a German Regulation for IT-Security Draft EU Regulation

83 Personal Data Breaches and Notifications A French perspective

84 LEGISLATIVE REQUIREMENTS Directive 95/46/EC implemented in August 2004 into the French Data Protection Act of 1978 Directive 2009/136/EC eprivacy implementing data breach requirements in August 2010 Breach of personal data - The French definition and scope Any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure or unauthorised access to personal data processed in the context of providing electronic communication services to the public. Data breach notifications are only required from telco operators and internet access providers For any breach of personal data processed by electronic communication service providers operating electronic communication networks with open public access.

85 LEGISLATIVE REQUIREMENTS Two categories of notifications 1. To the French DPA Within 24 hours of the effective knowledge, through an electronic procedure, whatever is the potential impact of the breach of personal data Notify at least the existence of the breach Within 72 hours of the effective knowledge, through an electronic procedure, describing the breach in details: Categories of data breached, Origin, specificities and duration of the breach, Security measures and patches implemented, Potential impact on the privacy of the affected parties, Spontaneous information of the affected parties.