Navigating the Privacy Law Landscape - US and Europe
|
|
- Eunice Hoover
- 8 years ago
- Views:
Transcription
1 21 January, 2015 Navigating the Privacy Law Landscape - US and Europe Roberta Anderson, Partner, K&L Gates, Pittsburgh Friederike Gräfin von Brühl, Senior Associate, K&L Gates, Berlin Etienne Drouard, Partner, K&L Gates, Paris Andrew Gilchrist, Senior Associate, K&L Gates, London Copyright 2013 by K&L Gates LLP. All rights reserved.
2 Data Breach and Notification a U.S. Perspective
3 klgates.com 3
4 klgates.com 4
5 Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014) klgates.com 5
6 v v v v Source: Ponemon Institute LLC Global Report on the Cost of Cyber Crime (October 2014) v klgates.com 6
7 NOTICE REQUIREMENTS Different Types of Notice Industry-Specific, e.g. HIPAA / HITECH 47 Different State Notification Laws e.g., Pennsylvania Business Partners e.g., New Jersey Comprehensive Federal Law? Others, e.g., Regulators, AGs, Consumer Reporting Agencies, Law Enforcement? Media Social Media SEC Filings klgates.com 7
8 NOTICE REQUIREMENTS v v Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014) klgates.com 8
9 NOTICE REQUIREMENTS Industry-Specific, e.g. HIPAA / HITECH, GLB v v klgates.com 9
10 NOTICE REQUIREMENTS 47 different state notification laws, e.g., Pennsylvania klgates.com 10
11 NOTICE REQUIREMENTS Business Partners, e.g., New Jersey Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its New Jersey customers, as provided in subsection a. of this section, of any breach of security of the computerized records immediately following discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person. klgates.com 11
12 NOTICE REQUIREMENTS Comprehensive Federal Law? klgates.com 12
13 NOTICE REQUIREMENTS klgates.com 13
14 NOTICE REQUIREMENTS klgates.com 14
15 NOTICE REQUIREMENTS klgates.com 15
16 SEC CYBERSECURITY GUIDANCE [A]ppropriate disclosures may include : Discussion of aspects of the registrant s business or operations that give rise to material cybersecurity risks and the potential costs and consequences ; To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks ; Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences ; Risks related to cyber incidents that may remain undetected for an extended period ; and Description of relevant insurance coverage. Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, 16
17 NOTICE REQUIREMENTS We note your disclosure that an unauthorized party was able to gain access to your computer network in a prior fiscal year. So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage. - Alion Science and Technology Corp. S-1 filing (March 2014) klgates.com 17
18 Personal Data Breaches and Notifications a UK perspective
19 LEGISLATIVE REQUIREMENTS Directive 95/46/EC transposed into UK law by the Data Protection Act 1998 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (Part 1(7), Schedule 1 to DPA) 7 th principle. No prescriptive requirements, unless sector specific regulation. No one size fits all but three principles: 1. Risk assessment what is appropriate given type of data? Regard to be had to state of technology / implementation cost compared to what harm might result from breach. 2. Reliability of employees 3. Vet your data processors written contracts Guidance from regulator (UK Information Commissioner s Office): Encryption? Data storage vs. transmission. International Standard / Cyber Essentials Scheme. Anonymisation? Data Sharing Code of Practice Internal policies IT Internet use / data retention and destruction / data security / training Processes and security protocols staff vetting and access control Disposal (CESG approved?) / decommissioning Software Updates (remedy vulnerabilities) / SQL Injections (high risk) Authentication / hashing / salted hashing
20 WHO DO WE NEED TO NOTIFY? What sector are you in? PECR Notifications only compulsory for publically available electronic communication services same across all of EU i.e. telcoms / ISPs. 24 hours after breach detection UK ICO. Other regulated sectors Gambling Commission / FCA / Public sector. Everyone else no legal requirement, but ICO guidance. Should notify if serious. Overriding consideration: potential harm to individuals. Can mitigate fines vs danger of over-notifying. Notify data subjects? Do they need to take steps to protect themselves? Contractual obligation to notify? Police / insurers / professional bodies / bank or credit card companies.
21 UK ICO ENFORCEMENT Make assessments (re-active or pro-active) Serving Information Notices / Special Information Notices Enforcement Notices Powers of entry, inspection, seizure of documents / equipment Fines of up to 500,000 serious breaches contravention deliberate or the data controller knew or ought to have known that there was a risk that the contravention would occur, and of a kind likely to cause substantial damage / distress but failed to take reasonable steps to prevent it. (s.55(a) DPA). Selective enforcement / limited resources Individual has a direct right of action and right to compensation Criminal offences failure to comply with an Information / Enforcement Notice (Directors can also be prosecuted).
22 ENFORCEMENT TRENDS Leading video games provider (Jan 2013) Network platform subject to several DDoS ( distributed denial of service ) attacks Hacker access customer details and passwords (no cardholder information) 100 million customers thought to be affected. Data Controller didn t keep up to date with technical developments. Didn t deal with system vulnerabilities even though update available Didn t use cryptographic controls for passwords History of attacks but still used platform to hold vast amounts of personal data Didn t react quickly enough Voluntarily reported (mitigating factor) 250,000 fine Internal cost to Data Controller thought to be in region of $171 million. Booking agent for travel services (Dec 2012) SQL Injection attack, allowed hacker to access over 1 million card payment details (half of which were active). Data Controller no penetration tests / vulnerability scans and checks on basis webserver was not external facing (but could still be access over internet by individuals with basic technical skills) No evidence of actual harm / fraud Voluntarily reported (mitigating factor) 150,000 fine.
23 JULY SEPT 2014 Source:
24 JULY SEPT 2014 Source:
25 FUTURE DEVELOPMENTS Nov Cyber Security Strategy produced. Set agenda until 2015/16. Set up National Cyber Security Programme (NCSP) with 860 million funding over five years. Falls under supervision of Cabinet Office. Published progress against objectives in Dec September BIS issued guidance for companies CESQ (information security arm of GCHQ) - 80% of known attacks defeated by basic security practices CERT-UK set up on 31 March 2014 to take the lead in coordinating the management of national cyber security incidents and will act as the UK central contact point for international counterparts in this field as will be required under upcoming European Cyber-Security Directive. 5 Jun New ISO Standard based on ISO Certification to demonstrate that industry-minimum cyber security measures adopted. From 1 October 2014, the government will require certain suppliers bidding for certain information handling contracts to be Cyber Essentials certified. No UK specific legislation on horizon but watch out for European Data Protection Regulation and Network and Information Security Directive.
26 Personal Data Breaches and Notifications a German perspective
27 LEGISLATIVE REQUIREMENTS Directive 95/46/EC transposed into German law by the Federal Data Protection Act (BDSG) Sect. 9 / Annex 1 to sec. 9 BDSG requires data processors/controllers to implement adequate technical and organisational measures for data security, in particular: 1. Access control: Preventing unauthorised persons gaining access to data processing systems; preventing data processing systems from being used without authorisation; ensuring that authorised persons can only access data they are authorised to access. 2. Disclosure control: Ensuring that data cannot be read, copied, etc. during electronic transfer or recording; ensuring transparency which bodies data will be transferred to. 3. Input control: Ensuring possibility to trace alteration or deletion of data. 4. Job control: Ensuring in case of commissioned data processing compliance with the controllers instructions 5. Availability control: Ensuring personal data is protected against accidental destruction or loss
28 WHEN DO WE NEED TO NOTIFY TO DATA PROTECTION AUTHORITY (DPA) AND INFORM DATA SUBJECT? General notification obligation to DPA and Data Subject, applicable to all private bodies and certain public bodies (Sect. 42a BDSG): Unlawful disclosure of special categories of personal data (e.g. ethnic heritage, religious beliefs, data referring to criminal offences or subject to professional secrecy) Threatening serious harm to the rights or legitimate interests of data subjects Information to DPA: Without undue delay Nature of the disclosure and possible harmful consequences Information to Data Subject: Without undue delay, as soon as data is secured and criminal investigation is not endangered Nature of the disclosure; recommendations to minimise possible harm klgates.com
29 ENFORCEMENT BY THE DPAS IN GERMANY German DPAs may (Sect. 38 BDSG): Monitor the implementation of the BDSG and other provisions on data protection matters including Right to request information by processors and Right to enter the property and premises for inspections Notify data subjects in case of violation and report to prosecution authorities Order measures to remedy violations (e.g. prohibiting data processing) Raise fines up to EUR 300,000 in case of intended or negligent violation of certain provisions of the BDSG or other regulations on data protection (Sect. 43 BDSG)
30 ENFORCEMENT TRENDS There still is no common code of practice among DPAs, which leads to varying practices in different German states ( Länder ). In the past, German DPAs were not very strict in enforcing data protection laws by raising fines. Example 1: Google StreetView ( ): Google provides panorama pictures for Street View While taking these pictures, surrounding WiFi data were scanned accidentally Competent DPA (Hamburg) raised fine of EUR 145,000 Example 2: AOL Server Breakdown (2014): Server Breakdown caused a leak of 500,000 user access data sets Stolen data was used for spam-mail wave Provider did not notify breach to DPA but informed users Presumably no action by competent DPA
31 NUMBERS AND TABLES No absolute numbers on breaches and notifications; all DPAs are obliged to publish data protection reports, but they vary and can hardly be compared Statement of Federal Commissioner for Data Protection: March 2011 October 2013: 501 notifications in total TelCom Sector: 2012: 27 notifications 2013: 66 notifications
32 FUTURE DEVELOPMENTS Federal Commissioner for Data Protection endorses stricter enforcement of data protection, especially in the telecommunications sector Legislative framework: Draft version of a German Regulation for IT-Security Draft EU Regulation
33 Personal Data Breaches and Notifications The French perspective
34 LEGISLATIVE REQUIREMENTS Directive 95/46/EC implemented in August 2004 into the French Data Protection Act of 1978 Directive 2009/136/EC eprivacy implementing data breach requirements in August 2010 Breach of personal data - The French definition and scope Any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure or unauthorised access to personal data processed in the context of providing electronic communication services to the public. Data breach notifications are only required from telco operators and internet access providers For any breach of personal data processed by electronic communication service providers operating electronic communication networks with open public access.
35 LEGISLATIVE REQUIREMENTS Two categories of notifications 1. To the French DPA Within 24 hours of the effective knowledge, through an electronic procedure, whatever is the potential impact of the breach of personal data Notify at least the existence of the breach Within 72 hours of the effective knowledge, through an electronic procedure, describing the breach in details: Categories of data breached, Origin, specificities and duration of the breach, Security measures and patches implemented, Potential impact on the privacy of the affected parties, Spontaneous information of the affected parties.
36 LEGISLATIVE REQUIREMENTS Two categories of notifications 2. To the affected parties If said breach is likely to breach personal data security or the privacy of a subscriber or any other individual. Unless the French DPA has found that appropriate protection measures have been implemented by the service provider to ensure that the personal data are made undecipherable to any unauthorised individuals and have been applied to the data affected by said breach. Failing this, the French DPA may serve the service provider with a formal notice to inform the affected parties as well, after investigating the severity of the breach.
37 LEGISLATIVE REQUIREMENTS Recording of all breaches Each provider of electronic communication services must keep and make available to the French DPA upon request, an updated record of all breaches of personal data, listing the conditions, effects and measures taken as remedies.
38 ANALYSIS PERFORMED BY THE FRENCH DPA The DPA has up to two months to: Consider the potential impacts of the breach on data security and privacy protection; Estimate whether security measures implemented before the breach were appropriate; Evaluate whether information measures taken towards the "affected parties" were sufficient.
39 ENFORCEMENT The DPA may: Require the company (Telcos and ISPs) to inform affected parties or the general public. Apply any administrative fine up to 150,000 After an adversarial public or closed procedure where the company may be assisted by its counsel. Publish a description of the breach: on its website, or on any appropriate medium at the company s expense. Publish whole or part of the ruling against the company on its website, or on any appropriate medium at the company s expense.
40 ENFORCEMENT As of now: 7 condemnations in condemnations in 2014 Fines between 20,000 and 100,000 (max.) The French DPA has almost systematically been publishing its rulings regarding data breaches During 2015: A draft bill will be discussed starting June 2015: extending data breach notification requirements to any data controller or processor, in any sector (public or private) providing for penalties up to: 1,000,000, or 2% of the global annual turnover, whichever the highest.
41 New Draft EU Data Protection Regulation Mandatory Data Breach Notification
42 INTRODUCTION Draft EU Data Protection Regulation COM(2012)0011 C7-0025/ /0011(COD); draft version published by Commission in 2012, adopted by European Parliament in March 2014; shall replace the Data Protection Directive 95/46/EC What are the goals? Protection of individuals with regard to the processing of personal data Free movement of personal data Protection of the fundamental rights and freedoms of natural persons Details: transfer of personal data to third countries or international organisations; mandatory data protection officer; role of independent supervisory authorities; cooperation and consistency; remedies, liability and sanctions
43 THE "DATA BREACH" REGULATION 2013/611 Electronic communications service providers must report any personal data breach to the relevant national data protection authorities and, as the case may be, to the data subjects themselves. The notification requirement targets Internet service providers and telco operators. service providers are not impacted yet. The draft Privacy Regulation will extend data breach notification to any controller (expected in 2016) Non-compliance with the notification requirement is subject to criminal sanctions
44 MANDATORY NOTIFICATION OBLIGATION - DETAILS Art. 31: Notification Art. 32: Communication Who has to notify? All data processors and commissioned data processors Who has to communicate? All data processors To whom? Data processors to the competent DPA Commissioned data processors to data processor To whom? Data subject Reason? Personal data breach Reason? Personal data breach is likely to adversely affect the protection of personal data or privacy klgates.com 44
45 MANDATORY NOTIFICATION OBLIGATION - DETAILS Art. 31: Notification Art. 32: Communication When has to be notified? Without undue delay and where feasable not later than 24 hours after having become aware of the breach When has to be communicated? After notification to DPA without undue delay What has to be notified? Nature and consequences of the breach, contact information, measures to mitigate possible adverse effects What has to be communicated? Nature of the breach and measures to mitigate the possible adverse effects klgates.com 45
46 ENFORCEMENT Competent supervisory authority may sanction administrative offences Amount of fine shall depend on the technical and organisational measures implemented and on the collaboration with the supervisory authority Fine can be fixed up to EUR 100,000,000 or 5 % of annual worldwide turnover, whichever is higher klgates.com
47 Next Cyber Risk webinar Insuring against Cyber Risks: What are the options, and how can you maximize coverage? 25 February :30 GMT, 11:30 EST, 08:30 PST klgates.com 47
48
Cyber Risk and Global Security Issues: is your business fully prepared
Cyber Risk and Global Security Issues: is your business fully prepared Thursday 2 October 2014 Copyright 2014 by K&L Gates LLP. All rights reserved. Identifying cyber risks and how they impact your business
More informationThe potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
More informationData Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014
Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware
More informationMulti-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015
Multi-Jurisdictional Study: Cloud Computing Legal Requirements Julien Debussche Associate January 2015 Content 1. General Legal Framework 2. Data Protection Legal Framework 3. Security Requirements 4.
More informationSecurity breaches: A regulatory overview. Jonathan Bamford Head of Strategic Liaison
Security breaches: A regulatory overview Jonathan Bamford Head of Strategic Liaison Security breaches and the DPA Data controllers security obligation - principle 7 of the DPA o Appropriate technical and
More informationPrivacy and Electronic Communications Regulations
ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3
More informationCyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen
Cyber Security : preventing and mitigating incidents Alexander Brown Robert Allen 07 & 08 October 2015 Cyber Security context of the threat The magnitude and tempo of [cyber security attacks], basic or
More informationInformation Security Risks when going cloud. How to deal with data security: an EU perspective.
Separating fact from fiction about new software licensing /SaaS/ cloud computing models: advantages, disadvantages and ethical implications. Information Security Risks when going cloud. How to deal with
More informationSecurity breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate)
Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate) Why is this a challenge? When personal data is compromised, mandatory or recommended notification
More informationCorporate Information Security Policy
Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives
More informationSo the security measures you put in place should seek to ensure that:
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
More informationMerthyr Tydfil County Borough Council. Data Protection Policy
Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the
More informationDATA AND PAYMENT SECURITY PART 1
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
More informationMitigating and managing cyber risk: ten issues to consider
Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed
More informationOUTSOURCING, HOSTING AND DATA PRIVACY ISSUES
OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES 4 April 2013 James Castro-Edwards Solicitor Monica Salgado Advogada / Portuguese Lawyer OUR TEAM Speechly Bircham is an ambitious, full-service law firm with
More informationHacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows
Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows 24 February 2015 Callum Sinclair Faith Jayne Agenda Top 10 legal need-to-knows, including: What is cyber
More informationtechnical factsheet 176
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
More informationData and Cyber Laws Up-date 9 July 2015
Data and Cyber Laws Up-date 9 July 2015 Janine Regan Alexia Zuber Viktoria Protokova Simon Holdsworth charlesrussellspeechlys.com Topics Updates on the key aspects of, and commentary on, the proposed GDPR
More informationDealing with data breaches in Europe and beyond
Dealing with data breaches in Europe and beyond Karin Retzer and Joanna Łopatowska Morrison & Foerster LLP www.practicallaw.com/6-505-9638 The use of increasingly advanced technology means that the ways
More informationData Protection Policy
Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's
More informationData Breach Notification Duty. Dr. Elisabeth Thole 31 October 2015 UIA Valencia
Data Breach Notification Duty Dr. Elisabeth Thole 31 October 2015 UIA Valencia Van Doorne 2 How is your cyber crime awareness? Either you have been data breached or you just do not know that you have been
More informationData Protection in Ireland
Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair
More informationEU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014
EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 Janine Regan, Associate George Willis, Associate charlesrussellspeechlys.com Janine Regan Associate
More informationData Protection Breach Management Policy
Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/
More information235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions
English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June
More informationCOMMISSION REGULATION (EU) No /.. of XXX
EUROPEAN COMMISSION Brussels, XXX [ ](2013) XXX draft COMMISSION REGULATION (EU) No /.. of XXX on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy
More informationThe supplier shall have appropriate policies and procedures in place to ensure compliance with
Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations
More informationThe era of hacks and cyber regulation
6 February 2014 The era of hacks and cyber regulation We trust that you are well versed with the details of the various cyber-attacks that made the headlines towards the end of 2014, and early this year,
More informationData Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana
Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act
More informationROEHAMPTON UNIVERSITY DATA PROTECTION POLICY
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:
More informationCyber Risk, Legal And Regulatory Issues, And Insurance Mitigation ISACA Pittsburgh Information Security Awareness Day
Lloyd s of London (Reuters) May 8, 2000 Cyber Risk, Legal And Regulatory Issues, And Insurance Mitigation ISACA Pittsburgh Information Security Awareness Day Rivers Casino, Pittsburgh November 17, 2014
More informationCorporate ICT & Data Management. Data Protection Policy
90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control
More informationCyber Risks in Italian market
Cyber Risks in Italian market Milano, 01.10.2014 Forum Ri&Assicurativo Gianmarco Capannini Agenda 1 Cyber Risk - USA 2 Cyber Risk Europe experience trends Market size and trends Market size and trends
More informationData Protection for Charities
Data Protection for Charities CFG 15 May 2014 Overview Overview and key definitions The data protection principles Fair and lawful processing Data security and outsourcing Rights of data subjects Recent
More informationProcessor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
More informationThe impact of the personal data security breach notification law
ICTRECHT The impact of the personal data security breach notification law On 1 January 2016 legislation will enter into force in The Netherlands requiring organisations to report personal data security
More informationThe Manitowoc Company, Inc.
The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational
More informationKey issues in data protection: a pan-european view
Key issues in data protection: a pan-european view 19 th March 2014 Nicola Fulford, Kemp Little LLP, UK Andreas Peschel-Mehner, SKW Schwarz, Germany Marco Bellezza, Portolano Cavallo, Italy Emmanuel Schulte,
More informationData Protection and Information Security. Procedure for reporting a breach of data security. April 2013
Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is
More informationData protection issues on an EU outsourcing
Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process
More informationOverview of Employment and Employee Privacy Laws and Key Trends in Austria
P a g e 1 Privacy Interviews with Experts August 2011 Toronto / Washington DC / Brussels www.nymity.com Rainer Knyrim Attorney and Partner Preslmayr Attorneys at Law Vienna, Austria Overview of Employment
More informationLEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
More informationCybercrime: risks, penalties and prevention
Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,
More informationData Protection Policy.
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
More informationPrivacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems
Privacy vs Data Protection PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Introduction The terms privacy and data protection are often used interchangeable In reality they
More informationLegal Aspects of the MonIKA-Project - Privacy meets Cybersecurity
Legal Aspects of the MonIKA-Project - Privacy meets Cybersecurity Sebastian Meissner Security Incident Information Sharing Workshop Berlin, 26.07.2013 Introduction Opening question Privacy & cybersecurity:
More informationFRANCE. Chapter XX OVERVIEW
Chapter XX FRANCE Merav Griguer 1 I OVERVIEW France has an omnibus privacy, data protection and cybersecurity framework law. As a member of the European Union, France has implemented the EU Data Protection
More informationAlixPartners, LLP. General Data Protection Statement
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
More informationINFORMATION SECURITY MANAGEMENT POLICY
INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June
More informationECSA EuroCloud Star Audit Data Privacy Audit Guide
ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:
More informationA practical guide to IT security
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
More informationMONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY
MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency
More informationSTATUTORY INSTRUMENTS. S.I. No. 336 of 2011
STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 EUROPEAN COMMUNITIES (ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES) (PRIVACY AND ELECTRONIC COMMUNICATIONS) REGULATIONS 2011 (Prn. A11/1165) 2 [336] S.I.
More informationFollow the trainer s instructions and explanations to complete the planned tasks.
CERT Exercises Toolset 171 20. Exercise: CERT participation in incident handling related to Article 4 obligations 20.1 What will you learn? During this exercise you will learn about the rules, procedures
More informationDATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE
DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful
More informationHelping to protect your business and your customers in the event of a data breach
Helping to protect your business and your customers in the event of a data breach Equifax Data Breach Assistance helps you respond more quickly and effectively, limiting the reputational damage to your
More informationNew EU Data Protection legislation comes into force today. What does this mean for your business?
24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )
More informationAppendix 11 - Swiss Data Protection Act
GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the
More informationGuidance on data security breach management
ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...
More informationIntroduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide
Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com
More informationData, Privacy, Cookies and the FTC in 2013. Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller
Data, Privacy, Cookies and the FTC in 2013 Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller BIOS Kevin Stark: Product Manager at ExactTarget. Focused on data security,
More informationData Protection Policy June 2014
Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:
More informationProcedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom
Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom
More informationCorporate Policy. Data Protection for Data of Customers & Partners.
Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing
More information20. Exercise: CERT participation in incident handling related to Article 4 obligations
CERT Exercises Handbook 241 241 20. Exercise: CERT participation in incident handling related to Article 4 obligations Main Objective Targeted Audience Total Duration This exercise provides students with
More information2/9/2012. The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012
The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012 Legal Issues Involved in Creating Security Compliance Plans W. David Snead Attorney + Counselor Washington,
More informationData Centres North Data Centre Security is the tail wagging the dog? May 11-12 2015
Data Centres North Data Centre Security is the tail wagging the dog? May 11-12 2015 Mark Bailey - Partner charlesrussellspeechlys.com Introduction Why do data centres exist? process data? protect data?
More informationCOMPLYING WITH THE E-COMMERCE REGULATIONS 2002
COMPLYING WITH THE E-COMMERCE REGULATIONS 2002 You should read this guide if you. advertise goods or services online (i.e. via the Internet, interactive television or mobile telephone) sell goods or services
More informationData protection policy
Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data
More informationLittle Marlow Parish Council Registration Number for ICO Z3112320
Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with
More informationPCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES
PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES Cyber Attacks: How prepared are you? With barely a day passing without a reported breach of corporate information security, the threat to financial
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
More informationPolicy and Procedure for approving, monitoring and reviewing personal data processing agreements
Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
More informationThe Data Protection Landscape. Before and after GDPR: General Data Protection Regulation
The Data Protection Landscape Before and after GDPR: General Data Protection Regulation Data Protection regulations across Europe Current regulations & guidance European Directives 95/46/EC (Data Protection)
More informationOBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;
OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation
More informationBig Data for Mutuals. Marc Dautlich 25 November 2013
Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?
More informationDATA PROTECTION POLICY
Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationLaw Firm Cyber Security & Compliance Risks
ALA WEBINAR Law Firm Cyber Security & Compliance Risks James Harrison CEO, INVISUS Breach Risks & Trends 27.5% increase in breaches in 2014 (ITRC) Over 500 million personal records lost or stolen in 2014
More informationLEGISLATION CONCERNING DATA PROTECTION
1. LEGISLATION CONCERNING DATA PROTECTION - EU in General - Selected countries BEFINE SOLUTIONS AG July-September 2013 By Paola Clavijo CONTENTS 1) Executive Summary 2 2) European Legislation 2 3) United
More informationHuman Resources Policy documents. Data Protection Policy
Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and
More informationDATA PROTECTION AND DATA STORAGE POLICY
DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether
More informationEXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS 2007. 2007 No. 2199
EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS 2007 2007 No. 2199 1. This explanatory memorandum has been prepared by the Home Office and is laid before Parliament by Command of
More informationCyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft
Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security
More informationEveryone in the workplace has a legal duty to protect the privacy of information about individuals. AEP/BELB/LJ/2010 Awareness Session
Everyone in the workplace has a legal duty to protect the privacy of information about individuals AEP/BELB/LJ/2010 Awareness Session During 2007 alone, 36,989,300 people in the UK have had their private
More informationPRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide
PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG
More informationPRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)
PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard
More informationData Protection Policy
1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The
More informationIdentifying Cyber Risks and How they Impact Your Business
10 December, 2014 Identifying Cyber Risks and How they Impact Your Business David Bateman, Partner, K&L Gates, Seattle Sasi-Kanth Mallela, Special Counsel, K&L Gates, London Copyright 2013 by K&L Gates
More informationThis Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.
Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment
More information13772/14 GS/np 1 DG D 2C
Council of the European Union Brussels, 3 October 2014 (OR. en) Interinstitutional File: 2012/0011 (COD) 13772/14 DATAPROTECT 129 JAI 730 MI 726 DRS 120 DAPIX 137 FREMP 164 COMIX 503 CODEC 1926 NOTE From:
More informationIndustrial Control Systems Cyber Emergency Response Team (ICS-CERT) 2014: 245 incidents reported
Protecting What Matters Most Christian Fahlke, Regional Sales Manager ALPS March 2015 Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) 2014: 245 incidents reported (Source: https://ics-cert.us-cert.gov/sites/default/files/monitors/ics-cert_monitor_sep2014-feb2015.pdf)
More informationGuidance on data security breach management
Guidance on data security breach management Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction
More informationCYBER RISK MANAGEMENT IN THE BOATING INDUSTRY
CYBER RISK MANAGEMENT IN THE BOATING INDUSTRY Carmelo Torraca, Esq. New Jersey Marine Trades Association March 2015 E-commerce has permanently transformed the way business-to-business and business-to-customer
More informationEnrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------
w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------
More informationData Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
More informationData breach notifications in the EU
Data breach notifications in the EU About ENISA The European Network and Information Security Agency (ENISA) is an EU agency created as a response to security issues of the European Union. The Agency's
More informationPrivacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues
Doing Business in Oregon Under the Oregon Consumer Identity Theft Protection Act and Related Privacy Risks Privacy Data Loss www.breachblog.com Presented by: Mike Porter March 10, 2009 2 Privacy Data Loss
More information