Navigating the Privacy Law Landscape - US and Europe

Transcription

1 21 January, 2015 Navigating the Privacy Law Landscape - US and Europe Roberta Anderson, Partner, K&L Gates, Pittsburgh Friederike Gräfin von Brühl, Senior Associate, K&L Gates, Berlin Etienne Drouard, Partner, K&L Gates, Paris Andrew Gilchrist, Senior Associate, K&L Gates, London Copyright 2013 by K&L Gates LLP. All rights reserved.

2 Data Breach and Notification a U.S. Perspective

3 klgates.com 3

4 klgates.com 4

5 Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014) klgates.com 5

6 v v v v Source: Ponemon Institute LLC Global Report on the Cost of Cyber Crime (October 2014) v klgates.com 6

7 NOTICE REQUIREMENTS Different Types of Notice Industry-Specific, e.g. HIPAA / HITECH 47 Different State Notification Laws e.g., Pennsylvania Business Partners e.g., New Jersey Comprehensive Federal Law? Others, e.g., Regulators, AGs, Consumer Reporting Agencies, Law Enforcement? Media Social Media SEC Filings klgates.com 7

8 NOTICE REQUIREMENTS v v Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014) klgates.com 8

9 NOTICE REQUIREMENTS Industry-Specific, e.g. HIPAA / HITECH, GLB v v klgates.com 9

10 NOTICE REQUIREMENTS 47 different state notification laws, e.g., Pennsylvania klgates.com 10

11 NOTICE REQUIREMENTS Business Partners, e.g., New Jersey Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its New Jersey customers, as provided in subsection a. of this section, of any breach of security of the computerized records immediately following discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person. klgates.com 11

12 NOTICE REQUIREMENTS Comprehensive Federal Law? klgates.com 12

13 NOTICE REQUIREMENTS klgates.com 13

14 NOTICE REQUIREMENTS klgates.com 14

15 NOTICE REQUIREMENTS klgates.com 15

16 SEC CYBERSECURITY GUIDANCE [A]ppropriate disclosures may include : Discussion of aspects of the registrant s business or operations that give rise to material cybersecurity risks and the potential costs and consequences ; To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks ; Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences ; Risks related to cyber incidents that may remain undetected for an extended period ; and Description of relevant insurance coverage. Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, 16

17 NOTICE REQUIREMENTS We note your disclosure that an unauthorized party was able to gain access to your computer network in a prior fiscal year. So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage. - Alion Science and Technology Corp. S-1 filing (March 2014) klgates.com 17

18 Personal Data Breaches and Notifications a UK perspective

19 LEGISLATIVE REQUIREMENTS Directive 95/46/EC transposed into UK law by the Data Protection Act 1998 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (Part 1(7), Schedule 1 to DPA) 7 th principle. No prescriptive requirements, unless sector specific regulation. No one size fits all but three principles: 1. Risk assessment what is appropriate given type of data? Regard to be had to state of technology / implementation cost compared to what harm might result from breach. 2. Reliability of employees 3. Vet your data processors written contracts Guidance from regulator (UK Information Commissioner s Office): Encryption? Data storage vs. transmission. International Standard / Cyber Essentials Scheme. Anonymisation? Data Sharing Code of Practice Internal policies IT Internet use / data retention and destruction / data security / training Processes and security protocols staff vetting and access control Disposal (CESG approved?) / decommissioning Software Updates (remedy vulnerabilities) / SQL Injections (high risk) Authentication / hashing / salted hashing

20 WHO DO WE NEED TO NOTIFY? What sector are you in? PECR Notifications only compulsory for publically available electronic communication services same across all of EU i.e. telcoms / ISPs. 24 hours after breach detection UK ICO. Other regulated sectors Gambling Commission / FCA / Public sector. Everyone else no legal requirement, but ICO guidance. Should notify if serious. Overriding consideration: potential harm to individuals. Can mitigate fines vs danger of over-notifying. Notify data subjects? Do they need to take steps to protect themselves? Contractual obligation to notify? Police / insurers / professional bodies / bank or credit card companies.

21 UK ICO ENFORCEMENT Make assessments (re-active or pro-active) Serving Information Notices / Special Information Notices Enforcement Notices Powers of entry, inspection, seizure of documents / equipment Fines of up to 500,000 serious breaches contravention deliberate or the data controller knew or ought to have known that there was a risk that the contravention would occur, and of a kind likely to cause substantial damage / distress but failed to take reasonable steps to prevent it. (s.55(a) DPA). Selective enforcement / limited resources Individual has a direct right of action and right to compensation Criminal offences failure to comply with an Information / Enforcement Notice (Directors can also be prosecuted).

22 ENFORCEMENT TRENDS Leading video games provider (Jan 2013) Network platform subject to several DDoS ( distributed denial of service ) attacks Hacker access customer details and passwords (no cardholder information) 100 million customers thought to be affected. Data Controller didn t keep up to date with technical developments. Didn t deal with system vulnerabilities even though update available Didn t use cryptographic controls for passwords History of attacks but still used platform to hold vast amounts of personal data Didn t react quickly enough Voluntarily reported (mitigating factor) 250,000 fine Internal cost to Data Controller thought to be in region of $171 million. Booking agent for travel services (Dec 2012) SQL Injection attack, allowed hacker to access over 1 million card payment details (half of which were active). Data Controller no penetration tests / vulnerability scans and checks on basis webserver was not external facing (but could still be access over internet by individuals with basic technical skills) No evidence of actual harm / fraud Voluntarily reported (mitigating factor) 150,000 fine.

23 JULY SEPT 2014 Source:

24 JULY SEPT 2014 Source:

25 FUTURE DEVELOPMENTS Nov Cyber Security Strategy produced. Set agenda until 2015/16. Set up National Cyber Security Programme (NCSP) with 860 million funding over five years. Falls under supervision of Cabinet Office. Published progress against objectives in Dec September BIS issued guidance for companies CESQ (information security arm of GCHQ) - 80% of known attacks defeated by basic security practices CERT-UK set up on 31 March 2014 to take the lead in coordinating the management of national cyber security incidents and will act as the UK central contact point for international counterparts in this field as will be required under upcoming European Cyber-Security Directive. 5 Jun New ISO Standard based on ISO Certification to demonstrate that industry-minimum cyber security measures adopted. From 1 October 2014, the government will require certain suppliers bidding for certain information handling contracts to be Cyber Essentials certified. No UK specific legislation on horizon but watch out for European Data Protection Regulation and Network and Information Security Directive.

26 Personal Data Breaches and Notifications a German perspective

27 LEGISLATIVE REQUIREMENTS Directive 95/46/EC transposed into German law by the Federal Data Protection Act (BDSG) Sect. 9 / Annex 1 to sec. 9 BDSG requires data processors/controllers to implement adequate technical and organisational measures for data security, in particular: 1. Access control: Preventing unauthorised persons gaining access to data processing systems; preventing data processing systems from being used without authorisation; ensuring that authorised persons can only access data they are authorised to access. 2. Disclosure control: Ensuring that data cannot be read, copied, etc. during electronic transfer or recording; ensuring transparency which bodies data will be transferred to. 3. Input control: Ensuring possibility to trace alteration or deletion of data. 4. Job control: Ensuring in case of commissioned data processing compliance with the controllers instructions 5. Availability control: Ensuring personal data is protected against accidental destruction or loss

28 WHEN DO WE NEED TO NOTIFY TO DATA PROTECTION AUTHORITY (DPA) AND INFORM DATA SUBJECT? General notification obligation to DPA and Data Subject, applicable to all private bodies and certain public bodies (Sect. 42a BDSG): Unlawful disclosure of special categories of personal data (e.g. ethnic heritage, religious beliefs, data referring to criminal offences or subject to professional secrecy) Threatening serious harm to the rights or legitimate interests of data subjects Information to DPA: Without undue delay Nature of the disclosure and possible harmful consequences Information to Data Subject: Without undue delay, as soon as data is secured and criminal investigation is not endangered Nature of the disclosure; recommendations to minimise possible harm klgates.com

29 ENFORCEMENT BY THE DPAS IN GERMANY German DPAs may (Sect. 38 BDSG): Monitor the implementation of the BDSG and other provisions on data protection matters including Right to request information by processors and Right to enter the property and premises for inspections Notify data subjects in case of violation and report to prosecution authorities Order measures to remedy violations (e.g. prohibiting data processing) Raise fines up to EUR 300,000 in case of intended or negligent violation of certain provisions of the BDSG or other regulations on data protection (Sect. 43 BDSG)

30 ENFORCEMENT TRENDS There still is no common code of practice among DPAs, which leads to varying practices in different German states ( Länder ). In the past, German DPAs were not very strict in enforcing data protection laws by raising fines. Example 1: Google StreetView ( ): Google provides panorama pictures for Street View While taking these pictures, surrounding WiFi data were scanned accidentally Competent DPA (Hamburg) raised fine of EUR 145,000 Example 2: AOL Server Breakdown (2014): Server Breakdown caused a leak of 500,000 user access data sets Stolen data was used for spam-mail wave Provider did not notify breach to DPA but informed users Presumably no action by competent DPA

31 NUMBERS AND TABLES No absolute numbers on breaches and notifications; all DPAs are obliged to publish data protection reports, but they vary and can hardly be compared Statement of Federal Commissioner for Data Protection: March 2011 October 2013: 501 notifications in total TelCom Sector: 2012: 27 notifications 2013: 66 notifications

32 FUTURE DEVELOPMENTS Federal Commissioner for Data Protection endorses stricter enforcement of data protection, especially in the telecommunications sector Legislative framework: Draft version of a German Regulation for IT-Security Draft EU Regulation

33 Personal Data Breaches and Notifications The French perspective

34 LEGISLATIVE REQUIREMENTS Directive 95/46/EC implemented in August 2004 into the French Data Protection Act of 1978 Directive 2009/136/EC eprivacy implementing data breach requirements in August 2010 Breach of personal data - The French definition and scope Any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure or unauthorised access to personal data processed in the context of providing electronic communication services to the public. Data breach notifications are only required from telco operators and internet access providers For any breach of personal data processed by electronic communication service providers operating electronic communication networks with open public access.

35 LEGISLATIVE REQUIREMENTS Two categories of notifications 1. To the French DPA Within 24 hours of the effective knowledge, through an electronic procedure, whatever is the potential impact of the breach of personal data Notify at least the existence of the breach Within 72 hours of the effective knowledge, through an electronic procedure, describing the breach in details: Categories of data breached, Origin, specificities and duration of the breach, Security measures and patches implemented, Potential impact on the privacy of the affected parties, Spontaneous information of the affected parties.

36 LEGISLATIVE REQUIREMENTS Two categories of notifications 2. To the affected parties If said breach is likely to breach personal data security or the privacy of a subscriber or any other individual. Unless the French DPA has found that appropriate protection measures have been implemented by the service provider to ensure that the personal data are made undecipherable to any unauthorised individuals and have been applied to the data affected by said breach. Failing this, the French DPA may serve the service provider with a formal notice to inform the affected parties as well, after investigating the severity of the breach.

37 LEGISLATIVE REQUIREMENTS Recording of all breaches Each provider of electronic communication services must keep and make available to the French DPA upon request, an updated record of all breaches of personal data, listing the conditions, effects and measures taken as remedies.

38 ANALYSIS PERFORMED BY THE FRENCH DPA The DPA has up to two months to: Consider the potential impacts of the breach on data security and privacy protection; Estimate whether security measures implemented before the breach were appropriate; Evaluate whether information measures taken towards the "affected parties" were sufficient.

39 ENFORCEMENT The DPA may: Require the company (Telcos and ISPs) to inform affected parties or the general public. Apply any administrative fine up to 150,000 After an adversarial public or closed procedure where the company may be assisted by its counsel. Publish a description of the breach: on its website, or on any appropriate medium at the company s expense. Publish whole or part of the ruling against the company on its website, or on any appropriate medium at the company s expense.

40 ENFORCEMENT As of now: 7 condemnations in condemnations in 2014 Fines between 20,000 and 100,000 (max.) The French DPA has almost systematically been publishing its rulings regarding data breaches During 2015: A draft bill will be discussed starting June 2015: extending data breach notification requirements to any data controller or processor, in any sector (public or private) providing for penalties up to: 1,000,000, or 2% of the global annual turnover, whichever the highest.

41 New Draft EU Data Protection Regulation Mandatory Data Breach Notification

42 INTRODUCTION Draft EU Data Protection Regulation COM(2012)0011 C7-0025/ /0011(COD); draft version published by Commission in 2012, adopted by European Parliament in March 2014; shall replace the Data Protection Directive 95/46/EC What are the goals? Protection of individuals with regard to the processing of personal data Free movement of personal data Protection of the fundamental rights and freedoms of natural persons Details: transfer of personal data to third countries or international organisations; mandatory data protection officer; role of independent supervisory authorities; cooperation and consistency; remedies, liability and sanctions

43 THE "DATA BREACH" REGULATION 2013/611 Electronic communications service providers must report any personal data breach to the relevant national data protection authorities and, as the case may be, to the data subjects themselves. The notification requirement targets Internet service providers and telco operators. service providers are not impacted yet. The draft Privacy Regulation will extend data breach notification to any controller (expected in 2016) Non-compliance with the notification requirement is subject to criminal sanctions

44 MANDATORY NOTIFICATION OBLIGATION - DETAILS Art. 31: Notification Art. 32: Communication Who has to notify? All data processors and commissioned data processors Who has to communicate? All data processors To whom? Data processors to the competent DPA Commissioned data processors to data processor To whom? Data subject Reason? Personal data breach Reason? Personal data breach is likely to adversely affect the protection of personal data or privacy klgates.com 44

45 MANDATORY NOTIFICATION OBLIGATION - DETAILS Art. 31: Notification Art. 32: Communication When has to be notified? Without undue delay and where feasable not later than 24 hours after having become aware of the breach When has to be communicated? After notification to DPA without undue delay What has to be notified? Nature and consequences of the breach, contact information, measures to mitigate possible adverse effects What has to be communicated? Nature of the breach and measures to mitigate the possible adverse effects klgates.com 45

46 ENFORCEMENT Competent supervisory authority may sanction administrative offences Amount of fine shall depend on the technical and organisational measures implemented and on the collaboration with the supervisory authority Fine can be fixed up to EUR 100,000,000 or 5 % of annual worldwide turnover, whichever is higher klgates.com

47 Next Cyber Risk webinar Insuring against Cyber Risks: What are the options, and how can you maximize coverage? 25 February :30 GMT, 11:30 EST, 08:30 PST klgates.com 47

48