Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Transcription

1 Separating fact from fiction about new software licensing /SaaS/ cloud computing models: advantages, disadvantages and ethical implications. Information Security Risks when going cloud. How to deal with data security: an EU perspective. Javier Fernández-Samaniego Partner Bird & Bird Page 1

2 Cloud computing raises a number of specific legal challenges in relation to the right of data protection and data security risks: cyber fraud or crime + loss of control over individual identity data issues of jurisdiction and responsibility data transfers / processing to third countries data breach management Page 2

3 Page 3 Data security: EU framework

4 Data security: relevant EU legislation Data Protection Directive 95/46/EC article 17 Amended e-privacy Directive 2002/58/EC article 4 Proposal for a EU General Data Protection Regulation articles Page 4

5 EU views on Cloud Computing Opinion 5/2012 on Cloud Computing of Art. 29 DP Working Party (July 2012) UK Information Commissioner's Office Guidance on the use of Cloud Computing (September 2012) Page 5

6 ISO New and improved ISO/IEC standards Page 6

7 Relevant EU Agencies EC3 - European Cybercrime Center at EUROPOL Focuses on following areas of cybercrimes: committed to organized groups to generate large criminal profit such as online fraud while causes serious harm to the victims such as online sexual exploitation which affects critical infrastructure and information systems in the EU ENISA - European Network and information Security Agency Hub for exchange information, best practices and knowledge of information security Page 7

8 The security of processing obligations under Directive 95/46/EC (I) The security obligation (art. 17): the controller must implement appropriate technical and organizational measures (TOMs) to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing of personal data. Organizations need to ensure an appropriate level of security taking into account: State of the art in security Cost of their implementation Level of security appropriate to: Nature of the data to be protected Nature of the risks Page 8

9 The Security of Processing obligations under Directive 95/46/EC (II) Using data processors art Processor must provide sufficient guarantees in respect of TOMs Processor must ensure compliance with those measures Need of Data Processing Agreements governing relationship between controller and processor Page 9

10 The Security of Processing obligations under Directive 95/46/EC (III) Implementation TOMs determined by controller Germany Netherlands Sweden Security guidelines issued by DPA UK Belgium TOMS imposed by law Spain Italy Page 10

11 TOMs International Transfer of Data Standard Contractual Clauses for transfer to third countries processors: Data exporter must provide sufficient guarantees in respect of TOMs of Appendix 2 SCCs Data importer: must implement TOMs of Appendix 2 SCC before processing promptly notify data exporter of security incidents submit data centres / processing facilities for audit Appendix 2: Description of TOM implemented by data importer Page 11

12 Security of processing under Proposal of EU Regulation Article 30 of the Proposal of EU Regulation: The controller and the processor shall implement appropriate TOMs Page 12

13 Information Security Incidents & Personal Data Breaches Page 13

14 Definitions and distinctions Personal Data Breach: Means a breach of Security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communication service in the Community (Amended e-privacy Directive) Information Security Incident: A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security Page 14

15 Definitions and distinctions A personal data breach can be the result of a security incident, but also a loss of user control. An information security incident does not necessarily entail a personal data breach and vis-versa. Page 15

16 Page 16 Global Breach Notification Laws

17 Page 17

18 Security breach notifications US: security breach notification laws in most States EU: Article 4 of amended e-privacy 2002/58/EC Directive: Requirement for the electronic communication sector Proposal of the EU General data Protection Regulation (Article 31 and 32) Towards a general obligation of reporting data breaches: to the supervisory authority to the individuals affected Page 18

19 Security breach notifications: EU Perspective To whom and in what circumstances and timeframes a notification required (trigger)? In the case of a personal data breach without delay (and where feasible, not later than 24 hours after having become aware of it*) TO: COMPETENT NATIONAL AUTHORITY The personal data breach is likely to adversely affect the personal data or privacy TO: INDIVIDUAL AFTER NOTIFICATION TO AUTHORITY (EXCEPTIONS) *Article 31 Proposal of DP Regulation Page 19

20 Security breach notifications: EU Perspective Who is obliged to notify? Amended e-privacy Directive: Providers of publicly available electronic communication services Proposal of DP Regulation Controllers shall notify Processors shall alert and inform the controller immediately after the establishment of a personal data breach. Page 20

21 Security breach notifications: EU Perspective Working Document 1/2011 on the current EU personal data breach framework and recomendations for future policy developments Page 21

22 Security breach notifications: EU Perspective April 2012 Recommendations on technical implementation guidelines of Article 4 e-privacy Directive See [presentation of Manuel García Sánchez, Spainsh DPA] Page 22

23 Security breach notifications: EU Perspective Conclusions: Importance of being proactive and prepared Need for a holistic personal data management procedure Two-phased assessments and twophased notifications Review and improve Page 23

24 Thank you Javier Fernández-Samaniego Partner Bird & Bird (Spain) LLP Jorge Juan, 8 1 Madrid Spain Page 24