Security incidents affecting personal data: an exploratory travel from technology to law (*under Chatham House Rule)

Similar documents
Privacy and Electronic Communications Regulations

The potential legal consequences of a personal data breach

COMMISSION REGULATION (EU) No /.. of XXX

Overview of the HIPAA Security Rule

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

So the security measures you put in place should seek to ensure that:

Practical Overview on responsibilities of Data Protection Officers. Security measures

HIPAA Security Rule Changes and Impacts

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Guidance on data security breach management

Procedure for Managing a Privacy Breach

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

SECTION-BY-SECTION ANALYSIS

Big Data, Big Risk, Big Rewards. Hussein Syed

HIPAA BREACH NOTIFICATION REQUIREMENTS. Heman A. Marshall, III July 25, 2014

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

CERTIFICATE IN DATA PROTECTION DATA SECURITY & DATA PROTECTION. Presented by Sophie More O Ferrall 9 February 2015

Guidance on data security breach management

VMware vcloud Air HIPAA Matrix

SUPPORT TO KOSOVO INSTITUTIONS IN THE FIELD OF FOR PROTECTION OF PERSONAL DATA

Follow the trainer s instructions and explanations to complete the planned tasks.

Data Security Breach Management - A Guide

ST IVES CHAMBERS POLICY ON THE COLLECTION AND USE OF DIVERSITY DATA

POLICY. on the Protection of Personal Data of Persons of Concern to UNHCR DATA PROTECTION POLICY

EURODAC Central Unit. Inspection Report

Document Control. Version Control. Sunbeam House Services Policy Document. Data Breach Management Policy. Effective Date: 01 October 2014

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board

My Docs Online HIPAA Compliance

Security breaches: A regulatory overview. Jonathan Bamford Head of Strategic Liaison

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

This procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.

Appendix 11 - Swiss Data Protection Act

Cloud Computing Security Considerations

Working Practices for Protecting Electronic Information

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Office 365 Data Processing Agreement with Model Clauses

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

M E M O R A N D U M. Definitions

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Data Processing Agreement for Oracle Cloud Services

The supplier shall have appropriate policies and procedures in place to ensure compliance with

Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

How to Practice Safely in an era of Cybercrime and Privacy Fears

BUSINESS ASSOCIATE AGREEMENT

Risk Management Policy

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Data Privacy & Security: Essential Questions Every Business Must Ask

20. Exercise: CERT participation in incident handling related to Article 4 obligations

Data Protection Act Bring your own device (BYOD)

Guidelines 1 on Information Technology Security

Applying the legislation

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Top Ten Technology Risks Facing Colleges and Universities

Big Data for Mutuals. Marc Dautlich 25 November 2013

GDPR & Cloud Providers Keynote Presentation

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

Data Security Incident Response Plan. [Insert Organization Name]

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

UF IT Risk Assessment Standard

Information Security Program Management Standard

INFORMATION TECHNOLOGY SECURITY STANDARDS

Information Security Policy

New EU Data Protection legislation comes into force today. What does this mean for your business?

Data Protection Breach Management Policy

Network Security: Policies and Guidelines for Effective Network Management

BUSINESS ASSOCIATE AGREEMENT

Mitigating and managing cyber risk: ten issues to consider

ECSA EuroCloud Star Audit Data Privacy Audit Guide

Cyber Security. John Leek Chief Strategist

COMMERCIALISM INTEGRITY STEWARDSHIP. Security Breach and Weakness Policy & Guidance

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

13772/14 GS/np 1 DG D 2C

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Cloud Security under Forthcoming Laws

Attachment A. Identification of Risks/Cybersecurity Governance

Third Party Security Requirements Policy

Security Is Everyone s Concern:

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

ISO27001 Controls and Objectives

University of Sunderland Business Assurance Information Security Policy

Information Technology

Industry. Cyber Security. Information Sharing at the Technical Level. Guidelines

Article 29 Working Party Issues Opinion on Cloud Computing

Data Management Policies. Sage ERP Online

Security Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments

Incident Reporting Guidelines for Constituents (Public)

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. rny@crlaw.com Phone: (336)

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

Our Commitment to Information Security

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

CyberEdge. Desired Coverages. Application Form. Covers Required. Financial Information. Company or Trading Name: Address: Post Code: Telephone:

Data Breach Management Policy and Procedures for Education and Training Boards

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

DATA AND PAYMENT SECURITY PART 1

RFID and Privacy Impact Assessment (PIA)

Transcription:

Security incidents affecting personal data: an exploratory travel from technology to law (*under Chatham House Rule) DPO meeting 8 May 2015 Mario Guglielmetti Legal officer Unit Supervision and Enforcement

*** When law and technology come together, magical things happen

Security risks management: starting points! 1. The technological (digital) environment: high degree of interconnectivity and interdependency! Public-private networks; Networks-devices (smartphones, etc.); Controllers-processors* (cloud, etc.) 2. Variety of possible threats, vulnerability, events (the great plurality of incident source(s)-incidents points of entry!): Intentional/accidental; Internal/external; Human/technical; Basic/sophisticated.. 3. Variety of possible damages!: Impact on: (i) confidentiality; (ii) integrity; (iii) availability. Effect of: loss of reputation, trust, privacy, disruption of operation, loss of financial assets, lawsuits.. now, Your experience?

«Security breach, personal data breach, or..both?» What about the following? -Generic phishing attack is received by users (but the attack is promptly detected and no passwords, user names,.. are given) -An equipment failure has caused the temporary interruption of a main Information System -A user reports the theft of Agency s portable computer containing sensitive information -A staff member accessed personal data he/she is not authorised to access

«The Challenge» We need: A systemic and holistic approach and proximity (control works better when close to the possible incidents point of entry); Support by the highest level of leadership; A formal framework («write down what you do, do what you write down») subject to audit and review cycles still, flexible enough to allow forward looking responses to emerging risks.

«The RACI Matrix» Responsible: the concept of «ownership» of the incident; Responsibility may or may not be legal; R. even for risk reduced to an acceptable level (residual risk). Accountable (Internally): to whom R is accountable; Consulted: he/she has information and/or capability which are necessary for the handling of the incident; Informed: must be notified of results (of the incident handling), but doesn t need to be consulted. Who is responsible?/ Who is accountable? To whom?/ Who must be consulted? For what?/ Who must be informed?

«The Incident Management. Steps:» 1. Incident detection and reporting; 2. Incident handling: Assessment (different gravity assessment models in use, e.g.: SE = DPC x EI + CB*) Containement 3. Incident record How RACI fits into this? And in case of processor s DB? ENISA: Severity = data protection context x ease of identification + circumstances of the breach

«Communication:» - (internally and/or externally) Info to DS (after conclusion of the investigation) «except in cases in which such provision of info could cause serious harm to the organization» (examples?) (info to DS as containement?); - (internally) Info to LISO: all IT security incidents; - (internally) Info to DPO: all security incidents related to PD. Role of the DPO? (internal supervisor, contact point..)

*** Reporting mechanism for IT security incidents affecting personal data: «Information systems security events must be reported through designated channels as quickly as possible. In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to PD processed by Commission information systems, the system owner needs to inform the DPO» (COM Guidance on data breach) 10

«NIST incident response life-cycle»

finally.. Back to the future (law)! One (general) remark: the GDPR may seem to look at PDB from the perspective of a formal requirement (the top of the iceberg ). For (some) holistic view see interfaces of PDB with DPIA; Security measures; Privacy by design/by default Art. 30; 33; 23.

Why notifying? As a security safeguard As openness about privacy practices To restore control over personal information To ensure public trust

Question time (please vote)! Art. 31 (GDPR) The controller (the externally accountable person) shall notify the PDB to the supervisory authority. 1. On what: All DB OR DB likely to result in (high) risks for the individual such as... (note, second option implies a DB severity assessment focussed on the DS harm; should a different threshold be set out for DBN to supervisors?) 2. On when: 24 hours after having became aware (*upon notification from incident owner) or provide justification OR 72 hours OR two-steps, that is first preliminary and second phase notification?

3. On the content: * - Is it always possible and appropriate to describe categories and number of DS and categories and number of data records concerned? - Other elements of content are more stable : nature of PDB; contact details of DPO (or others *which?); measures recommended to mitigate adverse effects; consequences (*OR likely consequences?); measures taken or proposed to be taken by controller address the PDB. 4. On the Incident record: - Documentation to enable to verify complaince with DBN article OR and with article on security of processing? (Art. 30)

** Art. 32 (GDPR) The controller (the externally accountable person) shall notify the PDB to the DS. Questions (please vote): On what: DB likely to adversely affect the protection of PD or the legitimate interests of the DS OR DB likely to result in (high) risks for the individual such us...? (note: Art. 31 always implies a DB severity assessment focussed on the DS harm); On when: without undue delay (stable, no vote)

** 3. On the content of the DBN: Nature of the DB, plus: DPO contact details (stable, no vote); Consequences OR likely consequences as identified by controller (the legally R.); Measures taken or proposed by the controller to address the DB; Measures the DS should take to mitigate the adverse effects.

** 4. On when NOT to notify the DB: -The controller has implemented appropriate techological and organizational measures (e.g. encryption); or (additional cases): -The controller has taken subsequent measures that ensure that the risk thresold for the DS is no longer reached; -Disproportionate effort (and public communication instead?); -The DBN would adversely affect a substantial public interest (would it cover the «serious harm to the organization» referred before? Is postponing an option?)

Thank you for your participation! For more information: www.edps.europa.eu edps@edps.europa.eu @EU_EDPS

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information