Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate)

Similar documents
Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

The potential legal consequences of a personal data breach

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Knowhow briefs Privilege

ONLINE PAYMENTS: Bridging the Gap between Fraud Prevention and Data Protection

COMMISSION REGULATION (EU) No /.. of XXX

Data Centres North Data Centre Security is the tail wagging the dog? May

Welcome to our Summer London seminar programme 2016

Big Data for Mutuals. Marc Dautlich 25 November 2013

Privacy and Electronic Communications Regulations

Dealing with data breaches in Europe and beyond

Navigating the Privacy Law Landscape - US and Europe

Knowhow briefs Statute of limitation - EMEA comparative table

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

UK Employee Incentives and Benefits

Real estate transfer tax (RETT) Blocker

Key HR Legal Issues for Asset Managers. Andrea Finn, Ian Fraser & Julian Taylor

ENA SHE12 Major Incident H&S Aspects a Lawyer s perspective. Kevin Bridges Partner and Chartered Safety and Health Practitioner

Issue #5 July 9, 2015

Insurance and reinsurance news

Follow the trainer s instructions and explanations to complete the planned tasks.

Global investigations: what employers need to know about investigating employees

What is Cyber Security?

CSR Breach Reporting Service Frequently Asked Questions

Maintenance Repair Overhaul (MRO) and Supply Chain Contracts

Brand Management Services

The era of hacks and cyber regulation

Pinsent Masons. Competition Law Dawn Raid Checklist & Guidelines. What to do in the first hour of a dawn raid

Merger Control Issues and Private Equity Transactions

Data Protection Breach Management Policy

What is Cyber Security? Why work with us?

IAPP Practical Privacy Series. Data Breach Hypothetical

The supplier shall have appropriate policies and procedures in place to ensure compliance with

An introduction to European employment law for Japanese companies

Data Breach Notification Duty. Dr. Elisabeth Thole 31 October 2015 UIA Valencia

Security breaches: A regulatory overview. Jonathan Bamford Head of Strategic Liaison

Personal Data (Privacy) (Amendment) Ordinance Use and Sale of Personal Data for Direct Marketing.

THE ANATOMY OF A CYBER POLICY. Jamie Monck-Mason & Andrew Hill

Entrepreneurs' Relief and Growth Shares

An introduction to European employment law for Korean companies

Knowhow briefs Without Prejudice

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Trading Halt Conclusions from the Hong Kong Stock Exchange s Consultation

HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU

MORRISON I FOERSTER. Legal Updates & News. Data Breach Notification: Debate in the EU May 2008 by Ann Bevitt, Karin Retzer. Bulletins.

IP & IT Bytes. Copyright: website-blocking order against internet service providers

Local expertise & multinational deals & fresh ingredients & brand innovations & added value in regulation & from raw materials to consumer products &

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

Changes to Consumer Credit Regulation

Small businesses: What you need to know about cyber security

Cyber and Data Security. Proposal form

Legal Ethics in the Information Age: Unique Data Privacy Issues Faced by Law Firms. v , rev

20. Exercise: CERT participation in incident handling related to Article 4 obligations

China's New Company Registration Regime.

Insurance issues for commercial development

Cyber Risks in Italian market

Cloud Computing: A Primer on Legal Issues, Including Privacy and Data Security Concerns. Privacy and Information Management Practice / Washington, DC

The HR Skinny: Effectively managing international employee data flows

Managing tax disputes: What the non-tax-lawyers need to know

Tracking Compliance: Data Protection Risks and Remedies for Retail Janine Regan. charlesrussellspeechlys.com

Utica College. Information Security Plan

Enterprise Management Incentives ("EMI")

Cyber Risks and Insurance Solutions Malaysia, November 2013

Knowhow briefs The Brussels regulation at a glance

The impact of the personal data security breach notification law

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Network Security & Privacy Landscape

Long Term Incentive Plans and Deferred Bonus Plans

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

The Most Innovative Law Firm in Europe. Corporate Seminar programme 2016

New board pay rules are they working? Key statistics

A practical guide to IT security

Law Firm Cyber Security & Compliance Risks

The Legal Pitfalls of Failing to Develop Secure Cloud Services

b. USNH requires that all campus organizations and departments collecting credit card receipts:

PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS

Data Breaches and Trade Secrets: What to Do When Your Client Gets Hacked

Cybersecurity y Managing g the Risks

cloud accounting FACTS AND FICTION

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

Guidance on data security breach management

MiFID II: The New Investor Protection Regime

Table of Contents. Acknowledgement

Page 1. Copyright MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

APRIL 2015 ARE YOU READY FOR THE SENIOR MANAGERS AND CERTIFICATION REGIME?

Cyber Insurance Presentation

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Cyber/ Network Security. FINEX Global

FSA paper on conflicts of interest between asset managers and their customers

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Data Protection and Cloud Computing: an Overview of the Legal Issues

Am I a Business Associate?

Data Processing Agreement for Oracle Cloud Services

Transcription:

Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate)

Why is this a challenge? When personal data is compromised, mandatory or recommended notification requirements may apply. This means for your organisation, possible obligations to inform: Competent authorities; and/or Affected individuals If not addressed properly: Possible risks of sanctions (e.g. criminal liability, fines, damages) Potential impact on share price or bad publicity (e.g. Target & theft of customer data) It is therefore of the utmost importance to have a very practical understanding of the issue Page 2

Current legal NORAC framework Countries General breach notification regime? YES: well established patchwork of multiple and sometimes conflicting mandatory notification regimes YES: distinctions per province (i.e. mandatory regime in Alberta, recommended regimes elsewhere) YES: mandatory regime Page 3

Current legal EU framework EU LEVEL Only PECS (e.g. telco or ISP) are subject to data breach requirements from Directive 2002/58/EC updated by Regulation 611/2013 MS LEVEL Possible recommended or mandatory general data breach requirements from member states (e.g. UK, Ireland, Germany, Belgium) Keep an eye on EU developments (i.e. draft DP regulation, cyber security directive) Possible sectorial breach requirements (e.g. financial institutions, critical infrastructure providers in France) Page 4

Sample of the legal APAC framework Countries General breach notification regime? NO YES: mandatory regime YES: recommended regime Page 5

What amounts to a 'breach'? Issue to be looked at from a country level perspective Any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed Practical scenarios Four laptop computers were stolen from the HR department An employee has given to a third party the login and password for an account with global access read only right to the client database. Logs evidence use of the account by this third party. As above, but the data was unintelligible for the third party Inadvertently sending an email to 1,800 customers: instead of placing the addresses in the bcc line, the to: line is used Breach? YES YES YES, but Possibly Page 6

Timing dilemma Depending on the breach notification regimes applicable to your organization, different and sometime conflicting timing obligations may apply Illustrations: notification within 24 hours notification within 72 hours notification without undue delay In practice, many affected organisations do not satisfy short timing notification obligations Page 7

Key things to do in case of a breach Involve your in-house and/or external counsel to benefit from privilege Think about your possible contractual obligations (e.g. providers, PCI) Anticipate the following questions: Root cause of breach (e.g. criminal conduct, documents lost?) What information was accessed? Type of access = view vs. edit/download Affected individuals: Number of affected individuals Internal only or also external Potential harm Roll-out your remediation plan Stay discrete Page 8

My 4 tips for you today Trap/bug your data sources Implement a breach policy procedure Meet w/ your broker or insurance people Stay calm! Page 9

Questions gabriel.voisin@twobirds.com Follow me on Twitter: @gvoisin Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address. twobirds.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information