Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Separating fact from fiction about new software licensing / SaaS / cloud computing models: advantages, disadvantages and ethical implications.
Information Security Risks when going cloud. How to deal with data security: an EU perspective.
Javier Fernández-Samaniego, Partner, Bird & Bird

Cloud computing raises a number of specific legal challenges in relation to the right of data protection and to data security risks:
cyber fraud or crime + loss of control over individual identity data
issues of jurisdiction and responsibility
data transfers / processing to third countries
data breach management

Data security: EU framework

Data security: relevant EU legislation
Data Protection Directive 95/46/EC, article 17
Amended e-privacy Directive 2002/58/EC, article 4
Proposal for an EU General Data Protection Regulation, articles 30, 31 and 32

EU views on Cloud Computing
Opinion 5/2012 on Cloud Computing of the Art. 29 DP Working Party (July 2012)
UK Information Commissioner's Office Guidance on the use of Cloud Computing (September 2012)

ISO: new and improved ISO/IEC 27005 standards

Relevant EU Agencies
EC3 - European Cybercrime Center at EUROPOL. Focuses on the following areas of cybercrime:
crimes committed by organized groups to generate large criminal profit, such as online fraud
crimes which cause serious harm to the victims, such as online sexual exploitation
crimes which affect critical infrastructure and information systems in the EU
ENISA - European Network and Information Security Agency: hub for the exchange of information, best practices and knowledge of information security

The security of processing obligations under Directive 95/46/EC (I)
The security obligation (art. 17): the controller must implement appropriate technical and organizational measures (TOMs) to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing of personal data.
Organizations need to ensure an appropriate level of security taking into account:
the state of the art in security
the cost of implementing the measures
the level of security appropriate to the nature of the data to be protected and the nature of the risks

The security of processing obligations under Directive 95/46/EC (II)
Using data processors (art. 17.2):
the processor must provide sufficient guarantees in respect of TOMs
the processor must ensure compliance with those measures
need for Data Processing Agreements governing the relationship between controller and processor

The security of processing obligations under Directive 95/46/EC (III)
Implementation of TOMs by Member State:
TOMs determined by the controller: Germany, Netherlands, Sweden
Security guidelines issued by the DPA: UK, Belgium
TOMs imposed by law: Spain, Italy

TOMs and the international transfer of data
Standard Contractual Clauses (SCCs) for transfers to processors in third countries:
Data exporter: must provide sufficient guarantees in respect of the TOMs of Appendix 2 of the SCCs
Data importer: must implement the TOMs of Appendix 2 of the SCCs before processing; must promptly notify the data exporter of security incidents; must submit data centres / processing facilities for audit
Appendix 2: description of the TOMs implemented by the data importer

Security of processing under the Proposal of EU Regulation
Article 30 of the Proposal of EU Regulation: the controller and the processor shall implement appropriate TOMs

Information Security Incidents & Personal Data Breaches

Definitions and distinctions
Personal Data Breach: means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communication service in the Community (amended e-privacy Directive)
Information Security Incident: a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security

Definitions and distinctions
A personal data breach can be the result of a security incident, but also of a loss of user control. An information security incident does not necessarily entail a personal data breach, and vice versa.

Global Breach Notification Laws

Security breach notifications
US: security breach notification laws in most States
EU: Article 4 of the amended e-privacy Directive 2002/58/EC: requirement for the electronic communication sector
Proposal of the EU General Data Protection Regulation (Articles 31 and 32): towards a general obligation of reporting data breaches to the supervisory authority and to the individuals affected

Security breach notifications: EU perspective
To whom, in what circumstances and within what timeframes is a notification required (trigger)?
In the case of a personal data breach: without delay (and where feasible, not later than 24 hours after having become aware of it*), TO THE COMPETENT NATIONAL AUTHORITY
Where the personal data breach is likely to adversely affect the personal data or privacy: TO THE INDIVIDUAL, AFTER NOTIFICATION TO THE AUTHORITY (EXCEPTIONS APPLY)
*Article 31 of the Proposal of DP Regulation

Security breach notifications: EU perspective
Who is obliged to notify?
Amended e-privacy Directive: providers of publicly available electronic communication services
Proposal of DP Regulation: controllers shall notify; processors shall alert and inform the controller immediately after the establishment of a personal data breach.

Security breach notifications: EU perspective
Working Document 1/2011 on the current EU personal data breach framework and recommendations for future policy developments

Security breach notifications: EU perspective
April 2012: Recommendations on technical implementation guidelines of Article 4 of the e-privacy Directive, http://www.enisa.europa.eu/
See the presentation of Manuel García Sánchez, Spanish DPA.

Security breach notifications: EU perspective
Conclusions:
importance of being proactive and prepared
need for a holistic personal data management procedure
two-phased assessments and two-phased notifications
review and improve

Thank you
Javier Fernández-Samaniego, Partner
+34 91 790 6010
javier.samaniego@twobirds.com
@twobirdsit
Bird & Bird (Spain) LLP, Jorge Juan, 8 1, Madrid 28001, Spain, +34 91 7906000