Data Breach Notification: what EU law means for your information security strategy


Data Breach Notification: what EU law means for your information security strategy Olivier Proust December 8, 2011 Hunton & Williams LLP

Key points
1. Introduction
2. Overview of data breach requirements under the e-privacy Directive
3. Data breach laws in selected EU Member States and key differences
4. Best practices
5. Conclusion: what can be expected of future regulation?

1. Introduction

What is a security breach?

Recent examples

What are the goals?

2. Overview of the e-privacy Directive

Personal Data Breach
"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service."

Scope
- Limited to personal data breaches
- Limited to telecoms/ISPs (providers of publicly available electronic communications services)
- Possible extension of data breach requirements in the context of the review of the EU data protection framework (Directive 95/46/EC)

Personal Data Breach Requirements
In the case of a personal data breach, telecoms/ISPs must, without undue delay, notify:
- The competent national authority
- Subscribers/individuals, if the breach is likely to adversely affect their personal data or privacy
Notification to subscribers/individuals (not to the authority) is not required if the provider has demonstrated to the authority that:
- Appropriate technological protection measures are implemented (measures that render the data unintelligible to anyone not authorised to access them), and
- Those protection measures were applied to the data concerned by the breach

Data breach notification
Notification to the individuals must at least describe:
- The nature of the personal data breach
- Contact points where more information can be obtained
- Recommended measures to mitigate the possible adverse effects of the personal data breach
Notification to the competent authority must, in addition, describe:
- The consequences of the personal data breach
- The measures proposed or taken by the provider to address the breach

Need for harmonization
Need to harmonize breach notification procedures across EU Member States, particularly in terms of:
- Notification thresholds
- Content and timing of notification
- Exceptions relating to technological protection measures
EC public consultation on data breach notifications (July 2011), deadline September 9, 2011; may result in additional rules complementing the existing legal framework

Risks for non-compliance
- Financial loss
- Regulators may audit companies
- Fines and/or sanctions
- Reputational damage

3. Data breach laws in selected EU Member States

FRANCE

Ordinance of August 24, 2011
Scope: only applies to electronic communication service providers (e.g., telecom operators, ISPs)
Data security breach: any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure of, or unauthorized access to, personal data

Notification Requirement
In the event of a breach, telecoms and ISPs must, without undue delay, notify:
- The French Data Protection Authority (CNIL), and
- Affected individuals, if the breach is likely to adversely affect their personal data
Notice to individuals is not required if the company has implemented appropriate information security measures and has demonstrated this implementation to the CNIL. In the absence of such measures, the CNIL may require the company to notify its subscribers of the breach.

Conditions for Notifying Breaches
- The conditions for notifying security breaches are unclear
- Additional legislation is expected in the near future
- The CNIL also may issue practical guidance

Risks for Non-Compliance
- Sanctions: up to 5 years imprisonment and a €300,000 fine
- Warning from the CNIL
- Reputational damage

GERMANY 20

Current Legal Framework for Data Security Breaches
- Comprehensive statutory breach notification requirement, different from the e-privacy Directive
- In force since September 2009; DPA guidance issued in December 2010
- Broad scope, applies to all companies subject to:
  - Federal Data Protection Act (FDPA): private entities and undertakings governed by public law which compete on the market, acting as data controllers
  - Telecommunications Act: telecom providers
  - Telemedia Act: website providers

Types of Data Covered
- Sensitive data as defined in the FDPA (e.g., data about racial or ethnic origin, religion, or health-related data)
- Data subject to professional or official secrecy (e.g., data held by lawyers, notaries, doctors)
- Data concerning criminal acts or administrative offenses
- Data on bank or credit card accounts
- Customer data or traffic data as defined in the Telecoms Act
- Customer data or usage data as defined in the Telemedia Act (e.g., data held by electronic information and communication service providers, including registration or usage data that may identify an individual online user)

Requirements
Legal requirements are triggered if two conditions are met:
- Unlawful disclosure: data have been transferred unlawfully, OR third parties have otherwise obtained access to the data
- Serious impact on the rights or protected interests of the individual (e.g., identity theft, financial damage, social disadvantages)
Notification of both the competent Federal or state DPA and the individuals concerned. Notification must happen without undue delay, as soon as appropriate measures to secure the data have been taken and any law enforcement investigation is no longer jeopardised.

Content of Notification
To the individual concerned, must include:
- Description of the type of unlawful disclosure
- Recommendations for measures to limit possible negative consequences
To the DPA, must in addition include a description of:
- Possible negative consequences of the unlawful disclosure
- The measures taken by the data controller
Where notifying individuals would involve disproportionate effort, in particular because of the number of individuals concerned, the general public must instead be informed by advertisements of at least half a page in at least two daily newspapers published throughout Germany.

THE NETHERLANDS 25

Bill in Dutch Parliament
- Bill to implement the e-privacy Directive adopted by the Lower House
- Bill would address data security breaches, cookie requirements, net neutrality, etc.
- On-going debate in the Upper House; implementation date unclear

Scope
- Limited to the telecom sector: only applies to electronic communication service providers (e.g., telecom operators, ISPs)
- A breach notification requirement across all sectors is part of the revision of the Dutch Data Protection Act that is currently being considered
- Broad application: any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure of, or unauthorized access to, personal data

Conditions for Notifying Breaches
The Dutch Bill closely follows the text of the e-privacy Directive with regard to data breach notification requirements. In the event of a breach, telecoms and ISPs must, without undue delay, notify:
- The Dutch Telecoms Authority (OPTA), and
- Affected individuals, if the breach is likely to adversely affect their personal data (initial assessment by the company; OPTA can overrule)
Exemption from notifying individuals: if the company has implemented appropriate security measures and has sufficiently demonstrated this to OPTA
Mandatory data breach register

UNITED KINGDOM 29

DPA Key Requirements
- No general legal obligation to notify under the Data Protection Act 1998, BUT
- The UK Information Commissioner's Office (ICO) has issued guidance on data breach notification and operates a voluntary notification scheme for serious data breaches
- Notification expected for serious breaches where there is potential for harm to individuals, a large volume of data is compromised, or the compromised data are sensitive

Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011
- Amended the 2003 e-privacy Regulations (PECR) to include mandatory breach notification to the ICO for public electronic communication service providers (i.e., telecoms and ISPs)
- Notification must include a description of the circumstances of the breach, its consequences, and the measures taken to address it
- Notify subscribers where the breach is likely to adversely affect the personal data or privacy of the subscriber, except where the provider has demonstrated to the ICO that security measures have been implemented that render the data unintelligible on unauthorised access
- Maintain an inventory of breaches

Sector-specific requirements
Mandatory notification for financial services organizations regulated by the Financial Services Authority (FSA)

ICO Enforcement
Monetary penalties for serious breaches: up to £500,000 for serious breaches of the DPA and PECR
Test: a serious contravention of the data protection principles, AND likely to cause substantial damage or distress, AND either
- deliberate, OR
- the data controller knew, or ought to have known, that the breach would occur and would be likely to cause damage/distress, and failed to take reasonable steps to prevent it
Note: applies to all DPA breaches, not just security breaches
PECR: fixed penalty of £1,000 on service providers that fail to notify
Audit rights; third party information notice

4. Best practices 34

Security measures
The e-privacy Directive requires that, at a minimum:
- Personal data can be accessed only by authorised personnel for legally authorised purposes
- Personal data are protected against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure
- A security policy with respect to the processing of personal data is implemented
Additional and specific security requirements apply under national law

Organizational measures
- Appoint a data protection officer
- Internal coordination and communication (e.g., a standard operating procedure for handling data security breaches)
- Internal policies for employees
- Privacy-by-design

Legal measures
- Comply with local data protection laws (i.e., registrations, privacy notices, data transfer mechanisms, etc.)
- Data processor clauses in service provider agreements
- Maintain an inventory of data security breaches

5. Conclusion

Towards a general data breach notification requirement?
- Recital 59 of Directive 2009/136/EC (the directive amending the e-privacy Directive) calls for mandatory breach notification requirements across all sectors
- EU Commission's Communication proposing a "comprehensive approach on personal data protection in the EU", released on November 4, 2010
- On-going revision of the EU Data Protection Directive 95/46/EC

Contact
Olivier Proust, Associate, Hunton & Williams
+32 (0)2 643 58 33
oproust@hunton.com
Visit www.huntonprivacyblog.com