Data Breach Notification: what EU law means for your information security strategy
Olivier Proust
December 8, 2011
Hunton & Williams LLP

Key points
1. Introduction
2. Overview of data breach requirements under the e-privacy Directive
3. Data breach laws in selected EU Member States and key differences
4. Best practices
5. Conclusion: what can be expected of future regulation?
1. Introduction

What is a security breach?

Recent examples

What are the goals?

2. Overview of the e-privacy Directive
Personal Data Breach
«A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service»

Scope
- Limited to personal data breaches
- Limited to telecoms/ISPs
- Possible extension of data breach requirements in the context of the review of the EU's data protection framework (Directive 95/46/EC)
Personal Data Breach Requirements
In the case of a personal data breach, telecoms/ISPs must, without undue delay, notify:
- The competent authority
- Subscribers/individuals, if the breach is likely to adversely affect their personal data or privacy
Notice to individuals is not required if:
- Appropriate technological protection measures are implemented, and
- Those protection measures were applied to the data concerned

Data breach notification
Notification to the individuals must contain:
- Nature of the personal data breach
- Contact points where more information can be obtained
- Recommended measures to mitigate the possible adverse effects of the personal data breach
Notification to the competent authority must, in addition, contain:
- Consequences of the personal data breach
- Measures proposed or taken by the provider to address the breach
Need for harmonization
Need to harmonize breach notification procedures across EU Member States, particularly in terms of:
- Notification thresholds
- Content and timing of notification
- Exceptions relating to technological protection measures
EC public consultation on data breach notifications (July 2011)
- Deadline: September 9, 2011
- May result in additional rules complementing the existing legal framework

Risks for non-compliance
- Financial loss
- Regulators may audit companies
- Fines and/or sanctions
- Reputational damage
3. Data breach laws in selected EU Member States

FRANCE

Ordinance of August 24, 2011
Scope
- Only applies to electronic communication service providers (e.g., telecom operators, ISPs)
Data security breach
- Any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure of, or unauthorized access to personal data

Notification Requirement
In the event of a breach, telecoms and ISPs must, without undue delay, notify:
- The French Data Protection Authority (CNIL), and
- Affected individuals, if the breach is likely to adversely affect their personal data
Notice to individuals is not required in certain circumstances:
- If the company has implemented appropriate information security measures, and
- Has demonstrated this implementation to the CNIL
In the absence of such measures, the CNIL may require the company to notify its subscribers about the breach

Conditions for Notifying Breaches
- The conditions for notifying security breaches are unclear
- Additional legislation is expected in the near future
- The CNIL also may issue practical guidance

Risks for Non-Compliance
Sanctions
- 5 years' imprisonment
- €300,000 fine
- Warning
- Reputational damage
GERMANY

Current Legal Framework for Data Security Breaches
- Comprehensive statutory breach notification requirement
- Different from the e-privacy Directive
- In force since September 2009; DPA guidance issued in December 2010
- Broad scope, applies to all companies subject to:
  - Federal Data Protection Act (FDPA) (private entities and undertakings governed by public law which compete on the market, acting as data controllers)
  - Telecommunications Act (telecom providers)
  - Telemedia Act (website providers)

Types of Data Covered
- Sensitive data as defined in the FDPA (e.g., data about racial or ethnic origin, religion, or health-related data)
- Data subject to professional or official secrecy (e.g., data held by lawyers, notaries, doctors)
- Data concerning criminal acts or administrative offenses
- Data on bank or credit card accounts
- Customer data or traffic data as defined in the Telecoms Act
- Customer data or usage data as defined in the Telemedia Act (e.g., data held by electronic information and communication service providers, including registration or usage data that may identify an individual online user)

Requirements
Legal requirements are triggered if two conditions are met:
- Unlawful disclosure: data have been transferred unlawfully, OR third parties have otherwise gained access to the data
- Serious impact on the rights or protected interests of the individual (e.g., identity theft, financial damage, social disadvantages)
Notification of both the competent Federal or state DPA and the individuals concerned
Notification must happen without undue delay, as soon as appropriate measures to secure the data have been undertaken and any law enforcement investigation is no longer affected

Content of Notification
To the individual concerned, must include:
- Description of the type of unlawful disclosure
- Recommendations for measures to limit possible negative consequences
To the DPA, must, in addition, include a description of:
- Possible negative consequences of the unlawful disclosure
- Measures taken by the data controller
In case of disproportionate effort, in particular because of the number of individuals concerned, the general public must instead be informed by:
- Advertisements of at least half a page
- In at least two daily newspapers that are published throughout Germany
THE NETHERLANDS

Bill in Dutch Parliament
- Bill to implement the e-privacy Directive adopted by the Lower House
- Bill would address data security breaches, cookie requirements, net neutrality, etc.
- Ongoing debate in the Upper House
- Implementation date unclear

Scope
Limited to telecom sector
- Only applies to electronic communication service providers (e.g., telecom operators, ISPs)
- A breach notification requirement across all sectors is part of the revision of the Dutch Data Protection Act that is currently being considered
Broad application
- Any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure of, or unauthorized access to, personal data

Conditions for Notifying Breaches
- Dutch Bill closely follows the text of the e-privacy Directive with regard to data breach notification requirements
In the event of a breach, telecoms and ISPs must, without undue delay, notify:
- The Dutch Telecoms Authority (OPTA), and
- Affected individuals, if the breach is likely to adversely affect their personal data
- Initial assessment by the company; OPTA can overrule
Exemptions:
- If the company has implemented appropriate security measures, and
- Has sufficiently demonstrated this to the OPTA
Mandatory data breach register
UNITED KINGDOM

DPA Key Requirements
- No general legal obligation to notify under the Data Protection Act 1998
- BUT the UK Information Commissioner's Office (ICO) has issued guidance on data breach notification and operates a voluntary notification scheme for serious data breaches
Notification expected for serious breaches where:
- There is potential for harm to individuals
- A large volume of data is compromised
- The compromised data are sensitive

Privacy and Electronic Communications (EC Directive) Regulations 2011 (PECR)
- Amended the 2003 e-privacy Regulations to include mandatory breach notification to the ICO for public electronic communication service providers (i.e., telecoms and ISPs)
Notification must include a description of:
- Circumstances of the breach
- Consequences
- Measures taken to address the breach
- Notify subscribers where the breach is likely to adversely affect the personal data or privacy of the subscriber, except where the provider demonstrates to the ICO that security measures have been implemented that render the data unintelligible on unauthorised access
- Maintain an inventory of breaches

Sector-specific requirements
- Mandatory notification for financial services organizations regulated by the Financial Services Authority (FSA)

ICO Enforcement
Monetary penalties for serious breaches
- Up to £500,000 for serious breaches of the DPA and PECR
- Test: serious contravention of data protection principles AND likely to cause substantial damage or distress AND either deliberate, OR the Data Controller knew, or ought to have known, that the breach would occur AND would likely cause damage/distress AND failed to take reasonable steps to prevent it
- Note: applies to all DPA breaches, not just security breaches
- PECR: fixed penalty of £1,000 on service providers that fail to notify
Audit rights
Third party information notice
4. Best practices

Security measures
The e-privacy Directive says:
- Access to personal data must be authorized and must have a legal purpose
- Personal data must be protected against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure
- A security policy must be implemented
Additional and specific security requirements exist under national law

Organizational measures
- Appoint a data protection officer
- Internal coordination and communication (e.g., a standard operating procedure for handling data security breaches)
- Internal policies for employees
- Privacy-by-design

Legal measures
- Comply with local data protection laws (i.e., registrations, privacy notices, data transfer mechanisms, etc.)
- Data processor clauses in service provider agreements
- Maintain an inventory of data security breaches
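The breach inventory and the standard operating procedure above can be backed by a small register that applies the e-privacy Directive rule the deck describes (always notify the authority; notify individuals when adverse effect is likely, unless protective measures render the data unintelligible) and flags which required content is still missing from a draft notice. This is an added illustration, not code from the presentation or from Hunton & Williams; the field names, the `Breach`/`BreachRegister` types and the sample breach are constructed for the example.

```python
"""Added example: a minimal personal-data-breach register implementing the
notification rule and content checklist summarised in the slides.
All names and the sample record below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Content the slides list as required in notices under the e-privacy Directive.
REQUIRED_FOR_INDIVIDUALS = {"nature", "contact_point", "recommended_measures"}
REQUIRED_FOR_AUTHORITY = REQUIRED_FOR_INDIVIDUALS | {"consequences", "measures_taken"}


@dataclass
class Breach:
    ref: str                                  # internal reference (constructed)
    detected_at: datetime                     # start of the "without undue delay" clock
    likely_adverse_effect: bool               # provider's initial assessment; regulator may overrule
    data_unintelligible: bool                 # protective measures applied to the data concerned
    notice: dict = field(default_factory=dict)  # draft notification content, keyed by item


def notification_targets(b: Breach) -> set:
    """Who must be notified: the competent authority always; individuals only
    when adverse effect is likely and no qualifying protection measure applies."""
    targets = {"authority"}
    if b.likely_adverse_effect and not b.data_unintelligible:
        targets.add("individuals")
    return targets


def missing_content(b: Breach, audience: str) -> set:
    """Required notice items that are absent or empty in the draft for this audience."""
    required = REQUIRED_FOR_AUTHORITY if audience == "authority" else REQUIRED_FOR_INDIVIDUALS
    return {item for item in required if not b.notice.get(item)}


class BreachRegister:
    """Append-only inventory of breaches (the 'maintain an inventory' practice)."""

    def __init__(self):
        self.entries = []

    def record(self, b: Breach) -> dict:
        self.entries.append(b)
        targets = notification_targets(b)
        return {
            "ref": b.ref,
            "notify": sorted(targets),
            "gaps": {a: sorted(missing_content(b, a)) for a in sorted(targets)},
        }


# Constructed sample: a lost unencrypted backup with a partially drafted notice.
SAMPLE = Breach(
    ref="BR-EXAMPLE-001",
    detected_at=datetime(2011, 12, 1, 9, 30, tzinfo=timezone.utc),
    likely_adverse_effect=True,
    data_unintelligible=False,
    notice={
        "nature": "Loss of an unencrypted backup tape holding subscriber records",
        "contact_point": "privacy@example.invalid",
        "recommended_measures": "Monitor account statements; reset account password",
        # 'consequences' and 'measures_taken' not yet drafted
    },
)


def demo() -> dict:
    """Record the sample breach and return the notification plan and content gaps."""
    return BreachRegister().record(SAMPLE)


if __name__ == "__main__":
    print(demo())
```

With the sample, both the authority and the individuals must be notified, the individuals' notice is complete, and the authority notice still lacks its consequences and measures-taken sections. Flipping `data_unintelligible` to True drops individuals from the target list while the authority remains, which mirrors the exemption described above.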
5. Conclusion

Towards a general data breach notification requirement?
- Recital 59 of the e-privacy Directive
- EU Commission's Communication proposing "A comprehensive approach on personal data protection in the European Union", released on November 4, 2010
- Ongoing revision of the EU Data Protection Directive 95/46/EC

Contact
Olivier Proust
Associate, Hunton & Williams
+32 (0)2 643 58 33
oproust@hunton.com
Visit www.huntonprivacyblog.com