ISACA Privacy Forum - How what you don't know can hurt you
Transcript of ISACA Privacy Forum - How what you don't know can hurt you
Brussels, 12 May 2015
Agenda
1. 18:30 Introduction
2. 18:45 How what you don't know can hurt you
3. 19:30 Break
4. 19:50 How what you don't know can hurt you
5. 20:45 Close
Agenda
1. Security incidents
2. Voluntary data breach notification
3. Legal initiative in Belgium
4. BYOD
5. Practical conclusion
Security Incidents
• Security incidents (data protection related) have become more publicized
  • NMBS, Ministry of Defence, Jobat, Caddy Home
• Increased awareness from DPAs and the legislator
  • Recommendations and advice on security
  • Recommendation regarding incident handling
  • Voluntary data breach notification
  • Legal initiative (Belgium) and pending Draft Regulation (EU)
Enforcement under Belgian law
• Mediation role of the Belgian DPA
  • Proposal of undertakings
• Cease and desist proceedings
  • Used sometimes (especially between companies)
• Various criminal sanctions (e.g. fines up to 600,000 EUR)
  • Applied rarely in practice
• No data breach notification
• No administrative fines
Enforcement under Draft Regulation
• Liability
  • In principle, joint and several liability
• Penalties
  • Administrative sanctions
  • Fine of max. 1,000,000 EUR or, in the case of an enterprise, 2% of annual global turnover, whichever is higher
  • Much stricter and higher in the EP text
  • Text is not final
Voluntary data breach notification
• Current legal situation
  • No binding data breach notification under data protection law
    • Voluntary notification mechanism
  • Binding data breach notification under communications law
    • Network integrity
    • Personal data
Voluntary data breach notification
• Scope
  • Data breaches in relation to personal data (outside the communications sector)
  • Data breach: unauthorized processing (cf. article 16 of the Act)
  • Broad approach to "data breach"
Voluntary data breach notification
• Deadline
  • In principle 48 hours following discovery of the data breach
  • Two-step approach is possible in case little or no information is available
    • First notification: provisional/partial notification
    • Second notification: complete notification
Voluntary data breach notification
• Notification
  • Belgian DPA
    • Form: secured e-form
    • Waiver
      • No impact on the privacy of data subjects
      • Data has been encrypted or otherwise rendered unreadable
      • Data subjects have been informed immediately + limited group of data subjects + no special categories of personal data involved
    • In case of doubt: contact the DPA
    • DPA recommends keeping a detailed logbook
Voluntary data breach notification
• Notification
  • Concerned data subjects
    • Form
      • Identifiable: direct means of communication
      • Unidentifiable: media, while making an effort to identify and contact the data subjects
    • Waiver for notification to data subjects: encrypted data or data otherwise rendered unreadable
    • Temporary suspension of notification to data subjects: impediment to the investigation
    • In case of doubt: contact the DPA
Voluntary data breach notification
• Data subject notification content
  • Identification and contact data
  • Information surrounding the incident (nature of the incident, date, circumstances concerning the incident, …)
  • Impact of the incident on the data subjects
  • Remedial action taken
  • (Remedial) action that may be taken by the data subjects
Data Protection Reform?
• 2012: EC proposes comprehensive reform of the existing data protection rules
  • Draft Regulation, COM(2012) 11 final
  • Draft Directive, COM(2012) 10 final
• 2014: EP
  • Amended text adopted
    • Co-decision (EP/Council) procedure still needs to be followed
  • Passed a resolution asking a.o. for a suspension of Safe Harbor
Belgian Draft Law
• Draft law (session 54, nr. 0416)
  • Reduce administrative burden
  • Strengthen data subjects' rights
  • Increase effectiveness of enforcement
  • Data breach notification
• Obvious topical link with the EU data protection reform
Belgian Draft Law
• Reduce administrative burden
  • Appointment of a data protection officer
    • Exception for physical persons and private legal persons permanently employing max. 9 persons for the automated processing of personal data
    • DPO: reliable physical person with the requisite knowledge
  • Waiver of the notification duty (prior notification of processing operations to the DPA)
    • Belgian DPA may still request the information that was part of the notification duty
Belgian Draft Law
• Function of the DPO
  • Independent function
    • No instructions from the data controller
    • No negative consequences
  • Adequate working environment
  • Confidentiality obligations
Belgian Draft Law
• Mission of the DPO
  • Review data protection compliance
  • Risk management
    • Prevention and effective remediation of damage to personal data
    • Prevention of illegitimate breaches of the data subjects' privacy
• Royal Decree may provide further details
Belgian Draft Law
• Strengthen data subjects' rights
  • Right of access
    • Limited right to data portability: in case of automated processing, the data subject may request an electronic copy
  • Royal Decree may amend the authentication requirements relating to the exercise of the right of access
    • Authority was already granted, no new powers
Belgian Draft Law
• Increase effectiveness of enforcement through administrative fines
  • System already in place in surrounding countries
  • Max. 10,000 EUR (doubled in case of repeated infringement within a period of 3 years)
  • Fast-track proceedings, appeal is possible (Court of First Instance)
Belgian Draft Law
• Data breach notification and accessory obligation to keep a register of notifications
• Scope (cumulative conditions)?
  • Unauthorized communication or any other unauthorized access by third parties
  • Risk of substantial damage to the data subjects
  • Specific personal data involved
    • Special categories of personal data
    • Personal data covered by professional secrecy
    • Personal data used for authentication
Belgian Draft Law
• What?
  • To the data subjects
    • The nature of the breach
    • Contact details for further information
    • Recommended measures to mitigate the consequences
  • To the Belgian DPA
    • The items above (as for the data subjects)
    • Description of the consequences of the breach
    • Proposed or effectively taken measures to mitigate and remedy the breach
Belgian Draft Law
• When?
  • To the Belgian DPA
    • Immediately
  • To the data subjects
    • As soon as the countermeasures have been implemented, or immediately when such countermeasures are not implemented immediately
    • Not required if the data controller can demonstrate having effectively taken adequate security measures (such as encryption), but the Belgian DPA may impose otherwise
Introduction and overview
• 'Bring your own device' (BYOD) and 'Bring your own technology' (BYOT)
• Legal issues
  • Privacy and data protection
  • Electronic communications
  • Labour law issues
  • Intellectual property rights / data ownership and recovery
  • Cybercrime
  • Tax law issues
  • Insurance
Privacy and Data Protection
• What is privacy?
• Privacy at work in the EU?
  • The principle of privacy at work has been confirmed by the ECHR and the Article 29 Working Party
  • The main issue of "work floor privacy" is employee monitoring (electronic communication and use of IT devices)
  • National laws implement privacy at work differently
    • Adopting a single solution for monitoring is difficult
Data Protection
• Limitations in relation to the processing of personal data
  • Personal data: "any information in relation to an identified or identifiable physical person […]"
    • Very broad legal interpretation of the concept of personal data
    • Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
  • Processing: "any operation or set of operations which is performed upon personal data […]"
• Purpose: impose strict (civil and criminal) liability on the entity that is processing the personal data
Data Protection
• Processing of personal data is prohibited, unless allowed by the law
• The data processing must comply with specific principles
  • Proportionality
  • Purpose limitation
  • Limited in time
  • (Individual and collective) Transparency
  • Data quality
  • Data security
  • (Individual and collective) Enforcement measures
• No export of personal data to non-EEA countries, unless adequate protection is offered
Data Protection
• General security obligation
  • Implement appropriate technical and organizational measures
    • Appropriate level
    • Measures are interchangeable
  • Protection against unlawful processing
  • Assessment
    • The state of the art and the cost of implementation
    • Risks represented by the processing and the nature of the data to be protected
Data Protection
• Legal ownership of the device is generally not relevant for data protection purposes
  • Controller: determination of purpose and means
  • Devices owned by third parties can be used
• Technology used and ownership thereof can have an impact on security obligations
  • Security assessment
    • Proliferation of devices and data
    • Data recovery
    • Less security in case of private devices?
    • Increased management effort / risk?
    • Loss of control?
Data Protection
• Private device used for professional purposes vs. corporate device used for private purposes
  • Policies are a major instrument in both cases
    • Raise awareness (instruct)
    • Ensure policy enforceability (enforce)
    • Govern privacy expectations
    • Combine HR, IT and security
  • Contents
    • Scope / eligibility (who, what, when?)
    • Rights and obligations of the parties involved
      • During the contract (AUP & security)
      • Upon and after termination (data!) (exit strategy)
Data Protection
• Data breach related actions
  • Encryption ("walled garden approach")
  • Access to the device
    • Data retrieval
    • Data wiping
    • Access without consent may qualify as 'unauthorized access'
  • Some countries impose a data breach notification
• Privacy at work related clauses
  • Managing privacy expectations
  • Implementing compliant monitoring
Enforcement?
• UK (a.o. monetary penalties up to £500,000)
  • ICO fine of £100,000 (Aberdeen City Council): data breach by a home worker
  • Undertaking (Royal Veterinary College): data loss (private device containing professional information)
• US
  • Settlement of $1,500,000 (Massachusetts Eye and Ear Associates Inc.): stolen unencrypted laptop (HIPAA)
Labour Law and Tax Issues
• Labour law issues
  • Adoption of a BYOD policy
  • Monitoring of employees
    • Communication
    • Localization
  • Enforcing a BYOD policy (disciplinary actions and dismissal)
  • Working time management
  • Labour law rules are different in many countries
    • Involve local HR resources
• Tax regime for cost reimbursements / benefits in kind
IP Rights
• IP rights issues
  • Ownership of data and information
  • License management
  • Illegal content
  • IP infringements due to mobility
    • Applies to other topics as well (e.g. export restrictions)
• Enforcing IP rights in a practical manner
  • Employment contract
  • MDM/MAM
  • Data wiping and data recovery on exit
Cybercrime
• Cybercrime laws are more or less harmonized
  • Convention on Cybercrime (Council of Europe)
• Access to employee devices and data
  • Unauthorized access
  • Data interference
  • System interference
  • Misuse of devices
• MDM, MAM and data wiping / data recovery
  • Employee consent
  • Policy
Conclusion
• A BYOD policy is a must
  • Raise awareness
  • Ensure enforceability of rules by supplementing (employment) contracts with policies
  • Covering legal & liability risks
• Key data protection and privacy issues
  • Security (technical and organizational)
  • Future compliance and data breach notification duty
  • Monitoring employees (privacy at work)
• Adopting a "one size fits all" policy is extremely difficult
Practical conclusion
• Strong trend towards enforcement, but not yet operational in Belgium / at EU level
• Action points?
  • Review data protection capabilities in your organisation
  • Review current data processing operations
  • Review the interaction between "Information Security", "IT", the Legal Department and/or the DPO
• Information security will have a crucial role!
Practical conclusion
• Incident handling
  • Create a plan/processes for the handling of data protection incidents
    • Deadlines are short and may become shorter
  • Assess the advantages/disadvantages of the voluntary data breach notification
Contact details
Johan Vandendriessche
Partner - crosslaw CVBA
Visiting Professor ICT Law - UGent
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be