Archive for the ‘Breach Disclosure’ Category

Cybersecurity in the EU – massive change on its way

Posted on February 8th, 2013 by Stewart Room

Is anyone unsure about the EU agenda for cyber and data security? If you want some insight you could easily check the UK Information Commissioner’s website and you see that in 2012 over 20 data controllers were hit with big fines for security breaches affecting personal data.

Or you could rewind to January 2012, when the EU published the Draft General Data Protection Regulation, which will impose mandatory breach disclosure on every data controller operating in the EU, backed up with potential fines of up to 2% of annual worldwide turnover for those organisations who fail badly.

Or you could go back a little further still, to October 2009, when the EU introduced the mandatory breach disclosure rule for telcos and ISPs, which has been operating since early 2011.

Actually, you don’t need to do any of that. Instead, just focus on the draft EU Cybersecurity Directive, which was published today. It’s a short document, easy to get to grips with, and within a few minutes the implications will be obvious to you.

The new Directive makes it compulsory for all “market operators”, including utilities, transport and financial services businesses, as well as public authorities who use “network and information systems” within their businesses, to implement technical and organisational measures to manage cyber risks. These organisations will be subject to independent regulation, they will have to disclose security breaches to the regulators, they will have to submit to compulsory regulatory audits and they will be sanctioned if they fail to comply with the law.

The scope and magnitude of this new Directive is huge. Obviously, the regulation of cyber risks in utilities, transport, financial services and public authorities is massive in its own right, but it’s the wider concept of “market operator” that really needs to be looked at.

A market operator includes a provider of information society services “that enable the provision of other information society services”.

Information society services are colloquially called ecommerce services in the EU, but this is about much more than online shopping, because in the EU an information society service is essentially a service that is provided over the internet, whether or not a fee is charged. In other words, an information society service can be a shopping site, a social network, a search engine, or an “over the top” communications system (like Skype) and so on, whether or not they are web or app based.

Looking again at the definition of market operator, what really counts is whether the information society service is supporting another information society service. This website, privacylawblog.ffw.com, is an information society service, but it’s not supporting another, so it’s not caught by the Cybersecurity Directive. What the Directive is looking for is the platform of support – if you are a platform for an ISS, then you are regulated.

If all of this sounds too complicated, don’t worry, the Directive provides some indicative examples. These are: ecommerce platforms, internet payment gateways, social networks, search engines, cloud computing services and application stores.

This is an incredible list and the magnitude of the Directive becomes obvious when you start adding names to the list:

* ecommerce platform = Amazon and eBay provide market platforms for traders and iTunes has to be captured too

* internet payment gateways = Paypal is the most obvious one, but there are loads of others, like Worldpay

* social networks = Facebook, LinkedIn, Twitter and so on

* search engines = Google (are there any others?)

* cloud = basically every tech co in the World!!!

* application stores = I think Apple has one (!), Google too, Amazon again and what about the telcos … isn’t Blackberry launching one now too?

This seems quite incredible at first, but it’s real. And it’s obvious really, isn’t it, because it is the Cybersecurity Directive after all! It wouldn’t deserve this name if it didn’t regulate these household names.

There is a lot to like in the Directive, but businesses will have concerns about the nature of regulation and the competence of the regulators. There are also some worrying grey areas in the Directive, such as the delegation of many powers to quangos, which is never good for legal certainty. I would expect many big tech companies to be looking hard at how to engage with the EU on this, because there is much to be shaped up.

But wrapping this all together and tying up the various strands, what we see within the EU is radical lawmaking for security. Any organisation that misses this point will come unstuck. That’s why the law is being reformed, specifically to cause behavioural change. Whether you look at security from a data protection angle or a cyber angle, it does not matter; you just have to be more secure.

I’ve posted a diagram below which shows the core legal pillars for data and cybersecurity in the EU, now and coming. What you are seeing here is a coalescence of approach and obligation. The end game is a single legal test – take appropriate technical and organisational measures to secure your networks and data. That’s the European approach.

Privacy in the global village

Posted on September 4th, 2012 by Eduardo Ustaran

There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world.  Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed.  In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet.  At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time.  So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world and spot trends and priorities in the regulation of personal information.

The most veteran jurisdiction in this area of law in Asia, Hong Kong, has just had a revamp of its 15 year old Personal Data (Privacy) Ordinance.  Interestingly, the changes represent a considerable toughening of the existing regime, covering things like additional requirements in relation to direct marketing, supervisory duties in respect of data processors and enhanced enforcement powers for the privacy commissioner.  So whilst the regulator will not be able to award compensation to aggrieved individuals as originally requested by the Office of the Privacy Commissioner, new financial penalties as well as the potential for up to five years imprisonment signal a stricter approach to the use of personal information.

Further north, in South Korea, the Personal Information Protection Act has only been in force for a few months but is already being branded as the toughest in Asia.  With requirements that mirror some of the most demanding provisions of the proposed EU data protection regulation – like mandatory privacy officers, detailed security measures and data breach notification – Korea’s new law is not one to be taken lightly.  The local regulator is unlikely to be a quiet one and there are reports about a CNIL-like investigation into Google’s changes to its privacy policy, which if anything, will raise the authority’s standing among its peers.

The rest of Asia is not standing still either as countries like Malaysia, Singapore and the Philippines are also making progress in this area.  Malaysia’s Personal Data Protection Act has just come into force, so it is a bit early to say how far reaching it will be in practice but its pedigree looks rather European.  Singapore’s approach is slightly more modest and the legislative process is less advanced, but the draft bill is not without complexity.  As for the Philippines, after some delay, the new Data Privacy Act has now been formally signed by the country’s president and will be fully in force in about a year’s time.  The Philippines’ law is in line with the European approach to privacy as a fundamental right, but much less prescriptive when it comes to regulating international data transfers.

This particular issue is one that concerns global organisations seeking to adopt a coherent and consistent methodology for compliance in respect of data flows.  The European approach to international data transfers is intimidating to say the least, so it is understandable that those organisations that are investing in programmes like Binding Corporate Rules want to take advantage of that solution on a truly global scale.  Otherwise, it would be hugely frustrating to devise and implement a data protection framework that worked for Europe but didn’t quite cut it in a growing number of jurisdictions.

Fortunately, here is where the accountability model championed under the APEC Cross-Border Privacy Rules throughout Asia and other countries around the Pacific Ocean does the trick, as it gives organisations the opportunity to decide how best to protect the personal information they collect and use around the world.  That way, whether one is trying to meet the expectations of data protection regulators in Europe, Asia or indeed America in respect of international data flows, it is not only possible but advisable to devise a system like BCR that regards data protection as a global response to a business need and not as a box-ticking exercise.

This article was first published in Data Protection Law & Policy in August 2012.

The new EU framework: Uniform, prescriptive and ambitious

Posted on February 3rd, 2012 by Eduardo Ustaran

These are truly exhilarating times for the data protection world.  Viviane Reding’s recent announcement of the Commission’s proposal for a fully harmonised European data protection framework had the connotations of an Olympic opening ceremony – the years of hard work in preparation for this moment, the sense of achievement in the face of challenge and the triumphant belief that something memorable is going to come out of this.  Only the big drums and the flame were missing.  The jury is now out but this is without a doubt the most significant global legislative development affecting the collection, use and protection of personal information of the past 15 years.

As expected, the proposed new general framework for data protection is set out in a regulation, rather than another directive.  This means that once adopted, the regulation will be directly and universally applicable across all EU Member States without the need for national legislation.  Recent legislative history suggests that a single EU-wide regulation is likely to be the only way to achieve the desired uniformity across the European Union.  Member States’ struggle to implement the changes to the e-privacy directive in a coherent way reminds us daily of the limitations of a directive.  But a single pan-European law is a double-edged sword – one set of rules is meant to be beneficial to organisations operating internationally, but those who are used to dealing with the reasonably practical obligations of jurisdictions like the UK or Ireland face a cultural and legal shock.

The proposed regulation is also aimed at rejuvenating a law which has lost its effectiveness to tackle the data protection challenges of the 21st century.  The novelties are varied and creative, but they all have in common one thing: the principles, rights and obligations are far more prescriptive in nature than under the 95 directive.  This is a natural consequence of having to draft a directly applicable regulation, but it is a fundamental change from the way European data protection has operated until now. 

The bulk of the proposed regulation brings with it a whole new set of obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers.  Plus of course, nearly immediate data breach notification.  These obligations are a trade-off for the overall reduction in regulator-facing administrative requirements, but also the basis for a new way of demanding practical compliance in the black letter of the law.

Above all, the Commission’s proposal is an ambitious one.  Not least because it sets out a very clear basis for its extra-territorial application.  The regulation does away with the cumbersome references to equipment located in the European Union and introduces brand new EU residency grounds.  Any company that processes personal data in the context of an EU-based establishment will be subject to the new law in any event.  But in addition, the regulation will extend the applicability of European data protection rules to organisations established elsewhere that use personal information in relation to the offering of goods or services to, or the monitoring of the behaviour of, individuals who live in the EU.

This approach will affect Internet businesses from all over the world but the Commission’s ambition goes even further than that.  One of the greatest challenges ahead is not faced by organisations using personal information but by the regulators themselves.  They will need to learn a radical new law which demands constant dialogue and closer cooperation than ever before.  The legislative process is now wide open and 2012 will be a crucial year to influence the outcome of the new law.  We have a real opportunity to contribute to this process, so it is our responsibility to get the right result.

This article was first published in Data Protection Law & Policy in January 2012.

Deconstructing the privacy macaron

Posted on December 7th, 2011 by Eduardo Ustaran

Compact.  Self-contained.  Multi-layered.  Hard to penetrate and rich inside with a mix of flavours and tones.  Judging by the commentary surrounding the forthcoming EU data protection framework circulating in the corridors of the IAPP European Data Protection Congress that took place in Paris at the end of November, we could have been describing a typical Parisian macaron instead of a new law.  But if the indications of what we are about to see in the regulation being proposed by the European Commission are true, complying with the future European privacy regime is going to require fine confectionery skills.

So what are the likely ingredients of this extremely elaborate piece of legislation and how will they blend together?

*   A Regulation – It is widely accepted that a regulation, rather than another directive, will be the best recipe for a harmonised regime that delivers a consistent level of protection across the EU.

*   Two-fold objective – Like the original directive, the new regulation will most certainly have a dual aim: protecting personal data and facilitating the intra-EU movement of that data.

*   Applicability based on establishment and targeting of European residents – The novelty being that the use of equipment in the EU will be replaced by data processing directed at those individuals who live in the EU.

*   Privacy principles – Transparency, finality, proportionality and data quality – they are all likely to be there but for added flavour, expect some new ones like data minimisation and accountability.

*   Consent – Individual’s consent will remain a cornerstone of European data protection law but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual’s freedom of choice.

*   Big rights – Some rather radical changes are likely to come in the shape of new or strengthened individuals’ rights.  Top of the list will be the much publicised right to be forgotten followed closely by data portability rights.  No doubt the Commission will want to give people as much control as possible over their data, particularly in relation to profiling activities.

*   Controller’s responsibilities – As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities ranging from the adoption of policies and principles such as privacy by design and privacy by default to the training of staff and the appointment of data protection officers.

*   Data breach notification – As is already the case for providers of communications services, an obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will now apply to all controllers.

*   International data transfers – Greater flexibility is expected on this issue alongside an express recognition for binding corporate rules, which will be available to both controllers and processors.  An area of concern however is the potential conflict between data requests by non-EU authorities and the limitations on data disclosures, which will probably require the involvement of data protection authorities in determining how to resolve such conflict.

*   Role of data protection authorities – The main novelty on this front is bound to be in relation to their geographical competence.  In all likelihood, the data protection authority of the Member State where the main establishment of a data processing organisation is based will be responsible for supervising that organisation across the whole of the EU.  We can also assume that greater international coordination mechanisms will be in place.

*   Enforcement powers – The promise by the Commission of stronger enforcement powers for the data protection authorities is bound to bring harmonised and succulent monetary fines, which can only be more substantial than what most Member States have at the moment.

All in all, it is beyond doubt that the Commission has been working very hard to craft a framework that fits the regulatory requirements of today’s and tomorrow’s data protection.  Whether the result will suit everyone’s taste is a different matter.

This article was first published in Data Protection Law & Policy in November 2011.

More indications about the new EU data protection rules

Posted on November 17th, 2011 by Antonis Patrikios

In an interview with the Washington Post, Viviane Reding, the EU Justice Commissioner, gave more indications about what we can expect from the tougher European regime that is in the pipeline.

The key points are:

* “Our reforms are aimed at getting rid of the fragmentation and providing consistency and coherence for the whole of the continent”. This is the clearest sign yet that we can expect a Regulation directly applicable in all Member States, as opposed to a Directive, which is subject to national implementation.

* “Self-regulation can be little more than a fig leaf. It works only if there is strong, legally binding regulation in the first place”. Not only tougher substantive rules, but also more heavy-handed regulation are likely to be on their way. If so, we can expect more disputes and litigation.

* “We do have a set of rules today that is not always applied and controlled in the way it should be. That has led to fragmentation and different interpretations of the rules”. The proposals may also include a mechanism to ensure at least some degree of consistency in the application of data protection rules across Member States; a supra-national data protection regulator perhaps?

* “It is clear that every citizen has a right to their own data. Before a company can use your data they should ask for permission. This is a basic rule of the European Union”. As expected, the new instrument will attempt to further empower consumers, particularly by imposing a requirement for explicit consent before their data are used and by introducing a right to have their data deleted at any time.

* “Data breaches is one of the questions that is very high on the agenda [...] We will extend the telecom rules to the Internet”. As expected, the mandatory breach notification obligations currently applying to Telcos and ISPs will be extended to internet services, online traders and private-sector medical records, and possibly to the broader economy.

The interview can be found here: http://www.washingtonpost.com/blogs/post-tech/post/qanda-eu-chief-privacy-regulator-on-new-internet-rules/2011/11/15/gIQAOeZzRN_blog.htm

Information Commissioner publishes online data breach notification form

Posted on November 7th, 2011 by Leonie Power

The Information Commissioner’s Office has produced a new form for organisations to report a data breach.

While public electronic communications service providers are required to notify the ICO of personal data security breaches, currently there is no obligation on other businesses to do so. However, according to existing ICO guidance, serious breaches should be brought to the attention of the ICO.

The instructions outlined in the new form indicate that, before completing the form, data controllers should read the earlier guidance: Notification of Data Security Breaches to the Information Commissioner’s Office. This guidance sets out various factors to be taken into account in deciding whether a breach is serious enough to merit reporting it to the ICO and also sets out the types of information that should be provided when making a notification.

It is clear that the form is intended as an aid to compliance rather than circumscribing the information to be provided to the ICO. It states that, in addition to completing the form, the ICO welcomes other relevant information (e.g. incident reports). While the form is available online, once completed, it should be submitted by email to the address specified in the form or sent by post.

The questions contained in the new form largely correspond to the types of information sought by the ICO as per its earlier guidance. However, it is interesting to note that the form also requests information about whether there has been any media coverage of the incident. It is clear from the earlier ICO guidance that whether or not there has been media coverage is likely to influence the extent to which the Information Commissioner needs to provide reassurance to the public via appropriate enforcement action.

The ICO has indicated that it will not usually take enforcement action unless a data controller fails to take recommended steps or there are other reasons to doubt compliance or there is a need to provide reassurance to the public. Consequently, where there has been a large amount of publicity in relation to a particular incident, data controllers should brace themselves for some sort of regulatory action.

The new form is available on the ICO website here.

The day of the £1000 fine!

Posted on May 10th, 2011 by Stewart Room

UK data security law seemingly took a couple of backwards steps this week, with Parliament and the Information Commissioner showing a preference for the £1000 fine for security breaches.

Today ICO published news that it had fined the founder of now-defunct law firm ACS Law a mere £1000 for a very serious security breach that exposed information on a database of alleged copyright infringers to full scrutiny on the ‘net. This included highly sensitive information. This notorious example of shocking data failure was described by ICO in the following terms:

“The ICO’s investigation found serious flaws in ACS Law’s IT security system. Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law’s web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure. While the firm should have been aware of their obligations under the Data Protection Act, they continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure.”

So, what kept the fine so low, when public authorities have been fined tens of thousands of pounds for less serious breaches? Answer: Mr Crossley’s law firm went bust. Had it not done so, ICO would have fined £200,000!

The other £1000 fine development is contained in the new Privacy and Electronic Communications Regulations, which have been amended to reflect the changes introduced in late 2009 by the Citizens Rights Directive.  As well as introducing the new Cookie rules, the new PEC Regs bring in the mandatory breach disclosure regime for the e-comms sector. New Reg 5.C says that if telcos and ISPs fail to comply with their disclosure obligations, ICO can fine them £1000, which is reduced to £800 for early settlement.

£1000 doesn’t seem much of a deterrent, but the law makers will argue that it’s not the quantum that matters, it’s the stigma of being fined. Whether that’s true or not remains to be seen, but at the moment some data controllers will be thinking that UK law has gone a little soft.  However, telcos and ISPs should remember that the £1000 breach disclosure fine is additional to the £500,000 data breach fine that was introduced last year.

Stewart Room