Privacy Open Forum, Tuesday 12th of May 2015

ISACA Privacy Forum - How what you don't know can hurt you

Brussels, 12 May 2015

Agenda

1. 18:30 Introduction

2. 18:45 How what you don't know can hurt you

3. 19:30 Break

4. 19:50 How what you don't know can hurt you

5. 20:45 Close


Agenda

1. Security incidents

2. Voluntary data breach notification

3. Legal initiative in Belgium

4. BYOD

5. Practical conclusion


Close


HOW WHAT YOU DON'T KNOW CAN HURT YOU

JOHAN VANDENDRIESSCHE

SECURITY INCIDENTS

Security Incidents

• Security incidents (data protection related) have become more publicized
  • NMBS, Ministry of Defence, Jobat, Caddy Home
• Increased awareness from DPAs and the legislator
  • Recommendations and advice on security
  • Recommendation regarding incident handling
  • Voluntary data breach notification
  • Legal initiative pending the draft Regulation

Enforcement under Belgian law

• Mediation role of the Belgian DPA
  • Proposal of undertakings
• Cease and desist proceedings
  • Used sometimes (especially between companies)
• Various criminal sanctions (e.g. fines up to 600.000 EUR)
  • Applied rarely in practice
• No data breach notification
• No administrative fines

Enforcement under Draft Regulation

• Liability
  • In principle, joint and several liability
• Penalties
  • Administrative sanctions
  • Fine of max. 1,000,000 EUR or, in the case of an enterprise, 2% of annual global turnover, whichever is higher
  • Much stricter and higher in the EP text
  • Text is not final

VOLUNTARY DATA BREACH NOTIFICATION

Voluntary data breach notification

• Current legal situation
  • No binding data breach notification under data protection law
    • Voluntary notification mechanism
  • Binding data breach notification under communications law
    • Network integrity
    • Personal data

Voluntary data breach notification

• Scope
  • Data breaches in relation to personal data (outside the communications sector)
  • Data breach: unauthorized processing (cf. article 16 of the Act)
  • Broad approach to "data breach"

Voluntary data breach notification

• Deadline
  • In principle 48 hours following discovery of the data breach
  • Two-step approach is possible in case little or no information is available
    • First notification: provisional/partial notification
    • Second notification: complete notification

Voluntary data breach notification

• Notification
  • Belgian DPA
    • Form: secured e-form
    • Waiver
      • No impact on the privacy of data subjects
      • Data has been encrypted or otherwise rendered unreadable
      • Data subjects have been informed immediately + limited group of data subjects + no special categories of personal data involved
      • In case of doubt: contact the DPA
    • DPA recommends keeping a detailed logbook

Voluntary data breach notification

• Notification
  • Concerned data subjects
    • Form
      • Identifiable: direct means of communication
      • Unidentifiable: media, whilst using effort to identify and contact the data subjects
    • Waiver for notification to data subjects: encrypted data or otherwise rendered unreadable
    • Temporary suspension of notification to data subjects: impediment to the investigation
    • In case of doubt: contact the DPA

Voluntary data breach notification

• Data subjects notification content
  • Identification and contact data
  • Information surrounding the incident (nature of the incident, date, circumstances concerning the incident, …)
  • Impact of the incident on the data subjects
  • Remedial action taken
  • (Remedial) action that may be taken by the data subjects

LEGAL INITIATIVE IN BELGIUM

Data Protection Reform?

• 2012: EC proposes comprehensive reform of the existing data protection rules
  • Draft Regulation, COM(2012) 11 final
  • Draft Directive, COM(2012) 10 final
• 2014: EP
  • Amended text adopted
    • Co-decision (EP/Council) procedure still needs to be followed
  • Passed a resolution asking, among other things, for a suspension of Safe Harbor

Belgian Draft Law

• Draft law (session 54, nr. 0416)
  • Reduce administrative burden
  • Strengthen data subjects' rights
  • Increase effectiveness of enforcement
  • Data breach notification
• Obvious topical link with the EU data protection reform

Belgian Draft Law

• Reduce administrative burden
  • Appointment of a data protection officer
    • Exception for natural persons and private legal persons permanently employing at most 9 persons for the automated processing of personal data
    • DPO: reliable natural person with the requisite knowledge
  • Waiver of the notification duty
    • Belgian DPA may request information that was part of the notification duty

Belgian Draft Law

• Function of the DPO
  • Independent function
    • No instructions from the data controller
    • No negative consequences
    • Adequate working environment
  • Confidentiality obligations

Belgian Draft Law

• Mission of the DPO
  • Review data protection compliance
  • Risk management
    • Prevention and effective remediation of damage to personal data
    • Prevention of illegitimate breaches of the data subjects' privacy
• Royal Decree may provide further details

Belgian Draft Law

• Strengthen data subjects' rights
  • Right of access
    • Limited right to data portability: in case of automated processing, the data subject may request an electronic copy
    • Royal Decree may amend authentication requirements relating to the exercise of the right of access
      • Authority was already granted, no new powers

Belgian Draft Law

• Increase effectiveness of enforcement through administrative fines
  • System already in place in surrounding countries
  • Max. 10.000 EUR (doubled in case of repeated infringement within a period of 3 years)
  • Fast-track proceedings, appeal is possible (Court of First Instance)

Belgian Draft Law

• Data breach notification and accessory obligation to keep a register of notifications
  • Scope (cumulative conditions)?
    • Unauthorized communication or any other unauthorized access by third parties
    • Risk of substantial damage to the data subjects
    • Specific personal data involved
      • Special categories of personal data
      • Personal data covered by professional secrecy
      • Personal data used for authentication

Belgian Draft Law

• What?
  • To the data subjects
    • The nature of the breach
    • Contact details for further information
    • Recommended measures to mitigate the consequences
  • To the Belgian DPA
    • Description of the consequences of the breach
    • Proposed or effectively taken measures to mitigate and remedy the breach
    • Items above

Belgian Draft Law

• When?
  • To the Belgian DPA
    • Immediately
  • To the data subjects
    • As soon as the countermeasures have been implemented, or immediately when such countermeasures are not implemented immediately
    • Not required if the data controller can demonstrate having effectively taken adequate security measures (i.e. encryption), but the Belgian DPA may impose otherwise

BYOD


Introduction and overview

• 'Bring your own device' (BYOD) and 'Bring your own technology' (BYOT)
• Legal issues
  • Privacy and data protection
  • Electronic communications
  • Labour law issues
  • Intellectual property rights / data ownership and recovery
  • Cybercrime
  • Tax law issues
  • Insurance

Privacy and Data Protection

• What is privacy?
• Privacy at work in the EU?
  • Principle of privacy at work has been confirmed by the ECHR and the Article 29 Working Party
  • Main issue of "work floor privacy" is employee monitoring (electronic communication and use of IT devices)
  • National laws implement privacy at work differently
    • Adopting a single solution for monitoring is difficult

Data Protection

• Limitations in relation to the processing of personal data
  • Personal data: "any information in relation to an identified or identifiable natural person […]"
    • Very broad legal interpretation of the concept of personal data
    • Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
  • Processing: "any operation or set of operations which is performed upon personal data […]"
• Purpose: impose strict (civil and criminal) liability on the entity that is processing the personal data

Data Protection

• Processing of personal data is prohibited, unless allowed by the law
• The data processing must comply with specific principles
  • Proportionality
  • Purpose limitation
  • Limited in time
  • (Individual and collective) Transparency
  • Data quality
  • Data security
  • (Individual and collective) Enforcement measures
• No export of personal data to non-EEA countries, unless adequate protection is offered

Data Protection

• General security obligation
  • Implement appropriate technical and organizational measures
    • Appropriate level
    • Measures are interchangeable
  • Unlawful processing
• Assessment
  • The state of the art and the cost of implementation
  • Risks represented by the processing and the nature of the data to be protected

Data Protection

• Legal ownership of the device is generally not relevant for data protection purposes
  • Controller: determination of purpose and means
  • Devices owned by third parties can be used
• Technology used and ownership thereof can have an impact on security obligations
  • Security assessment
  • Proliferation of devices and data
  • Data recovery
  • Less security in case of private devices?
  • Increased management effort / risk?
  • Loss of control?

Data Protection

• Private device used for professional purposes vs. corporate device used for private purposes
• Policies are a major instrument in both cases
  • Raise awareness (instruct)
  • Ensure policy enforceability (enforce)
  • Governing privacy expectations
  • Combine HR, IT and security
• Contents
  • Scope / eligibility (who, what, when?)
  • Rights and obligations of the parties involved
    • During contract (AUP & security)
    • Upon and after termination (data!) (exit strategy)

Data Protection

• Data breach related actions
  • Encryption ("walled garden approach")
  • Access to device
    • Data retrieval
    • Data wiping
    • Access without consent may qualify as 'unauthorized access'
  • Some countries impose a data breach notification
• Privacy at work related clauses
  • Managing privacy expectations
  • Implementing compliant monitoring

Enforcement?

• UK (among others, monetary penalties up to £ 500,000)
  • ICO fine of £ 100,000 (Aberdeen City Council): data breach by a home worker
  • Undertaking (Royal Veterinary College): data loss (private device containing professional information)
• US
  • Settlement of $ 1,500,000 (Massachusetts Eye and Ear Associates Inc.): stolen unencrypted laptop (HIPAA)

Labour Law and Tax Issues

• Labour law issues
  • Adoption of a BYOD policy
  • Monitoring of employees
    • Communication
    • Localization
  • Enforcing a BYOD policy (disciplinary actions and dismissal)
  • Working time management
• Labour law rules are different in many countries
  • Involve local HR resources
• Tax regime for cost reimbursements / benefits in kind

IP Rights

• IP rights issues
  • Ownership of data and information
  • License management
  • Illegal content
  • IP infringements due to mobility
    • Applies to other topics as well (e.g. export restrictions)
• Enforcing IP rights in a practical manner
  • Employment contract
  • MDM/MAM
  • Data wiping and data recovery on exit

Cybercrime

• Cybercrime laws are more or less harmonized
  • Convention on Cybercrime (Council of Europe)
• Access to employee devices and data
  • Unauthorized access
  • Data interference
  • System interference
  • Misuse of devices
• MDM, MAM and data wiping/data recovery
  • Employee consent
  • Policy

Conclusion

• BYOD policy is a must
  • Raise awareness
  • Ensure enforceability of rules by supplementing (employment) contracts with policies
  • Covering legal & liability risks
• Key data protection and privacy issues
  • Security (technical and organizational)
  • Future compliance and data breach notification duty
  • Monitoring employees (privacy at work)
• Adopting a "one size fits all" policy is extremely difficult

PRACTICAL CONCLUSION


Practical conclusion

• Strong trend towards enforcement, but not yet operational in Belgium / at EU level
• Action points?
  • Review data protection capabilities in your organisation
  • Review current data processing operations
  • Review interaction between "Information Security", "IT", the Legal Department and/or the DPO
• Information security will have a crucial role!

Practical conclusion

• Incident handling
  • Create a plan/processes for the handling of data protection incidents
  • Deadlines are short and may become shorter
  • Assess advantages/disadvantages of the voluntary data breach notification

Contact details

Johan Vandendriessche

Partner - crosslaw CVBA

Visiting Professor ICT Law - UGent

Mobile Phone +32 486 36 62 34

E-mail [email protected]

Website www.crosslaw.be


ISACA BELGIUM