Breach Notification and Incident Response
Andrew Cormack, Janet
TLP: White
Breach Notification
• Current Telecoms Directive (telcos)
  – Privacy breach => privacy regulator and affected parties
  – Integrity/availability breach => telco regulator => ENISA (see report)
• Draft Data Protection Regulation (all)
  – Privacy breach => privacy regulator and affected parties (within 24 hours)
• Rumoured Cybersecurity Directive (???)
  – Integrity/availability breach => ??? regulator => ENISA
• Draft E-Signatures regulation also has notification requirements
• Many incidents will require multiple notifications
  – With different requirements on timescales/severity/format
Information Sharing
• Current Data Protection Directive
  – Incident response is a legitimate interest for telcos
  – Can disclose personal data for own and recipient’s legitimate interest
    • E.g. telling a bank that their customer has been phished
• Draft Data Protection Regulation
  – Incident response is a legitimate interest for everyone
  – Can disclose for own legitimate interest
    • Apparently not for recipient’s interest
  – Including outside EEA
Thoughts...
• Does this indicate trends?
  – From voluntary to mandatory disclosure?
  – From mesh to hub-and-spoke model of sharing?
• Could affect priorities after an incident
  – Legal duty to report rather than contain/fix?
• Must help law build on known good practice
  – Talk to your legislators/regulators
THANK YOU
Janet, Lumen House
Library Avenue, Harwell Oxford
Didcot, Oxfordshire
t: +44 (0) 1235 822200
f: +44 (0) 1235 822399
t: @Janet_LegReg
b: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/