Breach Notification and Incident Response Andrew Cormack Janet TLP: White


Page 1: Breach Notification and Incident Response

Breach Notification and Incident Response

Andrew Cormack, Janet

TLP: White

Page 2: Breach Notification and Incident Response

Breach Notification

•Current Telecoms Directive (telcos)
– Privacy breach => privacy regulator and affected parties
– Integrity/availability breach => telco regulator => ENISA (see report)

•Draft Data Protection Regulation (all)
– Privacy breach => privacy regulator and affected parties (within 24 hours)

•Rumoured Cybersecurity Directive (???)
– Integrity/availability breach => ??? regulator => ENISA

•Draft E-Signatures regulation also has notification requirements

•Many incidents will require multiple notifications
– With different requirements on timescales/severity/format

Page 3: Breach Notification and Incident Response

Information Sharing

•Current Data Protection Directive
– Incident response is a legitimate interest for telcos
– Can disclose personal data for own and recipient’s legitimate interest
  • E.g. telling a bank their customer has been phished

•Draft Data Protection Regulation
– Incident response is a legitimate interest for everyone
– Can disclose for own legitimate interest
  • Apparently not for recipient’s interest
– Including outside EEA

Page 4: Breach Notification and Incident Response

Thoughts...

•Does this indicate trends?
– From voluntary to mandatory disclosure?
– From mesh to hub-and-spoke model of sharing?

•Could affect priorities after an incident
– Legal duty to report rather than contain/fix?

•Must help law build on known good practice
– Talk to your legislators/regulators

Page 5: Breach Notification and Incident Response

THANK YOU

Janet, Lumen House

Library Avenue, Harwell Oxford

Didcot, Oxfordshire

t: +44 (0) 1235 822200

f: +44 (0) 1235 822399

e: [email protected]

t: @Janet_LegReg

b: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/