TRANSCRIPT
Roadmap to the GDPR: Breach Notification and Global Breach Response
December 7, 2016
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 2
Today’s Speakers
David Keating, Co-Chair, Privacy & Data Security Practice (Moderator)
Jim Harvey, Co-Chair, Privacy & Data Security Practice; Co-Chair, Cyber Security Preparedness & Response Team
Jan Dhont, Chair, EU Privacy & Data Security Practice
Sebastiaan ter Wee, Senior Digital & Privacy Counsel & Group Data Protection Officer, Aegon
Agenda
GDPR / NIS Directive Breach Notification
Comparison to US Breach Notification Regime
Breach Notification – The Dutch Experience
Globalizing your Cyber Preparedness Plan
GDPR Breach Notification
GDPR provides for omnibus data breach response regime
No breach requirements in Directive 1995/46
Data breach obligations in some EU countries, e.g. the Netherlands, Germany, Austria
Sectoral breach obligations (e.g., telecoms, payment services)
DPAs encourage data breach notification even if not formally required, e.g., https://www.privacycommission.be/fr/la-notification-de-fuites-de-donn%C3%A9es
GDPR harmonizes breach regime
Member states may restrict the obligation to notify to individuals if “necessary and proportionate […] in a democratic society” (Art. 23 GDPR)
GDPR | Personal Data Breach
Personal Data Breach: “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” – Art. 4(12) GDPR.
Breach must concern personal data
What if a “breach of security” does not “lead to” accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access?
GDPR | Dual Notification
Notification of Supervisory Authority (Art. 33 GDPR)
Notify if Personal Data Breach “unless [...] unlikely to result in a risk to the rights and freedoms of natural persons”
Without undue delay, no later than 72 hours
Notification of Data Subject (Art. 34 GDPR)
Notify if Personal Data Breach “is likely to result in a high risk to the rights and freedoms of natural persons”
Without undue delay
Exemptions:
“Appropriate technical and organizational measures,” in particular those that render data “unintelligible or prevent unauthorized access, such as encryption”
Subsequent measures that prevent materialization of high risk
Notification would involve disproportionate effort – use of collective media
(Slide diagram labels: Risk; High Risk)
GDPR | Risk & High Risk
Risk:
“[…] [P]hysical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage of reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned” (Recital 85)
Low threshold
High risk:
Advice of WP29 expected in context of DPIAs – EDPB tasked to advise (Art. 70 (1)(h) GDPR)
Supervisory Authority may impose notification to individuals if it considers the breach results in a “high risk”
GDPR | Notification Modalities
Accountability Requirement: Document breaches in a manner enabling the Supervisory Authority to verify compliance with notification requirement (including facts and remediation taken)
Notification content
Nature of breach / approx. number of individuals / records affected (not required for notification of individuals)
Relevant contact information DPO or other contact
“Likely consequences” of the breach
Measures taken to address the breach/mitigate possible adverse effects
Recommendations for individuals to mitigate potential adverse effects (Recital 86)
Information may be provided to SA “in phases without undue further delay”
Individuals must be informed “in clear and plain language”; “in writing or by other means including by electronic means” (Art. 34(2) jo. Art. 12(1) GDPR)
GDPR | Data Processor Obligations
Regime
Processor is required to notify controller
Without undue delay after becoming aware of a personal data breach (Art. 33(2) GDPR)
Data processing agreement must provide cooperation instructions in case of data breach (Art. 28 (3)(f) GDPR)
Practical thoughts: not just a matter of contractual liability; fines up to 2 percent of global turnover (!)
Processors should consider breach response plan as much as controllers do
Processors need thoughtful strategy dealing with plurality of controllers
NIS Directive
Objectives:
High common level of security of networks and information systems within the Union
Continuity of essential services
Minimum harmonization / May 2018 implementation deadline
NIS Directive | Scope
Operators of Essential Services
Member states to determine providers in the following sectors: energy (including electricity, oil, gas); transport (including air transport, water transport, road transport); banking / financial market infrastructures; health sector (covering health care settings, including hospitals and private clinics); drinking water supply and distribution; digital infrastructure
Services essential for the maintenance of critical societal and/or economic activities
Provision depends on network and information services
Incidents would have significant disruptive effect
Digital Service Providers (50+ employees)
Online marketplaces
Online search engines
Cloud computing services
NIS Directive | Territorial Application
Essential Services Providers:
National law where provider is located
Identified by Member State
Digital Service Providers:
Location of “main establishment” / “head office”
Not established in the EU but providing services within the EU => appoint a representative “in one of those Member States where services are offered”
No specific “minimum contact” criteria
Forum-shopping opportunity (?)
NIS Directive | Network & Info Security
Operators of Essential Services
“State of the art” information security
Measures to prevent and minimize impact of security incidents in light of continuity of services
Digital Service Providers (50+ employees)
“State of the art” information security, with stress on system/facility security, incident and continuity management, auditing, compliance with international standards
Measures to prevent and minimize impact of security incidents in light of continuity of services
Both
No overly prescriptive cybersecurity regime or protocol
Potentially varying cybersecurity standards
ENISA and Member States to draw up advice and guidelines on information security standards, taking into account Member States’ national standards
NIS Directive | Breach Notification
Notification may be required even if personal data is not breached/disclosed
Notify the CSIRT / national competent authority without undue delay of incidents which have a:
significant impact on the continuity of an essential service, or
substantial impact on the provision of a digital service
Impact must be assessed in light of:
number of users affected
duration of the incident
geographical area
extent of the disruption of the service
economic and societal impact
“Notification shall not make the notifying party subject to increased liability” (Artt. 14(3) and 15(3))
“Incident” means any event having an actual adverse effect on the security of network and information systems – Art. 4(7) NIS Directive
Takeaways
Understand legal frameworks applicable to your industry
Robust information security should be high up on the GDPR work plan
Requires potential system changes
Strong encryption reduces risk exposure (factual and legal)
Invest in breach response/readiness and ensure regular training
Accountability obligations require not only a breach response plan but also documentation of actions taken during a crisis
Processors must timely consider strategy, especially if breach affects multitude of clients
Notification in the Netherlands
Dutch Breach Notification law, effective date: 1 January 2016
Dutch notification obligation slightly more strict than GDPR
Dutch DPA has provided guidance regarding breach notice process
What triggers notification? (Extremely low threshold)
How does the authority examine / review notifications?
Breach Notification - Aegon
Building the data breach notification governance for NL operations
What governance and controls does Aegon have in place?
Training and awareness
Review team tasks – managing the 72 hour clock
First and second line of defence
Breach Notification - Aegon / Netherlands
How to notify the Dutch DPA: https://datalekken.autoriteitpersoonsgegevens.nl/melding/aanmaken?2 (Dutch only)
Notification at Dutch central bank instead of customer?
Question: are such low thresholds effective?
New guidance from Dutch Authority expected in 2017
What are the lessons learned for Aegon?
Globalizing Cyber Breach Preparedness
Countries with General Breach Notification Laws / Guidance (Pre-GDPR)
Australia (guidance)
Austria
Bahamas
Belgium (guidance)
Canada – Alberta
Canada – British Columbia (guidance)
Canada – Federal
Canada – Manitoba
China
Colombia
Costa Rica
Denmark (guidance)
Dubai
Ghana
Germany
Hong Kong (guidance)
Ireland (guidance)
Japan – METI (guidance); FSA (mandatory)
Lesotho
Mauritius (guidance)
Mexico
Netherlands
Norway
Peru
Philippines
Slovakia
South Africa
South Korea
Sweden (guidance)
Taiwan
UAE (Dubai)
United Kingdom (guidance)
Uruguay
• Excludes sectoral laws
• Consider “ledger” requirements
• Consider “complaint enabling statutes”
Language and Time Zone Issues
Globalizing Your Breach Preparedness
Identify Swim Lanes
Who has internal jurisdiction over the issue?
Business / Legal / PR
Do you have a breach czar – is that person effective on a global basis?
"Global Guiding Principles" vs. "Local Country Breach Procedures"
Conduct live fire GLOBAL tabletops
Identifies logistical issues
Identifies cultural issues
Physical presence during these exercises changes everything
Globalizing Your Breach Preparedness
Privilege – not the same across the globe
Data Transfer Issues
Do you have consent to view the data in country?
Do you have a legal mechanism to transfer the data outside the country?
Identify your Global Team
Legal – cyber/breach notification is a novel issue outside of just a few countries
Public relations – people/culture/media all differ drastically from country to country
Incident response and investigation
Local forensics assets can be critical
Tricky and time consuming to move encrypted devices across borders