Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Transcript of Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Page 1: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Cyber and Information Security
Legal Issues in relation to Cyber Incidents

Johan Vandendriessche
Partner – Crosslaw
Visiting Professor in ICT Law – University of Ghent
[email protected]
www.crosslaw.be

Page 2: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Legal Approach to Cyber Security

Cyber Security
• Availability and integrity of information systems and information
• Exclusivity, confidentiality and protection of information systems and information

Cyber security and/or information security Law?
• No consolidated set of laws and regulations
  • Cybercrime
  • Data Protection
  • Secrecy of (electronic) communication
  • Intellectual Property Rights (copyright, patents, software …)
  • General regulations (e.g. SOX, Wassenaar Arrangements)
  • Sector-based regulations (e.g. Basel II, MiFiD, HIPAA …)

Brussels - Kortrijk | www.crosslaw.be 2

Page 3: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Legal Approach to Cyber Security

Generic cyber security and/or information security Law?
• General due diligence and care obligation
  • (Indirect) compliance obligation
  • (Indirect) obligation to ensure information security?
• Large contractual scope: NDAs, SLAs, IP contracts, IT policies, self-regulation, …
  • Contracts and policies often impose security rules in relation to IT
• Specific legislation for critical infrastructures
  • EU – sector limitation


Page 4: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Critical Infrastructures: Legal Approach

EC Directive 2008/114/EC – Act of 1 July 2011

Critical infrastructure and European critical infrastructure
• Asset, system or part thereof
• Essential: societal functions, health, safety, security, economic or social well-being
• Significant impact in case of disruption or destruction

Sector limitation at the EU level
• Energy
• Transportation

Larger approach in Belgium (financial sector and electronic communications)


Page 5: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Critical Infrastructures: Legal Approach

Obligation to implement an operator security plan (OSP)
• Identification of critical infrastructure assets
• Existing and planned security solutions

Methodology
• Identification of important assets
• Conduct of a risk analysis
• Identification, selection and prioritization of counter-measures and procedures
  • Permanent measures
  • Graduated measures


Page 6: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Critical Infrastructures: Legal Approach

Draft Directive Network and Information Security – COM (2013) 48
• Obligations for Member States, public authorities and market operators (i.e. critical infrastructures in the broad sense)
• Security obligation in relation to information systems used in operations
  • Appropriate level, taking into account the state of the art
  • Prevent and minimize the impact of incidents on core operations
• Breach notification obligation in case of significant impact
  • Notified breaches may be published by the regulator
  • Regulator shall publish a yearly report


Page 7: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Data Protection and Information Security

Specific issues in relation to data protection and security (i.e. specific limitations imposed when processing personal data in the context of security measures)
• Employee surveillance
• Camera surveillance (security cameras)
• Whistle-blowing policies
• Blacklists
• Access control / identity control (ID card related issues)
• Biometric data (e.g. identification and access restrictions)
• Screening / background checks (e.g. “certificate of good behaviour”)
• Archiving

In the future: general data loss and data breach notification obligations
• Exists already for the (telecommunications) sector
• Exists already in some EU countries, but not all countries (e.g. not in Belgium)


Page 8: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Security Incidents

Security incidents (data protection related) have become more publicized
• NMBS, Ministry of Defence, Jobat, …

Increased awareness from DPAs and legislator
• Recommendations and advice on security
• Recommendation regarding incident handling
• Voluntary data breach notification

Legal initiative pending
• GDPR


Page 9: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Enforcement under Belgian Data Protection Law

Mediation role of the Belgian DPA
• Proposal of undertakings

Cease and desist proceedings
• Used sometimes (especially between companies)

Various criminal sanctions (e.g. fines up to 600.000 EUR)
• Applied rarely in practice

No mandatory data breach notification (except for the communications sector)

No administrative fines


Page 10: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Voluntary Data Breach Notification

Current legal situation
• No binding data breach notification under data protection law
  • Voluntary notification mechanism
  • Discussions on data breach notification and administrative fines
  • Separate draft proposal pending in the Belgian Parliament
• Binding data breach notification under communications law
  • Network integrity
  • Personal data


Page 11: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Voluntary Data Breach Notification

Scope
• Data breaches in relation to personal data (outside the communications sector)
• Data breach: unauthorized processing (cf. article 16 of the Act)
  • Large approach to “data breach”

Deadline
• In principle 48 hours following discovery of the data breach
• Two-step approach is possible in case little or no information is available
  • First notification: provisional/partial notification
  • Second notification: complete notification


Page 12: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Voluntary Data Breach Notification

Notification
• Belgian DPA
  • Waiver
    • No impact on privacy of data subjects
    • Data has been encrypted or otherwise rendered unreadable
    • Data subjects have been informed immediately + limited group of data subjects + no special categories of personal data involved
  • DPA recommends keeping a detailed logbook
• Concerned data subjects
  • Form
    • Identifiable: direct means of communication
    • Unidentifiable: media, whilst using effort to identify and contact the data subjects
  • Waiver for notification to data subjects: encrypted data or otherwise rendered unreadable
  • Temporary suspension of notification to data subjects: impediment to the investigation


Page 13: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

How to Deal with Incidents and Notification Obligations?

Practical approach to dealing with incidents and notifications from a legal perspective

Three stages
• Before the incident
• During the incident
• After the incident

Assessment of legal risk mitigation strategies and legal obligations during each stage


Page 14: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

How to Deal with Incidents and Notification Obligations?

Pre-incident phase
• Review IT infrastructure
  • Assess the nature of your security and notification obligations
  • Assess the data processing activities being carried out
• Assess current state of compliance
  • Identify gaps
  • Create a plan to address the gaps
• Create and implement a security policy and an incident policy (incident team!)
• Assess cyber insurance possibilities
  • Assess cyber risk and insurance needs
  • Possibility to obtain accessory services in case of cyber incidents – useful for smaller companies that do not have the capacity to invest in incident teams


Page 15: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

How to Deal with Incidents and Notification Obligations?

Incident phase (legal perspective)
• Identify the incident
  • Apply the incident handling policy in accordance with the (preliminary) identification of the incident
  • Verify cyber insurance coverage and invoke the insurance if possible
• Identify the consequences of the incident
  • Assess the legal impact on the company
  • Assess possible actions related to cyber crime
  • Assess the obligations imposed by law (and under your cyber insurance contract)
• Execute the legal obligations
• Assess the possibility of extra-legal mitigation action
  • Communication to mitigate reputational damage


Page 16: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

How to Deal with Incidents and Notification Obligations?

Post-incident phase
• Document the incident and the incident handling
• Review the incident and identify measures to avoid recurrence
• Follow up consequences (if any) and mitigate if possible
  • Claims for damages
  • (Administrative) fines
  • Legal proceedings
• Lessons learnt (analyze performance of incident handling)
  • Feedback to pre-incident stage: improve and/or adapt whenever needed


Page 17: Cyber and Information Security - Legal Issues in relation to Cyber Incidents

Thank you for your attention. Questions?
