Cyber and Information Security - Legal Issues in relation to Cyber Incidents
Cyber and Information Security
Legal Issues in relation to Cyber Incidents
Johan Vandendriessche
Partner – Crosslaw
Visiting Professor in ICT Law – University of Ghent
Legal Approach to Cyber Security
Cyber Security
• Availability and integrity of information systems and information
• Exclusivity, confidentiality and protection of information systems and information
Cyber security and/or information security law? No consolidated set of laws and regulations
• Cybercrime
• Data Protection
• Secrecy of (electronic) communication
• Intellectual Property Rights (copyright, patents, software …)
• General regulations (e.g. SOX, Wassenaar Arrangement)
• Sector-based regulations (e.g. Basel II, MiFID, HIPAA …)
Brussels - Kortrijk | www.crosslaw.be 2
Legal Approach to Cyber Security
Generic cyber security and/or information security law? General due diligence and care obligation
• (Indirect) compliance obligation
• (Indirect) obligation to ensure information security?
Large contractual scope: NDAs, SLAs, IP contracts, IT policies, self-regulation, …
• Contracts and policies often impose security rules in relation to IT
Specific legislation for critical infrastructures
• EU – sector limitation
Critical Infrastructures: Legal Approach
EC Directive 2008/114/EC – Act of 1 July 2011
Critical infrastructure and European critical infrastructure
• Asset, system or part thereof
• Essential: societal functions, health, safety, security, economic or social well-being
• Significant impact in case of disruption or destruction
Sector limitation at the EU level
• Energy
• Transportation
Larger approach in Belgium (financial sector and electronic communications)
Critical Infrastructures: Legal Approach
Obligation to implement an operator security plan (OSP)
• Identification of critical infrastructure assets
• Existing and planned security solutions
Methodology
• Identification of important assets
• Conduct of a risk analysis
• Identification, selection and prioritization of counter-measures and procedures
  • Permanent measures
  • Graduated measures
Critical Infrastructures: Legal Approach
Draft Directive on Network and Information Security – COM (2013) 48
Obligations for Member States, public authorities and market operators (i.e. critical infrastructures in the broad sense)
Security obligation in relation to information systems used in operations
• Appropriate level, taking into account the state of the art
• Prevent and minimize the impact of an incident on core operations
Breach notification obligation in case of significant impact
• Notified breaches may be published by the regulator
• Regulator shall publish a yearly report
Data Protection and Information Security
Specific issues in relation to data protection and security (i.e. specific limitations imposed when processing personal data in the context of security measures)
• Employee surveillance
• Camera surveillance (security cameras)
• Whistle-blowing policies
• Blacklists
• Access control / identity control (ID card related issues)
• Biometric data (e.g. identification and access restrictions)
• Screening / background checks (e.g. “certificate of good behaviour”)
• Archiving
In the future: general data loss and data breach notification obligations
• Exists already for the (telecommunications) sector
• Exists already in some EU countries, but not in all countries (e.g. not in Belgium)
Security Incidents
Security incidents (data protection related) have become more publicized
• NMBS, Ministry of Defence, Jobat, …
Increased awareness from DPAs and the legislator
• Recommendations and advice on security
• Recommendation regarding incident handling
• Voluntary data breach notification
• Legal initiative pending (GDPR)
Enforcement under Belgian Data Protection Law
Mediation role of the Belgian DPA
• Proposal of undertakings
Cease and desist proceedings
• Used sometimes (especially between companies)
Various criminal sanctions (e.g. fines up to 600.000 EUR)
• Applied rarely in practice
No mandatory data breach notification (except for the communications sector)
No administrative fines
Voluntary Data Breach Notification
Current legal situation
• No binding data breach notification under data protection law
  • Voluntary notification mechanism
  • Discussions on data breach notification and administrative fines
  • Separate draft proposal pending in the Belgian Parliament
• Binding data breach notification under communications law
  • Network integrity
  • Personal data
Voluntary Data Breach Notification
Scope
• Data breaches in relation to personal data (outside the communications sector)
• Data breach: unauthorized processing (cf. article 16 of the Act)
  • Broad approach to “data breach”
Deadline
• In principle 48 hours following discovery of the data breach
• Two-step approach is possible in case little or no information is available
  • First notification: provisional/partial notification
  • Second notification: complete notification
Voluntary Data Breach Notification
Notification to the Belgian DPA
• Waiver
  • No impact on the privacy of data subjects
  • Data has been encrypted or otherwise rendered unreadable
  • Data subjects have been informed immediately + limited group of data subjects + no special categories of personal data involved
• DPA recommends keeping a detailed logbook
Notification to the concerned data subjects
• Form
  • Identifiable: direct means of communication
  • Unidentifiable: media, whilst making efforts to identify and contact the data subjects
• Waiver for notification to data subjects: data encrypted or otherwise rendered unreadable
• Temporary suspension of notification to data subjects: impediment to the investigation
How to Deal with Incidents and Notification Obligations?
Practical approach to dealing with incidents and notifications from a legal perspective
Three stages
• Before the incident
• During the incident
• After the incident
Assessment of legal risk mitigation strategies and legal obligations during each stage
How to Deal with Incidents and Notification Obligations?
Pre-incident phase
• Review IT infrastructure
  • Assess the nature of your security and notification obligations
  • Assess the data processing activities being carried out
• Assess current state of compliance
  • Identify gaps
  • Create a plan to address the gaps
• Create and implement a security policy and an incident policy (incident team!)
• Assess cyber insurance possibilities
  • Assess cyber risk and insurance needs
  • Possibility to obtain accessory services in case of cyber incidents – useful for smaller companies that do not have the capacity to invest in incident teams
How to Deal with Incidents and Notification Obligations?
Incident phase (legal perspective)
• Identify the incident
  • Apply the incident handling policy in accordance with the (preliminary) identification of the incident
  • Verify cyber insurance coverage and invoke the insurance if possible
• Identify the consequences of the incident
  • Assess the legal impact on the company
  • Assess possible actions related to cyber crime
  • Assess the obligations imposed by law (and under your cyber insurance contract)
• Execute the legal obligations
• Assess the possibility of extra-legal mitigation action
  • Communication to mitigate reputational damage
How to Deal with Incidents and Notification Obligations?
Post-incident phase
• Document the incident and the incident handling
• Review the incident and identify measures to avoid recurrence
• Follow up consequences (if any) and mitigate if possible
  • Claims for damages
  • (Administrative) fines
  • Legal proceedings
• Lessons learnt (analyze performance of incident handling)
  • Feedback to the pre-incident stage: improve and/or adapt whenever needed
Thank you for your attention. Questions?