Cyber Security- A legal perspective Anthony Lee 12 March 2014


Page 1

Cyber Security- A legal perspective Anthony Lee

12 March 2014

Page 2

OUTLINE

Cyber security in the news

The key legal considerations

On the horizon

Page 3

IN THE NEWS

Prism, Dishfire and all that

High profile denial of service (DDOS) attacks

Sony Playstation platform hacked

Lulzsec hackers handed jail sentences

Cybercriminals using botnets to round up fridges

Hacker takes control of a Japanese smart toilet

Page 4

THE PACE OF CHANGE

Cloud computing

Smart devices

Internet of Things / Machine to Machine (M2M)

Page 5

THE LINES OF ATTACK

Organised crime

Cyber espionage

Hacktivism (mischievism)

Insider threat

Page 6

THE KEY LEGAL CONSIDERATIONS

The law will always be playing catch up

Criminal laws

Civil laws

Changes in the pipeline

Page 7

CRIMINAL LAWS

Computer Misuse Act 1990

Data Protection Act 1998

Fraud Act 2006

Page 8

CIVIL LAWS

Confidentiality

Human Rights Act 1998

Data Protection Act 1998

Sector specific laws (e.g. financial services, health)

Page 9

THE DATA PROTECTION ACT 1998

The eight data protection principles

Key definitions

Rights of data subjects

Enforcement / sanctions

Page 10

THE DATA PROTECTION ACT CONTINUED…

Data sharing

Data security

Data export

Page 11

THE EIGHT PRINCIPLES

Personal data must:

Be processed fairly and lawfully (and in accordance with the fair processing conditions)

Be processed only for specified purpose(s)

Be adequate, relevant and not excessive

Be accurate and up to date

Be retained only for so long as is necessary

Be processed in accordance with the data subject’s rights

Be kept secure

Not be transferred outside the EEA unless there is adequate equivalent protection

Page 12

KEY DEFINITIONS

“data”

“personal data”

“sensitive personal data”

“data controller”

“data processor”

“data subject”

“processing”

Page 13

PROCESSING INCLUDES


Keeping / storing data

Altering / adapting / combining data

Disclosure of data

Organising data

Retrieving data

Using data

Destroying / erasing data

Blocking data

Obtaining data

Page 14

RIGHTS OF DATA SUBJECTS

Access to personal data

Stop damaging processing

Stop direct marketing

Object to automatic decisions

Correction / deletion

Compensation from the data controller

Request assessment by the ICO

Page 15

ENFORCEMENT / SANCTIONS

Information Commissioner’s Office

Enforcement notices

Fines

Criminal offences

Failure to comply is an offence

Other laws / sanctions

Page 16

DATA SHARING

Data sharing is a form of processing

First principle - process fairly and lawfully

Six conditions

Special conditions for sensitive personal data

Additional laws

Page 17

DATA SECURITY

Seventh principle

Appropriate technical and organisational measures

Against unauthorised or unlawful processing of personal data

Against accidental loss, destruction of, or damage to, personal data

Arrangements with data processors / sub processors

Prevention is better than a cure

Page 18

PREVENTION OF SECURITY BREACH

Robust processes and working practices

Security policy and staff training

Tight controls over access

Tracking unusual activity

Due diligence on suppliers / strong contracts

Page 19

THE CULPRITS

Page 20

WHAT TO DO IF THERE IS A BREACH OF DATA SECURITY

Notification

Data subjects

ICO

Police

Industry body

Customers

Remedial action

Page 21

DATA EXPORT

Eighth principle

Must not transfer outside EEA

Unless adequate level of protection in place

Approved countries

Contract / binding corporate rules

USA safe harbour / Patriot Act

Page 22

CLOUD COMPUTING

Page 23

THE CLOUD

Internet-based IT Services

Contractual arrangements / sub-contractors

Security (Seventh principle)

Location (Eighth principle)

Audit Rights

Page 24

ACPO GUIDELINES ON DIGITAL EVIDENCE

Principle 1 - do not change data which may be used as evidence in court

Principle 2 - only a competent person should access the original data and give evidence

Principle 3 - maintain a clear audit trail of the processes used to analyse digital evidence

Principle 4 - person in charge of the investigation has responsibility for ensuring the law and these principles are adhered to
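As an added illustration of Principles 1 and 3 (not part of the original slides), the script below shows the minimal technical discipline behind them: hash the original evidence at acquisition, re-hash before every examination, and append each action to a write-once audit log so a court can see what was done and that the data did not change. The evidence bytes, the examiner name and the file names are all constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample "evidence" for the demo; not a real forensic image.
SAMPLE_EVIDENCE = b"constructed sample evidence bytes: browser history export\n"


def sha256_file(path: str) -> str:
    """Hash the file in 1 MiB chunks so large evidence images never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_action(log_path, actor, action, evidence_path, digest, note=""):
    """Principle 3: append one JSON-lines audit entry; the log is only ever appended to."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "evidence": os.path.basename(evidence_path),
        "sha256": digest,
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def acquire(evidence_path, log_path, actor):
    """Take the baseline hash at acquisition and log it."""
    digest = sha256_file(evidence_path)
    record_action(log_path, actor, "acquire", evidence_path, digest, "baseline hash at acquisition")
    return digest


def verify(evidence_path, log_path, actor, baseline):
    """Principle 1 check: re-hash before analysis; a mismatch means the original was altered."""
    current = sha256_file(evidence_path)
    ok = current == baseline
    record_action(log_path, actor, "verify", evidence_path, current,
                  "match" if ok else "MISMATCH against baseline")
    return ok


def read_log(log_path):
    """Return the audit trail as a list of dicts, oldest first."""
    with open(log_path, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def demo():
    """Full cycle in a temp dir: acquire, verify (match), accidental write, verify (mismatch)."""
    with tempfile.TemporaryDirectory() as d:
        ev = os.path.join(d, "evidence.bin")       # placeholder file name
        log = os.path.join(d, "audit.jsonl")       # placeholder file name
        with open(ev, "wb") as f:
            f.write(SAMPLE_EVIDENCE)
        baseline = acquire(ev, log, "examiner-1")  # constructed actor name
        first = verify(ev, log, "examiner-1", baseline)
        # Simulate exactly what Principle 1 forbids: a write to the original.
        with open(ev, "ab") as f:
            f.write(b"x")
        second = verify(ev, log, "examiner-1", baseline)
        return first, second, read_log(log)


if __name__ == "__main__":
    first_ok, second_ok, trail = demo()
    print("verify before write:", first_ok, "| verify after write:", second_ok)
    for e in trail:
        print(e["time"], e["actor"], e["action"], e["sha256"][:16], e["note"])
```

In practice the examiner works on a verified copy and the baseline hash is recorded on the exhibit label as well as in the log; the point of the second `verify` is that a silent change to the original is caught and itself becomes part of the audit trail rather than being discovered in court.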

Page 25

COOKIES

Used by almost all websites

Downloaded onto visitor’s device

Can track habits and preferences

Session cookies / permanent cookies

Third party cookies

Informed consent required

Privacy and Electronic Communications Regulations 2003 (as amended)
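To make the session / permanent and first / third party distinctions on this slide concrete, here is an added example (not from the slides) that parses `Set-Cookie` headers the way a site audit would before deciding which cookies need consent. The headers, host names and cookie names are constructed; the "registrable domain" helper is a deliberate simplification (last two DNS labels) and a real audit should use the Public Suffix List instead.

```python
from dataclasses import dataclass


@dataclass
class CookieInfo:
    name: str
    setter_host: str   # host whose response carried the Set-Cookie header
    domain: str        # effective cookie domain (Domain attribute, else setter host)
    persistent: bool   # "permanent" cookie: has Expires or Max-Age
    third_party: bool  # cookie site differs from the site of the page being visited
    secure: bool
    http_only: bool


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels. Assumption for the demo only;
    production code must consult the Public Suffix List (e.g. example.co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_set_cookie(header: str, setter_host: str, page_host: str) -> CookieInfo:
    """Parse one Set-Cookie header value and classify it relative to page_host."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")   # flags such as Secure have an empty value
        attrs[key.strip().lower()] = value.strip()
    domain = attrs.get("domain", setter_host).lstrip(".").lower()
    persistent = "expires" in attrs or "max-age" in attrs   # no expiry => session cookie
    third_party = registrable_domain(domain) != registrable_domain(page_host)
    return CookieInfo(name, setter_host, domain, persistent, third_party,
                      "secure" in attrs, "httponly" in attrs)


# Constructed sample: headers as a page on www.example.com might receive them,
# each paired with the host that set it.
PAGE_HOST = "www.example.com"
SAMPLE_HEADERS = [
    ("sessionid=abc123; Path=/; Secure; HttpOnly", "www.example.com"),
    ("prefs=dark; Max-Age=31536000; Domain=.example.com; Path=/", "www.example.com"),
    ("uid=tracker-42; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.ads.example.net; Path=/",
     "cdn.ads.example.net"),
]


def classify_sample() -> list:
    """Classify every constructed header against PAGE_HOST."""
    return [classify_set_cookie(h, setter, PAGE_HOST) for h, setter in SAMPLE_HEADERS]


if __name__ == "__main__":
    for info in classify_sample():
        kind = "permanent" if info.persistent else "session"
        party = "third-party" if info.third_party else "first-party"
        print(f"{info.name:<10} {kind:<9} {party:<11} domain={info.domain}")
```

Splitting on `;` rather than `,` matters because an `Expires` value itself contains a comma; an audit that folds several `Set-Cookie` headers into one comma-joined string will misparse exactly the persistent cookies it most needs to find.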

Page 26

WHAT IS ON THE HORIZON?

The draft General Data Protection Regulation

Proposal for a Network and Information Security Directive

Snooping laws and increased police powers

Page 27

THE DRAFT DATA PROTECTION REGULATION

Heavier burden of compliance on controllers

Statutory obligations on processors

Data is personal if identifiable by any person (not just the controller), e.g. IP addresses

More onerous obligations in relation to data security (e.g. controller's veto over sub-processing)

Obligation to notify security breaches and inform individuals concerned

Page 28

THE DRAFT DATA PROTECTION REGULATION

Where consent is required, it must be explicit

Legitimate interests condition preserved, but greater transparency

Regular data protection audits and privacy assessments

Increased fines - a percentage of global turnover

Page 29

THE PROPOSED CYBER SECURITY DIRECTIVE

Will improve network and information security standards across the EU

Will require notification of potential security risks

Will require notification of actual incidents

Will enable a cooperation network between member states to share information

Page 30

SQUARING UP TO THE CHALLENGE

The law needs updating

Technology will continue to outpace the law

Cyber security is on the map

Privacy by design

Page 31

WRAP UP

Keep it secure

Keep it secure

Keep it secure

Page 32

Thank you

Any questions?

Page 33

Contact details:

Anthony Lee

Partner

Mobile: 07802 283990

Email: [email protected]