Present and Future Legal Considerations for Constructing a Cyber Security Policy
Johan Vandendriessche, Partner – Crosslaw, Visiting Professor in ICT Law – University of Ghent
Critical infrastructures: legal approach
EC Directive 2008/114/EC (local implementation!)
• Critical infrastructure and European critical infrastructure: asset, system or part thereof
  • Essential for societal functions, health, safety, security, economic or social well-being
  • Significant impact in case of disruption or destruction
• Sector limitation at the EU level: energy, transportation
• Local Member States may have a different approach
• Major difference EU level vs US
Brussels - Kortrijk | www.crosslaw.be 2
Critical infrastructures: legal approach
Obligation to implement an operator security plan (OSP)
• Identification of critical infrastructure assets
• Existing and planned security solutions
Methodology
• Identification of important assets
• Conduct of a risk analysis
• Identification, selection and prioritization of counter-measures and procedures
  • Permanent measures
  • Graduated measures
Critical infrastructures: legal approach
Draft Directive on Network and Information Security – COM (2013) 48
• Obligations for Member States, public authorities and market operators (i.e. critical infrastructures in the broad sense)
• Security obligation in relation to information systems used in operations
  • Appropriate level, taking into account the state of the art
  • Prevent and minimize the impact of an incident on core operations
• Breach notification obligation in case of significant impact
  • Notified breaches may be published by the regulator
  • Regulator shall publish a yearly report
Legal Approach to Cyber Security
Cyber security
• Availability and integrity of information systems and information
• Exclusivity, confidentiality and protection of information systems and information
Cyber security and/or information security law? No consolidated set of laws and regulations
• Cybercrime
• Data protection
• Secrecy of (electronic) communication
• Intellectual property rights (copyright, patents, software …)
• General regulations (e.g. SOX, Wassenaar Arrangement)
• Sector-based regulations (e.g. Basel II, MiFID, HIPAA …)
Legal Approach to Cyber Security
Generic cyber security and/or information security law? General due diligence and care obligation
• (Indirect) compliance obligation
• (Indirect) obligation to ensure information security?
Impact on critical infrastructures?
• Assessment of the impact of destruction and/or disruption on clients, third parties and/or society
• Define a threshold for negligence
• Implement the measures required to avoid negligence
Large contractual scope: NDAs, SLAs, IP contracts, IT policies, self-regulation, …
Cybercrime
Harmonized approach in the EU
• Budapest Convention on Cybercrime 2001 (CETS 185)
• Directive 2013/40/EU on attacks against information systems
Cybercrime offences
• Illegal access to information systems
• Illegal system interference
• Illegal data interference
• Illegal interception
• Cybercrime tools
• Incitement, aiding and abetting, and attempted cybercrime
Data Protection
Principles of Directive 95/46/EC
• Processing of personal data is prohibited, unless allowed
• The data processing must comply with specific principles
  • Proportionality
  • Purpose limitation
  • Limited in time
  • (Individual and collective) transparency
  • Data quality
  • Data security
  • (Individual and collective) enforcement measures
• No export of personal data to non-EEA countries, unless adequate protection is offered
Data Protection
Importance of legal designation as critical infrastructure?
• The legal data protection framework applies: no exemption for critical infrastructures
• Conflict with the cyber security obligations of critical infrastructures?
Critical infrastructures
• Critical infrastructures that serve to process personal data
• Critical infrastructures that do not serve to process personal data
Legal basis for data processing activities in the context of security
• Consent-based security measures
• Security measures based on contractual necessity
• Security measures as a legal obligation
• Security measures under legitimate interest
Data Protection
General obligation to implement security measures in relation to data processing
• Technical measures
  • User access management
  • IT security (anti-virus, firewall, …)
  • Fire prevention measures
• Organizational measures
  • Data categorization (confidentiality level)
  • Employee policies
Protection against any unauthorized processing
• Adequate level of protection, taking into account:
  • Available technology and costs
  • Nature of the personal data concerned and the potential risks
Data Protection
Specific issues in relation to data protection and security (i.e. specific limitations imposed when processing personal data in the context of security measures)
• Employee surveillance
• Camera surveillance (security cameras)
• Whistle-blowing policies
• Blacklists
• Access control / identity control (ID card related issues)
• Biometric data (e.g. identification and access restrictions)
• Screening / background checks (e.g. "certificate of good behaviour")
• Archiving
In the future: general data loss and data breach notification obligations
• Exists already for the (telecommunications) sector
• Exists already in some EU countries, but not in all (e.g. not in Belgium)
The Future of Data Protection
The Data Protection Directive is under review
• Draft EU regulation (final stage of the legislative process)
• EU-wide unified application
Additional requirements
• Privacy officer for large companies / privacy-sensitive companies
• Privacy by design
• Privacy by default
• Data breach notifications
• Data protection impact assessment
• Fines
The Future of Data Protection
Data protection management
• Key principle: accountability
• Ensure and be able to demonstrate compliance
  • Adopt policies
  • Implement appropriate measures
    • Documentation
    • Implementing data security requirements
    • Performing data protection impact assessments
    • Prior authorization or consultation (where required)
    • Data protection officer (DPO)
What can you do to prepare?
• Seek a DPO?
• Document existing data processing activities and ensure current compliance
The Future of Data Protection
Data breach notification duty
• Applies to data controller and data processor
• Notification to supervisory authorities
  • Detailed information
  • Without undue delay and at the latest within 24 hours after becoming aware of the breach
  • If not within 24 hours, reasoned justification for the delay
  • Standard format is likely
  • Document the data breach for verification purposes
• Notification to data subjects
  • Likelihood of adversely impacting a data subject
  • Encryption may provide an exemption
  • May be imposed by supervisory authorities
• Tendency to include data breach notification obligations in contracts already
The Future of Data Protection
Enforcement
• Liability
  • In principle, joint and several liability
• Penalties: administrative sanctions
  • Fine of max. 1,000,000 EUR or, in case of an enterprise, 2% of annual global turnover, whichever is higher
  • Much stricter and higher in the EP text
How to deal with incidents and notification obligations?
Practical approach to dealing with incidents and notifications
Three stages
• Before the incident
• During the incident
• After the incident
Pre-incident phase
• Assess the nature of your security and notification obligations
• Assess the data processing activities being carried out
• Create and implement a security policy and an incident policy (incident team!)
How to deal with incidents and notification obligations?
Incident phase (legal perspective)
• Apply the incident handling policy
• Qualify the nature of the incident
  • Assess the legal impact
  • Assess the obligations imposed by law
• Execute the legal obligations
Post-incident phase
• Document the incident and the incident handling
• Review the incident and identify measures to avoid recurrence
• Follow up claims (if any)
• Lessons learnt (analyze the performance of the incident handling)
Conclusion
• Identify the obligations applicable to your critical infrastructure
  • Security obligations
  • Breach/incident notification obligations
• Prepare for incidents
• Use the legal obligations applicable to critical infrastructures as a tool for justifying data processing activities for security purposes
• Prepare for the upcoming GDPR
  • Assess your current situation and ensure that you are compliant with the current legal framework
  • "Upgrade" as a next step
Thank you for your attention. Questions?