Present and Future Legal Considerations for Constructing a Cyber Security Policy

Johan Vandendriessche
Partner – Crosslaw
Visiting Professor in ICT Law – University of Ghent

Critical infrastructures: legal approach

Council Directive 2008/114/EC (requires local implementation!)

Critical infrastructure and European critical infrastructure:
• Asset, system or part thereof
• Essential for societal functions, health, safety, security, economic or social well-being
• Significant impact in case of disruption or destruction

Sector limitation at the EU level:
• Energy
• Transport

Local Member States may take a different approach

Major difference between the EU and US approaches; the sector limitation is being abandoned in newer legislation

Brussels - Kortrijk | www.crosslaw.be 2

Critical infrastructures: legal approach

Obligation to implement an operator security plan (OSP):
• Identification of critical infrastructure assets
• Existing and planned security solutions

Methodology:
• Identification of important assets
• Conduct of a risk analysis
• Identification, selection and prioritization of counter-measures and procedures
  • Permanent measures
  • Graduated measures


Critical infrastructures: legal approach

Directive (EU) 2016/1148 – Network and Information Security (NIS Directive)

Obligations for member states:
• Adoption of a national strategy for NIS
• Identification of operators of essential services

Obligations for operators of essential services and for digital service providers

Implementation deadline: 9 May 2018

Key concepts:
• Network and information system (NIS)
• Operator of an essential service
  • Service that is essential for the maintenance of critical societal and/or economic activities
  • Provision of the service depends on NIS
  • An incident would have significant disruptive effects
• Digital service provider


Critical infrastructures: legal approach

Security obligations of operators of essential services in relation to network and information systems

Risk management:
• Appropriate and proportionate technical and organizational measures to manage risk
• Appropriate level of security in view of the risks, taking into account the state of the art

Incident management:
• Appropriate measures to prevent and minimize the impact of incidents affecting the NIS used for essential services, and to ensure continuity
• Incident notification obligation in case of significant impact
  • Provided information is treated as confidential
  • Public may be informed by the competent authority or CSIRT


Critical infrastructures: legal approach

Security obligations of digital service providers in relation to network and information systems

Risk management:
• Focus on security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards

Incident management:
• Notification of incidents with a substantial impact on the provision of the service


Legal Approach to Cyber Security

Cyber security:
• Availability and integrity of information systems and information
• Exclusivity, confidentiality and protection of information systems and information

Cyber security and/or information security law? No consolidated set of laws and regulations:
• Cybercrime
• Data protection
• Secrecy of (electronic) communication
• Intellectual property rights (copyright, patents, software …)
• General regulations (e.g. SOX, Wassenaar Arrangement)
• Sector-based regulations (e.g. Basel II, MiFID, HIPAA …)


Legal Approach to Cyber Security

Generic cyber security and/or information security law? General due diligence and care obligation:
• (Indirect) compliance obligation
• (Indirect) obligation to ensure information security?

Impact on critical infrastructures?
• Assessment of the impact of destruction and/or disruption on clients, third parties and/or society
• Define the threshold for negligence
• Implement the measures required to avoid negligence

Large contractual scope: NDAs, SLAs, IP contracts, IT policies, self-regulation, …


Cybercrime

Harmonized approach in the EU:
• Budapest Convention on Cybercrime 2001 (CETS No. 185)
• Directive 2013/40/EU on attacks against information systems

Cybercrime offences:
• Illegal access to information systems
• Illegal system interference
• Illegal data interference
• Illegal interception
• Cybercrime tools
• Incitement, aiding and abetting, and attempted cybercrime


Data Protection

Principles of Directive 95/46/EC: processing of personal data is prohibited, unless allowed

The data processing must comply with specific principles:
• Proportionality
• Purpose limitation
• Limited in time
• (Individual and collective) transparency
• Data quality
• Data security
• (Individual and collective) enforcement measures

No export of personal data to non-EEA countries, unless adequate protection is offered


Data Protection

Importance of legal designation as critical infrastructure?
• The legal data protection framework applies: no exemption for critical infrastructures (e.g. under Directive (EU) 2016/1148)
• Conflict with the cyber security obligations of critical infrastructures?

Critical infrastructures:
• Critical infrastructures that serve to process personal data
• Critical infrastructures that do not serve to process personal data

Legal basis for data processing activities in the context of security:
• Consent-based security measures
• Security measures based on contractual necessity
• Security measures as a legal obligation
• Security measures under legitimate interest


Data Protection

General obligation to implement security measures in relation to data processing

Technical measures:
• User access management
• IT security (anti-virus, firewall, …)
• Fire prevention measures

Organizational measures:
• Data categorization (confidentiality level)
• Employee policies

Protection against any unauthorized processing; adequate level of protection taking into account:
• Available technology and costs
• Nature of the personal data concerned and the potential risks


Data Protection

Specific issues in relation to data protection and security (i.e. specific limitations imposed when processing personal data in the context of security measures):
• Employee surveillance
• Camera surveillance (security cameras)
• Whistle-blowing policies
• Blacklists
• Access control / identity control (ID card related issues)
• Biometric data (e.g. identification and access restrictions)
• Screening / background checks (e.g. “certificate of good behaviour”)
• Archiving

GDPR: personal data breach notification obligations
• Exists already for the telecommunications sector (ePrivacy Directive)
• Exists already in some EU countries, but not in all (e.g. not in Belgium)


The Future of Data Protection

Directive 95/46/EC is replaced by the GDPR (Regulation (EU) 2016/679), applicable from 25 May 2018

EU-wide unified application, completed with some local legislation

Additional requirements:
• Accountability
• Data protection officer
• Privacy by design
• Privacy by default
• Documentation duty & data protection impact assessment
• Data breach notifications
• Fines


The Future of Data Protection

Data Protection Management

Key principle: accountability. Ensure compliance and be able to demonstrate compliance:
• Adopt policies
• Implement appropriate measures
  • Documentation of all data processing operations
  • Implementing data security requirements
  • Performing data protection impact assessments
  • Prior authorization or consultation (where required)
  • Data protection officer (DPO)

What can you do to prepare?
• Document existing data processing activities and ensure current compliance
• Appoint a DPO?


The Future of Data Protection

Data breach notification duty: data controller (to the supervisory authority) and data processor (to the controller)

Notification to supervisory authorities:
• Without undue delay and at the latest within 72 hours after becoming aware of the breach
• If not within 72 hours, reasoned justification for the delay
• Detailed information (data breach, impact and mitigation measures)
• Document the data breach for verification purposes
• Exemption: unlikely to result in a risk

Notification to data subjects:
• Likelihood of high risk
• Encryption may provide an exemption
• May be imposed by the supervisory authority

Tendency to include data breach notification obligations in contracts already
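The notification decision on this slide, written out as the triage step an incident team would run once a breach is confirmed. This is an added example, not material from the talk: the incident record schema, the three risk levels ("none", "risk", "high") and the condition that the encryption exemption only holds while the key itself is not compromised are assumptions of the example, and the sample incidents are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Notify the supervisory authority without undue delay and at the latest
# within 72 hours after becoming aware of the breach.
NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    """Hypothetical incident record, as an incident team might log it."""
    ref: str
    aware_at: datetime            # moment the controller became aware (must be tz-aware)
    risk: str                     # assessed risk to data subjects: "none", "risk" or "high"
    data_encrypted: bool          # affected personal data was encrypted
    key_compromised: bool = False  # assumption: exemption fails if the key also leaked


@dataclass
class Obligations:
    notify_authority: bool
    authority_deadline: Optional[datetime]
    notify_data_subjects: bool
    reasons: List[str] = field(default_factory=list)


def triage(rec: BreachRecord) -> Obligations:
    """Derive the notification obligations for one breach record."""
    if rec.aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware so the 72h clock is unambiguous")
    if rec.risk not in ("none", "risk", "high"):
        raise ValueError(f"unknown risk level {rec.risk!r}")

    reasons: List[str] = []
    # Exemption: a breach unlikely to result in a risk need not be notified to the authority.
    if rec.risk == "none":
        reasons.append("unlikely to result in a risk: no notification to the supervisory authority")
        return Obligations(False, None, False, reasons)

    deadline = rec.aware_at + NOTIFICATION_WINDOW
    reasons.append(f"notify the supervisory authority by {deadline.isoformat()}")

    # Data subjects are informed when a high risk is likely, unless the data was
    # rendered unintelligible to the attacker (encryption with an intact key).
    encryption_exempts = rec.data_encrypted and not rec.key_compromised
    notify_subjects = rec.risk == "high" and not encryption_exempts
    if notify_subjects:
        reasons.append("high risk and data intelligible to the attacker: inform data subjects")
    elif rec.risk == "high":
        reasons.append("high risk, but data encrypted with an uncompromised key: data subject notification exempt")
    else:
        reasons.append("risk not assessed as high: data subject notification not required")
    return Obligations(True, deadline, notify_subjects, reasons)


def delay_justification_required(rec: BreachRecord, submitted_at: datetime) -> bool:
    """A notification filed after the 72h window must carry reasons for the delay."""
    obl = triage(rec)
    return obl.notify_authority and submitted_at > obl.authority_deadline


# Constructed sample incidents (not real cases), all discovered on the same morning.
AWARE = datetime(2018, 5, 26, 10, 0, tzinfo=timezone.utc)
SAMPLES = [
    BreachRecord("INC-1", AWARE, "high", data_encrypted=False),
    BreachRecord("INC-2", AWARE, "high", data_encrypted=True),
    BreachRecord("INC-3", AWARE, "none", data_encrypted=False),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        obl = triage(rec)
        print(rec.ref, "authority:", obl.notify_authority, "subjects:", obl.notify_data_subjects)
        for reason in obl.reasons:
            print("  -", reason)
```

The two checks worth keeping in a real playbook are the ones the slide implies but does not spell out: the 72-hour clock starts at awareness, not at the attacker's first action, so the awareness timestamp must be recorded deliberately and unambiguously; and encryption only relieves the duty towards data subjects, never the duty towards the supervisory authority.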


The Future of Data Protection

Enforcement

Liability:
• In principle, joint and several liability
• Reversed burden of proof?

Criminal penalties to be implemented by local legislation

Administrative fines:
• Fine of max. 20,000,000 EUR or, in the case of an enterprise, 4% of annual global turnover, whichever is higher (principles and data subject rights)
• Fine of max. 10,000,000 EUR or, in the case of an enterprise, 2% of annual global turnover, whichever is higher (other provisions)
• Exemption for public authorities and bodies: decision by local member states


How to deal with incidents and notification obligations?

Practical approach to dealing with incidents and notifications

Three stages:
• Before the incident
• During the incident
• After the incident

Pre-incident phase:
• Assess the nature of your security and notification obligations
• Assess the data processing activities being carried out
• Create and implement a security policy and an incident policy (incident team!)


How to deal with incidents and notification obligations?

Incident phase (legal perspective):
• Apply the incident handling policy
• Qualify the nature of the incident
  • Assess the legal impact
  • Assess the obligations imposed by law
• Execute the legal obligations

Post-incident phase:
• Document the incident and the incident handling
• Review the incident and identify measures to avoid recurrence
• Follow up claims (if any)
• Lessons learnt (analyze the performance of the incident handling)


Conclusion and actions

Identify the obligations applicable to your critical infrastructure:
• Security obligations
• Breach/incident notification obligations

Prepare for incidents by implementing the necessary policies

Use the legal obligations applicable to critical infrastructures as a tool for justifying data processing activities for security purposes

Prepare for the upcoming GDPR (if relevant):
• Assess your current situation and ensure that you are compliant with the current legal framework
• “Upgrade” as a next step
• Document data processing operations well in advance


Questions?
