Post on 07-Jan-2017
Present and Future Legal Considerations for Constructing a Cyber Security Policy
Johan Vandendriessche, Partner – Crosslaw; Visiting Professor in ICT Law – University of Ghent
Critical infrastructures: legal approach
EC Directive 2008/114/EC (local implementation!)
• Critical infrastructure and European critical infrastructure: an asset, system or part thereof that is
  • essential for societal functions, health, safety, security, economic or social well-being, and
  • would have a significant impact in case of disruption or destruction
• Sector limitation at the EU level: energy and transportation
• Local Member States may have a different approach
• The major difference between the EU level and the US is being abandoned in newer legislation
Brussels - Kortrijk | www.crosslaw.be
Critical infrastructures: legal approach
Obligation to implement an operator security plan (OSP)
• Identification of critical infrastructure assets
• Existing and planned security solutions
• Methodology
  • Identification of important assets
  • Conduct of a risk analysis
  • Identification, selection and prioritization of counter-measures and procedures
    • Permanent measures
    • Graduated measures
Critical Infrastructures: legal approach
EC Directive 2016/1148/EU – Network and Information Security
• Obligations for member states: adoption of a national strategy for NIS and identification of operators of essential services
• Obligations for operators of essential services and for digital service providers
• Implementation deadline: 9 May 2018
Key concepts
• Network and information system (NIS)
• Operator of an essential service
  • Service that is essential for the maintenance of critical societal and/or economic activities
  • Provision of the service depends on NIS
  • An incident would have significant disruptive effects
• Digital service provider
Critical Infrastructures: legal approach
Security obligations of operators of essential services in relation to network and information systems
• Risk management
  • Appropriate and proportionate technical and organizational measures to manage risk
  • Appropriate level of security in view of the risks, taking into account the state of the art
• Incident management
  • Appropriate measures to prevent and minimize the impact of incidents affecting NIS used for essential services and to ensure continuity
  • Breach notification obligation in case of significant impact
    • Provided information is confidential
    • Public may be informed by the competent authority or CSIRT
Critical Infrastructures: legal approach
Security obligations of digital service providers in relation to network and information systems
• Risk management: focus on security, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards
• Incident management
Legal Approach to Cyber Security
Cyber security
• Availability and integrity of information systems and information
• Exclusivity, confidentiality and protection of information systems and information
Cyber security and/or information security law? No consolidated set of laws and regulations
• Cybercrime
• Data protection
• Secrecy of (electronic) communication
• Intellectual property rights (copyright, patents, software …)
• General regulations (e.g. SOX, Wassenaar Arrangement)
• Sector-based regulations (e.g. Basel II, MiFID, HIPAA …)
Legal Approach to Cyber Security
Generic cyber security and/or information security law? General due diligence and care obligation
• (Indirect) compliance obligation
• (Indirect) obligation to ensure information security?
Impact on critical infrastructures?
• Assessment of the impact of destruction and/or disruption on clients, third parties and/or society
• Define the threshold for negligence
• Implement the measures required to avoid negligence
Large contractual scope: NDAs, SLAs, IP contracts, IT policies, self-regulation, …
Cybercrime
Harmonized approach in the EU
• Budapest Convention on Cybercrime 2001 (CETS 185)
• Directive 2013/40/EU on attacks against information systems
Cybercrime offences
• Illegal access to information systems
• Illegal system interference
• Illegal data interference
• Illegal interception
• Cybercrime tools
• Incitement, aiding and abetting, and attempted cybercrime
Data Protection
Principles of Directive 95/46/EC
• Processing of personal data is prohibited, unless allowed
• The data processing must comply with specific principles
  • Proportionality
  • Purpose limitation
  • Limited in time
  • (Individual and collective) transparency
  • Data quality
  • Data security
  • (Individual and collective) enforcement measures
• No export of personal data to non-EEA countries, unless adequate protection is offered
Data Protection
Importance of legal designation as critical infrastructure?
• The legal data protection framework applies: no exemption for critical infrastructures (e.g. Directive 2016/1148/EU)
• Conflict with the cyber security obligations of critical infrastructures?
Critical infrastructures
• Critical infrastructures that serve to process personal data
• Critical infrastructures that do not serve to process personal data
Legal basis for data processing activities in the context of security
• Consent-based security measures
• Security measures based on contractual necessity
• Security measures as a legal obligation
• Security measures under legitimate interest
Data Protection
General obligation to implement security measures in relation to data processing
• Technical measures
  • User access management
  • IT security (anti-virus, firewall, …)
  • Fire prevention measures
• Organizational measures
  • Data categorization (confidentiality level)
  • Employee policies
Protection against any unauthorized processing
• Adequate level of protection taking into account:
  • Available technology and costs
  • Nature of the personal data concerned and the potential risks
Data Protection
Specific issues in relation to data protection and security (i.e. specific limitations imposed when processing personal data in the context of security measures)
• Employee surveillance
• Camera surveillance (security cameras)
• Whistle-blowing policies
• Blacklists
• Access control / identity control (ID card related issues)
• Biometric data (e.g. identification and access restrictions)
• Screening / background checks (e.g. “certificate of good behaviour”)
• Archiving
GDPR: personal data breach notification obligations
• Already exist for the telecommunications sector
• Already exist in some EU countries, but not in all (e.g. not in Belgium)
The Future of Data Protection
Directive 95/46/EC is being replaced by 25 May 2018 by the GDPR – Regulation 2016/679/EU
• EU-wide unified application, completed with some local legislation
Additional requirements
• Accountability
• Data protection officer
• Privacy by design
• Privacy by default
• Documentation duty and data protection impact assessment
• Data breach notifications
• Fines
The Future of Data Protection
Data Protection Management
Key principle: accountability
• Ensure compliance and be able to demonstrate compliance
• Adopt policies
• Implement appropriate measures
  • Documentation of all data processing operations
  • Implementing data security requirements
  • Performing data protection impact assessments
  • Prior authorization or consultation (where required)
  • Data protection officer (DPO)
What can you do to prepare?
• Document existing data processing activities and ensure current compliance
• Appoint a DPO?
The Future of Data Protection
Data breach notification duty
• Applies to the data controller and the data processor
• Notification to supervisory authorities
  • Without undue delay and at the latest within 72 hours after becoming aware of the breach
  • If not within 72 hours, a reasoned justification for the delay
  • Detailed information (data breach, impact and mitigation measures)
  • Document the data breach for verification purposes
  • Exemption: unlikely to result in a risk
• Notification to data subjects
  • Likelihood of high risk
  • Encryption may provide an exemption
  • May be imposed by supervisory authorities
• Tendency to include data breach notification obligations in contracts already
The Future of Data Protection
Enforcement
• Liability
  • In principle, joint and several liability
  • Reversed burden of proof?
• Criminal penalties to be implemented by local legislation
• Administrative fines
  • Fine of max. 20,000,000 EUR or, in case of an enterprise, 4% of annual global turnover, whichever is higher (principles and data subject rights)
  • Fine of max. 10,000,000 EUR or, in case of an enterprise, 2% of annual global turnover, whichever is higher (other provisions)
  • Exemption for public authorities and bodies: decision by local member states
How to deal with incidents and notification obligations?
Practical approach to dealing with incidents and notifications
Three stages
• Before the incident
• During the incident
• After the incident
Pre-incident phase
• Assess the nature of your security and notification obligations
• Assess the data processing activities being carried out
• Create and implement a security policy and an incident policy (incident team!)
How to deal with incidents and notification obligations?
Incident phase (legal perspective)
• Apply the incident handling policy
• Qualify the nature of the incident
  • Assess the legal impact
  • Assess the obligations imposed by law
• Execute the legal obligations
Post-incident phase
• Document the incident and the incident handling
• Review the incident and identify measures to avoid recurrence
• Follow up claims (if any)
• Lessons learnt (analyze the performance of the incident handling)
Conclusion and actions
• Identify the obligations applicable to your critical infrastructure
  • Security obligations
  • Breach/incident notification obligations
• Prepare for incidents by implementing the necessary policies
• Use the legal obligations applicable to critical infrastructures as a tool for justifying data processing activities for security purposes
• Prepare for the upcoming GDPR (if relevant)
  • Assess your current situation and ensure that you are compliant with the current legal framework
  • “Upgrade” as a next step
  • Document data processing operations well in advance