Data Breach Notification: what EU law means for your information security strategy
Olivier Proust
December 8, 2011
Hunton & Williams LLP
© Hunton & Williams 2
Key points
1. Introduction
2. Overview of data breach requirements under the e-Privacy Directive
3. Data breach laws in selected EU Member States and key differences
4. Best practices
5. Conclusion: what can be expected of future regulation?
1. Introduction
What is a security breach?
Recent examples
What are the goals?
2. Overview of the e-Privacy Directive
Personal Data Breach
« A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service »
Scope
• Limited to personal data breaches
• Limited to telecoms/ISPs
– Possible extension of data breach requirements in the context of the EU’s data protection framework review (Directive 95/46/EC)
Personal Data Breach Requirements
• In the case of a personal data breach, telecoms/ISPs must, without undue delay, notify:
– The competent authority
– Subscribers/individuals, if the breach is likely to adversely affect their personal data or privacy
• Notice is not required if:
– Appropriate technological protection measures are implemented
– Protection measures were applied to data concerned
Data breach notification
• Notification to the individuals:
– Nature of the personal data breach
– Contact points where more information can be obtained
– Recommended measures to mitigate the possible adverse effects of the personal data breach
• Notification to the competent authority:
– Consequences of the personal data breach
– Measures proposed or taken by the provider to address the breach
Need for harmonization
• Need to harmonize breach notification procedures across EU Member States, particularly in terms of:
– Notification thresholds
– Content and time of notification
– Exceptions relating to technological protection measures
• EC public consultation on data breach notifications (July 2011)
• Deadline September 9, 2011
• May result in additional rules complementing the existing legal framework
Risks for non-compliance
• Financial loss
• Regulators may audit companies
• Fines and/or sanctions
• Reputational damage
3. Data breach laws in selected EU Member States
FRANCE
Ordinance of August 24, 2011
• Scope
– Only applies to electronic communication service providers (e.g., telecom operators, ISPs)
• “Data security breach”
– “Any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure of, or unauthorized access to personal data”
Notification Requirement
• In the event of a breach, telecoms and ISPs must, without undue delay, notify:
– The French Data Protection Authority (CNIL), and
– Affected individuals, if the breach is likely to adversely affect their personal data
• Notice is not required in certain circumstances:
– If the company has implemented appropriate information security measures, and
– Has demonstrated this implementation to the CNIL
• In the absence of such measures, the CNIL may require the company to notify its subscribers about the breach
Conditions for Notifying Breaches
• The conditions for notifying security breaches are unclear
• Additional legislation is expected in the near future
• The CNIL also may issue practical guidance
Risks for Non-Compliance
• Sanctions
– 5 years imprisonment
– €300,000 fine
– Warning
• Reputational damage
GERMANY
Current Legal Framework for Data Security Breaches
• Comprehensive statutory breach notification requirement
• Different from the e-Privacy Directive
• In force since September 2009, DPA guidance issued in December 2010
• Broad scope, applies to all companies subject to:
– Federal Data Protection Act (FDPA) (private entities and undertakings governed by public law which compete on the market acting as data controllers)
– Telecommunications Act (telecom providers)
– Telemedia Act (website providers)
Types of Data Covered
• Sensitive data as defined in the FDPA (e.g., data about racial or ethnic origin, religion or health related data)
• Data subject to professional or official secrecy (e.g., data held by lawyers, notaries, doctors)
• Data concerning criminal acts or administrative offenses
• Data on bank or credit card accounts
• Customer data or traffic data as defined in the Telecoms Act
• Customer data or usage data as defined in the Telemedia Act (e.g., data held by electronic information and communication service providers, including registration or usage data that may identify an individual online user)
Requirements
• Legal requirements are triggered if two conditions are met:
– Unlawful disclosure:
• Data have been transferred unlawfully, OR
• Third parties have accessed data otherwise
– Serious impact for the rights or protected interests of the individual (e.g., identity theft, financial damage, social disadvantages)
• Notification of both the competent Federal or state DPA and the individuals concerned
• Notification must happen without “undue delay,” as soon as appropriate measures to secure the data have been undertaken and any law enforcement investigation is no longer affected
Content of Notification
• To the individual concerned, must include:
– Description of the type of unlawful disclosure
– Recommendations for measures to limit possible negative consequences
• To the DPA, must, in addition, include a description of:
– Possible negative consequences of the unlawful disclosure
– Description of the measures taken by the data controller
• In case of disproportionate effort, in particular because of the number of individuals concerned, the general public must instead be informed by:
– Advertising of at least half a page
– In at least two daily newspapers that are published throughout Germany
THE NETHERLANDS
Bill in Dutch Parliament
• Bill to implement e-Privacy Directive adopted by Lower House
• Bill would address data security breaches, cookie requirements, net neutrality, etc.
• On-going debate in the Upper House
• Implementation date unclear
Scope
• Limited to telecom sector
– Only applies to electronic communication service providers (e.g., telecom operators, ISPs)
– A breach notification requirement across all sectors is part of the revision of the Dutch Data Protection Act that is currently being considered
• Broad application
– Any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure of, or unauthorized access to, personal data
Conditions for Notifying Breaches
• Dutch Bill closely follows text of e-Privacy Directive with regard to data breach notification requirements
• In the event of a breach, telecoms and ISPs must, without undue delay, notify:
– The Dutch Telecoms Authority (OPTA), and
– Affected individuals
• If the breach is likely to adversely affect their personal data
• Initial assessment by the company, OPTA can overrule
• Exemptions:
– If company has implemented appropriate security measures, and
– Has sufficiently demonstrated this to the OPTA
• Mandatory data breaches register
UNITED KINGDOM
DPA Key Requirements
• No general legal obligation to notify under Data Protection Act 1998 BUT
• The UK Information Commissioner’s Office (ICO) has issued guidance on data breach notification and operates a voluntary notification scheme for “serious” data breaches
• Notification expected for “serious” breaches where:
– Potential for harm to individuals
– Large volume of data compromised
– Compromised data are sensitive
Privacy and Electronic Communications (EC Directive) Regulations 2011 (PECR)
• Amended 2003 e-Privacy Regulations to include mandatory breach notification to ICO for public electronic communication service providers (i.e., telecoms and ISPs)
• Notification must include a description of:
– Circumstances of breach
– Consequences
– Measures taken to address breach
• Notify subscribers where breach likely to adversely affect personal data or privacy of subscriber, except where the provider demonstrates to the ICO that security measures have been implemented that render the data unintelligible on unauthorised access
• Maintain inventory of breaches
Sector-specific requirements
• Mandatory notification for financial services organizations regulated by the Financial Services Authority (FSA)
ICO Enforcement
• Monetary penalties for serious breaches
– Up to £500,000 for “serious” breaches of DPA and PECR
– Test: serious contravention of data protection principles AND likely to cause substantial damage or distress AND either (a) deliberate, OR (b) the Data Controller knew, or ought to have known, that the breach would occur and would be likely to cause damage/distress, AND failed to take reasonable steps to prevent it
• Note: Applies to all DPA breaches, not just security breaches
• PECR
– Fixed penalty of £1,000 on service providers that fail to notify
– Audit rights
– Third party information notice
4. Best practices
Security measures
• e-Privacy Directive says:
– Access to personal data must be authorized and must have a legal purpose
– Personal data must be protected against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure
– A security policy must be implemented
• Additional and specific security requirements under national law
Organizational measures
• Appoint a data protection officer
• Internal coordination and communication (e.g., a standard operating procedure for handling data security breaches)
• Internal policies for employees
• Privacy-by-design
Legal measures
• Comply with local data protection laws (i.e., registrations, privacy notices, data transfer mechanisms, etc.)
• Data processor clauses in service provider agreements
• Maintain an inventory of data security breaches
5. Conclusion
Towards a general data breach notification requirement?
• Recital 59 of the e-Privacy Directive
• EU Commission’s Communication proposing a “Comprehensive approach on personal data protection in the EU”, released on November 4, 2010
• On-going revision of the EU Data Protection Directive 95/46/EC
Contact
Visit www.huntonprivacyblog.com
Olivier Proust
Associate, Hunton & Williams
+32 (0)2 643 58
[email protected]