Data Breach Notification: what EU law means for your information security strategy

Olivier Proust, December 8, 2011, Hunton & Williams LLP


© Hunton & Williams 2

Key points
1. Introduction
2. Overview of data breach requirements under the e-Privacy Directive
3. Data breach laws in selected EU Member States and key differences
4. Best practices
5. Conclusion: what can be expected of future regulation?

1. Introduction

What is a security breach?

Recent examples

What are the goals?

2. Overview of the e-Privacy Directive

Personal Data Breach

« A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service »

Scope

• Limited to personal data breaches
• Limited to telecoms/ISPs
– Possible extension of data breach requirements in the context of the EU’s data protection framework review (Directive 95/46/EC)

Personal Data Breach Requirements
• In the case of a personal data breach, telecoms/ISPs must, without undue delay, notify:
– The competent authority
– Subscribers/individuals, if the breach is likely to adversely affect their personal data or privacy
• Notice is not required if:
– Appropriate technological protection measures are implemented
– Protection measures were applied to the data concerned

Data breach notification
• Notification to the individuals:
– Nature of the personal data breach
– Contact points where more information can be obtained
– Recommended measures to mitigate the possible adverse effects of the personal data breach
• Notification to the competent authority:
– Consequences of the personal data breach
– Measures proposed or taken by the provider to address the breach

Need for harmonization

• Need to harmonize breach notification procedures across EU Member States, particularly in terms of:
– Notification thresholds
– Content and time of notification
– Exceptions relating to technological protection measures
• EC public consultation on data breach notifications (July 2011)
• Deadline September 9, 2011
• May result in additional rules complementing the existing legal framework

Risks for non-compliance

• Financial loss
• Regulators may audit companies
• Fines and/or sanctions
• Reputational damage

3. Data breach laws in selected EU Member States

FRANCE

Ordinance of August 24, 2011

• Scope
– Only applies to electronic communication service providers (e.g., telecom operators, ISPs)
• “Data security breach”
– “Any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure of, or unauthorized access to personal data”

Notification Requirement
• In the event of a breach, telecoms and ISPs must, without undue delay, notify:
– The French Data Protection Authority (CNIL), and
– Affected individuals, if the breach is likely to adversely affect their personal data
• Notice is not required in certain circumstances:
– If the company has implemented appropriate information security measures, and
– Has demonstrated this implementation to the CNIL
• In the absence of such measures, the CNIL may require the company to notify its subscribers about the breach

Conditions for Notifying Breaches
• The conditions for notifying security breaches are unclear
• Additional legislation is expected in the near future
• The CNIL may also issue practical guidance

Risks for Non-Compliance
• Sanctions
– 5 years imprisonment
– €300,000 fine
– Warning
• Reputational damage

GERMANY

Current Legal Framework for Data Security Breaches

• Comprehensive statutory breach notification requirement
• Different from the e-Privacy Directive
• In force since September 2009, DPA guidance issued in December 2010
• Broad scope, applies to all companies subject to:
– Federal Data Protection Act (FDPA) (private entities and undertakings governed by public law which compete on the market acting as data controllers)
– Telecommunications Act (telecom providers) and Telemedia Act (website providers)

Types of Data Covered
• Sensitive data as defined in the FDPA (e.g., data about racial or ethnic origin, religion or health related data)
• Data subject to professional or official secrecy (e.g., data held by lawyers, notaries, doctors)
• Data concerning criminal acts or administrative offenses
• Data on bank or credit card accounts
• Customer data or traffic data as defined in the Telecoms Act
• Customer data or usage data as defined in the Telemedia Act (e.g., data held by electronic information and communication service providers, including registration or usage data that may identify an individual online user)

Requirements
• Legal requirements are triggered if two conditions are met:
– Unlawful disclosure:
• Data have been transferred unlawfully, OR
• Third parties have otherwise accessed the data
– Serious impact on the rights or protected interests of the individual (e.g., identity theft, financial damage, social disadvantages)
• Notification of both the competent Federal or state DPA and the individuals concerned
• Notification must happen without “undue delay,” as soon as appropriate measures to secure the data have been undertaken and any law enforcement investigation is no longer affected

Content of Notification
• To the individual concerned, must include:
– Description of the type of unlawful disclosure
– Recommendations for measures to limit possible negative consequences
• To the DPA, must, in addition, include a description of:
– Possible negative consequences of the unlawful disclosure
– Measures taken by the data controller
• In case of disproportionate effort, in particular because of the number of individuals concerned, the general public must instead be informed by:
– Advertising of at least half a page
– In at least two daily newspapers that are published throughout Germany

THE NETHERLANDS

Bill in Dutch Parliament
• Bill to implement the e-Privacy Directive adopted by the Lower House
• Bill would address data security breaches, cookie requirements, net neutrality, etc.
• On-going debate in the Upper House
• Implementation date unclear

Scope
• Limited to telecom sector
– Only applies to electronic communication service providers (e.g., telecom operators, ISPs)
– Breach notification requirement across all sectors is part of the revision of the Dutch Data Protection Act that is currently being considered
• Broad application
– Any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure of, or unauthorized access to, personal data

Conditions for Notifying Breaches
• Dutch Bill closely follows the text of the e-Privacy Directive with regard to data breach notification requirements
• In the event of a breach, telecoms and ISPs must, without undue delay, notify:
– The Dutch Telecoms Authority (OPTA), and
– Affected individuals, if the breach is likely to adversely affect their personal data
• Initial assessment by the company; OPTA can overrule
• Exemptions:
– If the company has implemented appropriate security measures, and
– Has sufficiently demonstrated this to the OPTA
• Mandatory data breaches register

UNITED KINGDOM

DPA Key Requirements
• No general legal obligation to notify under the Data Protection Act 1998, BUT
• The UK Information Commissioner’s Office (ICO) has issued guidance on data breach notification and operates a voluntary notification scheme for “serious” data breaches
• Notification expected for “serious” breaches where:
– Potential for harm to individuals
– Large volume of data compromised
– Compromised data are sensitive

Privacy and Electronic Communications (EC Directive) Regulations 2011 (PECR)

• Amended the 2003 e-Privacy Regulations to include mandatory breach notification to the ICO for public electronic communication service providers (i.e., telecoms and ISPs)

• Notification must include a description of:
– Circumstances of the breach
– Consequences
– Measures taken to address the breach

• Notify subscribers where the breach is likely to adversely affect the personal data or privacy of the subscriber, except where the provider demonstrates to the ICO that security measures have been implemented that render the data unintelligible on unauthorised access

• Maintain an inventory of breaches

Sector-specific requirements

• Mandatory notification for financial services organizations regulated by the Financial Services Authority (FSA)

ICO Enforcement
• Monetary penalties for serious breaches
– Up to £500,000 for “serious” breaches of the DPA and PECR
– Test: serious contravention of data protection principles AND likely to cause substantial damage or distress AND deliberate OR Data Controller knew, or ought to have known, that the breach would occur AND likely cause damage/distress AND failed to take reasonable steps to prevent
• Note: Applies to all DPA breaches, not just security breaches
• PECR
– Fixed penalty of £1,000 on service providers that fail to notify
– Audit rights
– Third party information notice

4. Best practices

Security measures
• The e-Privacy Directive says:
– Access to personal data must be authorized and must have a legal purpose
– Personal data must be protected against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure
– A security policy must be implemented
• Additional and specific security requirements under national law

Organizational measures

• Appoint a data protection officer
• Internal coordination and communication (e.g., a standard operating procedure for handling data security breaches)
• Internal policies for employees
• Privacy-by-design

Legal measures

• Comply with local data protection laws (i.e., registrations, privacy notices, data transfer mechanisms, etc.)

• Data processor clauses in service provider agreements

• Maintain an inventory of data security breaches

5. Conclusion

Towards a general data breach notification requirement?

• Recital 59 of the e-Privacy Directive
• EU Commission’s Communication proposing a “Comprehensive approach on personal data protection in the EU”, released on November 4, 2010
• On-going revision of the EU Data Protection Directive 95/46/EC

Contact

Visit www.huntonprivacyblog.com

Olivier Proust, Associate, Hunton & Williams

+32 (0)2 643 58 [email protected]