Data Breach Prevention & Response


Slide 1: Data Breach Prevention & Response
IAPP ASIA Privacy Forum 2014
Gabriela Krader, LL.M

Slide 2: Development of Data Breach Notification in Europe

Security breach: a new concept for an old data protection regime
- First discussions in the context of the amendment of the EU ePrivacy Directive 2008/2009 (applies to ISPs and telcos), after several data losses were published in the media (e.g. UK)
- With enactment of the new ePrivacy Directive (2009/136/EC) at the end of 2009, data breach requirements had to be implemented into the national data protection laws of EU member states (telecoms/multimedia laws)
- But: parallel implementation of additional, non-sector-specific data breach obligations took place at individual country level, e.g. Germany
- The draft EU Data Protection Framework Regulation contains comprehensive notification obligations (all data) in Art. 31, 32

Slide 3: Data Breach Notification Requirements in Europe

Country      Source                   Data scope
Austria      Act                      all personal data
Belgium      Act / Rec DPA            telco data / all other personal data
France       Act                      telco data
Germany      Act                      telco data / defined categories of personal data
Ireland      Act / Code DPA           telco data / other personal data
Italy        Act                      telco data
Luxembourg   Act                      telco data
Portugal     Act                      telco data
Spain        Act                      telco data
Sweden       Act                      telco data
Switzerland  Contractual obligation   depending on contract
UK           Rec DPA                  major cases?

(The original slide also had columns "Notification to DPA" and "Notification to Individual"; their markers did not survive the transcription.)

Slide 4: Data Breach Notification Impact

What are the consequences?
- In most cases a dual notification process (DPA and individuals)
- In some cases a phased notification process (DPA first, individuals later)
- Violation of the notification obligation: possible sanctions depend on the general sanctioning powers of the DPA (range: from official letter to fines)
- A submitted notification may not be used against the notifying party in criminal proceedings or regulatory offence procedures

What further issues are under discussion?
- Are offline data losses also covered?
- Is encryption always a sufficient defense?
- Does unauthorized access within the responsible controller company (e.g. data access by the wrong department) amount to a data loss?

Slide 5: 4-Level Incident (Data Loss) Approach

How should companies prepare?
1. Prevention of incident
2. Detection of incident
3. Evaluation of incident
4. Notification of incident

Slide 6: Phase 1 (Prevention)

What? Prevent or limit the possibility of a data loss occurring

How?
- Check protection measures and standards
- Check/establish appropriate classifications for the data in scope
- Implement encryption standards where possible ( , hard drives, mobile data devices)

Think about:
- Integration of service providers/data processors
- Cloud services

Who? Data Protection Officer, Privacy Expert; IT; IT Security; Procurement/Legal

Slide 7: Phase 2 (Detection)

What? Detect and learn about a data loss occurrence as early as possible

How?
- Define process and scenarios for an internal reporting scheme
- Establish notification entry points
- Standardize the necessary documentation/collection of facts

Think about:
- Existing and useful entry points for incident reporting
- Reachability needed (availability outside office hours)
- Integration of service providers/data processors

Who? Data Protection Officer, Privacy Expert; IT; IT Security; Corporate Security

Slide 8: Phase 3 (Evaluation)

What? Evaluate the data loss and the notification obligation as accurately as possible

How? Analyze the given case to assess whether
- relevant data are concerned,
- unauthorized access is possible, and
- if yes, the data loss will result in adverse effects for individuals

Think about:
- Informal consultation with DPAs

Who? Data Protection Officer, Privacy Expert; IT & IT Security; Managing Director/Management Board; Legal

Slide 9: Phase 4 (Notification)

What? Notify the data loss in a sufficient manner and in time

How?
- Develop clear and understandable language (depending on the recipient)
- Carry out the notifications in the required order
- For notice to individuals, explore all communication channels

Think about:
- A back office for customer requests related to the data breach

Who? Data Protection Officer, Privacy Expert; Legal & Compliance; Communications; Customer Relationship Management

Slide 10: Last but not least: keep a clear head!