privacy (and other) issues concerning datalogging

Click to edit Master title styleOpen Forum PRIVACY

Thursday, 20th

of February 2014

Leuven, 20 February 2014 2

Agenda

1. 18:30 Welcome

2. 18:45 Datalogging – Privacy Issues

3. 19:30 Break

4. 19:50 Datalogging – Other Issues

5. 20:30 Close


Close

Leuven, 20 February 2014

DATALOGGING– PRIVACY

(AND OTHER) ISSUES

JOHAN VANDENDRIESSCHE

4


Datalogging

• Logfile or log

• Record of events

• Types of logs

• Event logs

• Transaction logs

• Communication logs (IM logs)

• Scope and purpose can be varying

• Quality control (bugfixing)

• Evidence for business transactions

• Marketing (website traffic log)

5


Datalogging

• Legal obligations

• Obligation to keep a specific log

• Pharmacists (pharmaceutical drugs)

• Employee file

• Obligations to store a specific log

• Focus today: various IT logs

• Keeping logs

• (Re-)Using logs

6


High level legal framework

• Act of 8 December 1992

• Processing of personal data

• Act of 13 June 2005

• Electronic communication

• CBA n° 81 concerning workfloor

cameras

• Workfloor privacy

• Cybercrime

7


CREATING AN IT LOG

8


Data Protection

• Limitations in relation to the

processing of personal data

• Very large legal interpretation to the

concept of personal data

• Not necessarily sensitive information

(although stricter rules apply to special

categories of personal data)

• Logs may contain personal data

• Processing: “any operation or set of

operations which is performed upon

personal data […]”

9


Data Protection

• The data processing must comply with

specific principles

• Proportionality

• Purpose limitation

• Limited in time

• (Individual and collective) Transparency

• Data quality

• Data security

10


Data Protection

• Security obligation

• General obligation

• Specific obligations

• Obligations in relation to the use of data

processors

• Belgian Data Protection Commission

has issued a list of security measures

that can be implemented

11


Data Protection

• General obligation to implement

security measures

• Technical measures

• User access management

• IT security (anti-virus, firewall, …)

• Fire prevention measures

• Organizational measures

• Data categorization (confidentiality level)

• Employee policies

12


Data Protection

• General obligation to implement

security measures

• Both types of measures are

interchangeable

• Protection against any unauthorized

processing

• Adequate level of protection taking into

account:

• Available technology and costs;

• Nature of concerned personal data and the

potential risks

13


Data Protection

• Specific security obligations

• Obligation to ensure data quality

• Need-to-know access restriction

• Access must be limited to those persons that

need access

• Access must be limited to the personal data

they need

14


Data Protection

• Specific security obligation

• Information obligation

• Provide employees that process personal data

information on data protection legislation

• information obligation is stricter if more

sensitive data is processed (limited training)

• Ensure that software used for the data

processing limit processing to what is

notified

15


Logging as a security measure

• Logging as a security measure

• Purpose of its own?

• Linked to the purpose it aims to secure?

• Scope of logging

• Nature of data processing

• Data controller must be able to justify

choices

16


Logging for marketing purposes

• Logging = processing for a specific

purpose

• Re-use of existing logs for marketing

purposes

• Compatible purpose?

• Secondary processing for statistical

purposes (big data?)

17


ACCESSING AN IT LOG

18


Accessing an IT log

• Access to an IT log

• Access authority

• Company policies

• Roles & Responsabilities

• Workfloor privacy restrictions

• Communications law restrictions

• Use of an IT log

• Probatory value of an IT log

19


Cybercrime

• Criminal acts posing a threat against

the confidentiality, the integrity and the

availability of IT systems and data

• Hacking

• Computer sabotage

• Computer fraud & computer forgery

• Investigation powers

• Cooperation duty of IT experts

20


Cybercrime

• Hacking

• “the unauthorized intrusion in or

maintenance of access to an IT system”

(article 550bis Criminal Code)

• Internal hacking

• Person with access rights that exceeds such rights

• With a fraudulent purpose or with the purpose to

cause damage

• External hacking

• Person without access rights

• Knowingly

• There is no requirement of breach of

security measures

21


Cybercrime

• Hacking

• Sanctions (also applicable in case of

attempt to hack)

• Internal hacking

• Fines: 26 to 25.000 EUR (x6); and/or

• Prison sentence: 3 months up to 1 year (doubled in

case of intent to fraud)

• External hacking

• Fines: 26 to 25.000 EUR (x6); and/or

• Prison sentence: 6 months up to 2 years

22


Cybercrime

• Hacking

• Criminal sanctions are increased:

• Copying any data on the IT system

• Use of the IT system or use thereof to hack

another IT system

• Damage to the IT system or its data or any

third-party IT system or data

23


Cybercrime

• Computer sabotage• “the direct or indirect insertion,

modification or erasure of information in an IT system or any other change to the normal use of information in an IT system” (article 550ter Criminal Code)• Virus, worm, or any other malicious code

• Unauthorized time-locks or other blocking mechanisms

• Developing, distributing or commercializing malicious code or tools to commit computer sabotage is a criminal offence

24


Cybercrime

• Computer sabotage• Sanction (also applicable in case of

attempted sabotage):• Fine: 26 to 25.000 EUR (x6); and/or

• Prison sentence: 6 months up to 3 years (increased in case of fraudulent intent or intention to cause damage)

• Criminal sanctions are increased in case of:• Causing damage to data in any IT system as a

result of computer sabotage

• Interfering with the proper functioning of any IT system as a result of computer sabotage

• Sanctions are doubled in some cases of cybercrime recidivism

25


Cybercrime

• Computer fraud

• “the insertion, modification or erasure of

information in an IT system or any other

change to the normal use of information in

an IT system in view of obtaining an

illegitimate economic advantage for

oneself or for others” (article 504quater

Criminal Code)

• Economic advantage: any material or

immaterial good (e.g. money, intellectual

property rights, titles to real estate…)

26


Cybercrime

• Computer fraud

• Sanction

• Fine: 26 to 100.000 EUR (x6); and/or


• Attempted computer fraud is punished

with lower criminal sanctions

• Sanctions are doubled in some cases of

cybercrime recidivism

27


Cybercrime

• Computer forgery

• “the insertion, modification or erasure of information in an IT system or any other change to the normal use of information in an IT system in view of changing the legal effect of that information” (article 210bisCriminal Code)

• Sanction• Fine: 26 to 100.000 EUR (x6); and/or


28


Cybercrime

• Computer forgery

• Knowingly using such forged data is also a criminal offence

• Attempted computer forgery is punished with lower criminal sanctions

• Sanctions are doubled in some cases of cybercrime recidivism

29


Electronic communications

• Electronic communication is protected

• Interception of electronic communication

• Art. 314bis of the Criminal Code

• Access to electronic communication

• Art. 124-125 of the Act of 13 June 2005

• Specific rules for telco’s and callcenters

• Specific problem for investigation of e-

mail and IM logfiles

30



• Article 314bis of the Criminal Code• Interception of communication

• Unlikely to apply in case of auditing or consulting logfiles

• Article 124 of the Act of 13 June 2005• General interdiction to:

• Consult any electronic communication

• Identify participants to such electronic communication

• To process in any manner such electronic communication

UNLESS: if consent is obtained from allparticipants

31



• Article 125 of the Act of 13 June 2005• Specific exceptions exist (only business

relevant exceptions are mentioned):• If allowed or imposed by law

• With the sole purpose of ensuring the proper functioning of the network or the proper performance of the communication service

• For offering a service that consists of preventing the receipt of unsolicited electronic communication, provided consent has been obtained for the recipient

• No distinction is made between private and professional communication!

32


Electronic communication

• Article 128 of the Act of 13 June 2005

• Communication logs as evidence

• Legal business transactions

• Evidence of a commercial transaction or other

business communication

• Conditions

• Prior information on registration, purposes and

duration of registration

33



• Monitoring of any form of electronic communication• Use of e-mail

• Use of Internet

• CBA No. 81 allows a limited degree of monitoring• Surveillance is possible for limited purposes

• The prevention of illegal acts, slander and violation of decency

• The protection of the economic, trade and financial interests of the company

• The protection of the security and proper functioning of the company’s IT system

• The compliance with company policies in relation to online technologies

34



• CBA No. 81

• Procedural requirements• Collective information

• Individual information

• Sanctions?• Prior hearing

• Link with work regulations

35


Logs as evidence

• Admissible

• Type of evidence (‘matters of fact’ vs‘legal acts’)

• Lawful• Illegal evidence

• Illegally obtained evidence

• Probatory value (‘credibility’)• Weight carried by the submitted evidence

• Influenced by the reliability• Gathering process of digital evidence

• Inherent reliability (?)

• Derogation by agreement?

36


Logs as evidence

• “Antigoon” case law

• Illegally obtained evidence

• Evidence is no longer automatically

discarded

• Evidence is retained, except:

• Nullity is legally imposed sanction

• Unfair trial

• Impact on reliability

• Small note: “Antigoon” case law is

relatively new and still evolving

37


Logs as evidence

• Problems with electronic evidence• Rules of evidence strongly favour “paper

evidence”

• Courts may be reluctant in the face of new

technologies

• Case law usually dismisses electronic evidence

at the slightest indication of the possibility of

fraud / tampered evidence

38


Logs as evidence

• General rules

• ensure the accountability and integrity of

any electronic evidence at all times

• Implement procedures and policies /

provide evidence that these policies are

regularly verified or audited

39


Log as evidence

• Practical approach in Belgium

• If feasible, define the probatory value of

logs by agreement

• Ensure that the evidence collection is

organized in a manner guaranteeing

evidence integrity

• Ensure that the evidence is stored in a

secure manner

• Court proceedings may include a court

expertise

40


Contact details

Johan Vandendriessche

Partner

crosslaw CVBA

Mobile Phone +32 486 36 62 34

E-mail [email protected]

Website www.crosslaw.be

mailto:[email protected]

http://www.crosslaw.be/


ISACA BELGIUM

privacy (and other) issues concerning datalogging

Documents