Roadmap to the GDPR: Breach Notification and Global Breach Response

December 7, 2016

Upload: jan-dhont (posted 23-Jan-2018)

TRANSCRIPT

Page 1: The GDPR - Breach Notification and Global Breach Response

Roadmap to the GDPR: Breach Notification and Global Breach Response

December 7, 2016

Page 2

Follow us: @AlstonPrivacy www.AlstonPrivacy.com 2

Today’s Speakers

David Keating, Co-Chair, Privacy & Data Security Practice (Moderator)

Jim Harvey, Co-Chair, Privacy & Data Security Practice; Co-Chair, Cyber Security Preparedness & Response Team

Jan Dhont, Chair, EU Privacy & Data Security Practice

Sebastiaan ter Wee, Senior Digital & Privacy Counsel & Group Data Protection Officer, Aegon

Page 3

Agenda

GDPR / NIS Directive Breach Notification

Comparison to US Breach Notification Regime

Breach Notification – The Dutch Experience

Globalizing your Cyber Preparedness Plan

Page 4

GDPR Breach Notification

GDPR provides for omnibus data breach response regime

No general breach notification requirement in Directive 95/46/EC

Data breach obligations in some EU countries, e.g. the Netherlands, Germany, Austria

Sectoral breach obligations (e.g., telecoms, payment services)

DPAs encourage data breach notification even if not formally required, e.g. https://www.privacycommission.be/fr/la-notification-de-fuites-de-donn%C3%A9es

GDPR harmonizes breach regime

Member states may restrict the obligation to notify to individuals if “necessary and proportionate […] in a democratic society” (Art. 23 GDPR)

Page 5

GDPR| Personal Data Breach

Personal Data Breach: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” - Art. 4(12) GDPR.

Breach must concern personal data (a security incident that touches no personal data is not a “personal data breach”, although it may still be a notifiable incident under the NIS Directive)

What if a “breach of security” does not “lead to” accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (e.g., an intrusion detected and contained before any personal data was reached)?

Page 6

GDPR | Dual Notification

Notification of Supervisory Authority (Art. 33 GDPR) - threshold: RISK

Notify if Personal Data Breach “unless [...] unlikely to result in a risk to the rights and freedoms of natural persons”

Without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach (a later notification must state the reasons for the delay)

Notification of Data Subject (Art. 34 GDPR) - threshold: HIGH RISK

Notify if Personal Data Breach “is likely to result in a high risk to the rights and freedoms of natural persons”

Without undue delay

Exemptions (from the communication to individuals only, Art. 34(3); they do not remove the duty to notify the Supervisory Authority):

“Appropriate technical and organizational measures,” in particular those that render the data “unintelligible” or prevent unauthorized access, “such as encryption” (Art. 34(3)(a))

Subsequent measures that prevent materialization of the high risk (Art. 34(3)(b))

Notification would involve disproportionate effort - use of collective media / public communication instead (Art. 34(3)(c))

Page 7

GDPR | Risk & High Risk

Risk:

“[…] [P]hysical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage of reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned” (Recital 85)

Low threshold

High risk:

Advice of WP29 expected in context of DPIAs; the EDPB is tasked to issue guidelines on when a breach is likely to result in a high risk (Art. 70(1)(h) GDPR)

Supervisory Authority may require notification to individuals if it considers the breach results in a “high risk” (Art. 34(4) GDPR)

Page 8

GDPR | Notification Modalities

Accountability Requirement: Document all breaches (facts, effects and remediation taken) in a manner enabling the Supervisory Authority to verify compliance with the notification requirement (Art. 33(5) GDPR); the record must be kept whether or not the breach was notified

Notification content (Art. 33(3) GDPR)

Nature of breach / approx. number of individuals and records affected (not required for notification of individuals)

Relevant contact information: DPO or other contact point

“Likely consequences” of the breach

Measures taken to address the breach / mitigate possible adverse effects

Recommendations for individuals to mitigate potential adverse effects (Recital 86)

Information may be provided to the SA “in phases without undue further delay” where it cannot all be provided at once (Art. 33(4) GDPR)

Individuals must be informed “in clear and plain language”; “in writing or by other means, including by electronic means” (Art. 34(2) jo. Art. 12(1) GDPR)
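The dual-notification rules, the 72-hour clock and the Art. 33(5) record described on the preceding slides, as an added example that is not part of the deck and is not a tool of the speakers' firms. It encodes the decision rules as written in Arts. 33 and 34 GDPR; the risk level is an input, because that assessment is a judgement the incident team must make and document. All scenario values (timestamps, counts, free-text facts) are constructed.

```python
# Added example: GDPR breach-notification triage helper (not the slides' own code).
# Rules encoded: Art. 33(1) notify the supervisory authority (SA) unless the breach is
# unlikely to result in a risk, where feasible within 72 hours of becoming aware;
# Art. 33(2) processor notifies the controller; Art. 34(1)/(3) communicate to data
# subjects on high risk unless an exemption applies; Art. 33(5) record every breach.
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

SA_WINDOW = timedelta(hours=72)  # Art. 33(1): "where feasible, not later than 72 hours"


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"  # no SA notification
    RISK = "risk"                              # notify SA
    HIGH = "high risk"                         # notify SA and communicate to data subjects


@dataclass
class Breach:
    aware_at: datetime              # when the organisation became aware; starts the 72h clock
    role: str                       # "controller" or "processor" (assumed labels)
    risk: Risk                      # outcome of the team's risk assessment
    subjects_affected: int = 0      # approximate numbers, Art. 33(3)(a)
    records_affected: int = 0
    data_unintelligible: bool = False     # e.g. strong encryption, key not exposed (Art. 34(3)(a))
    high_risk_mitigated: bool = False     # subsequent measures taken (Art. 34(3)(b))
    disproportionate_effort: bool = False  # individual contact infeasible (Art. 34(3)(c))


@dataclass
class Obligations:
    notify_controller: bool          # processor -> controller, Art. 33(2)
    notify_sa: bool                  # controller -> SA, Art. 33(1)
    sa_deadline: Optional[datetime]  # aware_at + 72h; a later notice needs stated reasons
    communicate_to_subjects: bool    # Art. 34(1)
    public_communication: bool       # Art. 34(3)(c) substitute for individual contact
    exemption: Optional[str]         # which Art. 34(3) limb applied, if any


def triage(b: Breach) -> Obligations:
    """Map breach facts to the notification duties summarised on the slides."""
    if b.role == "processor":
        # A processor notifies its controller without undue delay; the controller
        # owns the SA and data-subject steps.
        return Obligations(True, False, None, False, False, None)

    notify_sa = b.risk is not Risk.UNLIKELY
    deadline = b.aware_at + SA_WINDOW if notify_sa else None

    communicate, public, exemption = False, False, None
    if b.risk is Risk.HIGH:
        # The Art. 34(3) exemptions limit only the communication to individuals;
        # encryption does not remove the duty to notify the supervisory authority.
        if b.data_unintelligible:
            exemption = "Art. 34(3)(a)"
        elif b.high_risk_mitigated:
            exemption = "Art. 34(3)(b)"
        elif b.disproportionate_effort:
            exemption, public = "Art. 34(3)(c)", True
        else:
            communicate = True
    return Obligations(False, notify_sa, deadline, communicate, public, exemption)


def hours_left(o: Obligations, now: datetime) -> Optional[float]:
    """Time remaining on the 72-hour clock (negative once overdue); None if no SA duty."""
    if o.sa_deadline is None:
        return None
    return (o.sa_deadline - now) / timedelta(hours=1)


def register_entry(b: Breach, o: Obligations, facts: str, effects: str, remediation: str) -> dict:
    """Art. 33(5) record: facts, effects and remedial action, plus the decision taken and
    its basis. Kept for every breach, including those judged not to require notification."""
    entry = {"aware_at": b.aware_at.isoformat(), "facts": facts, "effects": effects,
             "remediation": remediation, "risk_assessment": b.risk.value,
             "subjects_affected": b.subjects_affected, "records_affected": b.records_affected}
    entry.update(asdict(o))
    return entry


if __name__ == "__main__":
    # Constructed scenario: plaintext customer database exfiltrated, assessed as high risk.
    aware = datetime(2016, 12, 7, 9, 0, tzinfo=timezone.utc)
    b = Breach(aware, "controller", Risk.HIGH, subjects_affected=12000, records_affected=15000)
    o = triage(b)
    print(o.sa_deadline.isoformat(), o.communicate_to_subjects)
    print(register_entry(b, o, "DB dump exfiltrated via compromised admin account",
                         "identity theft / fraud exposure", "credentials rotated, host isolated"))
```

The point the helper makes explicit: running the same high-risk breach through `triage` with `data_unintelligible=True` drops the data-subject communication but still returns `notify_sa=True` with a deadline, and a breach assessed as unlikely to result in a risk still produces a `register_entry`.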

Page 9

GDPR | Data Processor Obligations

Regime

Processor is required to notify controller

Without undue delay after becoming aware of a personal data breach (Art. 33 (2))

Data processing agreement must provide cooperation instructions in case of data breach (Art. 28 (3)(f) GDPR)

Practical thoughts: not just a matter of contractual liability; administrative fines of up to 2 percent of global annual turnover (Art. 83(4) GDPR) (!)

Processors should consider a breach response plan as much as controllers do

Processors need a thoughtful strategy for dealing with a plurality of controllers (one incident can trigger notifications to many controllers, each running its own 72-hour clock)

Page 10

NIS Directive

Objectives:

High common level of security of networks and information systems within the Union

Continuity of essential services

Minimum harmonization; transposition deadline 9 May 2018

Page 11

NIS Directive | Scope

Operators of Essential Services

Member states to determine providers in the following sectors: energy (including electricity, oil, gas); transport (including air, water and road transport); banking / financial market infrastructures; health sector (health care settings, including hospitals and private clinics); drinking water supply and distribution; digital infrastructure

Identification criteria: the service is essential for the maintenance of critical societal and/or economic activities; its provision depends on network and information systems; an incident would have a significant disruptive effect

Digital Service Providers (50+ employees)

Online marketplaces, online search engines, cloud computing services

Page 12

NIS Directive | Territorial Application

Essential Services Providers:

National law where provider is located

Identified by Member State

Digital Service Providers:

Location of “main establishment” / “head office”

Not established in the EU but providing services within the EU => appoint a representative “in one of those Member States where services are offered”

No specific “minimum contact” criteria

Forum-shopping opportunity (?)

Page 13

NIS Directive | Network & Info Security

Operators of Essential Services

“State of the art” information security

Measures to prevent and minimize the impact of security incidents in light of continuity of services

Digital Service Providers (50+ employees)

“State of the art” information security, with stress on system/facility security, incident and continuity management, auditing, and compliance with international standards

Measures to prevent and minimize the impact of security incidents in light of continuity of services

Both:

No overly prescriptive cybersecurity regime or protocol

Potentially varying cybersecurity standards

ENISA and Member States to draw up advice and guidelines on information security standards taking into account Member States’ national standards.

Page 14

NIS Directive | Breach Notification

Notification may be required even if personal data is not breached/disclosed

Notify the CSIRT / national competent authority without undue delay of incidents which have a:

significant impact on the continuity of an essential service (operators of essential services, Art. 14(3)), or

substantial impact on the provision of a digital service (digital service providers, Art. 16(3))

Impact must be assessed in light of: number of users affected; duration of the incident; geographical area affected; and, for digital services, the extent of the disruption of the service and its economic and societal impact (Artt. 14(4) and 16(4))

“Notification shall not make the notifying party subject to increased liability” (Artt. 14(3) and 16(3))

“Incident” means any event having an actual adverse effect on the security of network and information systems – Art. 4(7) NIS Directive

Page 15

Takeaways

Understand legal frameworks applicable to your industry

Robust information security should be high up on the GDPR work plan

Requires potential system changes

Strong encryption reduces risk exposure (factual and legal)

Invest in breach response/readiness and ensure regular training

Accountability obligations require not only a breach response plan but also documentation of actions taken during a crisis

Processors must consider their strategy in good time, especially if a breach affects a multitude of clients

Page 16

Notification in the Netherlands

Dutch Breach Notification law, effective date: 1 January 2016

Dutch notification obligation slightly more strict than GDPR

Dutch DPA has provided guidance regarding breach notice process

What triggers notification? (Extremely low threshold)

How does the authority examine / review notifications?

Page 17

Breach Notification - Aegon

Building the data breach notification governance for NL operations

What governance and controls does Aegon have in place?

Training and awareness

Review team tasks – managing the 72 hour clock

First and second line of defence

Page 18

Breach Notification - Aegon / Netherlands

How to notify the Dutch DPA: https://datalekken.autoriteitpersoonsgegevens.nl/melding/aanmaken?2 (Dutch only)

Notification at Dutch central bank instead of customer?

Question: are such low thresholds effective?

New guidance from Dutch Authority expected in 2017

What are the lessons learned for Aegon?

Page 19

Globalizing Cyber Breach Preparedness

Page 20

Countries with General Breach Notification Laws / Guidance (Pre-GDPR)

Australia (guidance)

Austria

Bahamas

Belgium (guidance)

Canada – Alberta

Canada – British Columbia (guidance)

Canada – Federal

Canada – Manitoba

China

Colombia

Costa Rica

Denmark (guidance)

Dubai

Ghana

Germany

Hong Kong (guidance)

Ireland (guidance)

Japan – METI (guidance); FSA (mandatory)

Lesotho

Mauritius (guidance)

Mexico

Netherlands

Norway

Peru

Philippines

Slovakia

South Africa

South Korea

Sweden (guidance)

Taiwan

UAE (Dubai)

United Kingdom (guidance)

Uruguay

• Excludes sectoral laws

• Consider “Ledger” requirements

• Consider “complaint enabling statutes”

Page 21

Language and Time Zone Issues

Page 22

Globalizing Your Breach Preparedness

Identify Swim Lanes

Who has internal jurisdiction over the issue?

Business / Legal / PR

Do you have a breach czar – is that person effective on a global basis?

"Global Guiding Principles" vs. "Local Country Breach Procedures"

Conduct live-fire GLOBAL tabletops

Identifies logistical issues

Identifies cultural issues

Physical presence during these exercises changes everything

Page 23

Globalizing Your Breach Preparedness

Privilege – not the same across the globe

Data Transfer Issues

Do you have consent to view the data in country?

Do you have a legal mechanism to transfer the data outside the country?

Identify your Global Team

Legal – cyber/breach notification is a novel issue outside of just a few countries

Public relations –

people/culture/media all differ drastically from country to country

Incident response and investigation

Local forensics assets can be critical

Tricky and time consuming to move encrypted devices across borders

Page 24

Roadmap to the GDPR: Breach Notification and Global Breach Response

December 7, 2016