21 January 2015
Navigating the Privacy Law Landscape - US and Europe
Roberta Anderson, Partner, K&L Gates, Pittsburgh
Friederike Gräfin von Brühl, Senior Associate, K&L Gates, Berlin
Etienne Drouard, Partner, K&L Gates, Paris
Andrew Gilchrist, Senior Associate, K&L Gates, London
© Copyright 2013 by K&L Gates LLP. All rights reserved.

Data Breach and Notification – a U.S. Perspective

[Charts: World's Biggest Data Breaches, http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/; Ponemon Institute LLC, Cost of Data Breach Study: Global Analysis (May 2014); Ponemon Institute LLC, Global Report on the Cost of Cyber Crime (October 2014)]

NOTICE REQUIREMENTS
Different types of notice:
- Industry-specific, e.g. HIPAA / HITECH, GLB
- 47 different state notification laws, e.g. Pennsylvania
- Business partners, e.g. New Jersey
- Comprehensive federal law?
- Others, e.g. regulators, attorneys general, consumer reporting agencies, law enforcement?
- Media, social media
- SEC filings

[Chart: Source: Ponemon Institute LLC, Cost of Data Breach Study: Global Analysis (May 2014)]

NOTICE REQUIREMENTS – Industry-specific, e.g. HIPAA / HITECH, GLB

NOTICE REQUIREMENTS – 47 different state notification laws, e.g. Pennsylvania

NOTICE REQUIREMENTS – Business partners, e.g. New Jersey
"Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its New Jersey customers, as provided in subsection a. of this section, of any breach of security of the computerized records immediately following discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person."

NOTICE REQUIREMENTS – Comprehensive federal law?

SEC CYBERSECURITY GUIDANCE
"[A]ppropriate disclosures may include":
- "Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences";
- "To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks";
- "Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences";
- "Risks related to cyber incidents that may remain undetected for an extended period"; and
- "Description of relevant insurance coverage."
Source: Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/

NOTICE REQUIREMENTS – SEC comment on a filing
"We note your disclosure that an unauthorized party was able to gain access to your computer network 'in a prior fiscal year.' So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage."
- Alion Science and Technology Corp. S-1 filing (March 2014)

Personal Data Breaches and Notifications – a UK Perspective

LEGISLATIVE REQUIREMENTS
Directive 95/46/EC transposed into UK law by the Data Protection Act 1998 (DPA).
Seventh data protection principle (Schedule 1, Part I, para 7 DPA): "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
- No prescriptive requirements, unless sector-specific regulation applies.
- No "one size fits all", but three principles:
  1. Risk assessment – what is appropriate given the type of data? Regard is to be had to the state of technology and the cost of implementation, compared with the harm that might result from a breach.
  2. Reliability of employees.
  3. Vet your data processors – written contracts.

Guidance from the regulator (UK Information Commissioner's Office, ICO):
- Encryption? Data in storage vs. data in transmission.
- ISO/IEC 27001 / Cyber Essentials Scheme.
- Anonymisation? Data Sharing Code of Practice.
- Internal policies – IT and internet use / data retention and destruction / data security / training.
- Processes and security protocols – staff vetting and access control.
- Disposal (CESG approved?) / decommissioning.
- Software updates (remedy vulnerabilities) / SQL injection (high risk).
- Authentication / hashing / salted hashing.

WHO DO WE NEED TO NOTIFY?
What sector are you in?
- PECR 2003 – notification compulsory only for "publicly available electronic communications services", i.e. telecoms operators and ISPs; the same rule applies across the EU. Notify the UK ICO within 24 hours of breach detection.
- Other regulated sectors – Gambling Commission / FCA / public sector.
- Everyone else – no legal requirement, but ICO guidance: should notify if "serious". Overriding consideration: potential harm to individuals. Notifying can mitigate fines, to be weighed against the danger of over-notifying.
- Notify data subjects? Do they need to take steps to protect themselves?
- Contractual obligation to notify? Police / insurers / professional bodies / bank or credit card companies.

UK ICO ENFORCEMENT
- Make assessments (reactive or proactive).
- Serve Information Notices / Special Information Notices.
- Enforcement Notices.
- Powers of entry, inspection, and seizure of documents / equipment.
- Fines of up to £500,000 for serious breaches: "contravention deliberate or the data controller knew or ought to have known that there was a risk that the contravention would occur, and of a kind likely to cause substantial damage / distress but failed to take reasonable steps to prevent it" (s.55A DPA).
- Selective enforcement / limited resources.
- Individuals have a direct right of action and a right to compensation.
- Criminal offences – failure to comply with an Information / Enforcement Notice (directors can also be prosecuted).

ENFORCEMENT TRENDS
Leading video games provider (Jan 2013)
- Network platform subject to several DDoS ("distributed denial of service") attacks.
- Hackers accessed customer details and passwords (no cardholder information); 100 million customers thought to be affected.
- Data controller did not keep up to date with technical developments.
- Did not deal with system vulnerabilities even though an update was available.
- Did not use cryptographic controls for passwords.
- History of attacks, but still used the platform to hold vast amounts of personal data.
- Did not react quickly enough.
- Voluntarily reported (mitigating factor).
- £250,000 fine. Internal cost to the data controller thought to be in the region of $171 million.

Booking agent for travel services (Dec 2012)
- SQL injection attack allowed the hacker to access over 1 million card payment details (half of which were active).
- Data controller ran no penetration tests or vulnerability scans and checks, on the basis that the webserver was not external-facing (but it could still be accessed over the internet by individuals with basic technical skills).
- No evidence of actual harm / fraud.
- Voluntarily reported (mitigating factor).
- £150,000 fine.
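The two ICO cases above turn on two controls that the ICO guidance earlier in this deck lists by name: SQL injection and salted password hashing. The following is an added example, not code from the K&L Gates deck or from either data controller. It is Python against an in-memory SQLite table of constructed sample accounts, and shows the string-built query that lets one crafted username dump the whole table beside the parameterised form, plus a salted, iterated password hash in place of plaintext storage. The ICO guidance names no algorithm; PBKDF2-HMAC-SHA256 and the 600,000 iteration work factor are this example's choice, as are the user names, the table layout and the self-describing hash record format.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample accounts standing in for the customer records in the two
# ICO cases; not data from the page.
SAMPLE_USERS = [("alice", "correct horse battery"), ("bob", "hunter2")]

# Work factor for PBKDF2-HMAC-SHA256 (example choice). Tune to the hardware, but
# keep it in the hundreds of thousands so offline guessing against a leaked
# table stays expensive.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. A fresh 16-byte random salt per user means two users
    with the same password get different records and precomputed tables are useless."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record (algorithm$iterations$salt$digest, hex) so the work
    # factor can be raised later without re-hashing every account at once.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _alg, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_db() -> sqlite3.Connection:
    """In-memory users table; passwords are stored only as salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    for username, password in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?)", (username, hash_password(password)))
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list[str]:
    """'Before' form: the username is spliced into the SQL text, so attacker input
    becomes part of the statement (the class of defect behind the booking-agent breach)."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened form: a bound parameter is only ever data, never SQL syntax."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus hash verification; no plaintext is ever stored or compared."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(row[0], password)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"  # classic tautology injection
    print("vulnerable:", vulnerable_lookup(db, payload))  # every username leaks
    print("safe:      ", safe_lookup(db, payload))        # no such user: []
    print("login ok:  ", login(db, "bob", "hunter2"))
    print("login bad: ", login(db, "bob", "hunter3"))
```

Run it and the vulnerable lookup returns both sample users for the tautology payload while the parameterised lookup returns nothing; a dump of the hardened table yields only salted PBKDF2 records, which is the difference the ICO drew when it cited the games provider for using no cryptographic controls on passwords.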
[Charts: ICO data breach trends, July – September 2014. Source: https://ico.org.uk/action-weve-taken/data-breach-trends/]

FUTURE DEVELOPMENTS
- Nov 2011 – Cyber Security Strategy produced; it set the agenda until 2015/16. Set up the National Cyber Security Programme (NCSP) with £860 million of funding over five years, under the supervision of the Cabinet Office. Progress against objectives published in Dec 2014.
- September 2012 – BIS issued guidance for companies. CESG (the information security arm of GCHQ): 80% of known attacks are defeated by basic security practices.
- CERT-UK set up on 31 March 2014 to take the lead in coordinating the management of national cyber security incidents and to act as the UK's central contact point for international counterparts, as will be required under the upcoming European Network and Information Security Directive.
- 5 June 2014 – Cyber Essentials scheme launched (drawing on the ISO 27000 family); certification demonstrates that industry-minimum cyber security measures have been adopted. From 1 October 2014, the government requires certain suppliers bidding for certain information-handling contracts to be Cyber Essentials certified.
- No UK-specific legislation on the horizon, but watch out for the European Data Protection Regulation and the Network and Information Security Directive.

Personal Data Breaches and Notifications – a German Perspective

LEGISLATIVE REQUIREMENTS
Directive 95/46/EC transposed into German law by the Federal Data Protection Act (BDSG).
Section 9 BDSG and its Annex require controllers and processors to implement adequate technical and organisational measures for data security, in particular:
1. Access control: preventing unauthorised persons from gaining access to data processing systems; preventing data processing systems from being used without authorisation; ensuring that authorised persons can access only the data they are authorised to access.
2. Disclosure control: ensuring that data cannot be read, copied, etc. during electronic transfer or recording; ensuring transparency about which bodies data will be transferred to.
3. Input control: ensuring that it is possible to trace alteration or deletion of data.
4. Job control: ensuring, in the case of commissioned data processing, compliance with the controller's instructions.
5. Availability control: ensuring that personal data is protected against accidental destruction or loss.

WHEN DO WE NEED TO NOTIFY THE DATA PROTECTION AUTHORITY (DPA) AND INFORM THE DATA SUBJECT?
General notification obligation to the DPA and the data subject, applicable to all private bodies and certain public bodies (Section 42a BDSG), where both conditions are met:
- Unlawful disclosure of special categories of personal data (e.g. ethnic origin, religious beliefs, data referring to criminal offences or subject to professional secrecy), and
- Threat of serious harm to the rights or legitimate interests of data subjects.
Information to the DPA: without undue delay; nature of the disclosure and possible harmful consequences.
Information to the data subject: without undue delay, as soon as the data is secured and a criminal investigation would not be endangered; nature of the disclosure; recommendations to minimise possible harm.

ENFORCEMENT BY THE DPAS IN GERMANY
German DPAs may (Section 38 BDSG):
- Monitor the implementation of the BDSG and other provisions on data protection matters, including the right to request information from processors and the right to enter property and premises for inspections.
- Notify data subjects in case of violations and report to prosecution authorities.
- Order measures to remedy violations (e.g. prohibiting data processing).
- Impose fines of up to EUR 300,000 for intentional or negligent violation of certain provisions of the BDSG or other data protection regulations (Section 43 BDSG).

ENFORCEMENT TRENDS
There is still no common code of practice among the DPAs, which leads to varying practices in the different German states ("Länder"). In the past, German DPAs were not very strict in enforcing data protection law through fines.
Example 1: Google Street View (2008-2010)
- Google provides panorama pictures for Street View.
- While taking these pictures, surrounding WiFi data was scanned accidentally.
- The competent DPA (Hamburg) imposed a fine of EUR 145,000.
Example 2: AOL server breakdown (2014)
- A server breakdown caused a leak of 500,000 sets of user access data.
- The stolen data was used for a wave of spam mail.
- The provider did not notify the breach to the DPA but informed users.
- Presumably no action by the competent DPA.

NUMBERS AND TABLES
- No absolute numbers on breaches and notifications; all DPAs are obliged to publish data protection reports, but they vary and can hardly be compared.
- Statement of the Federal Commissioner for Data Protection: March 2011 – October 2013: 501 notifications in total.
- Telecoms sector: 2012: 27 notifications; 2013: 66 notifications.

FUTURE DEVELOPMENTS
- The Federal Commissioner for Data Protection endorses stricter enforcement of data protection, especially in the telecommunications sector.
- Legislative framework: draft German IT Security Act (IT-Sicherheitsgesetz); draft EU Regulation.

Personal Data Breaches and Notifications – the French Perspective

LEGISLATIVE REQUIREMENTS
- Directive 95/46/EC implemented in August 2004 into the French Data Protection Act of 1978.
- Directive 2009/136/EC ("ePrivacy"), which introduced the data breach requirements, implemented in August 2010.
"Breach of personal data" – the French definition and scope: any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure of, or unauthorised access to, personal data processed in the context of providing electronic communication services to the public.
Data breach notifications are required only from telecoms operators and internet access providers, for any breach of personal data processed "by electronic communication service providers operating electronic communication networks with open public access."

Two categories of notifications
1. To the French DPA
- Within 24 hours of effective knowledge, through an electronic procedure, whatever the potential impact of the breach: notify at least the existence of the breach.
- Within 72 hours of effective knowledge, through an electronic procedure, describe the breach in detail: categories of data breached; origin, specificities and duration of the breach; security measures and patches implemented; potential impact on the privacy of the "affected parties"; spontaneous information of the "affected parties".
2. To the "affected parties"
- If the breach is likely to affect the security of personal data or the privacy of a subscriber or any other individual.
- Unless the French DPA has found that the service provider has implemented appropriate protection measures that render the personal data undecipherable to any unauthorised individual, and that those measures were applied to the data affected by the breach.
- Failing this, the French DPA may, after investigating the severity of the breach, serve the service provider with a formal notice to inform the "affected parties" as well.
Recording of all breaches: each provider of electronic communication services must keep, and make available to the French DPA upon request, an updated record of all breaches of personal data, listing the conditions, effects and remedial measures taken.

ANALYSIS PERFORMED BY THE FRENCH DPA
The DPA has up to two months to:
- Consider the potential impacts of the breach on data security and privacy protection;
- Estimate whether the security measures implemented before the breach were appropriate;
- Evaluate whether the information measures taken towards the "affected parties" were sufficient.

ENFORCEMENT
The DPA may:
- Require the company (telecoms operators and ISPs) to inform the "affected parties" or the general public.
- Impose an administrative fine of up to €150,000, after an adversarial public or closed procedure in which the company may be assisted by its counsel.
- Publish a description of the breach on its website, or on any appropriate medium at the company's expense.
- Publish all or part of the ruling against the company on its website, or on any appropriate medium at the company's expense.
As of now:
- 7 sanction decisions in 2013; 29 in 2014.
- Fines between €20,000 and €100,000 (the maximum imposed so far).
- The French DPA has almost systematically published its rulings regarding data breaches.
During 2015: a draft bill will be discussed starting June 2015, extending data breach notification requirements to any data controller or processor in any sector (public or private) and providing for penalties of up to €1,000,000 or 2% of global annual turnover, whichever is higher.

New Draft EU Data Protection Regulation – Mandatory Data Breach Notification

INTRODUCTION
Draft EU Data Protection Regulation, COM(2012) 0011 – C7-0025/2012 – 2012/0011(COD): draft published by the Commission in 2012, adopted by the European Parliament in March 2014; it shall replace the Data Protection Directive 95/46/EC.
What are the goals?
- Protection of individuals with regard to the processing of personal data.
- Free movement of personal data.
- Protection of the fundamental rights and freedoms of natural persons.
Details: transfer of personal data to third countries or international organisations; mandatory data protection officer; role of independent supervisory authorities; cooperation and consistency; remedies, liability and sanctions.

THE "DATA BREACH" REGULATION (EU) No 611/2013
- "Electronic communications service providers" must report any personal data breach to the relevant national data protection authorities and, as the case may be, to the data subjects themselves.
- The notification requirement targets internet service providers and telecoms operators. Email service providers are not impacted... yet.
- The draft Privacy Regulation will extend data breach notification to any controller (expected in 2016).
- Non-compliance with the notification requirement is subject to criminal sanctions.

MANDATORY NOTIFICATION OBLIGATION DETAILS
Art. 31: Notification (to the supervisory authority)
- Who has to notify? Controllers and processors.
- To whom? Controllers notify the competent DPA; processors notify the controller.
- Reason? A personal data breach.
- When? Without undue delay and, where feasible, not later than 24 hours after having become aware of the breach.
- What? Nature and consequences of the breach, contact information, measures to mitigate possible adverse effects.
Art. 32: Communication (to the data subject)
- Who has to communicate? Controllers.
- To whom? The data subject.
- Reason? The personal data breach is likely to adversely affect the protection of the personal data or the privacy of the data subject.
- When? After notification to the DPA, without undue delay.
- What? Nature of the breach and measures to mitigate the possible adverse effects.

ENFORCEMENT
- The competent supervisory authority may sanction administrative offences.
- The amount of the fine shall depend on the technical and organisational measures implemented and on the collaboration with the supervisory authority.
- Fines can be fixed at up to EUR 100,000,000 or 5% of annual worldwide turnover, whichever is higher.

Next Cyber Risk webinar: Insuring against Cyber Risks: What are the options, and how can you maximize coverage? 25 February 2015, 16:30 GMT, 11:30 EST, 08:30 PST.