World Data Protection Report

Contents

Commentary
Data Protection and Whistleblowing (Germany) ...... 3
Whistleblowing in the Netherlands ...... 7
Access to Personal Data Under the U.K. Freedom of Information Act 2000 – A Round-Up of Decisions of the Information Commissioner and the Information Tribunal ...... 8

News, Legislation & Guidance
Copyright and Confidentiality in Business Correspondence ...... 10
Spam and the English Courts ...... 10
Dutch Telecoms Regulator Fights Spam ...... 10
Not All Data Thieves Face Two-Year Prison Threat ...... 11
Whistleblowing Update (France) ...... 12

Security & Surveillance
E-merging Commerce E-Alert: What Will You Do When You Get the Dreaded Call, "We've had a Data Security Breach!" ...... 13
Identity Theft – Pushing Back the Tide ...... 15
U.K. Government Calls for Review of Data Protection Directive on Data Security Matters ...... 16
The U.K.'s Failure to Implement an Electronic Passport Application System (EPA 2) ...... 16

Personal Data
U.K. Government Super Database – Sleepwalking into a Surveillance Society ...... 17
Belgian Privacy Commission Reviews Digital TV Services
APEC Cross-Border Privacy Rules and Trustmarks: A Step Toward Integrated Electronic Commerce in the Asia-Pacific ...... 20
Biometrics ...... 22

World Data Protection Report

Publishing Director: Deborah Hicks
Editor: Jeremy Kuper
Production Manager: Nitesh Vaghadia
Editorial Director: Joel Kolko

Submissions by Authors: The editors of World Data Protection Report invite readers to submit for publication articles that address issues arising out of the regulation of data protection, either on a national or transnational level. Articles with an appeal to an international audience are most welcome. Prospective authors should contact Nichola J.L. Billington, World Data Protection Report, BNA International Inc, 29th Floor, Millbank Tower, 21-24 Millbank, London SW1P 4QP, U.K. Tel. (+44) (0)20 7559 4807; fax (+44) (0)20 7559 4880; or e-mail: nicholab@bna.com. If submitting an article by mail, please include an electronic copy of the article in a recognised software format.

World Data Protection Report is published monthly by BNA International Inc., a subsidiary of The Bureau of National Affairs, Inc., Washington, D.C., U.S.A. Administrative headquarters: 29th Floor, Millbank Tower, 21-24 Millbank, London SW1P 4QP, England. Tel. (+44) (0)20 7559 4801; Fax (+44) (0)20 7559 4840; e-mail marketing@bnai.com. In the U.S. call toll-free on: 1-800-727-3116.

Subscription price: U.K. and rest of world £695; Eurozone €1,125; U.S. and Canada U.S.$1,195. Additional copies of this publication are available to existing subscribers at half price when they are sent in the same envelope as a standard subscription.

Reproduction or distribution of this publication by any means, including mechanical or electronic, without the express permission of The Bureau of National Affairs, Inc. is prohibited except as follows: 1) Subscribers may reproduce, for local internal distribution only, the highlights, topical summary and table of contents pages unless those pages are sold separately; 2) Subscribers who have registered with the Copyright Clearance Center and who pay the $1.00 per page per copy fee may reproduce portions of this publication, but not entire issues. The Copyright Clearance Center is located at 222 Rosewood Drive, Danvers, Massachusetts (USA) 01923; tel. (508) 750-8400. Permission to reproduce BNA International Inc. material may be requested by calling +44 (0)20 7559 4821; fax +44 (0)20 7559 4848 or e-mail: customerservice@bnai.com

Website: www.bnai.com
ISSN 1473-3579

Dear readers,

For the March issue of World Data Protection Report, I have included a number of articles looking at whistleblowing in various EU jurisdictions. The issue opens with an in-depth analysis of the situation in Germany, by our regular contributor Dr Michael Schmidl of Baker McKenzie's Munich office. Phillip Rees and Dominic Hodgkinson consider the complex issues surrounding a proposed 'super database', which the U.K. government is seeking to introduce, while Ibrahim Hasan looks at the complex inter-relationship between the U.K.'s Data Protection Act 1998 and the Freedom of Information Act 2000. U.S. attorney Holly Towle considers the consequences of 'data security breaches' in the United States, while Belgian avocat Wim Nauwelaerts considers the fascinating issues relating to personal data and digital television. And much, much more… I am sure that you will agree we have covered a lot in this issue.

Best wishes,
Jeremy Kuper
Editor

We wish to thank the following for their contribution to this issue: Dr Michael Schmidl, Baker McKenzie LLP, Munich; Gerrit-Jan Zwenne, Bird & Bird, the Hague; Myrtille Lapuelle, Eversheds LLP, Paris; Ibrahim Hasan, Act Now, Dewsbury; Holly Towle, Scott David and Henry L. Judy of K&L Gates LLP, Seattle & Washington D.C.; Phillip Rees & Dominic Hodgkinson, Pillsbury Winthrop Shaw Pittman LLP, London; Yukiko Ko, Alston & Bird LLP, Washington D.C.; Natasha Aziz, Berwin Leighton Paisner LLP, London; Clare Frater, Simon Gamlin & Elaine Fletcher, Eversheds, London; Out-Law.com & Pinsent Masons; Wim Nauwelaerts, Hogan & Hartson LLP, Brussels; Victoria Hordern, Field Fisher Waterhouse LLP, London.

Security & Surveillance

E-MERGING COMMERCE E-ALERT: What Will You Do When You Get the Dreaded Call, "We've had a Data Security Breach!"

By Holly K. Towle, J.D., with assistance from Scott David (Seattle) and Henry L. Judy (Washington D.C.), who all work for K&L Gates LLP. The authors may be contacted at holly.towle@klgates.com, scott.david@klgates.com, henry.judy@klgates.com or on tel. (+001) 206-623-7580 (Seattle).

You just received a call as legal counsel: your company, located in the United States, has had a data security breach, and personal information on your customers, employees, job applicants, customers of your customers or others may have been accessed without authorisation or may otherwise be exposed. The Information Technology (IT) department is busy taking steps to prevent further exposure and to determine causes and any losses.

What do you need to ask or do to get through that first phone call? This article provides a "cheat sheet" to help you through it. Basically, you need to gather enough information to allow you to (1) get started on determining what law applies and whether and when it will require the company to provide notice of the breach; and (2) set the incident response off in the right direction so that later legal problems do not arise or are minimised. There are lots of other things you will need to do and determine, but the focus here is only on that first phone call that will come when you least want it.

For those tempted not to pick up a telephone in the middle of the night, consider that, at least in the United States, there are numerous state and federal laws or private contracts requiring notice of certain data security breach events. Failure to comply can be costly in terms of fines, possible state and federal enforcement actions, private lawsuits, payment system liabilities and increased fees or audits, damage to reputation, loss of stock value, customer dissatisfaction and so on.

Also, it is not a short cut simply to give notice of the security incident. It is not appropriate, and will violate some guidance, if you assume that giving notice is always "good" for the data subject and, thus, that the company should launch the notice rocket immediately. Some companies have experienced an increase in attacks when word of notice indicated a vulnerability, and notice recipients can be contacted by scam artists posing as regulators, company representatives or others purporting to need information in order to "help" the recipient "fix" the incident.[2] Some regulators recognise this and urge or require a measured approach. On the other hand, notice should not be withheld simply because the company fears a loss of reputation. The point is that there are new laws in this area and they need to be examined in light of the particular incident to determine whether and how they apply. So pick up the phone and ask at least these questions:

Immediate Steps

1. Preserve Evidence. The first thing is to insist that, as the IT staff is taking steps to prevent loss, it is also preserving the evidence needed to determine and prove what happened. The company may need or want to engage an outside data security firm with forensic expertise.

2. Activate Response Plan. Make sure that the company's security breach response plan is activated (assuming the company has one). Frequently, when an organisation first learns of a security breach, there is a great deal of confusion about the basic facts and the appropriate immediate responses. A well-crafted plan can provide a clear process for the company, even though it is a given that no plan can anticipate all circumstances. Following the plan is not only operationally sound but also legally protective. Some companies have provided their plans to regulatory authorities or made public disclosures based on the substance of the plan. This is no time for the company unwittingly to vary from its plan.

3. Assemble the Team. Typically, the plan will call for the activation of a core team (e.g., assistance from executive, IT, legal, human resources and public relations). The best responses usually involve a coordinated team effort.

4. Implement the Plan Flexibly. It is impossible to predict or prevent all security incidents, so your plan should be drafted and implemented flexibly so as to accommodate a variety of circumstances. Your incident probably won't be the result of an exotic "hack" into an online system, even if that is the focus of your plan. More typically, it will be something else, such as a lost or stolen laptop, an errant employee, a well-meaning but mistaken employee, a network security lapse, a courier company's loss of a back-up tape, or a physical break-in and theft of computers from your offices or an employee's car trunk.

5. Engage Knowledgeable Counsel. Obtain the services of outside counsel knowledgeable about data privacy and security. Over 35 states have data security breach notice laws, and they're all different. The United States federal government also has rules from various regulators, and they're different as well. For example, the above suggestion to preserve evidence is not really just a suggestion – if your company is covered by guidance from certain federal regulators, preserving evidence is one of the components of the security breach response plan that the company is supposed to have in place right now.[1] Ideally, your specialised counsel will be part of a law firm that deals with privacy and data security laws generally (not just data security triage) and that has a broad enough practice to help with subsequent issues. Working through a data security incident can reveal new or latent legal or operational issues (e.g., employment policies, web site terms of use, privacy and security policies, customer agreements, and service contracts all might need to be revised) or create new issues that will need to be addressed after the incident is long gone. If the breach is significant enough, you may ultimately need securities law attorneys (e.g., to advise regarding securities filings for public companies), insurance lawyers (e.g., to advise whether you have claims under various insurance policies), litigators (to handle the lawsuits that can follow the security incident), and commercial law attorneys who are familiar with payment systems if the breach involves those systems.

6. Structure Your Advisors. Consider having any external firms, such as a data security firm, engaged by your law firm so that the investigation may be covered by the confidentiality privilege pertaining to the information moving back and forth with your attorneys.

7. Identify If Payment Systems Are Involved. Find out whether the possibly compromised data relates to payment system information. If so, immediately locate and review relevant processing contracts to see what they say about data breaches. Those contracts can raise issues that are beyond the scope of the first phone call – the warning is that the contracts exist and need to be located, because many have express provisions and deadlines regarding data security breaches.

8. Document Activities. Start documenting the activities of the response team right away, as appropriate under evidentiary and legal privilege rules.

Immediate Questions

A large part of the activity of the response team will be gathering basic information about the incident in order to determine what is appropriate from a variety of perspectives – business, legal, IT, customer relations, investor relations and so on. Below is a list of initial questions to ask in that first phone call. These questions are designed to elicit information that is relevant primarily from a legal standpoint under data breach notice laws in the United States. However, the information may also be important from other standpoints. When you get the "we've had a security breach" call, at least ask these questions, and also pin this article to your bulletin board or put it in your nightstand (for those inevitable middle-of-the-night calls). You'll be glad that you did when the call comes in.

1. When did the incident occur? Relevant to the timing of required notices and the determination of applicable laws, including laws with delayed effective dates.

2. In what capacity was your company holding the data (e.g., was it holding it for another business and, if so, what does that other business' privacy policy say about security breaches)? Statutory obligations shift depending on whether your company owns or licenses the data, or is processing or otherwise holding it for a third party owner. Any contract with another business needs to be reviewed.

3. How did the incident occur (lost or stolen computer, network breach, unauthorised access, etc.)? Relevant to (a) statutory coverage, (b) what types of other agreements might be relevant, such as third party service agreements, employment agreements, etc., and (c) whether others might be liable to your company. Note: what you can learn about the incident by the end of a short statutory deadline for notice may turn out to be incorrect once the dust settles, so leave room for that possibility in any notice given.

4. What types of data were taken, accessed or exposed? Relevant to whether the event is covered under a payment system contract or a breach notification or other statute— each regime has its own definition of covered information, and the range is wide and non-uniform. This question is also relevant to the statutory coverage question (e.g., personal information held by the U.S. Veteran's Administration now has its own definition of "personal information" and its own notice rule).[3]

5. How many individuals are potentially affected and who are they (e.g., employees? customers?)? Relevant to "materiality" for purposes of some statutes and also to formulating how best to deal with the incident (e.g., if a large number of individuals will be calling the company, would an online facility or 1-800 number better handle the volume?).

6. What are the state(s) and countries of residence of the data subjects? Relevant to determining what law applies. Some of the notice laws purport to pertain to data the company has on a resident of the jurisdiction with the statute, even if the breach doesn't occur there and even if the company has no presence there. This may create issues under international laws and, domestically, under the U.S. Dormant Commerce Clause.

7. Where does the company do business? Relevant to the statutory coverage question and the Dormant Commerce Clause issue (some of the state statutes do condition coverage on doing business in that state).

8. Is the company in a regulated industry (e.g., financial, healthcare, telecom), a federal agency, a contractor for a federal agency, or a service provider to a regulated entity? Special laws might apply instead of or in addition to state data breach notice laws.

9. Are there non-statutory requirements (e.g., payment system contracts)? There may be notice or other requirements even if no statute applies.

10. Is the company publicly traded? Securities law reporting issues may need to be considered.

11. Was the data encrypted, redacted or otherwise rendered unreadable? Some statutes exclude some such data from notice requirements.

12. Has the incident been reported to any law enforcement officials? What is the status of the investigation? Most state statutes permit coordination with an investigation.

13. Has the incident been reported to anyone else (e.g., a regulator or a payment processor)? Some statutes require notice to a regulator or other authority, and some contracts require notices to private entities (e.g., payment system contracts), all under varying conditions as specified in the relevant requirement. Some of these notices must be given in as little as one hour among federal agencies. Sometimes reports must also be filed (e.g., a "Suspicious Activity Report" for certain regulated financial institutions).

14. Does the company have an external privacy or information security policy (e.g., for customers)? Do the attorneys have a current copy? Most of the state statutes allow an information security policy—usually part of a privacy policy—to provide for how notice will be given.

15. Does your company have an internal privacy or information security policy (e.g., for employees)? Internal employment policies might trigger termination or discipline procedures.

Once you get answers, your attorneys can begin to determine what laws apply. You will need to supply copies of relevant contracts, and there will be lots of additional questions. However, answers to the above will at least allow your attorneys to get the ball rolling. If the company is required, or may appropriately decide, to provide a notice, another important consideration will be the notice itself. At least one study indicates that the tenor and thoughtfulness of the notice are important components of the recipient's satisfaction with the company sending the notice.

In a perfect world, perfect security would exist and all of this could be avoided. But it does not exist, no matter what precautions are taken, so keep this list handy.

[1] See e.g., Interagency Guidance on Response Programs for Unauthorised Access to Customer Information and Customer, 70 Fed. Reg. at 15736, 15752 (3/29/05) (under the guidance, a component of a response program is: "Taking appropriate steps to contain and control the incident to prevent further unauthorised access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence.").
[2] See e.g., Raymond Nimmer and Holly K. Towle, The Law of Electronic Commercial Transactions (2003-2006, A.S. Pratt & Sons), at Chap. 16.083(a) (sample phishing email from scam artist seeking information based on data security breach event).
[3] See Title IX of The Veterans Benefits, Health Care, and Information Technology Act of 2006.