The potential legal consequences of a personal data breach
15 April 2015

Tue Goldschmieding, Partner | 16 April 2015

Contents

1. Definitions

2. Data Security Breach Management

3. Checklist: what an organisation should do in the event of a data breach

4. Practical implications of a breach for the business

5. Preparing for the future

Definitions

Personal data is defined by Directive 95/46/EC in Article 2(a) as any information relating to an identified or identifiable natural person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Personal data breach is defined by Directive 2002/58/EC in Article 2(i) as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.

A personal data breach covers more than just the simple misappropriation of data and may include:

• Theft: loss or theft of data, equipment or media

• Loss of data: equipment failure; acts of God (for example, fire or flood)

• Attacks: deliberate attack on systems; malicious acts such as hacking, viruses or deception (which relates to the unlawful obtaining of personal data, more frequently referred to as "blagging")

• Logical breach: people gaining inappropriate access; human error

Liability for data security

Data controllers are liable for data security

- A data controller is responsible for ensuring appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.

- This liability remains with the data controller regardless of whether:

  - the data controller engages a third party data processor (e.g. an IT service provider);

  - the data controller uses common software or systems (e.g. commonly available cloud services) for processing personal data;

  - new security threats arise.

Liability for data security: what counts as appropriate measures

Appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. The standard is informed by:

- Executive Order no. 528 of 15 June 2000 on security measures for the protection of personal data processed within the public sector (applied by analogy), which covers:

  • authorisation and access control

  • in-going and out-going data

  • external lines of communication

  • logging

- Generally recognised practices within the IT industry

- Requirements established through the cases, practice and guidelines published by the Danish Data Protection Agency and other national agencies

- Working papers and opinions published by the Article 29 Group

- European Network and Information Security Agency (ENISA)

Data Security Breach Management

An organisation should have both a strong internal data protection policy and a data breach response plan (see checklist) in place to respond to a data breach swiftly and effectively.

The data protection policy aims to lower the possibility of a personal data breach. However, even the most sophisticated data protection policy is not invulnerable. Therefore a data breach response plan should be produced and followed. To manage a breach of security, an organisation should:

• adopt a recovery plan, including damage limitation;

• carry out an assessment of any ongoing risks associated with the breach;

• consider whether a breach of security should be notified, who should be notified and what information should be given, including specific advice to individuals on the steps they can take to protect themselves; and

• evaluate the cause of a breach and the effectiveness of its response to it.

Checklist: What an organisation should do in the event of a data breach

1. Assemble Security Breach Team, contact the data privacy officer or contact legal counsel, whichever is applicable

2. Investigate facts

3. Stop or mitigate the breach

4. Determine the identity of the data controller(s)

5. Consider who needs to be notified

6. Check the contract

7. Disciplinary action

8. Audit of security appropriateness and need to make improvements

1. Assemble Security Breach Team, contact the data privacy officer or contact legal counsel, whichever is applicable

Data controllers should put in place a Security Breach Team to deal with personal data security breach incidents.

The team should have a clear plan to follow and be trained in advance to deal with personal data breaches quickly and effectively, limiting the damage of the breach as much as possible.

The membership of the Security Breach Team will depend on the organisation but should include at least one senior officer; individuals from areas such as Human Resources, Personal Representation, IT, security (IT and physical), and legal and compliance officers with appropriate seniority should also sit within the team.

All members need to be clear about who is taking ultimate responsibility.

2. Investigate Facts

The data security breach should be investigated to determine:

• The nature and cause of the breach.

• The extent of the damage or harm that results or could result from the breach.

3. Stop or mitigate the breach

Take action to stop the data security breach from continuing or recurring and mitigate the harm that may continue to result from the breach.

4. Determine the identity of the data controller(s)

The data controller is the party that determines the purpose for, and manner in which, personal data is processed. This may not always be obvious and there may be more than one data controller.


5. Consider who needs to be notified

• The competent national authority (the Danish Data Protection Agency): Directive 2002/58/EC (and the proposed European data protection regulation) require personal data breaches to be notified by providers of electronic communication services to the competent national authority. The details of the information to provide are available in Annex I of Regulation 611/2013.

• Other Data Controllers: if there are other data controllers of the personal data in question, you may want to notify them.

• Data Processors: it is not a mandatory requirement to notify the data processor. However, if it is uncertain who is responsible for the personal data breach, or the data controller suspects or knows the data processor is responsible (e.g. the Nets case), they should be notified.

• Insurers: notification of potential claims may be an insurance policy requirement.

• Data Subjects:

  • Where the personal data breach is likely to adversely affect the personal data or privacy of a data subject, the data controller should notify the data subject of the breach without undue delay.

  • Data controllers should consider whether the data subject will benefit from knowing about the data security breach involving their personal data, for example by being able to change passwords or bank accounts to help prevent potential fraudulent use of the data.

  • There is an exemption from the notification requirement to data subjects if the data has been rendered unintelligible: if the data controller can demonstrate to the competent authority that it has implemented appropriate technological protection measures to render the data unintelligible to any person who is not authorised to access it, then notification of the personal data breach to the data subject shall not be required.

  • For example, a confidentiality breach on personal data that were encrypted with a state of the art algorithm is still a personal data breach and has to be notified to the authority, BUT if the confidentiality of the key is intact, the data are in principle unintelligible to any person who is not authorised, so the breach is unlikely to adversely affect the data subject and therefore does not need to be notified to the data subject.

6. Check the Contract

Establish who is contractually responsible for the data breach, i.e. either the data controller or the data processor, and check the contract between the data controller and data processor to see what it prescribes. For example:

• Does the breach give rise to a right to claim damages? If so, is the value of the claim limited by the contractual limit of liability? Many contracts carve out claims for loss of data and damage to reputation from the limitation and exclusion of liability provisions.

• Do confidentiality obligations restrict the data controller from publicly referring to the data processor’s responsibility for the data breach?

• Does the breach give rise to a right to terminate the contract? In many contracts the breach of data security clauses will give rise to an express right to terminate.

Following the resolution of the breach, the data controller should also review the contract to see whether the provisions were sufficient to deal with such a personal data breach.

7. Disciplinary action

Data controllers will need to review the actions of employees who cause data security breaches and decide whether disciplinary action is appropriate.

8. Audit of security appropriateness and need to make improvements

An investigation should take place and include a review of whether appropriate security policies and procedures were in place and, if so, whether they were followed.

Where security is found not to be appropriate for the purpose of the data protection, consider what action needs to be taken to raise data protection and security compliance standards to those required. If the Commissioner from the competent national authority becomes involved in a data security breach, he is likely to request this information.

Practical implications of a breach for the business

Implications for the organisation

The results for the organisation will also vary with the type of breach. Any of the following may apply:

• National regulators are commonly granted fairly wide powers of investigation and inspection as well as powers of intervention, for example the right to order a data controller to cease infringing behaviour or to impose fines.

• The data subject also has a right to claim compensation from a data controller where damage has been suffered as a result of unlawful processing of personal data (Article 23(1), Data Protection Directive).

• Some countries have also adopted criminal sanctions, including custodial sanctions, for particularly severe breaches of the data protection principles.

• Aside from legal sanctions, non-compliance can result in damaging adverse publicity.

Improving data protection

• Data policy: are employees trained to understand the data protection policy of the organisation? Data security measures will be ineffective if the firm does not design and maintain a suitable data policy. For example:

  • Training for employees: employees and anyone else who interacts with the data, such as consultants, should receive adequate data protection and data security training. For example, this should involve training in what they need to do to keep personal data secure and to whom they are permitted to disclose personal data.

  • Access rights: the data controller should ensure that only those people who require access to the data are allowed to access it, and that the data is only processed to the extent strictly required.

  • Encryption: personal data can be stored and transmitted using one of a variety of different commercial encryption techniques. This ensures that if there is a confidentiality breach, such as a data leak, the data is rendered useless to anyone who does not hold the key.

  • Privacy by design: this is a consideration of the privacy requirements before the development of any new system or process, and maintaining privacy as a fundamental part of the system throughout the life cycle of the system or process.

  • Data retention policy: data should be stored appropriately using approved and audited systems. Furthermore, data should be kept no longer than is necessary for the purposes for which it was collected and periodically destroyed.

  • Privacy Impact Assessment (PIA): this is a process which helps organisations to identify and reduce the privacy risks of a project and comply with data protection obligations. It enables an organisation to systematically and thoroughly analyse the data protection issues from the beginning of a project.

• Effectiveness of the response: were there any problems with the recovery plan? The data controller needs to objectively assess the success of the recovery plan to see if and how it can be improved.

• Review the contract between the data controller and the data processor: are the data security obligations in the contract appropriate for the purposes of dealing with such a personal data breach?

Preparing for the future

New Data Protection Regulation

The Commission has proposed a reform of data protection in the form of a General Data Protection Regulation. Although this has been significantly delayed, the following is a list of issues relating to personal data breaches that look likely to occur, to a greater or lesser extent:

• Fines and enforcement: fines of up to 5% of global annual turnover proposed.

• Territorial reach: controllers and processors that process personal data in the context of the activities of an establishment in the EU will be subject to the Regulation. This will vastly extend the reach of EU data protection legislation.

• Security: processors as well as controllers should be directly liable for implementing “appropriate” technical and organisational security measures, having regard to the state of the art and the cost.

• Breach notification: data breaches should be notified to the regulator within a very short amount of time (the Commission has proposed within 24 hours, while the European Parliament has proposed notification “without undue delay” and within a target of 72 hours).

Draft General Data Protection Regulation

Processor liability: where previously obligations under EU data protection have applied to data controllers only, processors for the first time will be subject to a number of obligations and restrictions, and exposed to fines and other regulatory action. Negotiating and future-proofing contracts between controllers and processors will be very important in the near future.

Privacy by design: obligations ensuring that privacy and data protection will be integrated into the design of Information and Communication Technologies.

Privacy impact assessment: this would make privacy impact assessments mandatory when organisations are thinking of engaging in personal data processing.
