
Present and Future Legal Considerations for Constructing a Cyber Security Policy

Apr 15, 2017

Page 1: Present and Future Legal Considerations for Constructing a Cyber Security Policy

Present and Future Legal Considerations for Constructing a Cyber Security Policy

Johan Vandendriessche
Partner – Crosslaw
Visiting Professor in ICT Law – University of Ghent

Page 2

Critical infrastructures: legal approach

EC Directive 2008/114/EC (local implementation!)

Critical infrastructure and European critical infrastructure
• Asset, system or part thereof
• Essential
  • Societal functions, health, safety, security, economic or social well-being
• Significant impact in case of disruption or destruction

Sector limitation at the EU level
• Energy
• Transportation

Local Member States may have a different approach

Major difference EU level vs US

Brussels - Kortrijk | www.crosslaw.be 2

Page 3

Critical infrastructures: legal approach

Obligation to implement an operator security plan (OSP)
• Identification of critical infrastructure assets
• Existing and planned security solutions

Methodology
• Identification of important assets
• Conduct of a risk analysis
• Identification, selection and prioritization of counter-measures and procedures
  • Permanent measures
  • Graduated measures

Page 4

Critical Infrastructures: legal approach

Draft Directive Network and Information Security – COM (2013) 48
• Obligations for Member States, public authorities and market operators (i.e. critical infrastructures in the broad sense)
• Security obligation in relation to information systems used in operations
  • Appropriate level, taking into account the state of the art
  • Prevent and minimize impact of incident on core operations
• Breach notification obligation in case of significant impact
  • Notified breaches may be published by the regulator
  • Regulator shall publish a yearly report

Page 5

Legal Approach to Cyber Security

Cyber Security
• Availability and integrity of information systems and information
• Exclusivity, confidentiality and protection of information systems and information

Cyber security and/or information security Law?
• No consolidated set of laws and regulations
  • Cybercrime
  • Data Protection
  • Secrecy of (electronic) communication
  • Intellectual Property Rights (copyright, patents, software …)
  • General regulations (e.g. SOX, Wassenaar Arrangements)
  • Sector-based regulations (e.g. Basel II, MiFiD, HIPAA …)

Page 6

Legal Approach to Cyber Security

Generic cyber security and/or information security Law?
• General due diligence and care obligation
  • (Indirect) Compliance obligation
  • (Indirect) Obligation to ensure information security?
• Impact on critical infrastructures?
  • Assessment of impact of destruction and/or disruption on clients, third parties and/or society
  • Define threshold for negligence
  • Implement measures required to avoid negligence
• Large contractual scope: NDAs, SLAs, IP contracts, IT policies, self-regulation, …

Page 7

Cybercrime

Harmonized approach in the EU
• Budapest Convention on Cybercrime 2001 (CETS 185)
• Directive 2013/40/EU on attacks against information systems

Cybercrime
• Illegal access to information systems
• Illegal system interference
• Illegal data interference
• Illegal interception
• Cybercrime tools
• Incitement, aiding and abetting and attempted cybercrime

Page 8

Data Protection

Principles of Directive 1995/46/EC
• Processing of personal data is prohibited, unless allowed
• The data processing must comply with specific principles
  • Proportionality
  • Purpose limitation
  • Limited in time
  • (Individual and collective) Transparency
  • Data quality
  • Data security
  • (Individual and collective) Enforcement measures
• No export of personal data to non-EEA countries, unless adequate protection is offered

Page 9

Data Protection

Importance of legal designation as critical infrastructure?
• Legal data protection framework applies: no exemption for critical infrastructures
• Conflict with cyber security obligations of critical infrastructures?

Critical infrastructures
• Critical infrastructures that serve to process personal data
• Critical infrastructures that do not serve to process personal data

Legal basis for data processing activities in the context of security
• Consent based security measures
• Security measures based on contractual necessity
• Security measures as legal obligation
• Security measures under legitimate interest

Page 10

Data Protection

General obligation to implement security measures in relation to data processing
• Technical measures
  • User access management
  • IT security (anti-virus, firewall, …)
  • Fire prevention measures
• Organizational measures
  • Data categorization (confidentiality level)
  • Employee policies

Protection against any unauthorized processing
• Adequate level of protection taking into account:
  • Available technology and costs
  • Nature of concerned personal data and the potential risks

Page 11

Data Protection

Specific issues in relation to data protection and security (i.e. specific limitations imposed when processing personal data in the context of security measures)
• Employee surveillance
• Camera surveillance (security cameras)
• Whistle blowing policies
• Blacklists
• Access control / identity control (ID card related issues)
• Biometric data (e.g. identification and access restrictions)
• Screening / background checks (e.g. “certificate of good behaviour”)
• Archiving

In the future: general data loss and data breach notification obligations
• Exists already for the (telecommunications) sector
• Exists already in some EU countries, but not all countries (e.g. not in Belgium)

Page 12

The Future of Data Protection

Data Protection Directive is under review
• Draft EU regulation (final stage of legislative process)
• EU-wide unified application

Additional requirements
• Privacy officer for large companies / privacy sensitive companies
• Privacy by design
• Privacy by default
• Data breach notifications
• Data protection impact assessment
• Fines

Page 13

The Future of Data Protection

Data Protection Management

Key principle: accountability
• Ensure and be able to demonstrate compliance
• Adopt policies
• Implement appropriate measures
  • Documentation
  • Implementing data security requirements
  • Performing data protection impact assessment
  • Prior authorization or consultation (where required)
  • Data protection officer (DPO)

What can you do to prepare?
• Seek a DPO?
• Document existing data processing activities and ensure current compliance

Page 14

The Future of Data Protection

Data breach notification duty
• Data controller and data processor
• Notification to supervisory authorities
  • Detailed information
  • Without undue delay and at the latest within 24 hours after becoming aware of the breach
  • If not within 24 hours, reasoned justification for the delay
  • Standard format is likely
  • Document data breach for verification purposes
• Notification to data subjects
  • Likelihood of adversely impacting a data subject
  • Encryption may provide exemption
  • May be imposed by supervisory authorities
• Tendency to include data breach notification obligations in contracts already

Page 15

The Future of Data Protection

Enforcement
• Liability
  • In principle, joint and several liability
• Penalties
  • Administrative sanctions
    • Fine of max. 1,000,000 EUR or, in case of an enterprise, 2% of annual global turnover, whichever is higher
    • Much stricter and higher in EP text

Page 16

How to deal with incidents and notification obligations?

Practical approach to dealing with incidents and notifications

Three stages
• Before the incident
• During the incident
• After the incident

Pre-incident phase
• Assess the nature of your security and notification obligations
• Assess the data processing activities being carried out
• Create and implement a security and an incident policy (incident team!)

Page 17

How to deal with incidents and notification obligations?

Incident phase (legal perspective)
• Apply the incident handling policy
• Qualify the nature of the incident
  • Assess the legal impact
  • Assess the obligations imposed by law
• Execute the legal obligations

Post-incident phase
• Document the incident and incident handling
• Review incident and identify measures to avoid recurrence
• Follow up claims (if any)
• Lessons learnt (analyze performance of incident handling)

Page 18

Conclusion

Identify the obligations applicable to your critical infrastructure
• Security obligations
• Breach/Incident notification obligations

Prepare for incidents

Use the legal obligations applicable to critical infrastructures as a tool for justifying data processing activities for security purposes

Prepare for the upcoming GDPR
• Assess your current situation and ensure that you are compliant with the current legal framework
• “Upgrade” as a next step

Page 19

Thank you for your attention. Questions?