Open Forum PRIVACY
Thursday, 20th of February 2014
Leuven, 20 February 2014
Agenda
1. 18:30 Welcome
2. 18:45 Datalogging – Privacy Issues
3. 19:30 Break
4. 19:50 Datalogging – Other Issues
5. 20:30 Close
DATALOGGING – PRIVACY (AND OTHER) ISSUES
JOHAN VANDENDRIESSCHE
Datalogging
• Logfile or log
• Record of events
• Types of logs
• Event logs
• Transaction logs
• Communication logs (IM logs)
• Scope and purpose can be varying
• Quality control (bugfixing)
• Evidence for business transactions
• Marketing (website traffic log)
Datalogging
• Legal obligations
• Obligation to keep a specific log
• Pharmacists (pharmaceutical drugs)
• Employee file
• Obligations to store a specific log
• Focus today: various IT logs
• Keeping logs
• (Re-)Using logs
High level legal framework
• Act of 8 December 1992
• Processing of personal data
• Act of 13 June 2005
• Electronic communication
• CBA No. 81 concerning the monitoring of
electronic online communications data (e-mail, Internet use)
• Workplace privacy
• Cybercrime
CREATING AN IT LOG
Data Protection
• Limitations in relation to the
processing of personal data
• Very broad legal interpretation of the
concept of personal data
• Not necessarily sensitive information
(although stricter rules apply to special
categories of personal data)
• Logs may contain personal data
• Processing: “any operation or set of
operations which is performed upon
personal data […]”
Data Protection
• The data processing must comply with
specific principles
• Proportionality
• Purpose limitation
• Limited in time
• (Individual and collective) Transparency
• Data quality
• Data security
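The principles above are stated as legal requirements; an engineer has to turn them into behaviour of the logging pipeline. The following is an added example (not code from the slides or from the speaker) of a filter that applies purpose limitation, proportionality and limited retention to web-server log records before they are stored: only the fields declared for a given purpose are kept, identifiers such as IP address and user name are replaced by keyed pseudonyms, and records older than the purpose's retention period are dropped. The purposes, field names, retention periods, key and sample records are all assumptions constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical declaration of purposes: which log fields each declared purpose
# needs and how long its records may be kept. Purposes, field names and
# retention periods are assumptions for this example, not values taken from
# the slides or from the Act of 8 December 1992.
PURPOSES = {
    "security":  {"fields": {"ts", "client_ip", "user", "action", "status"},
                  "retention": timedelta(days=90)},
    "web_stats": {"fields": {"ts", "path", "status"},
                  "retention": timedelta(days=30)},
}

# Fields that identify a person and are therefore never stored in clear.
IDENTIFIER_FIELDS = {"client_ip", "user"}

# Pseudonymisation key (assumed value); it is kept outside the log store so
# that the log on its own cannot be linked back to a person.
KEY = b"example-only-pseudonymisation-key"


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: equal inputs give equal tokens, so one user's records
    can still be correlated, but re-identification requires the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(record: dict, purpose: str, key: bytes) -> dict:
    """Keep only the fields declared for `purpose`; pseudonymise identifiers."""
    out = {}
    for name in PURPOSES[purpose]["fields"]:
        if name in record:
            value = record[name]
            out[name] = pseudonymise(value, key) if name in IDENTIFIER_FIELDS else value
    return out


def expired(record: dict, purpose: str, now: datetime) -> bool:
    """Retention limited in time: True once the record is older than the
    retention period declared for `purpose`."""
    return now - datetime.fromisoformat(record["ts"]) > PURPOSES[purpose]["retention"]


def process_logs(records, purpose, key, now):
    """One pass applying purpose limitation, minimisation and retention."""
    return [minimise(r, purpose, key) for r in records if not expired(r, purpose, now)]


# Constructed sample records (not real traffic).
SAMPLE_LOGS = [
    {"ts": "2014-02-20T18:30:00+00:00", "client_ip": "203.0.113.7", "user": "alice",
     "path": "/login", "action": "login", "status": 200, "user_agent": "Mozilla/5.0"},
    {"ts": "2014-02-20T19:05:00+00:00", "client_ip": "203.0.113.7", "user": "bob",
     "path": "/report", "action": "download", "status": 403, "user_agent": "curl/7.30"},
    {"ts": "2014-01-10T08:00:00+00:00", "client_ip": "198.51.100.9", "user": "carol",
     "path": "/", "action": "view", "status": 200, "user_agent": "Mozilla/5.0"},
]
NOW = datetime(2014, 2, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    for purpose in PURPOSES:
        print(purpose, process_logs(SAMPLE_LOGS, purpose, KEY, NOW))
```

Run as a script it prints the minimised records per purpose: the marketing-style `web_stats` view never sees an IP address or user name, and the 42-day-old record survives only under the 90-day security purpose. The keyed HMAC is used rather than a plain hash so that an attacker holding the log cannot rebuild the pseudonyms by hashing the (small) IPv4 address space; the key is what must be protected, and its holder is who can re-identify.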
Data Protection
• Security obligation
• General obligation
• Specific obligations
• Obligations in relation to the use of data
processors
• Belgian Data Protection Commission
has issued a list of security measures
that can be implemented
Data Protection
• General obligation to implement
security measures
• Technical measures
• User access management
• IT security (anti-virus, firewall, …)
• Fire prevention measures
• Organizational measures
• Data categorization (confidentiality level)
• Employee policies
Data Protection
• General obligation to implement
security measures
• Both types of measures are
interchangeable
• Protection against any unauthorized
processing
• Adequate level of protection taking into
account:
• Available technology and costs;
• Nature of concerned personal data and the
potential risks
Data Protection
• Specific security obligations
• Obligation to ensure data quality
• Need-to-know access restriction
• Access must be limited to those persons that
need access
• Access must be limited to the personal data
they need
Data Protection
• Specific security obligation
• Information obligation
• Provide employees who process personal data
with information on data protection legislation
• The information obligation is stricter when more
sensitive data is processed (limited training)
• Ensure that the software used for the data
processing limits processing to what has been
notified
Logging as a security measure
• Logging as a security measure
• Purpose of its own?
• Linked to the purpose it aims to secure?
• Scope of logging
• Nature of data processing
• Data controller must be able to justify
choices
Logging for marketing purposes
• Logging = processing for a specific
purpose
• Re-use of existing logs for marketing
purposes
• Compatible purpose?
• Secondary processing for statistical
purposes (big data?)
ACCESSING AN IT LOG
Accessing an IT log
• Access to an IT log
• Access authority
• Company policies
• Roles & Responsibilities
• Workplace privacy restrictions
• Communications law restrictions
• Use of an IT log
• Probative value of an IT log
Cybercrime
• Criminal acts posing a threat against
the confidentiality, the integrity and the
availability of IT systems and data
• Hacking
• Computer sabotage
• Computer fraud & computer forgery
• Investigation powers
• Cooperation duty of IT experts
Cybercrime
• Hacking
• “the unauthorized intrusion in or
maintenance of access to an IT system”
(article 550bis Criminal Code)
• Internal hacking
• Person with access rights who exceeds those rights
• With fraudulent intent or with intent to cause
damage
• External hacking
• Person without access rights
• Knowingly
• There is no requirement of breach of
security measures
Cybercrime
• Hacking
• Sanctions (also applicable in case of
attempt to hack)
• Internal hacking
• Fines: 26 to 25.000 EUR (x6); and/or
• Prison sentence: 3 months up to 1 year (doubled in
case of intent to fraud)
• External hacking
• Fines: 26 to 25.000 EUR (x6); and/or
• Prison sentence: 6 months up to 2 years
Cybercrime
• Hacking
• Criminal sanctions are increased:
• Copying any data on the IT system
• Use of the IT system or use thereof to hack
another IT system
• Damage to the IT system or its data or any
third-party IT system or data
Cybercrime
• Computer sabotage
• “the direct or indirect insertion, modification or erasure of information in an IT system or any other change to the normal use of information in an IT system” (article 550ter Criminal Code)
• Virus, worm, or any other malicious code
• Unauthorized time-locks or other blocking mechanisms
• Developing, distributing or commercializing malicious code or tools to commit computer sabotage is a criminal offence
Cybercrime
• Computer sabotage
• Sanction (also applicable in case of attempted sabotage):
• Fine: 26 to 25.000 EUR (x6); and/or
• Prison sentence: 6 months up to 3 years (increased in case of fraudulent intent or intention to cause damage)
• Criminal sanctions are increased in case of:
• Causing damage to data in any IT system as a result of computer sabotage
• Interfering with the proper functioning of any IT system as a result of computer sabotage
• Sanctions are doubled in some cases of cybercrime recidivism
Cybercrime
• Computer fraud
• “the insertion, modification or erasure of
information in an IT system or any other
change to the normal use of information in
an IT system in view of obtaining an
illegitimate economic advantage for
oneself or for others” (article 504quater
Criminal Code)
• Economic advantage: any material or
immaterial good (e.g. money, intellectual
property rights, titles to real estate…)
Cybercrime
• Computer fraud
• Sanction
• Fine: 26 to 100.000 EUR (x6); and/or
• Prison sentence: 6 months up to 5 years
• Attempted computer fraud is punished
with lower criminal sanctions
• Sanctions are doubled in some cases of
cybercrime recidivism
Cybercrime
• Computer forgery
• “the insertion, modification or erasure of information in an IT system or any other change to the normal use of information in an IT system in view of changing the legal effect of that information” (article 210bis Criminal Code)
• Sanction
• Fine: 26 to 100.000 EUR (x6); and/or
• Prison sentence: 6 months up to 5 years
Cybercrime
• Computer forgery
• Knowingly using such forged data is also a criminal offence
• Attempted computer forgery is punished with lower criminal sanctions
• Sanctions are doubled in some cases of cybercrime recidivism
Electronic communications
• Electronic communication is protected
• Interception of electronic communication
• Art. 314bis of the Criminal Code
• Access to electronic communication
• Art. 124-125 of the Act of 13 June 2005
• Specific rules for telcos and call centers
• Specific problem for investigation of e-
mail and IM logfiles
Electronic communications
• Article 314bis of the Criminal Code
• Interception of communication
• Unlikely to apply in case of auditing or consulting logfiles
• Article 124 of the Act of 13 June 2005
• General prohibition to:
• Consult any electronic communication
• Identify the participants to such electronic communication
• Process such electronic communication in any manner
• UNLESS consent is obtained from all participants
Electronic communications
• Article 125 of the Act of 13 June 2005
• Specific exceptions exist (only business-relevant exceptions are mentioned):
• If allowed or imposed by law
• With the sole purpose of ensuring the proper functioning of the network or the proper performance of the communication service
• For offering a service that consists of preventing the receipt of unsolicited electronic communication, provided consent has been obtained from the recipient
• No distinction is made between private and professional communication!
Electronic communication
• Article 128 of the Act of 13 June 2005
• Communication logs as evidence
• Legal business transactions
• Evidence of a commercial transaction or other
business communication
• Conditions
• Prior information on registration, purposes and
duration of registration
Electronic communication
• Monitoring of any form of electronic communication
• Use of e-mail
• Use of Internet
• CBA No. 81 allows a limited degree of monitoring
• Surveillance is possible for limited purposes:
• The prevention of illegal acts, slander and violation of decency
• The protection of the economic, trade and financial interests of the company
• The protection of the security and proper functioning of the company’s IT system
• The compliance with company policies in relation to online technologies
Electronic communication
• CBA No. 81
• Procedural requirements
• Collective information
• Individual information
• Sanctions?
• Prior hearing
• Link with work regulations
Logs as evidence
• Admissible
• Type of evidence (‘matters of fact’ vs ‘legal acts’)
• Lawful
• Illegal evidence
• Illegally obtained evidence
• Probative value (‘credibility’)
• Weight carried by the submitted evidence
• Influenced by the reliability
• Gathering process of digital evidence
• Inherent reliability (?)
• Derogation by agreement?
Logs as evidence
• “Antigoon” case law
• Illegally obtained evidence
• Evidence is no longer automatically
discarded
• Evidence is retained, except:
• Nullity is legally imposed sanction
• Unfair trial
• Impact on reliability
• Small note: “Antigoon” case law is
relatively new and still evolving
Logs as evidence
• Problems with electronic evidence
• Rules of evidence strongly favour “paper evidence”
• Courts may be reluctant in the face of new technologies
• Case law usually dismisses electronic evidence at the slightest indication of the possibility of fraud / tampered evidence
Logs as evidence
• General rules
• ensure the accountability and integrity of
any electronic evidence at all times
• Implement procedures and policies /
provide evidence that these policies are
regularly verified or audited
Logs as evidence
• Practical approach in Belgium
• If feasible, define the probative value of
logs by agreement
• Ensure that the evidence collection is
organized in a manner guaranteeing
evidence integrity
• Ensure that the evidence is stored in a
secure manner
• Court proceedings may include a
court-appointed expert examination
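The two slides above ask for integrity of electronic evidence "at all times" and for collection organized so that integrity can be shown, without saying how. One mechanism practitioners use is a hash chain over the log entries with a keyed seal over the chain head, so that any later modification, deletion, reordering or insertion is detectable. The block below is an added example illustrating that mechanism; it is not code from the slides or from the speaker. The sealing key, the sample entries and the `demo` tampering scenarios are constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Sealing key (assumed value): held by the log collector or a separate sealing
# service, never on the system whose logs are being sealed.
SEAL_KEY = b"example-only-seal-key"
GENESIS = "0" * 64


def entry_digest(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous hash and the canonical JSON of this entry, so
    each hash commits to every earlier entry (a hash chain)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical.encode()).hexdigest()


def build_chain(entries):
    """Wrap each entry with its chained hash, in the order it was collected."""
    chain, prev = [], GENESIS
    for entry in entries:
        prev = entry_digest(prev, entry)
        chain.append({"entry": entry, "hash": prev})
    return chain


def seal(chain, key: bytes = SEAL_KEY) -> str:
    """HMAC over the chain head: the collector's record of which head it vouched for."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify(chain, seal_value: str, key: bytes = SEAL_KEY):
    """Recompute the chain and check the seal. Returns (ok, reason)."""
    prev = GENESIS
    for i, link in enumerate(chain):
        if entry_digest(prev, link["entry"]) != link["hash"]:
            return False, f"entry {i} does not match its hash (modified or reordered)"
        prev = link["hash"]
    if not hmac.compare_digest(seal(chain, key), seal_value):
        return False, "chain head differs from sealed head (entries removed or added)"
    return True, "ok"


# Constructed sample log entries (not real data).
SAMPLE_ENTRIES = [
    {"ts": "2014-02-20T18:31:02Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2014-02-20T18:32:40Z", "user": "bob", "action": "export", "result": "denied"},
    {"ts": "2014-02-20T18:33:15Z", "user": "bob", "action": "export", "result": "ok"},
]


def demo() -> dict:
    """Seal the sample chain, then check that each kind of tampering is caught."""
    chain = build_chain(SAMPLE_ENTRIES)
    sealed = seal(chain)
    results = {"intact": verify(chain, sealed)[0]}

    t = copy.deepcopy(chain)               # one entry altered after sealing
    t[1]["entry"]["result"] = "ok"
    results["modified"] = verify(t, sealed)[0]

    t = copy.deepcopy(chain)               # last entry removed
    t.pop()
    results["truncated"] = verify(t, sealed)[0]

    t = copy.deepcopy(chain)               # two entries swapped
    t[0], t[1] = t[1], t[0]
    results["reordered"] = verify(t, sealed)[0]

    t = copy.deepcopy(chain)               # entry appended with a correct chain hash
    extra = {"ts": "2014-02-20T18:40:00Z", "user": "alice", "action": "logout", "result": "ok"}
    t.append({"entry": extra, "hash": entry_digest(t[-1]["hash"], extra)})
    results["appended"] = verify(t, sealed)[0]
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:10s} verifies: {ok}")
```

Two caveats matter for the evidentiary use discussed on these slides. The seal only proves that the log has not changed since it was sealed, so sealing has to happen promptly and repeatedly (per batch or per time window, with the seals and their timestamps retained), and it says nothing about entries falsified before they reached the collector. And the party holding the seal key must not be the party whose conduct the log is meant to prove; otherwise the seal adds nothing to the "inherent reliability" question a court will ask. The chain is a technical control that supports, but does not replace, the documented and audited collection procedure the slides call for.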
Contact details
Johan Vandendriessche
Partner
crosslaw CVBA
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be
ISACA BELGIUM