Archive for the ‘Breach Disclosure’ Category

Europe’s first ever EU-wide cyber-security rules “agreed”

Posted on December 9th, 2015 by

On 7 December 2015 a European Parliament press release reported that EU MEPs had closed a deal with the European Council on the first ever EU rules on cyber-security. Though we’re yet to see the full text, we now know that the final text of the Network and Information Security Directive (“NIS Directive“) has been agreed. We’re just over two years away from implementation of NIS Directive (and potentially the General Data Protection Regulation) – a cyber and data revolution that will test many a legal team.

Why do we need it?

The NIS Directive aims to bolster the security of Europe’s critical infrastructure. When NIS incidents occur, they can have a huge impact by compromising services or by interrupting the day-to-day operations of business. It is recognised that with increasing cross-border technological co-dependencies, a NIS incident in one country can may have impact across the whole EU and undermine both market and consumer confidence.

By introducing more consistent risk management measures and systematic reporting of incidents the NIS Directive aims to help sectors dependent on IT systems to be more reliable and stable. The European Commission’s proposed the NIS Directive back in February 2013, is part of a wider EU cybersecurity strategy aimed at creating a secure and trustworthy digital environment. The stated aims at that time were to ensure that key institutions such as banks, energy companies and other entities involved in critical infrastructure maintain secure information systems.

The rhetoric is clear; the NIS Directive aims to impose a minimum level of security for digital technologies, networks and services across all Member States. It also proposes to make it compulsory for certain businesses and organisations to report significant cyber incidents.

At its inception, Neelie Kroes, then EC Vice-President for the Digital Agenda, emphasised: “The more people rely on the internet the more people rely on it to be secure. A secure internet protects our freedoms and rights and our ability to do business. It’s time to take coordinated action – the cost of not acting is much higher than the cost of acting.”

The threat of a cyber-attack is more immediate now than ever

Though increasingly common, the risks and damage posed by cyber-threats has been a reality for some time. The NIS Directive will impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the EU. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for business and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”).

Key question – which market operators actually fall within its scope?

Ever since 2013, there has been extensive lobbying and debate about which of market operators would be caught within its terms and the scope of the “market operators” definition has been a bone of contention throughout negotiations. Even following this week’s press release we’re still not clear about where this debate has fallen out. At inception, the proposed Directive had in its sights operators including “search engines, cloud providers, social networks, public administrations, online payment platforms like PayPal, and major eCommerce websites, such as Amazon“.

Recent word from Brussels indicates that market operators will take on a broad definition and be categorised as either “digital service providers” or “operators providing essential services” in the final law, thereby catching the likes of e-commerce platforms and cloud service providers. Despite reaching an agreement, the December 7th press release does not clarify all the ambiguity but it does confirm the sectors and services already known to be in scope:

MEPs put an end to current fragmentation of 28 cybersecurity systems by listing sectors – energy, transport, banking, financial market, health and water supply – in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These companies must also be ready to report serious security breaches to public authorities.”

Critical infrastructure is in – but are “digital service providers” caught?

Among others, the UK Government had long argued that “digital services” should not be required to report cyber-threat issues to the NCA. The press release confirms that Member States will have to identify concrete “operators of essential services” from these sectors using certain criteria: whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety. Signs of a test emerging?

A leaked memo from the Presidency to the Council (dated 8 December 2015) and published on indicates little more:

On substance, the co-legislators agreed to provide for uniform rules on certain aspects in the area of digital service providers. In particular, Member State should not impose stricter security and notification requirements on those providers and the European Commission will have the power to further specify certain elements in implementing acts. Moreover, both institutions agreed to link jurisdiction of operators of essential services to an establishment on the Member States’ territory and also reached an agreement on the role of the cooperation group and on the remaining horizontal issues.” (My emphasis)

So we’re actually no closer to understanding which “digital service platforms” the NIS Directive will extend to and therefore which “digital service providers” will incur the mandatory obligation to report security incidents to a national competent authority (“NCA”). We only learn that: “In addition, some internet services providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. Micro and small digital companies will get an exemption, the deal says.” The “and clouds” mention had the Team here in Silicon Valley laughing as it’s unclear quite what is meant by this and in reality the vast majority of businesses have a cloud-based element to their services these days.

So while the EU is consulting around the definition of “online platforms” and “cloud” under the Digital Single Market initiative, it seems that here it has made up its mind. To be fair the press release quotes the European Parliament’s rapporteur Andreas Schwab (EPP, DE) saying:

“……. this directive marks the beginning of platform regulation. Whilst the Commission’s consultation on online platforms is still on-going, the new rules already foresee concrete definitions – a request that Parliament had made since the beginning in order to give its consent to the inclusion of digital services“.

Equally, the ink hasn’t yet dried on the drafts and it’s wrong to speculate too much until the future rules are agreed once and for all. We’ll update you soon on exactly what this “concrete definition” is and it’s impact once we know more.

What next

We’re not quite there yet. This provisionally-agreed text still needs to be formally approved by Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives. The leaked memo establishes the Presidency’s aim is to present the agreed text for approval by the Permanent Representatives Committee (Coreper) on 18 December 2015. This will be followed by the legal-linguistic revision by quality advisors of both institutions early next year. To conclude the procedure, formal adoption by both the Council and the Parliament is required.

As a directive, EU Member States would then have 21 months to publish national regulations implementing the NIS Directive’s principles and a further six months to bring those new rules into force (during which time it seems Member States will be expected to carry out the identification of operators of essential services).  We we anticipate key elements of this directive will stipulate maximum harmonisation so, in certain areas, Member States will be restricted from implementing rules that go further than the NIS Directive’s terms.

Further comment will be possible as and when the final text is released (or leaked) as a public document. As we all monitor and the press for the all-too-common leak your Fieldfisher team will update you.

In the meantime – what’s the practical consequence?

This is an entirely new obligation for businesses that fall within the NIS Directive’s ambit. Those businesses that are caught will need to take a serious look at their preparedness for preventing, managing and responding to a cyber-security breach. This will necessitate system-wide security reviews and the creation of cyber breach management policies, incident response teams and awareness-raising programs. This is of course the reaction the EU is looking for.

The agreement of the NIS Directive represents one step in ongoing changes to wider ongoing regulatory reform around digital platform regulation and data privacy rules. 2016 will herald a wealth of legal development – including the General Data Privacy Regulation (reforming the EU’s privacy laws)?

Mark Webber – Partner, Silicon Valley California


US and European moves to foster pro-active cybersecurity threat collaboration

Posted on March 12th, 2015 by

In this blog we report a little further on the proposals to share cybersecurity threat information within the United States. We also draw analogies with a similar initiative under the EU Cybersecurity Directive aimed at boosting security protections for critical infrastructure and enhancing information sharing around incidents that may impact that infrastructure within the EU.

Both of these mechanisms reflect a fully-formed ambition to see greater cybersecurity across the private sector. Whilst the approaches taken vary, both the EU and US wish to drive similar outcomes. Actors in the market are being asked to “up” their game. Cyber-crimes and cyber-threats are impacting companies financially, operationally and, at times, are having a detrimental impact on individuals and their privacy.

Sharing of cyber-threat information in the US

Last month we reported on Obama’s privacy proposals which included plans to enhance cybersecurity protection. These plans included requests to increase the budget available for detection and prevention mechanisms as well as for cybersecurity funding for the Pentagon. They also outlined plans for the creation of a single, central cybersecurity agency: the US government is establishing a new central agency, modelled on the National Counterterrorism Centre, to combat the threat from cyber attacks.

On February 12th 2015, President Obama signed a new Executive Order to encourage and promote sharing of cybersecurity threat information within the private sector and between the private sector and government.  In a Whitehouse Statement they emphasised that “[r]apid information sharing is an essential element of effective cybersecurity, because it enables U.S. companies to work together to respond to threats, rather than operating alone”.  The rhetoric is that, in sharing information about “risks”, all actors in the United States will be better protected and prepared to react.

This Executive Order therefore encourages a basis for more private sector and more private sector and government cybersecurity collaboration.  The Executive Order:

  • Encourages the development of Information Sharing Organizations: with the development of information sharing and analysis organizations (ISAOs) to serve as focal points for sharing;
  • Proposes the development of a common set of voluntary standards for information sharing organizations: with Department of Homeland Security being asked to fund the creation of a non-profit organization to develop a common set of voluntary standards for ISAOs;
  • Clarifies the Department of Homeland Security’s authority to enter into agreements with information sharing organizations: the Executive Order also increases collaboration between ISAOs and the federal government by streamlining the mechanism for the National Cybersecurity and Communications Integration Center (NCCIC) to enter into information sharing agreements with ISAOs. It goes on to propose streamlining private sector companies’ ability to access classified cybersecurity threat information.

All in, Obama’s plan is to streamline private sector companies’ ability to access cybersecurity threat information. These plans were generally well-received as a step towards collective responsibility and security. Though some have voiced concern that there is scant mention of liability protection for businesses that share information threats with an ISAO. Commentators have pointed out that it is this fear of liability which is a major barrier to effective threat sharing.

Past US initiatives around improving cybersecurity infrastructure

This latest Executive Order promoting private sector information sharing came one year after the launch of another US-centric development. In February 2014, the National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity pursuant to another Executive Order of President Obama’s issued back in February 2013.

This Cybersecurity Framework contains a list of recommended practices for those with “critical infrastructures”.   The Cybersecurity Framework’s executive summary explains that “[t]he national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.”

Obama’s 2013 Executive Order had called for the “development of a voluntary risk-based Cybersecurity Framework” being a set of industry standards and best practices to help organisations manage cybersecurity risks.  The resulting technology neutral Cybersecurity Framework was the result of interaction between the private sector and Government institutions. For now the use of the Cybersecurity Framework is voluntary and it relies on a variety of existing standards, guidelines, and practices to enable critical infrastructure providers to achieve resilience. “Building from those standards, guidelines, and practices, the [Cybersecurity] Framework provides a common taxonomy and mechanism for organizations to:

  • Describe their current cybersecurity posture;
  • Describe their target state for cybersecurity;
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  • Assess progress toward the target state;
  • Communicate among internal and external stakeholders about cybersecurity risk.”

The Cybersecurity Framework was designed to complement, and not to replace, an organisation’s existing risk management process and cybersecurity program. There is recognition that it cannot be a one-size-fits-all solution and different organisations will have their own unique risks which may require additional considerations.

The Cybersecurity Framework states that it could be used a model for organisations outside of the United States. Yet even in the US there are open questions about how many are actually adopting and following it.

Similarities between US and European cybersecurity proposals

We have to draw analogies between the US initiatives in relation to cybersecurity and the more recent information sharing proposals with the draft EU Cybersecurity Directive which the team reported on in more detail in a recent blog. Both initiatives intend to drive behavioural change. But, as you may expect, the EU wants to introduce formal rules and consequences while the US remains focussed on building good cyber-citizens through awareness and information sharing.

The proposed Cybersecurity Directive would impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the European Union. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for business and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”). The NCA being analogous to the ISAO information sharing body concept being developed in the US.  In contrast to the US Framework the EU’s own cybersecurity initiatives are now delayed (with a likely date for mere agreement of the rules of summer 2015 and implementation not likely until 2018) and somewhat diluted compared to the original announced plans.

Both the US and EU cybersecurity initiatives aim to ensure that governments and private sector bodies involved in the provision of certain critical infrastructure take appropriate steps to deal with cybersecurity threats. Both encourage these actors to share information about cyber threats. Both facilitate a pro-active approach to cyber-risk. Whist the US approach is more about self-regulation within defined frameworks the EU is going further and mandating compliance – that’s a seismic shift.

In the EU we await to see the final extent of the “critical infrastructure providers” definition and whether or not “key internet enablers” will be caught within the rules or whether the more recent and narrower definition will prevail. Interplay with data breach notification rules within the upcoming General Data Protection Regulation is also of interest.


Undoubtedly cyber-risk can hit a corporate’s bottom-line. Keeping up with the pace of change and multitude of risks can be a real challenge for even the most agile of businesses. Taking adequate steps in this area is a continuous and often fast-moving process. Only time will tell us whether the information sharing and interactions that these US and EU proposals are predicated on are going to be frequent enough and fast enough to make any real difference. Cyber-readiness remains at the fore because the first to be hit still wants to preserve an adequate line of defence. The end game remains take appropriate technical and organisational measures to secure your networks and data.

Of course cyber-space does not respect or recognise borders. How national states co-operate and share cybersecurity threat information beyond the borders of the EU is a whole other story. What is certain is that as the cyber-threat response steps up, undoubtedly so too will the hackers and cyber-criminals. The EU’s challenge is to foster a uniform approach for more effective cybersecurity across all 28 Member States. The US also wants to improve its ability to identify and respond to cyber incidents. The US and EU understand that economic prosperity and national security depend on a collective responsibility to secure.

For those acting within the EU and beyond in the future, they will have to adjust to operating (and where required complying) in an effective way across each of the emerging cybersecurity systems.

Mark Webber, Partner Palo Alto,


Progress update on the draft EU Cybersecurity Directive

Posted on February 27th, 2015 by

In a blog earlier this year we commented on the status of the European Union (“EU”) Cybersecurity Strategy. Given that the Strategy’s flagship piece of legislation, the draft EU Cybersecurity Directive, was not adopted within the proposed institutional timeline of December 2014 and the growing concerns held by EU citizens about cybercrime, it seems that an update on EU legislative cybersecurity developments is somewhat overdue.


As more of our lives are lived in a connected, digital world, the need for enhanced cybersecurity is evident. The cost of recent high-profile data breaches in the US involving Sony Pictures, JPMorgan Chase and Home Depot ran into hundreds of millions of dollars. A terrorist attack on critical infrastructure such as telecommunications or power supplies would be devastating. Some EU Member States have taken measures to improve cybersecurity but there is wide variation in the 28 country bloc and little sharing of expertise.

These factors gave rise to the European Commission’s (the “Commission”) publication in February 2013 of a proposed Directive 2013/0027 concerning measures to ensure a high common level of network and information security across the Union (the “proposed Directive”). The proposed Directive would impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the EU. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for business and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”).

Where do things stand in the EU institutions on the proposed Directive?

On 13 March 2014 the European Parliament (the “Parliament”) adopted its report on the proposed Directive. It made a number of amendments to the Commission’s original text including:

  • the removal of “public administrations” and “internet enablers” (e.g. e-commerce platforms or application stores) from the scope of key compliance obligations;
  • the exclusion of software developers and hardware manufacturers;
  • the inclusion of a number of parameters to be considered by market operators to determine the significance of incidents and thus whether they must be reported to the NCA;
  • the enabling of Member States to designate more than one NCA;
  • the expansion of the concept of “damage” to include non-intentional force majeure damage;
  • the expansion of the list of critical infrastructure to include, for example, freight auxiliary services; and
  • the reduction of the burden on market operators including that they would be given the right to be heard or anonymised before any public disclosure and sanctions would only apply if they intentionally failed to comply or were grossly negligent.

In May-October 2014 the Council of the European Union (the “Council”) debated the proposed Directive at a series of meetings. It was broadly in favour of the Parliament’s amendments but disagreed over some high-level principles. Specifically, in the interests of speed and efficiency, the Council preferred to use existing bodies and arrangements rather than setting up a new cooperation mechanism between Member States.

In keeping with the Council’s general approach to draft EU legislation intended to harmonise practices between Member States, the institution also advocated the adoption of future-proofed flexible principles as opposed to concrete prescriptive requirements. Further, it contended that Member States should retain discretion over what information to share, if any, in the case of an incident, rather than imposing mandatory requirements.

In October-November 2014 the Commission, Parliament and Council commenced trilogue negotiations on an agreed joint text. The institutions were unable to come to an agreement during the negotiations due to the following sticking points:

  1. Scope. Member States are seeking the ability to assess (to agreed criteria) whether specific market operators come within the scope, whereas the Parliament wants all market operators within defined sectors to be captured.
  2. Internet enablers. The Parliament wants all internet enablers apart from internet exchanges to be excluded, whereas some Member States on the Council (France and Germany particularly) want to include cloud providers, social networks and search engines.
  3. There was also disagreement on the extent of strategic and operational cooperation and the criteria for incident notification.

What is the timetable for adoption of the proposed Directive?

There is political desire on behalf of the Commission to see the proposed Directive adopted as soon as possible. The Council has also stated that “the timely adoption of … the Cybersecurity Directive is essential for the completion of the Digital Single Market by 2015“.

Responsibility for enacting the reform now lies with the Latvian Presidency of the Council. On 30 January 2015, Latvian Transport Minister Anrijs Matiss stated that further trilogue negotiations would be held in March 2015, with the aim of adopting the proposed Directive by July 2015.

Once adopted, Member States will have 18 months to enact national implementing legislation so we could expect to see the proposed Directive come into force by early 2017.

How does the proposed Directive interact with other EU data privacy reforms?

In our previous blog we highlighted the difficulties facing market operators of complying with the proposed Directive in view of the potentially conflicting notification requirements in the existing e-Privacy Directive and the proposed General Data Protection Regulation (the “proposed GDPR”).

Although the text of the proposed Directive does anticipate the proposed GDPR, obliging market operators to protect personal data and implement security policies “in line with applicable data protection rules“, there has still been no EU guidance issued on how these overlapping or conflicting notification requirements would operate in practice.

Furthermore, any debate over which market operators fall within the scope of the breach notification requirements of the proposed Directive would seem to become superfluous once the proposed GDPR, with mandatory breach notifications for all data controllers, comes into force.


Rather unsurprisingly, the Commission’s broad reform has been somewhat diluted in Parliament and Council. This is a logical result of Member States seeking to impose their own standards, protect their own industries or harbouring doubts regarding the potential to harmonise practices where cybersecurity/infrastructure measures diverge markedly in sophistication and scope.

Nonetheless, the proposed Directive does still impose serious compliance obligations on market operators in relation to cybersecurity incident handling and notification.

At the risk of sounding somewhat hackneyed, for organisations, cyber data breaches are no longer a question of “if” but “when” for private and public sector bodies. Indeed, there is an increasing awareness that a high level of security in one link is no use if this is not replicated across the chain. Whether the proposed Directive meets its aim of reducing weak links across the EU remains to be seen.

Beware: Europe’s take on the notification of personal data breaches to individuals

Posted on April 10th, 2014 by

Article 29 Working Party (“WP 29“) has recently issued an Opinion on Personal Data Breach Notification (the “Opinion“). The Opinion focuses on the interpretation of the criteria under which individuals should be notified about the breaches that affect their personal data.

Before we analyse the take aways from the Opinion, let’s take a step back: are controllers actually required to notify personal data breaches?

In Europe, controllers have, for a while now, been either legally required or otherwise advised to consider notifying personal data breaches to data protection regulators and/or subscribers or individuals.

Today, the only EU-wide personal data breach notification requirement derives from Directive 2002/58/EC, as amended by Directive 2009/136/EC, (the “e-Privacy Directive“) and  applies to providers of publicly available electronic communications services. In some EU member states (for example, in Germany), this requirement has been extended to controllers in other sectors or to all  controllers. Similarly, some data protection regulators have issued guidance whereby controllers are advised to report data breaches under certain circumstances.

Last summer, the European Commission adopted Regulation 611/2013 (the “Regulation“), (see our blog regarding the Regulation here), which  sets out the technical implementing measures concerning the circumstances, format and procedure for data breach notification required under Article 4 of the e-Privacy Directive.

In a nutshell, providers  must notify individuals of breaches that are likely to adversely affect their personal data or privacy without undue delay and taking account of: (i) the nature and content of the personal data concerned; (ii) the likely consequences of the personal data breach for the individual concerned (e.g. identify theft, fraud, distress, etc); and (iii) the circumstances of the personal data breach. Providers are exempt to notify individuals (not regulators) if they have demonstrated to the satisfaction of the data protection regulator that they have implemented appropriate technological protection measures to render that data unintelligible to any person who is not authorised to access it.

The Opinion provides guidance on how controllers may interpret this notification requirement by analysing 7 practical scenarios of breaches that will meet the ‘adverse effect’ test. For each of them, the  WP 29 identifies the potential consequences and adverse effects of the breach and the security safeguards which might have reduced the risk of the breach occurring in the first place or, indeed, might have exempted the controller from notifying the breach to individuals all together.

From the Opinion, it is worth highlighting:

The test. The ‘adverse effect’ test is interpreted broadly to include ‘secondary effects’. The  WP 29 clearly states that all the potential consequences and potential adverse effects are to be taken into account. This interpretation may be seen a step too far as not all ‘potential’ consequences are ‘likely’ to happen and will probably lead to a conservative interpretation of the notification requirement across Europe.

Security is key. Controllers should put in place security measures that are appropriate to the risk presented by the processing with emphasis on the implementation of those controls rendering data unintelligible. Compliance with data security requirements should result in the mitigation of the risks of personal data breaches and even, potentially, in the application of the exception to notify individuals about the breach. Examples of security measures that are identified to be likely to reduce the risk of a breach occurring are: encryption (with strong key); hashing (with strong key), back-ups, physical and logical access controls and regular monitoring of vulnerabilities.

Procedure. Controllers should have procedures in place to manage personal data breaches. This will involve a detailed analysis of the breach and its potential consequences. In the Opinion, the  data breaches fall under three categories, namely, availability, integrity or confidentiality breaches. The application of this model may help controllers analyse the breach too.

How many individuals? The number of individuals affected by the breach should not have a bearing on the decision of whether or not to notify them.

Who must notify? It is explicitly stated in the Opinion that breach notification constitutes good practice for all controllers, even for those who are currently not required to notify by law.

There is a growing consensus in Europe that it is only a matter of time before an EU-wide personal data breach notification requirement that applies to all controllers (regardless of the sector they are in) is in place. Indeed, this will be the case if/when the proposed General Data Protection Regulation is approved. Under it, controllers would be subject to strict notification requirements both to data protection regulators and individuals. This Opinion provides some insight into  how the  European regulators may interpret these requirements under the General Data Protection Regulation.

Therefore, controllers will be well-advised to prepare for what is coming their way (see previous blog here). Focus should be on the application of security measures (in order to prevent a breach and the adverse effects to individuals once a breach has occurred) and on putting procedures in place to effectively manage breaches. Start today, burying the head in the sand is just no longer an option.

If I’m not mistaken, that’s a breach….

Posted on November 4th, 2013 by

Last year the UK Information Commissioner (ICO) issued 25 fines (22 of which were for data security breaches).  This year ICO has issued 16 fines so far.  We’ll have to see what happens in the next two months but my guess is we’ll be seeing a fair few more fines in the run up to Christmas.

In a recent blog post on ICO’s website, we are told that the local government sector has received fines totalling more than £2million since the ICO’s fining power begun in 2010.  That’s a staggering amount of money which ultimately is paid out of the public purse (presumably to the detriment of the public services it was there to support). 

We are also told in the blog that “all these breaches” could have been prevented if the Data Protection Act had been correctly complied with.  I’m not sure I entirely agree with that statement; can total compliance really eliminate all risk of incidents occurring?

While it is true that organisations should implement rigorous data protection and information governance frameworks to help safeguard the data they handle (think “technical and organisational measures” required by the DPA), surely no amount of policies, guidance or training is going to prevent an accidental slip-up from occurring.  The unfortunate reality is that we humble human beings do make the occasional mistake.  We all know – or can imagine – how easy it is to misdial a number or click on ‘send’ and inadvertently send something to the wrong person.   Indeed, our 2012 ICO Enforcement Tracker (please get in touch for a copy) revealed that of all the fines issued by ICO last year the overwhelming majority were for breaches involving misdirected communications.

So practically speaking, what is the answer? 

Well, the best solution is surely to assess and manage the risks in the hope that you can ensure no harm or damage is suffered in the event an incident occurs.  The best thing you and your organisations can do is (i) sit up and pay a bit of attention to the types of data you handle; (ii) get fully up to speed with what your legal obligations are in relation to it; and (iii) implement a robust system to demonstrate not only that you are doing everything possible to avoid a breach occurring in the first place, but also so that you can be confident you have a proper action plan in place to manage an incident if and when it arises. 

It also goes without saying that we can learn an awful lot from the mistakes that others have already made; we know that the “hot spots” for regulatory action include things like misdirected communications, lack of policies and training, and the failure to encrypt portable media that contains personal information.  Organisations should exploit that knowledge and use it to build better and more effective breach management strategies.

European Commission Adopts Technical Implementing Measures for Data Breaches

Posted on September 3rd, 2013 by

On June 24th, 2013, the European Commission adopted a new Regulation No 611/2013 (the “Regulation”) on the measures applicable to the notification of personal data breaches under the Directive 2002/58/EC (the “ePrivacy Directive”). This Regulation came into force on August 25th, 2013.

Since the revision of the ePrivacy Directive in 2009, providers of electronic communications services to the public (mainly telecom providers and ISPs) must notify the competent national authority in Member States when a personal data breach occurs. The Regulation harmonizes the technical measures that apply to data breaches across EU Member States.

Timeline for notifying data breaches

Under article 4-3 of the ePrivacy Directive, service providers are required to notify the regulator “without undue delay”. The Regulation introduces a new obligation for service providers to notify the competent national authority no more than 24 hours after the detection of a data breach, where feasible.

The Regulation specifies that a data breach is considered to be detected when the service provider has sufficient awareness that a security incident leading to personal data being compromised has taken place. At this point it is necessary for the service provider to make a meaningful notification to the competent national authority. This provision illustrates the need for organizations to adopt an internal action plan allowing them to assess and to respond to data breaches effectively.

Where the company handling the data has no direct relationship with the end user (for example where the service provider uses another provider to perform part of the service, e.g. in relation to billing or management functions), the company is not required to issue notifications, but still has a duty to alert and notify its customer (i.e., the electronic communications service provider) when it becomes aware of a data breach. In this respect, providers of electronic communications services must ensure that this obligation exists in their service provider agreements.

Content of the notification to the regulator

The Regulation specifies under Annex 1 the information that must be mentioned in the notification to the national authority, including: the name of the service provider, the name and contact details of the data protection officer (or another contact person within the organization) and the details of the personal data breach (date and time of incident, circumstances surrounding the breach, nature and content of the data concerned).

Two-step notification process

Where the service provider is unable to gather all the required information within 24 hours because the data breach is still being investigated, the Regulation authorizes the company to make an initial notification within 24 hours of the breach being detected, followed by a second notification as soon as possible and no later than three days following the initial notification. This second notification should complete and, if needed, update the initial notification. If the service provider is unable to provide all the information within the subsequent three day period, it must submit a reasoned justification to the national authority for the late provision of the remaining information.

Electronic procedure for notifying data breaches

The Regulation is particularly innovative in that it obliges the competent national authorities to provide a secure electronic means for the notification of personal data breaches. The Regulation mentions that this procedure should be available in a common format (such as XML) and should contain the information set out in Annex 1 in all the relevant languages. The purpose is to enable all service providers in the EU to follow a similar notification procedure, irrespective of their location or where the breach occurs. This provision is likely to pave the way towards a general data breach notification procedure for all data controllers once the proposed EU Data Protection Regulation comes into force.

Notification to individuals and subscribers

The Regulation clarifies the circumstances under which a data breach is likely to adversely affect the personal data or privacy of subscribers or individuals, for example, where the data concerns financial data (e.g., credit card data or bank account details), sensitive data, or certain data specifically relating to the provision of telephony or Internet services (e.g., emails, location data, Internet log files, web browsing history, and itemised call lists).

In principle, the service provider must notify the subscribers and other individuals concerned “without undue delay”. However, in exceptional circumstances the provider may delay this notification, with the national authority’s permission, where the notification may put the investigation of the data breach (e.g., a criminal investigation) at risk.

If the service provider does not possess the contact details of all the individuals who are adversely affected by the data breach, it may mitigate this by making a notification through advertisements in major national or regional media (such as newspapers) until it is able to identify all the individuals affected and send them an individual notification.

Cross-border data breaches

If a data breach affects the personal data of individuals located in several EU member states, the Regulation imposes on the competent national authorities a duty to inform one another and to cooperate. One can only regret, however, that the European Commission did not go one step further by enabling a “lead” authority to act as the single point of contact for organizations that are facing a cross-border data breach. The European legislator perhaps missed a chance here to streamline the notification procedure and to remove some of the administrative burden on companies.

Direct applicability in Member States

The Regulation is legally binding and is directly applicable in all Member States, which means that in the case of a conflict between the Regulation and a national law, the Regulation must prevail.

Finally, it should be noted that the Regulation was drafted to be consistent with the proposed Data Protection Regulation so as to avoid conflicting legal provisions in the future. It is also expected that technical adjustments will be made to the ePrivacy Directive once the Data Protection Regulation comes into force.

Click here for an overview of upcoming legislation on data breaches in Europe.

Data security breach notification: it’s coming your way!

Posted on July 2nd, 2013 by

Data breach notification laws have existed in the US for several years. California was the first state to introduce a data breach notification law in 2002, followed soon after by forty-five other US states. In 2012, the US Senate introduced a Data Security and Breach Notification Act which, if enacted, would establish a national data security and beach notification standard for the protection of consumer’s electronic personal information across the US.

In Europe, data breach notification has only drawn attention at a political and legislative level following recent press coverage of data breach scandals. Nevertheless, the numerous debates, initiatives and legislative proposals that have appeared in recent months are evidence of Europe’s growing interest in this topic, and recognition of the need to regulate. As an example, the EU Commission’s Directorate General for Communications Network, Content and Technology (DG CONNECT) recently proposed to “explore the extension of security breach notification provisions, as part of the modernisation of the EU personal data protection regulatory framework” in its Digital Agenda for Europe (action 34).

From a legislative perspective, things have been moving forward rather steadily for several years. In 2009, the European legislator adopted a pan-European data breach notification requirement for the first time, under the amended ePrivacy directive 2002/58/EC (“ePrivacy directive”). True, the directive only applies to “providers of publicly available electronic communications services” (mainly telecom operators and ISPs), but in a limited number of EU Member States the ePrivacy directive was implemented with a much broader scope (e.g., Germany). In June 2013, the European Commission released a new regulation explaining the technical implementing measures for data breach notification by telecom operators and ISPs.

Following this first legislative step, the European Commission has recently made two further legislative proposals. The first, which has drawn the most attention, was the European Commission’s proposal of a new regulation to replace the current Data Protection Directive 95/46/EC. If adopted, this Regulation would introduce a general obligation for all data controllers, across business sectors, to notify the regulator in case of a breach without undue delay, and not later than 24 hours after having become aware of it. Companies would also have to report data breaches that could adversely affect individuals without undue delay. This Regulation would apply not only to organizations that are established on the territory of the EU, but also to those that are not established within the EU, but target EU citizens either by offering them goods and services, or by monitoring their behaviour.

Needless to say, in Brussels, stakeholders and lobbyists have been actively campaigning against the proposed data breach provisions for months on the grounds that they are unfriendly to business, cumbersome and impractical. Following the debates at the European Parliament and the Council of Ministers on the proposed Regulation, a less prescriptive, more business-friendly version of the data breach provisions may end up being adopted. Currently, discussions are ongoing in an attempt to limit the scope of the data breach requirements to breaches that are “likely to severely affect the rights and freedoms of individuals”. The deadline for reporting breaches could also be extended to 72 hours. At this point, it is impossible to predict with certainty what will be the final wording of those provisions. However, there does seem to be a consensus among the EU institutions and member states that, one way or another, a data breach notification requirement must be introduced in the Regulation.

Secondly, the European Commission has proposed a directive that aims to impose new measures to ensure a high common level of network and information security across the EU. The Directive concerns public administrations and market operators, namely “providers of information society services” (i.e., e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services, application stores) and “operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health.” The Directive would require them to report significant cyber incidents (e.g., an electricity outage, the unavailability of an online booking engine, or the compromise of air traffic control due to an outage or a cyber attack) to a national competent authority.

So what does this tell companies?

First, that data security in general and data breach notification in particular are drawing more and more attention, and thus cannot be ignored. As was the case a few years ago in the US, data breach notification is bound to become one of the hottest legal issues in Europe in the coming years. The legal framework for data breach notification may still be a work-in-progress, but nevertheless it is becoming a reality in Europe. Second, companies should not wait until data breach laws come into force in Europe to start implementing an action plan for handling data breaches. While data breach notification may not yet be a legal requirement for all companies in Europe, the reputational damage caused by a single data breach should motivate companies to implement robust data breach handling procedures. Finally, data breach notification can be viewed as a competitive advantage that enables companies to be more forthcoming and transparent vis-à-vis clients and customers who entrust them with their personal data.

For more information on data security breach notification rules in France, view my article in English: “Complying with Data Breach Requirements in France” (first published in BNA’s World Data Protection Report); and in French: “La notification des violations de données à caractère personnel: analyse et décryptage” (first published in Lamy Droit de l’Immatériel) .

What will happen if there is no new EU privacy law next year

Posted on June 20th, 2013 by

The European Parliament has just announced another delay affecting the vote on its version of the EU Data Protection Regulation. That means that we will now not know where the Parliament truly stands on this issue until September or October at the earliest. Although this was sort of expected, optimistic people like me were still hoping that the LIBE Committee would get enough consensus to issue a draft this side of the Summer, but clearly the political will is not quite there. This is obviously disappointing for a number of reasons, so in case the MEPs need a bit of motivation to get their act together, here are a few things that are likely to happen if the new Regulation is not adopted before next year’s deadline:

* Inconsistent legal regimes throughout the EU – The current differences in both the letter of the law and the way it is interpreted are confusing at best and one of the biggest weakness to achieve the right level of compliance.

* Non application of EU law to global Internet players – Thanks to its 90’s references to the ‘use of equipment’, the Directive’s framework is arguably not applicable to Internet businesses based outside the EU even if they collect data from millions EU residents. Is that a good idea?

* Death by paperwork – One of the most positive outcomes of the proposed Regulation will be the replacement of the paper-based compliance approach of the Directive with a more practical focus. Do we really want to carry on spending compliance resources filling in forms?

* Uncertainty about the meaning of personal data – Constantly evolving technology and the increasing value of data generated by our interaction with that technology have shaken the current concept of personal data. We badly need a 21st century definition of personal data and its different levels of complexity.

* Massive security exposures – The data security obligations under the existing Directive are rather modest compared to the well publicised wish list of regulators and, frankly, even some of those legal frameworks regarded as ‘inadequate’ by comparison to European data protection are considerably ahead of Europe in areas like data breach notification.

* Toothless regulators – Most EU data protection authorities still have very weak enforcement powers. Without going overboard, the Regulation is their chance to make their supervisory role truly effective.

The need to modernise EU data protection law is real and, above all, overdue. A bit of compromise has to be better that not doing anything at all.

Cybersecurity in the EU – massive change on its way

Posted on February 8th, 2013 by

Is anyone unsure about the EU agenda for cyber and data security? If you want some insight you could easily check the UK Information Commissioner’s website and you see that in 2012 over 20 data controllers were hit with big fines for security breaches affecting personal data.

Or you could rewind to January 2012, when the EU published the Draft General Data Protection Regulation, which will impose mandatory breach disclosure on every data controller operating in the EU, backed up with potential fines of up to 2% of annual worldwide turnover for those organisations who fail badly.

Or you could go back a little further still, to October 2009, when the EU introduced the mandatory breach disclosure rule for telcos and ISPs, which has been operating since early 2011.

Actually, you don’t need to do any of that. Instead, just focus on the draft EU Cybersecurity Directive, which was published today. Its a short document, easy to get to grips with, and within a few minutes the implications will be obvious to you.

The new Directive makes it compulsory for all “market operators”, including utilities, transport and financial services businesses, as well as public authorities who use “network and information systems” within their businesses to implement technical and organisations measures to manage cyber risks. These organisations will be subject to independent regulation, they will have to disclose security breaches to the regulators, they will have to submit to compulsory regulatory audits and they will be sanctioned if they fail to comply with the law.

The scope and magnitude of this new Directive is huge. Obviously, the regulation of cyber risks in utilities, transport, financial services and public authorities is massive in its own right, but its the wider concept of “market operator” that really needs to be looked at.

A market operator includes a provider of information society services “that enable the provision of other information society services”.

Information society services are colloquially called ecommerce services in the EU, but this is about much more than online shopping, because in the EU an information society service is essentially a service that is provided over the internet, whether or not a fee is charged. In other words, an information society service can be a shopping site, a social network, a search engine, or an “over the top” communications systems (like Skype) and so on, whether or not they are web or app based.

Looking again at the definition of market operator, what really counts is whether the information society service is supporting another information society service. This website,, is an information society service, but it’s not supporting another, so its not caught by the Cybersecurity Directive. What the Directive is looking for is the platform of support – if you are a platform for an ISS, then you are regulated.

If all of this sounds too complicated, don’t worry, the Directive provides some indicative examples. These are: ecommerce platforms, internet payment gateways, social networks, search engines, cloud computing services and application stores.

This is an incredible list and the magnitude of the Directive becomes obvious when you start adding names to the list:

* ecommerce platform = Amazon and eBay provide market platforms for traders and iTunes has to be captured too

* internet payment gateways = Paypal is the most obvious one, but there loads of others, like Worldpay

* social networks = Facebook, LinkedIn, Twitter and so on

* search engines = Google (are there any others?)

* cloud = basically every tech co in the World!!!

* application stores = I think Apple has one (!), Google too, Amazon again and what about the telcos … isn’t Blackberry launching one now too?

This seems quite incredible at first, but its real. And its obvious really, isn’t it, because it is the Cybersecurity Directive after all! It wouldn’t deserve this name if it didn’t regulate these household names.

There is a lot to like in the Directive, but businesses will have concerns about the nature of regulation and the competence of the regulators. There are also some worrying grey areas in the Directive, such as the delegation of many powers to quangos, which is never good for legal certainty. I would expect many big tech companies to be looking hard at how to engage with the EU on this, because there is much to be shaped-up.

But wrapping this altogether and tying up the various strands, what we see within the EU is radical lawmaking for security. Any organisation that misses this point will come unstuck. That’s why the law is being reformed, specifically to cause behavioural change. Whether you look at security from a data protection angle or a cyber angle, it does not matter; you just have to be more secure.

I’ve posted a diagram below which shows the core legal pillars for data and cybersecurity in the EU, now and coming. What you are seeing here is a coalescence of approach and obligation. The end game is a single legal test – take appropriate technical and organisational measures to secure your networks and data. That’s the European approach.

Privacy in the global village

Posted on September 4th, 2012 by

There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world.  Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed.  In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet.  At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time.  So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world and spot trends and priorities in the regulation of personal information.

The most veteran jurisdiction in this area of law in Asia, Hong Kong, has just had a revamp of its 15 year old Personal Data (Privacy) Ordinance.  Interestingly, the changes represent a considerable toughening of the existing regime, covering things like additional requirements in relation to direct marketing, supervisory duties in respect of data processors and enhanced enforcement powers for the privacy commissioner.  So whilst the regulator will not be able to award compensation to aggrieved individuals as originally requested by the Office of the Privacy Commissioner, new financial penalties as well as the potential for up to five years imprisonment signal a stricter approach to the use of personal information.

Further north, in South Korea, the Personal Information Protection Act has only been in force for a few months but is already being branded as the toughest in Asia.  With requirements that mirror some of the most demanding provisions of the proposed EU data protection regulation – like mandatory privacy officers, detailed security measures and data breach notification – Korea’s new law is not one to be taken lightly.  The local regulator is unlikely to be a quiet one and there are reports about a CNIL-like investigation into Google’s changes to its privacy policy, which if anything, will raise the authority’s standing among its peers.

The rest of Asia is not standing still either as countries like Malaysia, Singapore and the Philippines are also making progress in this area.  Malaysia’s Personal Data Protection Act has just come into force, so it is a bit early to say how far reaching it will be in practice but its pedigree looks rather European.  Singapore’s approach is slightly more modest and the legislative process is less advanced, but the draft bill is not without complexity.  As for the Philippines, after some delay, the new Data Privacy Act has now been formally signed by the country’s president and will be fully in force in about a year’s time.  The Philippines’ law is in line with the European approach to privacy as a fundamental right, but much less prescriptive when it comes to regulating international data transfers.

This particular issue is one that concerns global organisations seeking to adopt a coherent and consistent methodology for compliance in respect of data flows.  The European approach to international data transfers is intimidating to say the least, so it is understandable that those organisations that are investing in programmes like Binding Corporate Rules want to take advantage of that solution on a truly global scale.  Otherwise, it would be hugely frustrating to devise and implement a data protection framework that worked for Europe but didn’t quite cut it in a growing number of jurisdictions.

Fortunately, here is where the accountability model championed under the APEC Cross-Border Privacy Rules throughout Asia and other countries around the Pacific Ocean does the trick, as it gives organisations the opportunity to decide how best protect the personal information they collect and use around the world.  That way, whether one is trying to meet the expectations of data protection regulators in Europe, Asia or indeed America in respect of international data flows, it is not only possible but advisable, to devise a system like BCR that regards data protection as a global response to a business need and not as a box-ticking exercise.

This article was first published in Data Protection Law & Policy in August 2012.