Incident Reporting: a lawyer's perspective
OECD Expert Workshop on Improving the Measurement of Security Incidents and Risk Management
Swiss Re Centre for Global Dialogue, Zurich, 13 May 2017
Hans Allnutt, Partner, DAC Beachcroft
hallnutt@dacbeachcroft.com | (+44) 20 7894 6925 | @legallnutt
Agenda
1. What contribution can disclosure obligations make?
2. Do voluntary disclosure obligations work?
3. Why are/aren't security incidents disclosed?
4. The limitations of the GDPR and other laws
What contribution can disclosure obligations make?
[Chart: ICO "What you've reported to us", Q3 2016 (published February 2017), https://ico.org.uk/action-weve-taken/data-security-incident-trends/]
Do voluntary disclosure obligations work?
Current ICO guidance: "Although there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of [her] Office."
[Chart: Data Security Incidents, October-December 2016, reported incidents by category]
Why are/aren't security incidents voluntarily disclosed?
To disclose...
• There is a reasonable chance that they will find out anyway, or they already know.
• If we get found out, our exposure will be worse than if we had not disclosed.
...or not to disclose
• We didn't even know about the incident.
• We know about the incident but we don't know how it happened; it would cost a lot (time and money) to find out, and we might still not know how it happened.
• We know about the incident but it does not affect any third party (natural or corporate person) and is not of interest to a regulator.
• There is no legal obligation to tell anyone about it.
• The costs of disclosing the incident outweigh the risks faced if someone finds out later.
• We can't afford the reputational impact.
• The security breach will disclose something much more serious.
• What have we got to lose by not telling anyone? Who will find out?
The limitations of the GDPR and other laws
Art 5.1(f): "Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."
  Comment: no "availability" or "resilience" of systems; the principle is defined by the effect on data.
Art 32.1: "Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate... (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services."
  Comment: confidentiality, integrity, availability and resilience, with an express reference to systems and services.
Art 33 (notification of personal data breaches to the supervisory authority) and Art 34 (communication to the data subject): no reference to availability or resilience. Both turn on the definition of "personal data breach" (Art 4(12)): "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
  Comment: cyber incidents such as ransomware and DDoS are arguably not disclosable, since the definition is framed by effect on data rather than loss of availability of the systems processing it. (Whether encryption by ransomware amounts to "destruction" or "loss" of the data is the point on which that argument turns.)
Art 83.4: breach of Art 32 attracts fines of up to 10,000,000 EUR or 2% of worldwide annual turnover.
Art 83.5: breach of Art 5 attracts fines of up to 20,000,000 EUR or 4% of worldwide annual turnover.
  Comment: the wider requirements of Art 32.1 (availability, resilience) attract the lower sanction, and a failure of availability or resilience may never be notified in any event.
What contribution can disclosure obligations make? Conclusions
• Disclosure obligations can provide actionable data.
• Voluntary and incentivised disclosure helps, but may produce an incomplete or biased picture.
• If public policy is that data on cyber incidents and data breaches is to be collected effectively, then a legal imperative, backed by sanctions, is required.
• Take care to understand the legal basis for disclosure: it may be defined by the effect of an incident (on personal data) rather than by its cause, so whole classes of incident may fall outside the reported data.