Incident Reporting: a lawyers perspective OECD Expert Workshop on - - PowerPoint PPT Presentation
Incident Reporting: a lawyers perspective OECD Expert Workshop on Improving the Measurement of Security Incidents and Risk Management Swiss Re Centre for Global Dialogue Hans Allnutt Partner hallnutt@dacbeachcroft.com (+44) 20 7894 6925
Partner hallnutt@dacbeachcroft.com (+44) 20 7894 6925 @legallnutt
Zurich, 13 May 2017 1
2
“What you've reported to us” in Q3 2016 (published February 2017)
https://ico.org.uk/action-weve-taken/data-security-incident-trends/
3
4
“Although there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of [her] Office.”
50 100 150 200 250
Data Security Incidents October-December 2016 5
know how it happened, it would cost a lot to find out (time and money), and we might still not know how it happened.
not affect any third party (natural or corporate person) or of interest to a regulator.
about it.
finds out later.
something much more serious.
anyone? Who will find out?
will find out any way, or they already know.
worse than if we had not disclosed. 6
Personal Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'). No “availability” or “resilience” of systems. Defined by effect on data.
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate…. (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services Confidentiality, integrity, availability, and resilience.
Notification of Personal data breaches” “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or
No reference to availability or resilience.
Art 32 breach: 10,000,000 EUR / 2% Worldwide Turnover Wider requirements of Art 32.1 (availability, resilience) attract lower sanction but may never be notified in any event.
Art 5 breach: 20,000,000 EUR / 4% Worldwide Turnover
Express reference to systems and services. Cyber incidents such as ransomware and DDOS arguably not disclosable .
7
8