EU Data Protection Regulation
EU Data Protection Regulation – why we
have it and what to do about it?
ISACA Malta – 13th May 2016
Sarb Sembhi CISM
Chief Technology Officer & Acting Chief Information Security Officer
Disclaimer
• The views expressed in this presentation are those of the presenter and not
ISACA Malta or Noord Group
• Nothing in this presentation is intended to be advice, it is presented as
views of the presenter
• Please verify any actions you decide you wish to consider further – I am not
a legal expert
• Things are still not final until challenged in the courts … but we’re getting
closer
• I am not anti-US or anti US businesses, but am against abuses of legislation
which result in unfair competition against local businesses (especially if
those businesses are in the EU)
Objectives
• Convey that although Data Protection seems complex (and it is), once you
understand the different stakeholders’ positions it becomes clearer (except
that there are too many stakeholders)
• Don’t get caught up in the details right now, there are too many of
them – several have yet to be tested
• Although lawyers can help you with the legal bits, you will need to
understand and determine the practical and technical
implementation aspects yourselves
• Don’t worry, there will be plenty of more detailed information
sessions once supervisory authorities start to interpret the Regulation
Agenda
• Why is it all personal?
• Where were we with Data Protection before now?
• What changed and led to the draft EU GDPR?
• What is in the final EU GDPR?
• What about the Privacy Shield?
• What do we do about moving towards compliance?
Why is it all personal?
• National stakeholders
• Local differences
• Technology
• Business interests
• Value of data (or lack of it)
• People are only likely to relate or react when it’s personal (sometimes not
even then), or they remain unaware
This is the sort of data that we expect to get
stolen
• Equifax, one of the big-three US credit bureaus, has been targeted by
fraudsters that search for W-2 data and use it for claiming fraudulent tax
returns
• But the company hasn’t been breached. Instead, in an approach similar to the
one recently used to steal W-2 data from the ADP customer portal, the crooks
misused the fact that not many users change default login credentials they
have been assigned, and managed to access random accounts and harvest the
data in them
• The real victims are the employees, current and former, of US grocery giant
Kroger, Stanford University, Northwestern University, and probably other
businesses and institutions, whose data has been stolen and misused.
And we expect this too
• Fast-food chain Wendy’s disclosed it was a victim of a
point-of-sale system attack that installed malware on PoS
computers affecting 300 franchise restaurants. The
disclosure was part of the company’s first quarter 2016 SEC
filings on Wednesday and is the most complete account
to date of a 2015 data breach
• … starting in the fall of 2015, malware was installed
through the use of compromised third-party vendor
credentials and targeted a PoS system used in a minority
of its stores. According to Wendy’s, the breach impacted
about 5 percent of the company’s 5,500 North American
restaurants
But what about this?
• Identity thieves stole tax and salary data from payroll
giant ADP by registering accounts in the names of
employees at more than a dozen customer firms
• ADP says the incidents occurred because the victim
companies all mistakenly published sensitive ADP
account information online that made those firms
easy targets for tax fraudsters
• ADP emphasized that the fraudsters needed to have
the victim’s personal data — including name, date of
birth and Social Security number — to successfully
create an account in someone’s name
Big breach self-disclosed in the UK
• Kiddicare, a specialist child and baby retailer in the
UK, has suffered a data breach and warned close to
800,000 customers that their personal data was
exposed by hackers
• … the stolen data, which included names, email
addresses, phone numbers and shipping addresses,
was taken from a test site that has now been deleted.
Payment details were not accessed by hackers as the
company does not store such information on its
systems
• The company became aware of the data breach after
customers reported suspicious text messages that
were not sent by Kiddicare and reported itself to the
UK's Information Commissioner
How is this different / similar to having an
affair?
• A data breach at a sex forum has resulted in the exposure
of 107,000 accounts
• More than a third (37 per cent) of those affected by the
Rosebutt Board breach were already included in the Have I Been
Pwned? site
• Info exposed includes usernames, email addresses, IP
addresses, and weakly hashed passwords
• … many of whom have been placed at risk of public
humiliation or blackmail as a result of their sexual
proclivities
This is just plain rude
• Jailed hacker claims that he repeatedly breached the
personal email server of US presidential candidate
Hillary Clinton in early 2013 when she was Secretary
of State
• Other past victims of Guccifer include Colin Powell
and a member of the Bush family. Lazar was
extradited in early April to a Virginia jail from a
Romanian prison where he was serving a seven-year
sentence for cyber-crimes.
So, what personal data is out there? 1
• Telephone calls: time, date, duration, originating / destination number,
possibly content of the call (VoIP, wiretapping)
• Unencrypted emails (Gmail, Hotmail, Yahoo, etc.)
• Perhaps even encrypted emails
• Calendar and contact data
• Other unencrypted traffic
• Including: access to all social media sites, uploading utilities, etc.
• Data collected by mobile device applications
So, what personal data is out there? 2
• Data collected by mobile operating systems
• Data stored by backup sites
• Data collected by VoIP services
• Data collected by mobile payment services
• Search request data
• VPN log data
• And this is before even counting business cloud services
Plus more, with much more to come
• Data collected by Google Glass-like products
• Data collected by smart TVs (which watch you viewing TV)
• Data collected by smart meters & smart grid
• Data collection by driverless cars
• Data collected by Internet of Things devices around the home
• Data collected on wearable & health devices
• Mobile payments (like all the new pay systems)
• Advanced Big Data analysis and data mining tools
• Criminal use of the above tools to create new business models based on data
stolen from the above sources
Yes, it is really personal
• 28 EU member states, each with different cultures and histories around
privacy, ID cards, etc.
• Several EU leaders were only interested in the NSA revelations once they
knew that their calls and data had likely been intercepted
• Customers and employees may only understand the issues when it
happens to them
• When there is compensation involved, it’s personal
Where were we with Data Protection before 2012?
• Directive 95/46/EC
• Data Protection Act 1998 (the UK implementation of the Directive)
• 8 principles – the 7th principle, “Appropriate technical and organisational
measures shall be taken against unauthorised or unlawful processing
of personal data and against accidental loss or destruction of, or
damage to, personal data”, relates most obviously to cyber security
• Safe Harbour Agreement 2000
What changed and led to the draft EU GDPR?
• Variations in interpretation of the Directive, not only in the national
legislation itself, but also in interpretations of wordings
• Burden on pan-European businesses of complying with each location’s
interpretation
• Greater amount of EU citizens’ personal data being held outside of the EU
• Great amount of personal data being collected by non-EU data
controllers
• Experiences of abuses of fair use, purposes, adequacy, accuracy,
retention, recognition of rights, security and transfers
• More case law, fewer advisories from Supervisory Authorities
What else has changed?
• Ease of portability and transportability of data
• Regular (weekly) large scale data breaches
• Issues around control and ownership of personal data
• Recognition of the need of Generation Y to start again
• Economic climate – triple dip recession?
• Unfair competition
• Businesses that collect personal data and can leverage technology, as
well as the tax system, appear to be the most profitable and challenge
existing business models
Finally …
• A recognition by many that the 1995 Directive is no longer fit for purpose
given the vast changes in everything
• The draft EU GDPR went public in January 2012
• It caused a great debate that it was over the top
• Then the Snowden effect from June 2013 onwards
• Then the respective amendments by each of the two sides
But, don’t forget the Snowden effect!
• Disclosures of mass US government surveillance
• Many large US data controllers considered to be complicit in
providing data to intelligence services about EU citizens
• World leaders identified as having been targets of US surveillance
activities
What happened after Snowden? 1
• The privacy lobbies have been requesting:
o clearer, extensive rights from the outset and when things go wrong;
o greater obligations for data processors
• Data processors have been requesting:
o less onerous obligations;
o greater fuzziness in the language;
o greater ease of managing the relationship with a Supervisory Authority (SA)
• Supervisory Authorities have been requesting:
o some of the above;
o ease of managing issues in other member states for subjects;
o powers to fine larger sums in relation to worldwide turnover
What happened after Snowden? 2
• Intelligence agencies have requested:
o the ability to collect data for national security purposes – this has overtaken privacy concerns in
some cases, and created a better understanding of citizen and non-citizen surveillance
• After around 4,000 amendments, a high percentage of which were funded by US
corporate interests – more money spent on lobbying this single piece of legislation than
on all others put together, ever!
• Pause for thought: Do our privacy and Data Protection laws come from the US
internet giants? Do Europeans only get what the US corporations give us?
• Several trilogue (European Commission, European Parliament and Council of the
EU) discussions and agreements took place to produce the final text, adopted in
April 2016
• Businesses have a two-year transition period: the Regulation applies from 25 May 2018
To cut a very long story slightly shorter
• … Well shorter than 4000 amendments anyway
• And then it came … there was light at the end of the tunnel …
The full text – all 261 pages: Council of the EU document 5419/16,
Brussels, 6 April 2016 (OR. en) – DATAPROTECT 2, JAI 38, MI 25, DIGIT 21,
DAPIX 9, FREMP 4, CODEC 52
EU level 1
• Regulation not a Directive
• One single European law
• Every company supervised by a single lead Supervisory Authority to provide a
one-stop-shop approach
• Broader territorial scope – will apply to:
• controllers and processors established in the EU that process personal data; and
• controllers and processors not based in the EU who offer goods or services to, or
monitor the behaviour of, individuals who are in the EU.
• No longer a requirement to register to process data (in every country)
• Data cannot be transferred outside the EU unless the destination provides an
adequate level of protection or appropriate safeguards (such as model clauses or
binding corporate rules) are in place
EU level 2
• Expanded definitions / new concepts:
• Personal Data – GDPR clarifies that location data, genetic data and online identifiers (such as IP
addresses and cookie identifiers) are personal data
• Pseudonymous Data – personal data that can no longer be attributed to an individual without
additional information, provided that additional information is kept separately and protected by
technical and organisational measures; it is still personal data
• Anonymised Data – not within the scope of GDPR
• Profiling – automated processing of personal data used to evaluate an individual’s “personal aspects”
• Parental consent is required for the processing of personal data of children under the age of 16
(member states may lower this age, but not below 13)
• Consent must be freely given, specific, informed and either:
• unambiguous for processing personal data; or
• explicit for processing sensitive (special category) personal data.
• GDPR maintains existing rights, expands them and introduces new rights:
• right to erasure (the ‘right to be forgotten’);
• right to restrict the processing of personal data; and
• right to the portability of data.
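The pseudonymous data definition above is the one piece of the Regulation that maps directly onto an engineering control, and it is often implemented wrongly (a plain hash of the e-mail address). The block below is an added example written for this page, not code from the presentation or any project: it pseudonymises a constructed record set with a keyed HMAC whose key lives in a separate key store, shows that analytics still works on the pseudonyms, and contrasts this with an unkeyed hash that anyone holding a candidate list can reverse. The key size, pseudonym truncation and record layout are assumptions.

```python
"""Pseudonymisation versus plain hashing.  Added illustrative example, not
from the presentation; key size, truncation and record layout are assumed."""
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional

# Constructed sample records (no real people).  Alice appears twice with
# different capitalisation to show that normalisation keeps her linkable.
RECORDS = [
    {"email": "Alice@example.com", "order_total": 42.50},
    {"email": "bob@example.com",   "order_total": 17.00},
    {"email": "alice@example.com", "order_total": 8.25},
]


def _normalise(identifier: str) -> bytes:
    return identifier.strip().lower().encode()


class KeyStore:
    """The 'additional information' the Regulation requires to be kept
    separately: the secret key and the pseudonym-to-identifier map.  Only
    the party permitted to re-identify holds an instance of this class."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)
        self._reverse = {}

    def pseudonym(self, identifier: str) -> str:
        # Keyed HMAC: without the key nobody can recompute a tag or verify a guess.
        tag = hmac.new(self._key, _normalise(identifier), hashlib.sha256).hexdigest()[:16]
        self._reverse[tag] = identifier.strip().lower()
        return tag

    def reidentify(self, tag: str) -> Optional[str]:
        return self._reverse.get(tag)


def pseudonymise(records, store: KeyStore):
    """Replace the direct identifier with its pseudonym; the result can be
    handed to analytics without any e-mail addresses in it."""
    return [{"subject": store.pseudonym(r["email"]), "order_total": r["order_total"]}
            for r in records]


def spend_per_subject(pseudonymised):
    """Analytics still works on the pseudonymised set, because records of
    the same person carry the same pseudonym."""
    totals = defaultdict(float)
    for r in pseudonymised:
        totals[r["subject"]] += r["order_total"]
    return dict(totals)


def unkeyed_hash(identifier: str) -> str:
    """The common mistake: SHA-256 of the e-mail.  Anyone with a candidate
    list can reverse it, so the 'additional information' is not separate."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()[:16]


def dictionary_attack(tag: str, candidates, hasher) -> Optional[str]:
    """An attacker who holds only the data set tries every candidate identifier."""
    for candidate in candidates:
        if hasher(candidate) == tag:
            return candidate
    return None


if __name__ == "__main__":
    store = KeyStore()
    data = pseudonymise(RECORDS, store)
    print(spend_per_subject(data))
    print(store.reidentify(data[0]["subject"]))
```

The attacker in `dictionary_attack` succeeds against `unkeyed_hash` and fails against the HMAC tags, which is exactly the "kept separately" test: the key store, not the hashing step, is what makes the data pseudonymous rather than trivially re-identifiable. Rotating the key re-pseudonymises the whole set, and the reverse map must be protected (and erased) with the same care as the original identifiers.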
Country level
• Controllers must notify the Supervisory Authority without undue delay when they
become aware of a breach, unless the breach is unlikely to result in a risk to
individuals’ rights and freedoms
• Inform Data Subjects where the breach is likely to result in a high risk, so they
can take the necessary precautions
• Right to lodge a complaint with a Supervisory Authority
• Judicial remedy against Data Controllers or Processors
• Judicial remedy against Supervisory Authorities
• Class actions (representation by not-for-profit bodies acting for data subjects)
• Individuals’ right to compensation
Company level 1
• A new explicit principle of accountability – controllers must be able to demonstrate
compliance
• New concepts of ‘data protection by design’ and ‘by default’ (often called ‘privacy by
design’ and ‘privacy by default’)
• Controller must carry out a data protection impact assessment prior to processing
data where the processing is likely to result in a high risk for the rights / freedoms
of individuals due to:
• the use of new technologies; and
• the nature, scope, context and purposes of processing.
• Individuals must not be subject to a decision based solely on automated
processing (including profiling) that either produces a legal effect or significantly
affects them, unless the decision is:
• necessary to enter into or perform a contract with that individual;
• authorised by law; or
• based on individual’s explicit consent.
Company level 2
• Controllers and processors must appoint a DPO where:
• they are a public authority; or
• their core activities involve regular and systematic monitoring of data subjects on a large scale; or
• their core activities consist of large-scale processing of sensitive (special category) data or data
relating to criminal convictions and offences.
• GDPR introduces an obligation to notify personal data breaches:
• to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming
aware (unless the breach is unlikely to result in a risk to individuals); and
• to affected individuals without undue delay (where likely to result in a high risk to such
individuals).
• Data Processors now have direct obligations and can be liable for the security of personal data
• Obligation to take technical and organisational measures appropriate to the risk, having regard to
the state of the art and the costs of implementation
• Follow Codes of Conduct (from industry groups)
• Fines of up to EUR 20 million or up to 4% of worldwide annual turnover, whichever is higher (a
lower tier of EUR 10 million / 2% applies to some infringements)
What about EU-US Privacy Shield?
What’s all the fuss about Safe Harbour / Privacy
Shield? 1
• Safe Harbour scheme set up in 2000
• EU DP law forbids the movement of personal data outside of the EU,
unless it is transferred to a location which is deemed to have “adequate”
privacy protections in line with those in the EU
• The Safe Harbour agreement between the EC and the US government
essentially promised to protect EU citizens’ data if transferred by
companies in the US. It allowed companies like Facebook to self-certify
that they would protect EU citizens’ data when transferred and stored
within US data centres
• It was a self-certification scheme administered by the US Department of
Commerce, with enforcement by the Federal Trade Commission
What’s all the fuss about Safe Harbour / Privacy
Shield? 2
• In 2008 Australian research firm Galexia found “the ability of the US to protect privacy
through self-regulation, backed by claimed regulator oversight, was questionable”
• After Snowden, the Austrian Max Schrems complained that Facebook was not keeping his
data safe from the US intelligence agencies, and took the Irish Data Protection
Commissioner to court. The case was referred to the Court of Justice of the EU, which
ruled in October 2015 that the Safe Harbour decision was invalid
• 2 key findings:
o US public authorities could access personal data transferred under Safe Harbour on a
generalised basis, and the Safe Harbour principles did not bind them
o EU citizens did not have the same protection or rights of redress in cases of wrongdoing
under Safe Harbour as they do under EU law
• Enter Safe Harbour 2 (the EU-US Privacy Shield), coming your way soon
• Stop Press: EU Model Clauses may also be invalid, however binding corporate rules still
most likely OK
What does all this mean for your business? 1
• If you are using US based cloud services, you are transferring data, therefore you do need
to consider your response to both:
o a) Pre-GDPR
o b) Compliance with GDPR
• If you think you are not using any US cloud based services, audit all activities – it is more
likely that you are but just don’t know it!
• Identify all the data you currently hold or use and the data you intend to hold or use and
separate it according to your obligations and risks – this first (big) step will demonstrate
to a Supervisory Authority that you have at least started the process of understanding
what is required of you
• Use this data to undertake a privacy impact assessment
• Consider any data you hold or collect that may be excessive for the use it was collected
for, and decide a way forward which respects the new rights
• Consider the consent you currently hold and how it will need to change
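The “identify all the data you hold” step is usually started by scanning exports, logs and test extracts for identifier patterns before anyone reads a single policy. The block below is an added example written for this page, not the presenter’s code or any product: it runs simple value patterns and a column-name list over three constructed sample data sets, produces a per-dataset inventory, and ranks them so that special category data sorts first. The patterns, the special category column list and the ranking rule are assumptions chosen for illustration and would need tuning on real data.

```python
"""Personal-data discovery over exported data sets.  Added illustrative
example, not the presenter's; patterns, column list and ranking are assumed."""
import re
from collections import Counter

# Value patterns for direct and online identifiers (assumed, illustrative).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\+\d{1,3}[\d\s-]{7,}\d"),   # E.164-style, leading +
    "date":  re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),      # possible date of birth
}
# Column names hinting at Article 9 'special category' data (assumed list).
SPECIAL_COLUMNS = {"health", "diagnosis", "religion", "ethnicity",
                   "trade_union", "sexuality", "biometric", "genetic"}

# Constructed sample exports (not real data): dataset name -> rows.
# The log line and the HR test extract are the kind of places personal
# data hides when a business believes it has none.
SAMPLE_EXPORTS = {
    "crm.csv": [
        {"name": "A. Example", "email": "a.example@example.com",
         "phone": "+356 2122 3344", "note": "called 2016-05-13"},
        {"name": "B. Example", "email": "b.example@example.com",
         "phone": "", "note": "prefers email"},
    ],
    "webserver.log": [
        {"line": '203.0.113.7 - - [13/May/2016:10:00:00 +0000] "GET /account HTTP/1.1" 200'},
    ],
    "hr_test_extract.json": [
        {"employee": "C. Example", "dob": "1980-01-02",
         "diagnosis": "none recorded", "email": "c.example@example.com"},
    ],
}


def scan_rows(rows):
    """Count identifier categories found in the values of one data set and
    flag columns whose name suggests special-category data."""
    counts = Counter()
    special = set()
    for row in rows:
        for column, value in row.items():
            if column.lower() in SPECIAL_COLUMNS:
                special.add(column)
            for category, pattern in PATTERNS.items():
                hits = len(pattern.findall(str(value)))
                if hits:
                    counts[category] += hits
    return {"categories": dict(counts), "special_columns": sorted(special)}


def inventory(exports):
    """One report per data set: the starting point for separating data by
    obligations and risks."""
    return {name: scan_rows(rows) for name, rows in exports.items()}


def risk_rank(inv):
    """Data sets holding special-category data first, then by the volume of
    identifiers found (assumed ranking rule)."""
    def key(item):
        report = item[1]
        return (bool(report["special_columns"]), sum(report["categories"].values()))
    return [name for name, _ in sorted(inv.items(), key=key, reverse=True)]


if __name__ == "__main__":
    report = inventory(SAMPLE_EXPORTS)
    for name in risk_rank(report):
        print(name, report[name])
```

Run as-is it ranks the HR test extract above the CRM export even though the CRM holds more identifiers, because a single special category column changes the obligations (and the breach risk) for the whole data set; the web server log, which “contains no personal data” in most people’s heads, still shows up because an IP address is an online identifier under the new definition.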
What does all this mean for your business? 2
• Update privacy policies, especially: what data you collect; how you will use
it; subject rights and how you assist subjects in exercising them; your
responsibilities; who to complain to and how
• Consider all your suppliers and all those to whom you supply services, in
the context of who holds what data and the assurance you or they need to
comply with the Regulation
• Revisit your Incident Response procedures and ensure that they work for
you, minimising your risks and maximising your response
• Consider the use of specialist services on a retainer basis to assist you in
doing the above and more to instil a compliance regime: Virtual DPO,
Virtual CIRO, Legal, Incident Response Team
• Consider the use of Cyber Insurance
TRUSTe Survey 1
• Across US and Europe
• 100 medium to large
organisations
• Respondents had responsibilities
for IT or regulatory compliance
• 20% well prepared
• 26% just started
• 44% unaware or vaguely aware
TRUSTe Survey 2
If you remember nothing else …
• Regardless of whether the UK is a member of the EU or not, businesses in the UK will
have to comply with the Regulation, since it applies to anyone offering goods or services
to, or monitoring, individuals in the EU (whatever their citizenship)
• If you want to export data from the EU, then the territory that you intend to export it to
must be able to provide safeguards equivalent to those in the EU
• The chances are that if you can show that you have taken a risk based approach, you will
most likely not be fined by a Supervisory Authority (ICO in the UK); it’s where you are
unable to demonstrate your approach that you are most likely to be fined
• Equally, it is better to give subjects their rights under the GDPR earlier rather than later
than required by law
• Think of compliance with the EU GDPR like health and safety – certain industries / sectors
or business types / models will need to do more than others
• There will always be the “data protection gone mad” syndrome, but just don’t become part
of it
What to do, what to do
• Identify who will be responsible
• Review your business case for all data processing; this includes:
• Assess current policies
• Assess current use of personal and sensitive data
• Brief all senior managers – as they will determine the work for their staff in
complying or not as the case may be
• Assess current 3rd party suppliers
• Create a knowledge base to share with others
• Produce a gap analysis
• Develop a readiness plan with details on who will do what and by when
• Act on the plan
Finally
We will be back here within 8-10 years from now!
Questions
[email protected]
Sarb Sembhi CISM
Chief Technology Officer & Acting Chief Information Security Officer