Navigating the Privacy Law Landscape - US and Europe

21 January, 2015

Roberta Anderson, Partner, K&L Gates, Pittsburgh
Friederike Gräfin von Brühl, Senior Associate, K&L Gates, Berlin
Etienne Drouard, Partner, K&L Gates, Paris
Andrew Gilchrist, Senior Associate, K&L Gates, London

© Copyright 2013 by K&L Gates LLP. All rights reserved.


Data Breach and Notification – a U.S. Perspective

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014)

Source: Ponemon Institute LLC Global Report on the Cost of Cyber Crime (October 2014)

NOTICE REQUIREMENTS

Different Types of Notice
- Industry-Specific, e.g. HIPAA / HITECH
- 47 Different State Notification Laws
  - e.g., Pennsylvania
- Business Partners
  - e.g., New Jersey
- Comprehensive Federal Law?
- Others, e.g., Regulators, AGs, Consumer Reporting Agencies, Law Enforcement?
- Media
- Social Media
- SEC Filings

NOTICE REQUIREMENTS

Source: Ponemon Institute LLC Cost of Data Breach Study: Global Analysis (May 2014)

NOTICE REQUIREMENTS

Industry-Specific, e.g. HIPAA / HITECH, GLB

NOTICE REQUIREMENTS

47 different state notification laws, e.g., Pennsylvania

NOTICE REQUIREMENTS

Business Partners, e.g., New Jersey

Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its New Jersey customers, as provided in subsection a. of this section, of any breach of security of the computerized records immediately following discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.

NOTICE REQUIREMENTS

Comprehensive Federal Law?

SEC CYBERSECURITY GUIDANCE

“[A]ppropriate disclosures may include”:
- “Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;
- “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;
- “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;
- “Risks related to cyber incidents that may remain undetected for an extended period”; and
- “Description of relevant insurance coverage.”

Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target, http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/

NOTICE REQUIREMENTS

We note your disclosure that an unauthorized party was able to gain access to your computer network “in a prior fiscal year.” So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.

- Alion Science and Technology Corp. S-1 filing (March 2014)

Personal Data Breaches and Notifications – a UK perspective

LEGISLATIVE REQUIREMENTS

- Directive 95/46/EC transposed into UK law by the Data Protection Act 1998
- “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. (Part 1(7), Schedule 1 to DPA) – 7th principle.
- No prescriptive requirements, unless sector specific regulation.
- No “one size fits all” but three principles:
  1. Risk assessment – what is appropriate given type of data? Regard to be had to state of technology / implementation cost compared to what harm might result from breach.
  2. Reliability of employees
  3. Vet your data processors – written contracts
- Guidance from regulator (UK Information Commissioner’s Office):
  - Encryption? Data storage vs. transmission.
  - International Standard 27001 / Cyber Essentials Scheme.
  - Anonymisation? Data Sharing Code of Practice
  - Internal policies – IT Internet use / data retention and destruction / data security / training
  - Processes and security protocols – staff vetting and access control
  - Disposal (CESG approved?) / decommissioning
  - Software Updates (remedy vulnerabilities) / SQL Injections (high risk)
  - Authentication / hashing / salted hashing

WHO DO WE NEED TO NOTIFY?

- What sector are you in?
- PECR 2003 - Notifications only compulsory for “publicly available electronic communication services” – same across all of EU – i.e. telecoms / ISPs. 24 hours after breach detection – UK ICO.
- Other regulated sectors – Gambling Commission / FCA / Public sector.
- Everyone else – no legal requirement, but ICO guidance. Should notify if “serious”. Overriding consideration: potential harm to individuals. Can mitigate fines vs danger of over-notifying.
- Notify data subjects? Do they need to take steps to protect themselves?
- Contractual obligation to notify?
- Police / insurers / professional bodies / bank or credit card companies.

UK ICO ENFORCEMENT

- Make assessments (re-active or pro-active)
- Serving Information Notices / Special Information Notices
- Enforcement Notices
- Powers of entry, inspection, seizure of documents / equipment
- Fines of up to £500,000 – serious breaches
  - “contravention deliberate or the data controller knew or ought to have known that there was a risk that the contravention would occur, and of a kind likely to cause substantial damage / distress but failed to take reasonable steps to prevent it”. (s.55(A) DPA).
- Selective enforcement / limited resources
- Individual has a direct right of action and right to compensation
- Criminal offences – failure to comply with an Information / Enforcement Notice (Directors can also be prosecuted).

ENFORCEMENT TRENDS

Leading video games provider (Jan 2013)
- Network platform subject to several DDoS (“distributed denial of service”) attacks
- Hacker accessed customer details and passwords (no cardholder information)
- 100 million customers thought to be affected.
- Data Controller didn’t keep up to date with technical developments.
- Didn’t deal with system vulnerabilities even though update available
- Didn’t use cryptographic controls for passwords
- History of attacks but still used platform to hold vast amounts of personal data
- Didn’t react quickly enough
- Voluntarily reported (mitigating factor)
- £250,000 fine
- Internal cost to Data Controller thought to be in region of $171 million.

Booking agent for travel services (Dec 2012)
- SQL Injection attack, allowed hacker to access over 1 million card payment details (half of which were active).
- Data Controller carried out no penetration tests / vulnerability scans and checks, on the basis that webserver was not external facing (but could still be accessed over internet by individuals with basic technical skills)
- No evidence of actual harm / fraud
- Voluntarily reported (mitigating factor)
- £150,000 fine.

JULY – SEPT 2014

Source: https://ico.org.uk/action-weve-taken/data-breach-trends/

FUTURE DEVELOPMENTS

- Nov 2011 - Cyber Security Strategy produced. Set agenda until 2015/16.
- Set up National Cyber Security Programme (NCSP) with £860 million funding over five years. Falls under supervision of Cabinet Office. Published progress against objectives in Dec 2014.
- September 2012 - BIS issued guidance for companies
- CESG (information security arm of GCHQ) - 80% of known attacks defeated by basic security practices
- CERT-UK set up on 31 March 2014 to take the lead in coordinating the management of national cyber security incidents and will act as the UK central contact point for international counterparts in this field – as will be required under upcoming European Cyber-Security Directive.
- 5 Jun 2014 - New ISO Standard – based on ISO27000. Certification to demonstrate that industry-minimum cyber security measures adopted. From 1 October 2014, the government will require certain suppliers bidding for certain information handling contracts to be Cyber Essentials certified.
- No UK specific legislation on horizon – but watch out for European Data Protection Regulation and Network and Information Security Directive.

Personal Data Breaches and Notifications – a German perspective

LEGISLATIVE REQUIREMENTS

Directive 95/46/EC transposed into German law by the Federal Data Protection Act (BDSG)

Sect. 9 / Annex 1 to sec. 9 BDSG requires data processors/controllers to implement adequate technical and organisational measures for data security, in particular:

1. Access control: Preventing unauthorised persons gaining access to data processing systems; preventing data processing systems from being used without authorisation; ensuring that authorised persons can only access data they are authorised to access.

2. Disclosure control: Ensuring that data cannot be read, copied, etc. during electronic transfer or recording; ensuring transparency as to which bodies data will be transferred to.

3. Input control: Ensuring possibility to trace alteration or deletion of data.

4. Job control: Ensuring, in case of commissioned data processing, compliance with the controller’s instructions

5. Availability control: Ensuring personal data is protected against accidental destruction or loss

WHEN DO WE NEED TO NOTIFY TO DATA PROTECTION AUTHORITY (DPA) AND INFORM DATA SUBJECT?

- Unlawful disclosure of special categories of personal data (e.g. ethnic heritage, religious beliefs, data referring to criminal offences or subject to professional secrecy)
- Threatening serious harm to the rights or legitimate interests of data subjects

General notification obligation to DPA and Data Subject, applicable to all private bodies and certain public bodies (Sect. 42a BDSG):

Information to DPA:
- Without undue delay
- Nature of the disclosure and possible harmful consequences

Information to Data Subject:
- Without undue delay, as soon as data is secured and criminal investigation is not endangered
- Nature of the disclosure; recommendations to minimise possible harm

ENFORCEMENT BY THE DPAS IN GERMANY

German DPAs may (Sect. 38 BDSG):

- Monitor the implementation of the BDSG and other provisions on data protection matters including Right to request information by processors and Right to enter the property and premises for inspections
- Notify data subjects in case of violation and report to prosecution authorities
- Order measures to remedy violations (e.g. prohibiting data processing)
- Raise fines up to EUR 300,000 in case of intended or negligent violation of certain provisions of the BDSG or other regulations on data protection (Sect. 43 BDSG)

ENFORCEMENT TRENDS

- There still is no common code of practice among DPAs, which leads to varying practices in different German states (“Länder”).
- In the past, German DPAs were not very strict in enforcing data protection laws by raising fines.

Example 1: Google StreetView (2008-2010):
- Google provides panorama pictures for ‘Street View’
- While taking these pictures, surrounding WiFi data were scanned accidentally
- Competent DPA (Hamburg) raised fine of EUR 145,000

Example 2: AOL Server Breakdown (2014):
- Server Breakdown caused a leak of 500,000 user access data sets
- Stolen data was used for spam-mail wave
- Provider did not notify breach to DPA but informed users
- Presumably no action by competent DPA

NUMBERS AND TABLES

- No absolute numbers on breaches and notifications; all DPAs are obliged to publish data protection reports, but they vary and can hardly be compared
- Statement of Federal Commissioner for Data Protection:
  - March 2011 – October 2013: 501 notifications in total
  - TelCom Sector:
    - 2012: 27 notifications
    - 2013: 66 notifications

FUTURE DEVELOPMENTS

- Federal Commissioner for Data Protection endorses stricter enforcement of data protection, especially in the telecommunications sector
- Legislative framework:
  - Draft version of a German Regulation for IT-Security
  - Draft EU Regulation

Personal Data Breaches and Notifications – The French perspective

LEGISLATIVE REQUIREMENTS

- Directive 95/46/EC implemented in August 2004 into the French Data Protection Act of 1978
- Directive 2009/136/EC “ePrivacy” implementing data breach requirements in August 2010

“Breach of personal data” - The French definition and scope

- Any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure or unauthorised access to personal data processed in the context of providing electronic communication services to the public.
- Data breach notifications are only required from telco operators and internet access providers
- For any breach of personal data processed “by electronic communication service providers operating electronic communication networks with open public access.”

LEGISLATIVE REQUIREMENTS

Two categories of notifications

1. To the French DPA

- Within 24 hours of the effective knowledge, through an electronic procedure, whatever the potential impact of the breach of personal data
  - Notify at least the existence of the breach
- Within 72 hours of the effective knowledge, through an electronic procedure, describing the breach in detail:
  - Categories of data breached,
  - Origin, specificities and duration of the breach,
  - Security measures and patches implemented,
  - Potential impact on the privacy of the “affected parties”,
  - Spontaneous information of the “affected parties”.

LEGISLATIVE REQUIREMENTS

Two categories of notifications

2. To the “affected parties”

If said breach is likely to breach personal data security or the privacy of a subscriber or any other individual.

Unless the French DPA has found that appropriate protection measures have been implemented by the service provider to ensure that the personal data are made undecipherable to any unauthorised individuals and have been applied to the data affected by said breach.

Failing this, the French DPA may serve the service provider with a formal notice to inform the “affected parties” as well, after investigating the severity of the breach.

LEGISLATIVE REQUIREMENTS

Recording of all breaches

Each provider of electronic communication services must keep and make available to the French DPA upon request, an updated record of all breaches of personal data, listing the conditions, effects and measures taken as remedies.

ANALYSIS PERFORMED BY THE FRENCH DPA

The DPA has up to two months to:
- Consider the potential impacts of the breach on data security and privacy protection;
- Estimate whether security measures implemented before the breach were appropriate;
- Evaluate whether information measures taken towards the "affected parties" were sufficient.

ENFORCEMENT

The DPA may:
- Require the company (Telcos and ISPs) to inform “affected parties” or the general public.
- Apply any administrative fine up to €150,000
  - After an adversarial public or closed procedure where the company may be assisted by its counsel.
- Publish a description of the breach: on its website, or on any appropriate medium at the company’s expense.
- Publish whole or part of the ruling against the company on its website, or on any appropriate medium at the company’s expense.

ENFORCEMENT

As of now:
- 7 condemnations in 2013
- 29 condemnations in 2014
- Fines between €20,000 and €100,000 (max.)
- The French DPA has almost systematically been publishing its rulings regarding data breaches

During 2015:
- A draft bill will be discussed starting June 2015:
  - extending data breach notification requirements to any data controller or processor, in any sector (public or private)
  - providing for penalties up to: €1,000,000, or 2% of the global annual turnover, whichever is higher.

New Draft EU Data Protection Regulation – Mandatory Data Breach Notification

INTRODUCTION

Draft EU Data Protection Regulation COM(2012)0011 – C7-0025/2012 – 2012/0011(COD); draft version published by Commission in 2012, adopted by European Parliament in March 2014; shall replace the Data Protection Directive 95/46/EC

What are the goals?

Protection of individuals with regard to the processing of personal data

Free movement of personal data

Protection of the fundamental rights and freedoms of natural persons

Details: transfer of personal data to third countries or international organisations; mandatory data protection officer; role of independent supervisory authorities; co-operation and consistency; remedies, liability and sanctions

THE "DATA BREACH" REGULATION 2013/611

“Electronic communications service providers” must report any personal data breach to the relevant national data protection authorities and, as the case may be, to the data subjects themselves.

The notification requirement targets Internet service providers and telco operators. Email service providers are not impacted… yet.

The draft Privacy Regulation will extend data breach notification to any controller (expected in 2016)

Non-compliance with the notification requirement is subject to criminal sanctions

MANDATORY NOTIFICATION OBLIGATION - DETAILS

Art. 31: Notification
- Who has to notify? All data processors and commissioned data processors
- To whom? Data processors to the competent DPA; commissioned data processors to data processor
- Reason? Personal data breach

Art. 32: Communication
- Who has to communicate? All data processors
- To whom? Data subject
- Reason? Personal data breach is likely to adversely affect the protection of personal data or privacy

MANDATORY NOTIFICATION OBLIGATION - DETAILS

Art. 31: Notification
- When has to be notified? Without undue delay and where feasible not later than 24 hours after having become aware of the breach
- What has to be notified? Nature and consequences of the breach, contact information, measures to mitigate possible adverse effects

Art. 32: Communication
- When has to be communicated? After notification to DPA without undue delay
- What has to be communicated? Nature of the breach and measures to mitigate the possible adverse effects

ENFORCEMENT

Competent supervisory authority may sanction administrative offences

Amount of fine shall depend on the technical and organisational measures implemented and on the collaboration with the supervisory authority

Fine can be fixed up to EUR 100,000,000 or 5 % of annual worldwide turnover, whichever is higher

Next Cyber Risk webinar
Insuring against Cyber Risks: What are the options, and how can you maximize coverage?
25 February 2015 16:30 GMT, 11:30 EST, 08:30 PST
