SlideShare a Scribd company logo

"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buzz in Europe? What U.S. Companies Should Know"

Cédric Laurant
Cédric Laurant

Cédric Laurant: Presentation at the SecureWorld Web Conference: "Incident Response: Clean Up on Aisle Nine" (29 Nov. 2012) Presentation can be downloaded at http://cedriclaurant.com/about/presentations/, http://blog.cedriclaurant.org and http://security-breaches.com.

BusinessTechnology
1 of 61
SecureWorld Web Conference – Incident Response: Clean Up on Aisle Nine Sponsored by: 1 November 29, 2012 10 AM PST
Moderator Bryan Cline, PhD VP, CSF Development & Implementation, CISO Health Information Trust Alliance (HITRUST) 2
Web Conference Agenda 3 Cédric Laurant, Esq. Attorney Cédric Laurant Law Firm & Ulys David Matthews Director of Incident Response Expedia,Inc. James Colby Vice President Radware
Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buzz in Europe? What U.S. Companies Should Know Cédric Laurant , Esq. Attorney, Cedric Laurant Law Firm & Ulys (Brussels)
www.ulys.net - www.droit-technologie.org 5 SECUREWORLD WEB CONFERENCE: “INCIDENT RESPONSE: CLEAN UP ON AISLE NINE” NOVEMBER 29, 2012 Cédric Laurant Attorney-at-Law, Cabinet Ulys (Brussels) Owner, Cedric Laurant Law Firm “INCIDENT RESPONSE: CLEAN UP ON AISLE NINE”
www.ulys.net - www.droit-technologie.org 6 DATA BREACHES AND THE UPCOMING DATA PROTECTION LEGAL FRAMEWORK: WHAT’S THE BUZZ IN EUROPE? WHAT US COMPANIES SHOULD KNOW As the upcoming EU privacy framework is in the spotlight these days in Brussels, US companies must realize that the new rules will impact their data privacy and information governance obligations, whether they are present in Europe or not.
www.ulys.net - www.droit-technologie.org 7 DATA BREACHES AND THE UPCOMING DATA PROTECTION LEGAL FRAMEWORK: WHAT’S THE BUZZ IN EUROPE? WHAT US COMPANIES SHOULD KNOW From 2015, the European data protection legal framework will change substantially in various ways. What is relevant to know in the context of this web conference is: the scope of application (the rules will apply to US companies even if they are not located in the EU), and the extent of the data security and data breach notification measures.
www.ulys.net - www.droit-technologie.org 8 You’ll learn about: A) whether your company has to care about those rules now, in the short, medium or long term. B) what is likely to change from the current regime. C) the cases in which the data breach notification and data security requirements are different than the ones in the United States and how it is going to change with the revision of the data protection legal framework. D) whether your company should change some of its procedures or policies in place to tackle the new data breach notification requirements. E) some of the solutions that can help your company to be ready for the compliance challenge of the new DP Regulation. F) essential take aways. WHAT’S IN THIS PRESENTATION FOR ME?
www.ulys.net - www.droit-technologie.org 9 A) DOES YOUR COMPANY HAVE TO CARE ABOUT THOSE RULES NOW, IN THE SHORT, MEDIUM OR LONG TERM?
www.ulys.net - www.droit-technologie.org 10 A) DOES YOUR COMPANY HAVE TO CARE ABOUT THOSE RULES NOW, IN THE SHORT, MEDIUM OR LONG TERM? In the short term
www.ulys.net - www.droit-technologie.org 11 i. if your company is a provider of publicly available electronic communications services (telecom company, ISP): notification of data breaches mandatory since June 2011 (check national law of EU Member State where your company is based). ii. if your company is not a provider of publicly available electronic communications services but does business in EU Member State where a law already compels notification of data breaches to all data controllers, regardless of the sector they belong to. As of now, it is still the exception (only a few countries have such laws), until the new DP Regulation enters into force (2015). IN THE SHORT TERM
www.ulys.net - www.droit-technologie.org 12 iii. if your company is not a provider of publicly available electronic communications services, does business in a EU Member State, but in a Member State where a data breach notification law has not been enacted yet, there is still a possibility to be subject to mandatory notification based on whether the interpretation of the country’s general data protection law or regulations, or a strict DPA’s guidelines, mandates or recommends a notification. As of now, it is the case in about 10-15 countries. IN THE SHORT TERM
www.ulys.net - www.droit-technologie.org 13 A) DOES YOUR COMPANY HAVE TO CARE ABOUT THOSE RULES NOW, IN THE SHORT, MEDIUM OR LONG TERM? In the medium term
www.ulys.net - www.droit-technologie.org 14 i. the upcoming Data Protection Regulation is scheduled to enter into force around 2015. No delay for implementation by Member States since it is a Regulation. ii. high impact of a notification to the public because of potential media backlash and impact on reputation on the US subsidiary based in Europe but also on the company based in the US. IN THE MEDIUM TERM
www.ulys.net - www.droit-technologie.org 15 A) DOES YOUR COMPANY HAVE TO CARE ABOUT THOSE RULES NOW, IN THE SHORT, MEDIUM OR LONG TERM? In the medium to long term (3-5 years)
www.ulys.net - www.droit-technologie.org 16 Implementing and delegated acts further specifying the conditions and requirements of the notification of data breaches: may take some time to get drafted by the Commission and expert groups. In the meantime, there is uncertainty due to the lack of Data Protection Authorities’s guidelines on the issue or, if they exist, about which ones will apply in which circumstances. IN THE MEDIUM TO LONG TERM (3-5 YEARS)
www.ulys.net - www.droit-technologie.org 17 B) WHAT ARE THE GENERAL CHANGES THAT ARE LIKELY TO TAKE PLACE BETWEEN THE CURRENT AND UPCOMING DATA PROTECTION LEGAL REGIME?
www.ulys.net - www.droit-technologie.org 18 a. Data Protection Regulation: is still being discussed ⇒⇒⇒⇒ some provisions may still change substantially. Likely timeline of legislative process of the Regulation. B) WHAT ARE THE GENERAL CHANGES THAT ARE LIKELY TO TAKE PLACE BETWEEN THE CURRENT AND UPCOMING DATA PROTECTION LEGAL REGIME?
www.ulys.net - www.droit-technologie.org 19 b. Current regime: i. Scope of application of the General Data Protection Directive (95/46/EC) and updated e-Privacy Directive (2002/58/EC modified by 2009/136/EC) to data controllers. Avoid misconception: Directive applies not only to EU citizens or EU residents but also to the personal data of non-Europeans whose data is processed in the EU and to companies with HQ or suppliers in Europe. ii. Data subject’s right of access: unlike in the US, right is generally more extensive and enables data subject to obtain more information and object to processing, even obtain information about logic governing processing of his personal information if a decision has been made about him automatically. ⇒⇒⇒⇒ take into account when implementing a data breach notification procedure in your company. B) WHAT ARE THE GENERAL CHANGES THAT ARE LIKELY TO TAKE PLACE BETWEEN THE CURRENT AND UPCOMING DATA PROTECTION LEGAL REGIME?
www.ulys.net - www.droit-technologie.org 20 c. Future regime: i. Scope of application: any personal data processed in the EU + any personal data processed by a controller not based in the EU but whose processing activities are directed to or serve to monitor a data subject residing in the EU; ii. Right of access: controller must provide means for electronic request if processes personal data by automated means. Commission may adopt implementing acts for laying down standard forms and specifying standard procedures; also for specifying the standard forms by which controllers, sector by sector, have to provide the information to data subjects, and the procedures for requesting access (for data subjects) and granting (for controllers). B) WHAT ARE THE GENERAL CHANGES THAT ARE LIKELY TO TAKE PLACE BETWEEN THE CURRENT AND UPCOMING DATA PROTECTION LEGAL REGIME?
www.ulys.net - www.droit-technologie.org 21 c. Future regime: iii. Right to be forgotten and to erasure, right to data portability and right to object to processing: consequences on the management of data breaches. iv. Requirement to hire a DPO: role; can be outsourced for SMEs, must be hired internally in the case of companies with more than 250 employees but criterion may change); sanctions will be higher for violations of the DP Reg.; v. Collective redress mechanisms: consequences on the implementation and management of data security measures. B) WHAT ARE THE GENERAL CHANGES THAT ARE LIKELY TO TAKE PLACE BETWEEN THE CURRENT AND UPCOMING DATA PROTECTION LEGAL REGIME?
www.ulys.net - www.droit-technologie.org 22 C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
www.ulys.net - www.droit-technologie.org 23 C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION? SHORT-TERM PERSPECTIVE: what should your company under the current framework (General Data Protection Directive and e- Privacy Directive)?
www.ulys.net - www.droit-technologie.org 24 C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION? Hypothesis: your company is facing a data breach that has EU elements (personal data of individuals living in the EU or subsidiary is located in one or several EU Member States) and wishes to know what are its obligations under the laws of those EU Member States. Issue: whether the law of that EU Member State requires the notification of the breach to go beyond the requirements that your company is already following with its notification under US rules.
www.ulys.net - www.droit-technologie.org 25 Legal analysis: 1. Scope of application: Is it likely that the Member States’ data breach notification legal requirements will apply? C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
www.ulys.net - www.droit-technologie.org 26 Legal analysis: 2. Does that jurisdiction require more than the notification your company has made to the competent authority in the US or to its customers in the United States? It depends on the type of notification involved since some EU Member States currently have different requirements depending on the type of notification involved. Notification to affected customers: one example: if your company did business – or most of it – in Austria, your company would not have to notify customers either in case the data breach only results in non-economic damage, or the potential damage is minor, or the cost of informing all customers would be disproportionate, which must be assessed against the potential damage the breach may cause. Unless you became aware of a “systematic or material misuse of data” that “may cause damage to the data subject”. Notification to the Data Protection Authority: In Ireland, the DPA is applying an extensive “Personal Data Security Breach Code of Practice” that requires that it be notified of any unauthorized disclosure of personal data. C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
www.ulys.net - www.droit-technologie.org 27 Legal analysis: 3. Need to make a risk assessment regarding the potential sanctions for non-compliance in the various EU jurisdictions, some of which require a higher level of notification than the notification already prepared by your company. Example: Spain has one of the most stringent penalty systems in the EU. Under the Spanish Data Protection Act, fines varying between EUR900 to EUR600,000 can be imposed depending on the severity of the breach. The Spanish Criminal Code also establishes criminal offences based on the violation of secrets and breach of privacy, however criminal enforcement is not common. Decisions issuing penalties have actually ranged from EUR6,000 to EUR1,091,822. C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
www.ulys.net - www.droit-technologie.org 28 Follow-up steps your company should adopt after notifying customers or the DPA: Apart from notifying the breach to its affected customers or, if required, to a data protection authority, your company should implement, if it has not done so already, technical and organizational measures that provide for adequate data security (to comply with the general security requirements of the General Data Protection Directive (Art. 17, Dir. 95/46/EC). If compelled to notify the breach to a DPA under the law of a EU Member State (e.g., Ireland), your company may have to demonstrate that it took the appropriate technological protection measures for the data that were breached. If it cannot demonstrate it, the DPA of the concerned jurisdiction, may mandate your company to improve its security measures by implementing the appropriate technical and organizational measures to protect personal data against future accidental or intentional destruction or loss, unauthorized disclosure or access, and all other unlawful forms of processing. C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
www.ulys.net - www.droit-technologie.org 29 Follow-up steps your company should adopt after notifying customers or the DPA: As part of those security measures, there may be the obligation to keep a document called “security document”, as in the case of the Spanish legislation. If your company has customers based in Spain, it will have to document the breach pursuant to the recommendations of the Spanish legislation. Spanish law set out a procedure for management of data breaches, including: i. establishing an internal registry (called “Security Document”) to record the type of incident and the time it occurred or was detected; ii. the effects of the breach; iii. the corrective measures applied; and iv. a record of the individuals notified (if the organization chooses to notify individuals). In practice, the level of information that must be recorded depends on the nature of the personal data concerned. The Spanish DPA is entitled to request to see the Security Document at any time. (Furthermore, Police Forces and Public Offices usually immediately report to the DPA any data breach or loss of personal data that they may be informed about (e.g. when a claim is filed with them).) C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
www.ulys.net - www.droit-technologie.org 30 Follow-up steps your company should adopt after notifying customers or the DPA: Depending on the national law applicable, your company should also inform the other institutions that might be affected by the breach (e.g., banks). C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
www.ulys.net - www.droit-technologie.org 31 C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION? MEDIUM-TERM PERSPECTIVE (from 2015): Under the upcoming framework of the EU Data Protection Regulation
www.ulys.net - www.droit-technologie.org 32 Obligation to maintain appropriate technical and organizational security measures has been further specified (Art. 27 (v51)). Commission may issue delegated acts to further specify criteria and conditions for the security measures to take, state of the art, sector by sector, and for specific data processing situations, taking into account data protection by design and by default concepts. Importance of risk assessment. MEDIUM-TERM PERSPECTIVE (FROM 2015): UNDER THE UPCOMING FRAMEWORK OF THE EU DATA PROTECTION REGULATION
www.ulys.net - www.droit-technologie.org 33 Data protection by design and by default (Art. 21A (v51)). Commission may issue delegated and implementing acts in order to specify criteria and requirements for the appropriate measures and mechanisms, e.g. privacy-by- design requirements applicable across sectors, products and services; and technical standards. Documentation requirements of controllers and processors (Art. 25 (v51)). Commission may issue delegated and implementing acts to specify documentation requirements further and establish standard forms. MEDIUM-TERM PERSPECTIVE (FROM 2015): UNDER THE UPCOMING FRAMEWORK OF THE EU DATA PROTECTION REGULATION
www.ulys.net - www.droit-technologie.org 34 General obligation of notification of a personal data breach: Breach of personal data. To the DPA (Art. 28 (v51)): “without undue delay”, “not later than 24 hours after the breach has been established. Contents of notification: in addition to classical requirements under the most common US state data breach notification requirements: communication of the company’s DPO or contact point; measures recommended to mitigate possible adverse effects of the breach; consequences of the breach. Obligation to document all breaches. Commission may issue delegated acts to further specify requirements for establishing the breach and the circumstance sin which a controller and processor is required to notify the breach, and implementing acts to specify standard format of the notification, procedures, form and modalities of the documentation requirements. MEDIUM-TERM PERSPECTIVE (FROM 2015): UNDER THE UPCOMING FRAMEWORK OF THE EU DATA PROTECTION REGULATION
www.ulys.net - www.droit-technologie.org 35 General obligation of notification of a personal data breach: To the data subject (Art. 29 (v51)): Criterion: “when the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject”. “Without undue delay and, as a rule, not later than 24 hours after the breach has been established by the controller.” Contents of the communication: nature of breach including categories and number of data subjects concerned and categories and number of data concerned, communication of the company’s DPO or contact point; measures recommended to mitigate possible adverse effects of the breach. MEDIUM-TERM PERSPECTIVE (FROM 2015): UNDER THE UPCOMING FRAMEWORK OF THE EU DATA PROTECTION REGULATION
www.ulys.net - www.droit-technologie.org 36 General obligation of notification of a personal data breach: To the data subject (Art. 29 (v51)): NOT required when controller has demonstrated to DPA that it has implemented “appropriate technological protection measures”; such measures must render data unintelligible to any person not authorized to access it. Commission may issue delegated acts to further specify the criteria and requirements as to the circumstances in which the breach is likely to adversely affect the data subject’s personal data;, and may issue implementing acts to specify the format of the communication to the data subject. MEDIUM-TERM PERSPECTIVE (FROM 2015): UNDER THE UPCOMING FRAMEWORK OF THE EU DATA PROTECTION REGULATION
www.ulys.net - www.droit-technologie.org 37 D) SHOULD YOUR COMPANY CHANGE SOME OF THE PROCEDURES OR POLICIES IT HAS IN PLACE IN ORDER TO TACKLE THE NEW DATA SECURITY AND BREACH NOTIFICATION REQUIREMENTS OF THE UPCOMING DATA PROTECTION REGULATION?
www.ulys.net - www.droit-technologie.org 38 D) SHOULD YOUR COMPANY CHANGE SOME OF THE PROCEDURES OR POLICIES IT HAS IN PLACE IN ORDER TO TACKLE THE NEW DATA SECURITY AND BREACH NOTIFICATION REQUIREMENTS OF THE UPCOMING DATA PROTECTION REGULATION? Gradually adapt the internal documentation your company keeps about the implementation of its data security and breach notification measures to the requirements of the upcoming Data Protection Regulation. Think of hiring soon a Data Protection Officer if your company comes within the scope of application of the Data Protection Regulation. Integrate the concept “privacy by design” within the management of data security measures.
www.ulys.net - www.droit-technologie.org 39 D) SHOULD YOUR COMPANY CHANGE SOME OF THE PROCEDURES OR POLICIES IT HAS IN PLACE IN ORDER TO TACKLE THE NEW DATA SECURITY AND BREACH NOTIFICATION REQUIREMENTS OF THE UPCOMING DATA PROTECTION REGULATION? Start by using the breach notification rules that are currently applicable to your company in the US in the same way to your company’s subsidiaries in the EU. In case one of your company’s subsidiary is not based in the EU but targets its products and services to EU-based consumers or clients, start applying the same breach notification rules but making sure to gradually adapt them to make them comply with the upcoming EU requirements of the Data Protection Regulation.
www.ulys.net - www.droit-technologie.org 40 D) SHOULD YOUR COMPANY CHANGE SOME OF THE PROCEDURES OR POLICIES IT HAS IN PLACE IN ORDER TO TACKLE THE NEW DATA SECURITY AND BREACH NOTIFICATION REQUIREMENTS OF THE UPCOMING DATA PROTECTION REGULATION? Be ready to put in place a way for data subjects residing in the EU and whose personal data your company is processing to get a detailed access to their personal data, according to the upcoming EU requirements of the Data Protection Regulation.
www.ulys.net - www.droit-technologie.org 41 E) WHAT ARE SOME OF THE SOLUTIONS THAT CAN HELP YOUR COMPANY BE READY FOR THE COMPLIANCE CHALLENGE OF THE NEW DP REGULATION?
www.ulys.net - www.droit-technologie.org 42 Visualization tools: data breach charts and maps. E) WHAT ARE SOME OF THE SOLUTIONS THAT CAN HELP YOUR COMPANY BE READY FOR THE COMPLIANCE CHALLENGE OF THE NEW DP REGULATION?
www.ulys.net - www.droit-technologie.org 43 Visualization tools: data breach charts and maps. E) WHAT ARE SOME OF THE SOLUTIONS THAT CAN HELP YOUR COMPANY BE READY FOR THE COMPLIANCE CHALLENGE OF THE NEW DP REGULATION?
www.ulys.net - www.droit-technologie.org 4444 http://databreachmaps.com
www.ulys.net - www.droit-technologie.org 4545 http://databreachmaps.com
www.ulys.net - www.droit-technologie.org 4646 http://databreachmaps.com
www.ulys.net - www.droit-technologie.org 4747 http://databreachmaps.com
www.ulys.net - www.droit-technologie.org 4848 http://databreachmaps.com
www.ulys.net - www.droit-technologie.org 49 Hire a DPO in the European Member State where your company does most of its business or is established. That DPO does not have to be hired internally but its functions can be outsourced (e.g., to a law firm or a consulting firm). E) WHAT ARE SOME OF THE SOLUTIONS THAT CAN HELP YOUR COMPANY BE READY FOR THE COMPLIANCE CHALLENGE OF THE NEW DP REGULATION?
www.ulys.net - www.droit-technologie.org 50 F) OUR ESSENTIAL TAKE AWAYS
www.ulys.net - www.droit-technologie.org 51 F) OUR ESSENTIAL TAKE AWAYS 1. The Data Protection Regulation will not necessarily mean less bureaucracy (examples: DPO hiring requirement, prior consultation necessary for highly sensitive data processing activities (e.g., to assess risk); administrative process may actually take longer in certain cases; need to constitute internal documentation demonstrating compliance).
www.ulys.net - www.droit-technologie.org 52 F) OUR ESSENTIAL TAKE AWAYS 2. Understand the future risks related to having to notify the European public of security breaches under the upcoming Data Protection Regulation: media backlash, detrimental impact on company’s reputation in the EU, potential complaints (before national DPA) or litigation (before the EU Member State’s national courts), or even collective redress litigation. Understand these risks, then get ready to address them within your company: compliance with the new rules, adequate communication strategy, EU-specific incident response strategy in place.
www.ulys.net - www.droit-technologie.org 53 F) OUR ESSENTIAL TAKE AWAYS 3. If your company comes within the scope of application of the Data Protection Regulation, it may become necessary to think of hiring – internally or externally – a Data Protection Officer.
www.ulys.net - www.droit-technologie.org 54 F) OUR ESSENTIAL TAKE AWAYS 4. Assess how tough is the DPA in its enforcement actions in the EU country where your company’s subsidiary is based or doing business (e.g., does it frequently raid or audit companies for data protection violations?; how heavy is its sanctioning power?).
www.ulys.net - www.droit-technologie.org 55 F) OUR ESSENTIAL TAKE AWAYS 5. Understand what is still uncertain about the upcoming data protection regime, and what is most likely to become mandatory; what will be enforceable right away, and what will not. Through a gap analysis, address which data security and data breach notification management measures are left for your company to implement.
www.ulys.net - www.droit-technologie.org 56 Cédric Laurant • Owner, Cedric Laurant Law Firm (http://cedriclaurant.com) • Attorney-at-Law, Cabinet ULYS (Brussels) (http://www.ulys.net) • Editor, Blog “Information Security Breaches & The Law” - http://security-breaches.com • Twitter: @cedric_laurant & @security_breach • E-mail: cedric.laurant [at] ulys [dot] net & [c [at] cedriclaurant [dot] com.
www.ulys.net - www.droit-technologie.org 57 New Technologies, Privacy & ICT Intellectual Property Cinema, Media & Entertainment E-Payment, E-Finance & Internet Banking Sport & Gaming Commercial Law ULYS, a Modern and Human Law Firm, Dedicated to Innovation ! THANK YOU FOR YOUR ATTENTION ! AREASOFEXPERTISE Cédric Laurant Attorney-at-Law, Cabinet Ulys (Brussels) (Member of the Brussels and District of Columbia Bars) [cedric.laurant [at] ulys [dot] net] “INCIDENT RESPONSE: CLEAN UP ON AISLE NINE”
www.ulys.net - www.droit-technologie.org 58 Presentation (pdf) available at: http://cedriclaurant.com & http://www.ulys.net On-demand version of the web conference is available at: https://attendee.gotowebinar.com/re cording/6643082475935128320
Open Discussion 91 Cédric Laurant, Esq. Attorney Cédric Laurant Law Firm & Ulys (Brussels) David Matthews Director of Incident Response Expedia,Inc. James Colby Vice President Radware
Closing Remarks Dr. Bryan Cline CISO HITRUST Alliance on Incident Response 92
Thank you, Radware, for making today’s program possible! Join us again January 31st, 2013 Budgeting for Governance, Risk, and Compliance Visit SecureWorldPost.com for the latest security news and blogs from industry leaders. Thank you for joining today’s web conference. 93

Recommended

Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...Andrea Omicini
 
Legal issues in technology
Legal issues in technologyLegal issues in technology
Legal issues in technologyEzraGray1
 
Research on Legal Protection of Data Rights of E Commerce Platform Operators
Research on Legal Protection of Data Rights of E Commerce Platform OperatorsResearch on Legal Protection of Data Rights of E Commerce Platform Operators
Research on Legal Protection of Data Rights of E Commerce Platform OperatorsYogeshIJTSRD
 
Information governance a_necessity_in_to
Information governance a_necessity_in_toInformation governance a_necessity_in_to
Information governance a_necessity_in_toAnne ndolo
 
KLL4328
KLL4328 KLL4328
KLL4328 KLIBEL
 
LAK16 privacy and analytics (2016)
LAK16 privacy and analytics (2016)LAK16 privacy and analytics (2016)
LAK16 privacy and analytics (2016)Wolfgang Greller
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalDr. Donald Macfarlane
 
Research on Electronic Commerce Platform Consumer Data Rights and Legal Prote...
Research on Electronic Commerce Platform Consumer Data Rights and Legal Prote...Research on Electronic Commerce Platform Consumer Data Rights and Legal Prote...
Research on Electronic Commerce Platform Consumer Data Rights and Legal Prote...YogeshIJTSRD
 

Recommended

Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS...Andrea Omicini
 
Legal issues in technology
Legal issues in technologyLegal issues in technology
Legal issues in technologyEzraGray1
 
Research on Legal Protection of Data Rights of E Commerce Platform Operators
Research on Legal Protection of Data Rights of E Commerce Platform OperatorsResearch on Legal Protection of Data Rights of E Commerce Platform Operators
Research on Legal Protection of Data Rights of E Commerce Platform OperatorsYogeshIJTSRD
 
Information governance a_necessity_in_to
Information governance a_necessity_in_toInformation governance a_necessity_in_to
Information governance a_necessity_in_toAnne ndolo
 
KLL4328
KLL4328 KLL4328
KLL4328 KLIBEL
 
LAK16 privacy and analytics (2016)
LAK16 privacy and analytics (2016)LAK16 privacy and analytics (2016)
LAK16 privacy and analytics (2016)Wolfgang Greller
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalDr. Donald Macfarlane
 
Research on Electronic Commerce Platform Consumer Data Rights and Legal Prote...
Research on Electronic Commerce Platform Consumer Data Rights and Legal Prote...Research on Electronic Commerce Platform Consumer Data Rights and Legal Prote...
Research on Electronic Commerce Platform Consumer Data Rights and Legal Prote...YogeshIJTSRD
 
Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...
Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...
Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...YogeshIJTSRD
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in IndiaHome
 
Relationship between data protection and m&a (1)
Relationship between data protection and m&a (1)Relationship between data protection and m&a (1)
Relationship between data protection and m&a (1)Ashish vishal
 
E Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal ProtectionE Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal Protectionijtsrd
 
S719a
S719aS719a
S719aecommerce
 
Consumer Privacy
Consumer PrivacyConsumer Privacy
Consumer PrivacyAshish Jain
 
Cybersecurity and Data Privacy
Cybersecurity and Data PrivacyCybersecurity and Data Privacy
Cybersecurity and Data PrivacyWilmerHale
 
Technology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformationTechnology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformationat MicroFocus Italy ❖✔
 
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningArtificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningPolsinelli PC
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingJes Breslaw
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.Matthias Dobbelaere-Welvaert
 
Smart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislationSmart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislationcaniceconsulting
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraRapid7
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...IDC4EU
 
Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Ian Beckett
 
IT Security in Higher Education
IT Security in Higher EducationIT Security in Higher Education
IT Security in Higher EducationRapid7
 
Gdpr in a nutshell
Gdpr in a nutshellGdpr in a nutshell
Gdpr in a nutshellMatthew Butler
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT worksMorris Dorfer
 
Advanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionAdvanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionUlf Mattsson
 
Rapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7
 
Coursera AC3GAZUZUBPH
Coursera AC3GAZUZUBPHCoursera AC3GAZUZUBPH
Coursera AC3GAZUZUBPHWilson Wu
 
Proclamation juin 2011
Proclamation juin 2011Proclamation juin 2011
Proclamation juin 2011Institut Supérieur Européen Charles Péguy
 

More Related Content

What's hot

Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...
Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...
Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...YogeshIJTSRD
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in IndiaHome
 
Relationship between data protection and m&a (1)
Relationship between data protection and m&a (1)Relationship between data protection and m&a (1)
Relationship between data protection and m&a (1)Ashish vishal
 
E Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal ProtectionE Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal Protectionijtsrd
 
Consumer Privacy
Consumer PrivacyConsumer Privacy
Consumer PrivacyAshish Jain
 
Cybersecurity and Data Privacy
Cybersecurity and Data PrivacyCybersecurity and Data Privacy
Cybersecurity and Data PrivacyWilmerHale
 
Technology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformationTechnology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformationat MicroFocus Italy ❖✔
 
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningArtificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningPolsinelli PC
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingJes Breslaw
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.Matthias Dobbelaere-Welvaert
 
Smart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislationSmart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislationcaniceconsulting
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraRapid7
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...IDC4EU
 
Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Ian Beckett
 
IT Security in Higher Education
IT Security in Higher EducationIT Security in Higher Education
IT Security in Higher EducationRapid7
 
Advanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionAdvanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionUlf Mattsson
 
Rapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7
 

What's hot (20)

Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...
Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...
Research on Legal Protection of Personal Data Privacy of E Commerce Platform ...
 
Data Protection in India
Data Protection in IndiaData Protection in India
Data Protection in India
 
Relationship between data protection and m&a (1)
Relationship between data protection and m&a (1)Relationship between data protection and m&a (1)
Relationship between data protection and m&a (1)
 
E Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal ProtectionE Commerce Platform Data Ownership and Legal Protection
E Commerce Platform Data Ownership and Legal Protection
 
S719a
S719aS719a
S719a
 
Consumer Privacy
Consumer PrivacyConsumer Privacy
Consumer Privacy
 
Cybersecurity and Data Privacy
Cybersecurity and Data PrivacyCybersecurity and Data Privacy
Cybersecurity and Data Privacy
 
Technology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformationTechnology’s role in data protection – the missing link in GDPR transformation
Technology’s role in data protection – the missing link in GDPR transformation
 
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningArtificial Intelligence and Machine Learning
Artificial Intelligence and Machine Learning
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-masking
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.
 
Smart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislationSmart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislation
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH Era
 
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...
 
Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017
 
IT Security in Higher Education
IT Security in Higher EducationIT Security in Higher Education
IT Security in Higher Education
 
Gdpr in a nutshell
Gdpr in a nutshellGdpr in a nutshell
Gdpr in a nutshell
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
 
Advanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionAdvanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protection
 
Rapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government Sector
 

Viewers also liked

Coursera AC3GAZUZUBPH
Coursera AC3GAZUZUBPHCoursera AC3GAZUZUBPH
Coursera AC3GAZUZUBPHWilson Wu
 
Square One All Practice Capability 2015 BLANK
Square One All Practice Capability 2015 BLANKSquare One All Practice Capability 2015 BLANK
Square One All Practice Capability 2015 BLANKMatt Arnold
 
Презентація
ПрезентаціяПрезентація
Презентаціяolenanaumcuk34
 
перезентація
перезентаціяперезентація
перезентаціяolenanaumcuk34
 
Company Profile Emelco Qatar1
Company Profile Emelco Qatar1Company Profile Emelco Qatar1
Company Profile Emelco Qatar1Emad Ali
 
25-летие школы
25-летие школы25-летие школы
25-летие школыalla7
 
Goa beaches go visit goa
Goa beaches go visit goaGoa beaches go visit goa
Goa beaches go visit goaGo Visit Goa
 
Nuestra responsabilidad etica con el pasado
Nuestra responsabilidad etica con el pasadoNuestra responsabilidad etica con el pasado
Nuestra responsabilidad etica con el pasadoEthel Vandergriff
 
Escola moderna do cavaquinho
Escola moderna do cavaquinhoEscola moderna do cavaquinho
Escola moderna do cavaquinhoLeonardo Chaves
 
Documento negociables y no negociables
Documento negociables y no negociablesDocumento negociables y no negociables
Documento negociables y no negociablesodalystaffur
 
Multiscreen UX Design - Developing for a multitude of devices
Multiscreen UX Design - Developing for a multitude of devices Multiscreen UX Design - Developing for a multitude of devices
Multiscreen UX Design - Developing for a multitude of devices Wolfram Nagel
 

Viewers also liked (16)

Coursera AC3GAZUZUBPH
Coursera AC3GAZUZUBPHCoursera AC3GAZUZUBPH
Coursera AC3GAZUZUBPH
 
Proclamation juin 2011
Proclamation juin 2011Proclamation juin 2011
Proclamation juin 2011
 
Square One All Practice Capability 2015 BLANK
Square One All Practice Capability 2015 BLANKSquare One All Practice Capability 2015 BLANK
Square One All Practice Capability 2015 BLANK
 
Презентація
ПрезентаціяПрезентація
Презентація
 
перезентація
перезентаціяперезентація
перезентація
 
Dieta e fertilità
Dieta e fertilitàDieta e fertilità
Dieta e fertilità
 
Company Profile Emelco Qatar1
Company Profile Emelco Qatar1Company Profile Emelco Qatar1
Company Profile Emelco Qatar1
 
урок 5
урок 5урок 5
урок 5
 
25-летие школы
25-летие школы25-летие школы
25-летие школы
 
Goa beaches go visit goa
Goa beaches go visit goaGoa beaches go visit goa
Goa beaches go visit goa
 
Nuestra responsabilidad etica con el pasado
Nuestra responsabilidad etica con el pasadoNuestra responsabilidad etica con el pasado
Nuestra responsabilidad etica con el pasado
 
los peques
los pequeslos peques
los peques
 
урок 13
урок 13урок 13
урок 13
 
Escola moderna do cavaquinho
Escola moderna do cavaquinhoEscola moderna do cavaquinho
Escola moderna do cavaquinho
 
Documento negociables y no negociables
Documento negociables y no negociablesDocumento negociables y no negociables
Documento negociables y no negociables
 
Multiscreen UX Design - Developing for a multitude of devices
Multiscreen UX Design - Developing for a multitude of devices Multiscreen UX Design - Developing for a multitude of devices
Multiscreen UX Design - Developing for a multitude of devices
 

Similar to "Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buzz in Europe? What U.S. Companies Should Know"

Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?Lumension
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...Symantec
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowSymantec
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2Paul Richards
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2Keith Purves
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderThe Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderSymantec
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationIBM Security
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessMark Baker
 
DevOps vs GDPR: How to Comply and Stay Agile
DevOps vs GDPR: How to Comply and Stay AgileDevOps vs GDPR: How to Comply and Stay Agile
DevOps vs GDPR: How to Comply and Stay AgileBen Saunders
 
GDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisGDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisAngad Dayal
 
26 Nov 2013 - Law and Policy Meet the Cloud, by Bernie Trudel [IIC-TRPC Singa...
26 Nov 2013 - Law and Policy Meet the Cloud, by Bernie Trudel [IIC-TRPC Singa...26 Nov 2013 - Law and Policy Meet the Cloud, by Bernie Trudel [IIC-TRPC Singa...
26 Nov 2013 - Law and Policy Meet the Cloud, by Bernie Trudel [IIC-TRPC Singa...accacloud
 
Special Committee review of the Personal Information Protection Act (PIPA): ...
Special Committee review of the Personal Information Protection Act (PIPA): ...Special Committee review of the Personal Information Protection Act (PIPA): ...
Special Committee review of the Personal Information Protection Act (PIPA): ...BC Tech Association
 
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018TRA - Tax Representative Alliance
 
Draft data protection regn 2012
Draft data protection regn 2012Draft data protection regn 2012
Draft data protection regn 2012lilianedwards
 
GDPR - A practical guide
GDPR - A practical guideGDPR - A practical guide
GDPR - A practical guideAngad Dayal
 
Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Dryden Geary
 

Similar to "Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buzz in Europe? What U.S. Companies Should Know" (20)

Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
 
Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?Data Protection Rules are Changing: What Can You Do to Prepare?
Data Protection Rules are Changing: What Can You Do to Prepare?
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t know
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
 
EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2EveryCloud_GDPR_Whitepaper_v2
EveryCloud_GDPR_Whitepaper_v2
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To ConsiderThe Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To Consider
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity Legislation
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
 
DevOps vs GDPR: How to Comply and Stay Agile
DevOps vs GDPR: How to Comply and Stay AgileDevOps vs GDPR: How to Comply and Stay Agile
DevOps vs GDPR: How to Comply and Stay Agile
 
GDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisGDPR A Practical Guide with Varonis
GDPR A Practical Guide with Varonis
 
26 Nov 2013 - Law and Policy Meet the Cloud, by Bernie Trudel [IIC-TRPC Singa...
26 Nov 2013 - Law and Policy Meet the Cloud, by Bernie Trudel [IIC-TRPC Singa...26 Nov 2013 - Law and Policy Meet the Cloud, by Bernie Trudel [IIC-TRPC Singa...
26 Nov 2013 - Law and Policy Meet the Cloud, by Bernie Trudel [IIC-TRPC Singa...
 
EU Data Protection Regulation Skyhigh Networks
EU Data Protection Regulation Skyhigh NetworksEU Data Protection Regulation Skyhigh Networks
EU Data Protection Regulation Skyhigh Networks
 
Special Committee review of the Personal Information Protection Act (PIPA): ...
Special Committee review of the Personal Information Protection Act (PIPA): ...Special Committee review of the Personal Information Protection Act (PIPA): ...
Special Committee review of the Personal Information Protection Act (PIPA): ...
 
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
 
Draft data protection regn 2012
Draft data protection regn 2012Draft data protection regn 2012
Draft data protection regn 2012
 
GDPR - A practical guide
GDPR - A practical guideGDPR - A practical guide
GDPR - A practical guide
 
Is There Sun Behind Those Clouds
Is There Sun Behind Those CloudsIs There Sun Behind Those Clouds
Is There Sun Behind Those Clouds
 
Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Practical Guide to GDPR 2017
Practical Guide to GDPR 2017
 

More from Cédric Laurant

"Retention & Online Search: How Current Challenges for Privacy Become New Thr...
"Retention & Online Search: How Current Challenges for Privacy Become New Thr..."Retention & Online Search: How Current Challenges for Privacy Become New Thr...
"Retention & Online Search: How Current Challenges for Privacy Become New Thr...Cédric Laurant
 
Guía de Privacidad para Hispanohablantes 2012 (Privacy Guide for Spanish Spea...
Guía de Privacidad para Hispanohablantes 2012 (Privacy Guide for Spanish Spea...Guía de Privacidad para Hispanohablantes 2012 (Privacy Guide for Spanish Spea...
Guía de Privacidad para Hispanohablantes 2012 (Privacy Guide for Spanish Spea...Cédric Laurant
 
New Data Protection Laws and Case Law Trends in Central & South America
New Data Protection Laws and Case Law Trends in Central & South AmericaNew Data Protection Laws and Case Law Trends in Central & South America
New Data Protection Laws and Case Law Trends in Central & South AmericaCédric Laurant
 
Perspectivas europeas sobre la protección de los consumidores y usuarios peru...
Perspectivas europeas sobre la protección de los consumidores y usuarios peru...Perspectivas europeas sobre la protección de los consumidores y usuarios peru...
Perspectivas europeas sobre la protección de los consumidores y usuarios peru...Cédric Laurant
 
Uso de las redes sociales en el ámbito laboral y derecho a la protección de l...
Uso de las redes sociales en el ámbito laboral y derecho a la protección de l...Uso de las redes sociales en el ámbito laboral y derecho a la protección de l...
Uso de las redes sociales en el ámbito laboral y derecho a la protección de l...Cédric Laurant
 
Cybercrimes in Europe - Recent Legal and Policy Developments (Fecomercio-SP, ...
Cybercrimes in Europe - Recent Legal and Policy Developments (Fecomercio-SP, ...Cybercrimes in Europe - Recent Legal and Policy Developments (Fecomercio-SP, ...
Cybercrimes in Europe - Recent Legal and Policy Developments (Fecomercio-SP, ...Cédric Laurant
 
Cybercrime Court Decisions from Latin America - Legal and Policy Developments...
Cybercrime Court Decisions from Latin America - Legal and Policy Developments...Cybercrime Court Decisions from Latin America - Legal and Policy Developments...
Cybercrime Court Decisions from Latin America - Legal and Policy Developments...Cédric Laurant
 
The BROAD and EPHR projects (Barcelona, Spain – 27 Feb. 2010)
The BROAD and EPHR projects (Barcelona, Spain – 27 Feb. 2010)The BROAD and EPHR projects (Barcelona, Spain – 27 Feb. 2010)
The BROAD and EPHR projects (Barcelona, Spain – 27 Feb. 2010)Cédric Laurant
 
Recent Privacy and Data Protection Developments in Latin America and Their Im...
Recent Privacy and Data Protection Developments in Latin America and Their Im...Recent Privacy and Data Protection Developments in Latin America and Their Im...
Recent Privacy and Data Protection Developments in Latin America and Their Im...Cédric Laurant
 

More from Cédric Laurant (9)

"Retention & Online Search: How Current Challenges for Privacy Become New Thr...
"Retention & Online Search: How Current Challenges for Privacy Become New Thr..."Retention & Online Search: How Current Challenges for Privacy Become New Thr...
"Retention & Online Search: How Current Challenges for Privacy Become New Thr...
 
Guía de Privacidad para Hispanohablantes 2012 (Privacy Guide for Spanish Spea...
Guía de Privacidad para Hispanohablantes 2012 (Privacy Guide for Spanish Spea...Guía de Privacidad para Hispanohablantes 2012 (Privacy Guide for Spanish Spea...
Guía de Privacidad para Hispanohablantes 2012 (Privacy Guide for Spanish Spea...
 
New Data Protection Laws and Case Law Trends in Central & South America
New Data Protection Laws and Case Law Trends in Central & South AmericaNew Data Protection Laws and Case Law Trends in Central & South America
New Data Protection Laws and Case Law Trends in Central & South America
 
Perspectivas europeas sobre la protección de los consumidores y usuarios peru...
Perspectivas europeas sobre la protección de los consumidores y usuarios peru...Perspectivas europeas sobre la protección de los consumidores y usuarios peru...
Perspectivas europeas sobre la protección de los consumidores y usuarios peru...
 
Uso de las redes sociales en el ámbito laboral y derecho a la protección de l...
Uso de las redes sociales en el ámbito laboral y derecho a la protección de l...Uso de las redes sociales en el ámbito laboral y derecho a la protección de l...
Uso de las redes sociales en el ámbito laboral y derecho a la protección de l...
 
Cybercrimes in Europe - Recent Legal and Policy Developments (Fecomercio-SP, ...
Cybercrimes in Europe - Recent Legal and Policy Developments (Fecomercio-SP, ...Cybercrimes in Europe - Recent Legal and Policy Developments (Fecomercio-SP, ...
Cybercrimes in Europe - Recent Legal and Policy Developments (Fecomercio-SP, ...
 
Cybercrime Court Decisions from Latin America - Legal and Policy Developments...
Cybercrime Court Decisions from Latin America - Legal and Policy Developments...Cybercrime Court Decisions from Latin America - Legal and Policy Developments...
Cybercrime Court Decisions from Latin America - Legal and Policy Developments...
 
The BROAD and EPHR projects (Barcelona, Spain – 27 Feb. 2010)
The BROAD and EPHR projects (Barcelona, Spain – 27 Feb. 2010)The BROAD and EPHR projects (Barcelona, Spain – 27 Feb. 2010)
The BROAD and EPHR projects (Barcelona, Spain – 27 Feb. 2010)
 
Recent Privacy and Data Protection Developments in Latin America and Their Im...
Recent Privacy and Data Protection Developments in Latin America and Their Im...Recent Privacy and Data Protection Developments in Latin America and Their Im...
Recent Privacy and Data Protection Developments in Latin America and Their Im...
 

Recently uploaded

Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditNhtLNguyn9
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024Adnet Communications
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchirictsugar
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...ictsugar
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Servicecallgirls2057
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607dollysharma2066
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 

Recently uploaded (20)

Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCREnjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
Corporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information TechnologyCorporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information Technology
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal audit
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchir
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Call Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North GoaCall Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North Goa
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 

"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buzz in Europe? What U.S. Companies Should Know"

  • 1. SecureWorld Web Conference – Incident Response: Clean Up on Aisle Nine Sponsored by: 1 November 29, 2012 10 AM PST
  • 2. Moderator Bryan Cline, PhD VP, CSF Development & Implementation, CISO Health Information Trust Alliance (HITRUST) 2
  • 3. Web Conference Agenda 3 Cédric Laurant, Esq. Attorney Cédric Laurant Law Firm & Ulys David Matthews Director of Incident Response Expedia,Inc. James Colby Vice President Radware
  • 4. Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buzz in Europe? What U.S. Companies Should Know Cédric Laurant , Esq. Attorney, Cedric Laurant Law Firm & Ulys (Brussels)
  • 5. www.ulys.net - www.droit-technologie.org 5 SECUREWORLD WEB CONFERENCE: “INCIDENT RESPONSE: CLEAN UP ON AISLE NINE” NOVEMBER 29, 2012 Cédric Laurant Attorney-at-Law, Cabinet Ulys (Brussels) Owner, Cedric Laurant Law Firm “INCIDENT RESPONSE: CLEAN UP ON AISLE NINE”
  • 6. www.ulys.net - www.droit-technologie.org 6 DATA BREACHES AND THE UPCOMING DATA PROTECTION LEGAL FRAMEWORK: WHAT’S THE BUZZ IN EUROPE? WHAT US COMPANIES SHOULD KNOW As the upcoming EU privacy framework is in the spotlight these days in Brussels, US companies must realize that the new rules will impact their data privacy and information governance obligations, whether they are present in Europe or not.
  • 7. www.ulys.net - www.droit-technologie.org 7 DATA BREACHES AND THE UPCOMING DATA PROTECTION LEGAL FRAMEWORK: WHAT’S THE BUZZ IN EUROPE? WHAT US COMPANIES SHOULD KNOW From 2015, the European data protection legal framework will change substantially in various ways. What is relevant to know in the context of this web conference is: the scope of application (the rules will apply to US companies even if they are not located in the EU), and the extent of the data security and data breach notification measures.
  • 8. www.ulys.net - www.droit-technologie.org 8 You’ll learn about: A) whether your company has to care about those rules now, in the short, medium or long term. B) what is likely to change from the current regime. C) the cases in which the data breach notification and data security requirements are different than the ones in the United States and how it is going to change with the revision of the data protection legal framework. D) whether your company should change some of its procedures or policies in place to tackle the new data breach notification requirements. E) some of the solutions that can help your company to be ready for the compliance challenge of the new DP Regulation. F) essential take aways. WHAT’S IN THIS PRESENTATION FOR ME?
  • 9. www.ulys.net - www.droit-technologie.org 9 A) DOES YOUR COMPANY HAVE TO CARE ABOUT THOSE RULES NOW, IN THE SHORT, MEDIUM OR LONG TERM?
  • 10. www.ulys.net - www.droit-technologie.org 10 A) DOES YOUR COMPANY HAVE TO CARE ABOUT THOSE RULES NOW, IN THE SHORT, MEDIUM OR LONG TERM? In the short term
  • 11. www.ulys.net - www.droit-technologie.org 11 i. if your company is a provider of publicly available electronic communications services (telecom company, ISP): notification of data breaches mandatory since June 2011 (check national law of EU Member State where your company is based). ii. if your company is not a provider of publicly available electronic communications services but does business in EU Member State where a law already compels notification of data breaches to all data controllers, regardless of the sector they belong to. As of now, it is still the exception (only a few countries have such laws), until the new DP Regulation enters into force (2015). IN THE SHORT TERM
  • 12. www.ulys.net - www.droit-technologie.org 12 iii. if your company is not a provider of publicly available electronic communications services, does business in a EU Member State, but in a Member State where a data breach notification law has not been enacted yet, there is still a possibility to be subject to mandatory notification based on whether the interpretation of the country’s general data protection law or regulations, or a strict DPA’s guidelines, mandates or recommends a notification. As of now, it is the case in about 10-15 countries. IN THE SHORT TERM
  • 13. www.ulys.net - www.droit-technologie.org 13 A) DOES YOUR COMPANY HAVE TO CARE ABOUT THOSE RULES NOW, IN THE SHORT, MEDIUM OR LONG TERM? In the medium term
  • 14. www.ulys.net - www.droit-technologie.org 14 i. the upcoming Data Protection Regulation is scheduled to enter into force around 2015. No delay for implementation by Member States since it is a Regulation. ii. high impact of a notification to the public because of potential media backlash and impact on reputation on the US subsidiary based in Europe but also on the company based in the US. IN THE MEDIUM TERM
  • 15. www.ulys.net - www.droit-technologie.org 15 A) DOES YOUR COMPANY HAVE TO CARE ABOUT THOSE RULES NOW, IN THE SHORT, MEDIUM OR LONG TERM? In the medium to long term (3-5 years)
  • 16. www.ulys.net - www.droit-technologie.org 16 Implementing and delegated acts further specifying the conditions and requirements of the notification of data breaches: may take some time to get drafted by the Commission and expert groups. In the meantime, there is uncertainty due to the lack of Data Protection Authorities’s guidelines on the issue or, if they exist, about which ones will apply in which circumstances. IN THE MEDIUM TO LONG TERM (3-5 YEARS)
  • 17. www.ulys.net - www.droit-technologie.org 17 B) WHAT ARE THE GENERAL CHANGES THAT ARE LIKELY TO TAKE PLACE BETWEEN THE CURRENT AND UPCOMING DATA PROTECTION LEGAL REGIME?
  • 18. www.ulys.net - www.droit-technologie.org 18 a. Data Protection Regulation: is still being discussed ⇒⇒⇒⇒ some provisions may still change substantially. Likely timeline of legislative process of the Regulation. B) WHAT ARE THE GENERAL CHANGES THAT ARE LIKELY TO TAKE PLACE BETWEEN THE CURRENT AND UPCOMING DATA PROTECTION LEGAL REGIME?
  • 19. www.ulys.net - www.droit-technologie.org 19 b. Current regime: i. Scope of application of the General Data Protection Directive (95/46/EC) and updated e-Privacy Directive (2002/58/EC modified by 2009/136/EC) to data controllers. Avoid misconception: Directive applies not only to EU citizens or EU residents but also to the personal data of non-Europeans whose data is processed in the EU and to companies with HQ or suppliers in Europe. ii. Data subject’s right of access: unlike in the US, right is generally more extensive and enables data subject to obtain more information and object to processing, even obtain information about logic governing processing of his personal information if a decision has been made about him automatically. ⇒⇒⇒⇒ take into account when implementing a data breach notification procedure in your company. B) WHAT ARE THE GENERAL CHANGES THAT ARE LIKELY TO TAKE PLACE BETWEEN THE CURRENT AND UPCOMING DATA PROTECTION LEGAL REGIME?
  • 20. www.ulys.net - www.droit-technologie.org 20 c. Future regime: i. Scope of application: any personal data processed in the EU + any personal data processed by a controller not based in the EU but whose processing activities are directed to or serve to monitor a data subject residing in the EU; ii. Right of access: controller must provide means for electronic request if processes personal data by automated means. Commission may adopt implementing acts for laying down standard forms and specifying standard procedures; also for specifying the standard forms by which controllers, sector by sector, have to provide the information to data subjects, and the procedures for requesting access (for data subjects) and granting (for controllers). B) WHAT ARE THE GENERAL CHANGES THAT ARE LIKELY TO TAKE PLACE BETWEEN THE CURRENT AND UPCOMING DATA PROTECTION LEGAL REGIME?
  • 21. www.ulys.net - www.droit-technologie.org 21 c. Future regime: iii. Right to be forgotten and to erasure, right to data portability and right to object to processing: consequences on the management of data breaches. iv. Requirement to hire a DPO: role; can be outsourced for SMEs, must be hired internally in the case of companies with more than 250 employees but criterion may change); sanctions will be higher for violations of the DP Reg.; v. Collective redress mechanisms: consequences on the implementation and management of data security measures. B) WHAT ARE THE GENERAL CHANGES THAT ARE LIKELY TO TAKE PLACE BETWEEN THE CURRENT AND UPCOMING DATA PROTECTION LEGAL REGIME?
  • 22. www.ulys.net - www.droit-technologie.org 22 C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
  • 23. www.ulys.net - www.droit-technologie.org 23 C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION? SHORT-TERM PERSPECTIVE: what should your company under the current framework (General Data Protection Directive and e- Privacy Directive)?
  • 24. www.ulys.net - www.droit-technologie.org 24 C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION? Hypothesis: your company is facing a data breach that has EU elements (personal data of individuals living in the EU or subsidiary is located in one or several EU Member States) and wishes to know what are its obligations under the laws of those EU Member States. Issue: whether the law of that EU Member State requires the notification of the breach to go beyond the requirements that your company is already following with its notification under US rules.
  • 25. www.ulys.net - www.droit-technologie.org 25 Legal analysis: 1. Scope of application: Is it likely that the Member States’ data breach notification legal requirements will apply? C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
  • 26. www.ulys.net - www.droit-technologie.org 26 Legal analysis: 2. Does that jurisdiction require more than the notification your company has made to the competent authority in the US or to its customers in the United States? It depends on the type of notification involved since some EU Member States currently have different requirements depending on the type of notification involved. Notification to affected customers: one example: if your company did business – or most of it – in Austria, your company would not have to notify customers either in case the data breach only results in non-economic damage, or the potential damage is minor, or the cost of informing all customers would be disproportionate, which must be assessed against the potential damage the breach may cause. Unless you became aware of a “systematic or material misuse of data” that “may cause damage to the data subject”. Notification to the Data Protection Authority: In Ireland, the DPA is applying an extensive “Personal Data Security Breach Code of Practice” that requires that it be notified of any unauthorized disclosure of personal data. C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
  • 27. www.ulys.net - www.droit-technologie.org 27 Legal analysis: 3. Need to make a risk assessment regarding the potential sanctions for non-compliance in the various EU jurisdictions, some of which require a higher level of notification than the notification already prepared by your company. Example: Spain has one of the most stringent penalty systems in the EU. Under the Spanish Data Protection Act, fines varying between EUR900 to EUR600,000 can be imposed depending on the severity of the breach. The Spanish Criminal Code also establishes criminal offences based on the violation of secrets and breach of privacy, however criminal enforcement is not common. Decisions issuing penalties have actually ranged from EUR6,000 to EUR1,091,822. C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
  • 28. www.ulys.net - www.droit-technologie.org 28 Follow-up steps your company should adopt after notifying customers or the DPA: Apart from notifying the breach to its affected customers or, if required, to a data protection authority, your company should implement, if it has not done so already, technical and organizational measures that provide for adequate data security (to comply with the general security requirements of the General Data Protection Directive (Art. 17, Dir. 95/46/EC). If compelled to notify the breach to a DPA under the law of a EU Member State (e.g., Ireland), your company may have to demonstrate that it took the appropriate technological protection measures for the data that were breached. If it cannot demonstrate it, the DPA of the concerned jurisdiction, may mandate your company to improve its security measures by implementing the appropriate technical and organizational measures to protect personal data against future accidental or intentional destruction or loss, unauthorized disclosure or access, and all other unlawful forms of processing. C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
  • 29. www.ulys.net - www.droit-technologie.org 29 Follow-up steps your company should adopt after notifying customers or the DPA: As part of those security measures, there may be the obligation to keep a document called “security document”, as in the case of the Spanish legislation. If your company has customers based in Spain, it will have to document the breach pursuant to the recommendations of the Spanish legislation. Spanish law set out a procedure for management of data breaches, including: i. establishing an internal registry (called “Security Document”) to record the type of incident and the time it occurred or was detected; ii. the effects of the breach; iii. the corrective measures applied; and iv. a record of the individuals notified (if the organization chooses to notify individuals). In practice, the level of information that must be recorded depends on the nature of the personal data concerned. The Spanish DPA is entitled to request to see the Security Document at any time. (Furthermore, Police Forces and Public Offices usually immediately report to the DPA any data breach or loss of personal data that they may be informed about (e.g. when a claim is filed with them).) C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
  • 30. www.ulys.net - www.droit-technologie.org 30 Follow-up steps your company should adopt after notifying customers or the DPA: Depending on the national law applicable, your company should also inform the other institutions that might be affected by the breach (e.g., banks). C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION?
  • 31. www.ulys.net - www.droit-technologie.org 31 C) IN WHICH CASES ARE THE REQUIREMENTS DIFFERENT THAN THE ONES IN THE UNITED STATES? HOW IS IT GOING TO CHANGE WITH THE NEW EU DATA PROTECTION REGULATION? MEDIUM-TERM PERSPECTIVE (from 2015): Under the upcoming framework of the EU Data Protection Regulation
  • 32. www.ulys.net - www.droit-technologie.org 32 Obligation to maintain appropriate technical and organizational security measures has been further specified (Art. 27 (v51)). Commission may issue delegated acts to further specify criteria and conditions for the security measures to take, state of the art, sector by sector, and for specific data processing situations, taking into account data protection by design and by default concepts. Importance of risk assessment. MEDIUM-TERM PERSPECTIVE (FROM 2015): UNDER THE UPCOMING FRAMEWORK OF THE EU DATA PROTECTION REGULATION
  • 33. www.ulys.net - www.droit-technologie.org 33 Data protection by design and by default (Art. 21A (v51)). Commission may issue delegated and implementing acts in order to specify criteria and requirements for the appropriate measures and mechanisms, e.g. privacy-by- design requirements applicable across sectors, products and services; and technical standards. Documentation requirements of controllers and processors (Art. 25 (v51)). Commission may issue delegated and implementing acts to specify documentation requirements further and establish standard forms. MEDIUM-TERM PERSPECTIVE (FROM 2015): UNDER THE UPCOMING FRAMEWORK OF THE EU DATA PROTECTION REGULATION
  • 34. www.ulys.net - www.droit-technologie.org 34 General obligation of notification of a personal data breach: Breach of personal data. To the DPA (Art. 28 (v51)): “without undue delay”, “not later than 24 hours after the breach has been established. Contents of notification: in addition to classical requirements under the most common US state data breach notification requirements: communication of the company’s DPO or contact point; measures recommended to mitigate possible adverse effects of the breach; consequences of the breach. Obligation to document all breaches. Commission may issue delegated acts to further specify requirements for establishing the breach and the circumstance sin which a controller and processor is required to notify the breach, and implementing acts to specify standard format of the notification, procedures, form and modalities of the documentation requirements. MEDIUM-TERM PERSPECTIVE (FROM 2015): UNDER THE UPCOMING FRAMEWORK OF THE EU DATA PROTECTION REGULATION
  • 35. www.ulys.net - www.droit-technologie.org 35 General obligation of notification of a personal data breach: To the data subject (Art. 29 (v51)): Criterion: “when the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject”. “Without undue delay and, as a rule, not later than 24 hours after the breach has been established by the controller.” Contents of the communication: nature of breach including categories and number of data subjects concerned and categories and number of data concerned, communication of the company’s DPO or contact point; measures recommended to mitigate possible adverse effects of the breach. MEDIUM-TERM PERSPECTIVE (FROM 2015): UNDER THE UPCOMING FRAMEWORK OF THE EU DATA PROTECTION REGULATION
  • 36. www.ulys.net - www.droit-technologie.org 36 General obligation of notification of a personal data breach: To the data subject (Art. 29 (v51)): NOT required when controller has demonstrated to DPA that it has implemented “appropriate technological protection measures”; such measures must render data unintelligible to any person not authorized to access it. Commission may issue delegated acts to further specify the criteria and requirements as to the circumstances in which the breach is likely to adversely affect the data subject’s personal data;, and may issue implementing acts to specify the format of the communication to the data subject. MEDIUM-TERM PERSPECTIVE (FROM 2015): UNDER THE UPCOMING FRAMEWORK OF THE EU DATA PROTECTION REGULATION
  • 37. www.ulys.net - www.droit-technologie.org 37 D) SHOULD YOUR COMPANY CHANGE SOME OF THE PROCEDURES OR POLICIES IT HAS IN PLACE IN ORDER TO TACKLE THE NEW DATA SECURITY AND BREACH NOTIFICATION REQUIREMENTS OF THE UPCOMING DATA PROTECTION REGULATION?
  • 38. www.ulys.net - www.droit-technologie.org 38 D) SHOULD YOUR COMPANY CHANGE SOME OF THE PROCEDURES OR POLICIES IT HAS IN PLACE IN ORDER TO TACKLE THE NEW DATA SECURITY AND BREACH NOTIFICATION REQUIREMENTS OF THE UPCOMING DATA PROTECTION REGULATION? Gradually adapt the internal documentation your company keeps about the implementation of its data security and breach notification measures to the requirements of the upcoming Data Protection Regulation. Think of hiring soon a Data Protection Officer if your company comes within the scope of application of the Data Protection Regulation. Integrate the concept “privacy by design” within the management of data security measures.
  • 39. www.ulys.net - www.droit-technologie.org 39 D) SHOULD YOUR COMPANY CHANGE SOME OF THE PROCEDURES OR POLICIES IT HAS IN PLACE IN ORDER TO TACKLE THE NEW DATA SECURITY AND BREACH NOTIFICATION REQUIREMENTS OF THE UPCOMING DATA PROTECTION REGULATION? Start by using the breach notification rules that are currently applicable to your company in the US in the same way to your company’s subsidiaries in the EU. In case one of your company’s subsidiary is not based in the EU but targets its products and services to EU-based consumers or clients, start applying the same breach notification rules but making sure to gradually adapt them to make them comply with the upcoming EU requirements of the Data Protection Regulation.
  • 40. www.ulys.net - www.droit-technologie.org 40 D) SHOULD YOUR COMPANY CHANGE SOME OF THE PROCEDURES OR POLICIES IT HAS IN PLACE IN ORDER TO TACKLE THE NEW DATA SECURITY AND BREACH NOTIFICATION REQUIREMENTS OF THE UPCOMING DATA PROTECTION REGULATION? Be ready to put in place a way for data subjects residing in the EU and whose personal data your company is processing to get a detailed access to their personal data, according to the upcoming EU requirements of the Data Protection Regulation.
  • 41. www.ulys.net - www.droit-technologie.org 41 E) WHAT ARE SOME OF THE SOLUTIONS THAT CAN HELP YOUR COMPANY BE READY FOR THE COMPLIANCE CHALLENGE OF THE NEW DP REGULATION?
  • 42. www.ulys.net - www.droit-technologie.org 42 Visualization tools: data breach charts and maps. E) WHAT ARE SOME OF THE SOLUTIONS THAT CAN HELP YOUR COMPANY BE READY FOR THE COMPLIANCE CHALLENGE OF THE NEW DP REGULATION?
  • 43. www.ulys.net - www.droit-technologie.org 43 Visualization tools: data breach charts and maps. E) WHAT ARE SOME OF THE SOLUTIONS THAT CAN HELP YOUR COMPANY BE READY FOR THE COMPLIANCE CHALLENGE OF THE NEW DP REGULATION?
  • 44. www.ulys.net - www.droit-technologie.org 4444 http://databreachmaps.com
  • 45. www.ulys.net - www.droit-technologie.org 4545 http://databreachmaps.com
  • 46. www.ulys.net - www.droit-technologie.org 4646 http://databreachmaps.com
  • 47. www.ulys.net - www.droit-technologie.org 4747 http://databreachmaps.com
  • 48. www.ulys.net - www.droit-technologie.org 4848 http://databreachmaps.com
  • 49. www.ulys.net - www.droit-technologie.org 49 Hire a DPO in the European Member State where your company does most of its business or is established. That DPO does not have to be hired internally but its functions can be outsourced (e.g., to a law firm or a consulting firm). E) WHAT ARE SOME OF THE SOLUTIONS THAT CAN HELP YOUR COMPANY BE READY FOR THE COMPLIANCE CHALLENGE OF THE NEW DP REGULATION?
  • 50. www.ulys.net - www.droit-technologie.org 50 F) OUR ESSENTIAL TAKE AWAYS
  • 51. www.ulys.net - www.droit-technologie.org 51 F) OUR ESSENTIAL TAKE AWAYS 1. The Data Protection Regulation will not necessarily mean less bureaucracy (examples: DPO hiring requirement, prior consultation necessary for highly sensitive data processing activities (e.g., to assess risk); administrative process may actually take longer in certain cases; need to constitute internal documentation demonstrating compliance).
  • 52. www.ulys.net - www.droit-technologie.org 52 F) OUR ESSENTIAL TAKE AWAYS 2. Understand the future risks related to having to notify the European public of security breaches under the upcoming Data Protection Regulation: media backlash, detrimental impact on company’s reputation in the EU, potential complaints (before national DPA) or litigation (before the EU Member State’s national courts), or even collective redress litigation. Understand these risks, then get ready to address them within your company: compliance with the new rules, adequate communication strategy, EU-specific incident response strategy in place.
  • 53. www.ulys.net - www.droit-technologie.org 53 F) OUR ESSENTIAL TAKE AWAYS 3. If your company comes within the scope of application of the Data Protection Regulation, it may become necessary to think of hiring – internally or externally – a Data Protection Officer.
  • 54. www.ulys.net - www.droit-technologie.org 54 F) OUR ESSENTIAL TAKE AWAYS 4. Assess how tough is the DPA in its enforcement actions in the EU country where your company’s subsidiary is based or doing business (e.g., does it frequently raid or audit companies for data protection violations?; how heavy is its sanctioning power?).
  • 55. www.ulys.net - www.droit-technologie.org 55 F) OUR ESSENTIAL TAKE AWAYS 5. Understand what is still uncertain about the upcoming data protection regime, and what is most likely to become mandatory; what will be enforceable right away, and what will not. Through a gap analysis, address which data security and data breach notification management measures are left for your company to implement.
  • 56. www.ulys.net - www.droit-technologie.org 56 Cédric Laurant • Owner, Cedric Laurant Law Firm (http://cedriclaurant.com) • Attorney-at-Law, Cabinet ULYS (Brussels) (http://www.ulys.net) • Editor, Blog “Information Security Breaches & The Law” - http://security-breaches.com • Twitter: @cedric_laurant & @security_breach • E-mail: cedric.laurant [at] ulys [dot] net & [c [at] cedriclaurant [dot] com.
  • 57. www.ulys.net - www.droit-technologie.org 57 New Technologies, Privacy & ICT Intellectual Property Cinema, Media & Entertainment E-Payment, E-Finance & Internet Banking Sport & Gaming Commercial Law ULYS, a Modern and Human Law Firm, Dedicated to Innovation ! THANK YOU FOR YOUR ATTENTION ! AREASOFEXPERTISE Cédric Laurant Attorney-at-Law, Cabinet Ulys (Brussels) (Member of the Brussels and District of Columbia Bars) [cedric.laurant [at] ulys [dot] net] “INCIDENT RESPONSE: CLEAN UP ON AISLE NINE”
  • 58. www.ulys.net - www.droit-technologie.org 58 Presentation (pdf) available at: http://cedriclaurant.com & http://www.ulys.net On-demand version of the web conference is available at: https://attendee.gotowebinar.com/re cording/6643082475935128320
  • 59. Open Discussion 91 Cédric Laurant, Esq. Attorney Cédric Laurant Law Firm & Ulys (Brussels) David Matthews Director of Incident Response Expedia,Inc. James Colby Vice President Radware
  • 60. Closing Remarks Dr. Bryan Cline CISO HITRUST Alliance on Incident Response 92
  • 61. Thank you, Radware, for making today’s program possible! Join us again January 31st, 2013 Budgeting for Governance, Risk, and Compliance Visit SecureWorldPost.com for the latest security news and blogs from industry leaders. Thank you for joining today’s web conference. 93