European Data Protection Reform – 24 hour disclosure or undue delay?

If your company touches any Europeans’ data, you’d better prepare for what’s coming.


The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts on both sides of the Atlantic have expressed deep concerns about some controversial aspects of the incoming rules, which introduce higher fines, 24 hour breach disclosure and a mandatory Data Privacy Officer. The proposed regulation applies to the processing of personal data of data subjects in the EU even where the controller or processor of that data is not established in the EU, so U.S. companies, with or without operations in the EU, that fail to comply with the new rules can face fines of up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization once the regulation is enforced.

 

24 hour disclosure or undue delay?

The new regulation establishes the consumer’s right to know when their data has been “hacked”. Under the initial proposal, companies and organizations had to notify the national supervisory authority of serious data breaches as soon as possible and, where feasible, within 24 hours, so that users could take appropriate measures. Parliament then extended the 24 hour disclosure mandate to 72 hours. The latest draft of the regulation no longer requires the controller to report personal data breaches within a fixed deadline at all, but rather without undue delay (Art. 31 para. 1). Likewise, the processor is no longer obliged to inform the controller of a personal data breach immediately, but only to do so without undue delay (Art. 31 para. 2). This change was necessary: the prior obligation not only lacked the flexibility needed in practice but was also disproportionate. The new wording seems to protect the interests of the data subjects concerned sufficiently.

“It is extremely unlikely that a company is able to analyze the full extent of a data breach and disclose it in 72 hours,” adds Balboni. “We need to consider two situations: one is the notification to the data protection authority, and I think that should be done as soon as possible after you know about it. Then, the data controller should have more time to do all the necessary investigations before being obliged to notify the breach to their customers.”

Leupold is confident that the 24 hour disclosure is gone for good: “The people who drafted it finally realized that it’s unrealistic. I don’t think the 24 hours deadline will be reintroduced in the final version. The without undue delay provision is here to stay, really.” “Without undue delay” is a legal concept that stems from the German term “unverzüglich”. “It means that you’re not hesitating to fulfill your duty to notify a breach, that’s all. Hesitating can mean anything, but two to three days at the longest seem fair to me.”

But how do you define a data breach? And how do you know you’ve been breached? According to Leupold, “Most European companies do not have any incident reporting system. They don’t know when a breach occurred. They just don’t get to know it. As long as they don’t know, they can’t be subject to a fine of course, because they didn’t fulfill their reporting duties.” Also, what if you suspect that a data breach occurred but can’t be sure? Is that enough to trigger the mandatory disclosure, or are you only obliged to report once you know for sure? “This can’t be inferred from the light wording of the regulation, Article 31. I’d say whenever you have a suspicion which is not entirely unfounded but is reasonable, you should report it,” explains Leupold. “In Europe most companies fall victim to Trojans, malware and similar attacks, and don’t even know. The number of companies not knowing is huge. This is an extremely difficult issue.”

According to Snead, “the term ‘breach’ needs to be defined in the contract, meaning that as long as the parties know what a breach means to them, then they can discuss timing and when they need to know. From an enterprise standpoint, negotiating about what a breach is, and then creating a strategy around it, is probably a healthier way to handle this issue than it is to say, ‘Every single breach has to be notified in X number of hours, or days, or whatever.’ That’s the way I tend to approach it in negotiations.”



Coming Next: The enforced Data Privacy Officer – revenue generation for lawyers?

Previous: The 100 million euro fine: outrageous sanctions set a disturbing precedent.

CREDITS

 

Dr. Andreas Leupold LL.M.

IT-Law, Outsourcing, Cloud Computing, Data Protection & Data Security.

Munich, Germany

 

David Snead

Internet Attorney and co-founder of Internet Infrastructure Coalition

Washington D.C. Metro Area

 

Paolo Balboni

Founding Partner at ICT Legal Consulting

Milan Area, Italy

 

European Data Protection Reform – The 100 Million Euro Fine


The 100 million euro fine: outrageous sanctions set a disturbing precedent.

Under the current national European data protection laws enacted or amended in the wake of Directive 95/46/EC, administrative fines are rather limited (in Germany, for example, the maximum fine is €300,000) and rarely imposed at all. The new regulation entails a paradigm change in that it introduces substantial sanctions for non-compliance with the new rules.

European Data Protection Reform – What you should know.


EU regulation vs. U.S. laws: a matter of cultural bias?

The consolidated version of the EU Commission’s proposal for a General Data Protection Regulation following the LIBE Committee vote of October 21, 2013 differs fundamentally from the U.S. approach to the protection of personal data. “Whether one approach is better than the other is a question of data protection culture. You might think that these are two extremes. On the one hand you have very restrictive regulation with higher fines, which are in my opinion over the top. On the other hand, there is so much leeway under the U.S. data protection laws that you can do almost anything as long as it’s not specifically prohibited,” observes Andreas Leupold, the German IT attorney and recipient of the “Lawyer of The Year 2013” award, who advises clients across Germany, England and the U.S.


How secure is Mobile Device Management anyway?

Researchers have successfully breached the Good Technology container. MDM software can only be as secure as the underlying operating system.


As the adoption of smartphones and tablets grows rapidly, one of the biggest challenges facing corporate IT organizations is not the threat of losing the device, which is likely owned by the employee, but the threat of a targeted attack stealing sensitive corporate data stored on it. As a first line of defense, an increasing number of companies rely on Mobile Device Management (MDM) software and secure container solutions to secure and manage corporate data accessed from these devices. However, a recent analysis conducted by Lacoon Mobile Security, presented a few weeks ago at the Black Hat conference in Amsterdam, shows that Good Technology’s secure container, a leading solution in this space, can be breached and corporate email stolen from Apple iOS and Android devices.


BYOD – The Benefits [VIDEO]

IT strategists and commentators alike have been talking about the cost impacts and benefits of the Consumerization of IT for years. However, no-one seems to agree on what’s actually going on out there from a financial perspective. Why? Because no one has managed to formulate an effective framework for measuring the financial impact of consumer-grade technology on the enterprise. IT managers are effectively flying blind with only a vague notion of what to measure and how to measure it.


BYOD – The Hidden Costs [VIDEO]

Executives and IT leaders are struggling to understand the true costs and benefits of IT consumerization, and it’s not difficult to see why. Even a cursory Google search on the subject throws up as many questions as it does conflicting answers. The reason is that no comprehensive research has been conducted into the financial impact of such programs before.

That’s why Trend Micro recently decided to take the bull by the horns and commission Forrester Consulting to conduct a rigorous, scientific study, interviewing over 200 IT leaders in the US, UK, France, and Germany. With the results we have begun to build, for the first time, an accurate picture of what organizations are measuring in their BYOD programs and of the cost impacts, so that IT leaders can begin to formulate an effective cost benefit analysis for themselves.


BYOD: You can’t manage what you don’t measure [VIDEO]

The Consumerization of IT is a trend even the most parochial IT manager has surely heard of by now. It’s sweeping through enterprises across the planet with no regard for legacy, tradition or order and can be seen as either the most exciting or terrifying thing to happen to IT in the past decade, depending on where you stand.

For many IT managers, unfortunately, the prevailing attitude is still “why should I allow it?”. They are clinging on to the old paradigm whereby IT controlled and dictated the purchasing and ongoing management of technology used by employees. This attitude just will not stand any longer – consumerization is happening, and it needs to be managed in as financially efficient a manner as possible.


Webinar: The Financial Impact of BYOD.

An increasing number of organizations allow employees to use personal mobile devices to connect to corporate networks and data for work, the so-called ‘Bring Your Own Device’ phenomenon. However, a recent study by Forrester Consulting reveals that only a few companies measure and understand the actual financial impact of this new IT model, and that even fewer know the true costs and benefits of Consumerization of IT.

Join us on June 27th at 11:00 AM PDT / 2:00 PM EDT for a live webinar with Cesare Garlati, a sought-after expert in enterprise mobility, who will review the findings of the study and discuss:

  • Key factors that compel firms to deploy BYOD programs
  • How IT organizations measure ROI of Consumerization
  • The hidden costs of BYOD and its benefits

Cesare will explain how to develop the financial framework for your BYOD initiative so that you can unlock the full business potential of the Consumerization of IT model.

You will know the bottom line at the end of this discussion!

Video: The Dark Side of BYOD

The Dark Side of BYOD: Privacy, Personal Data Loss and Device Seizure. Many employees don’t understand the implications of using their personal devices for work. Many companies don’t understand that they are in fact liable for the consequences.

 

Thought leadership video taken at the SIIA event All About The Cloud 2013 in San Francisco.

Credits: Montclare – May 2013
Original video http://www.youtube.com/watch?v=DCeqAy…

This post covers the things you always wanted to know about BYOD but were too afraid to ask.

The Financial Impact of Consumerization – Does BYOD make business sense?

One of the less understood aspects of Consumerization is its financial impact on the business. Is your BYOD program in the money?


Studies* show that an increasing number of organizations allow their employees to use personal devices to connect to corporate networks and data for work related activities, the so-called Bring Your Own Device phenomenon. However, a recent study conducted by Forrester Research reveals that only a few companies measure the actual financial impact of this new IT model, and that even fewer have a clear sense of whether Consumerization actually makes good business sense.
