In the era of big data and privacy protection, personal data, privacy and information autonomy are being debated around the world. Personal data is also part of an organisation's information assets, so it falls within the protection scope of information security. Information security as a whole is built on interlocking security management measures. By the "barrel theory" (the shortest stave sets the water level), there is no 100%, drip-proof protection: the weaknesses that may be attacked must be strengthened continuously, and the mechanisms for preventing, responding to and handling incidents are an important part of those management measures.
This paper therefore takes the position of a transnational enterprise and describes how to stay compliant when the company must follow different data protection laws in different jurisdictions, in particular in East Asia and Europe: Japan, Taiwan, Thailand and the EU. The first part introduces the basic regulations and legal definitions. The second part introduces the legal requirements for handling a personal data/information breach. The third part presents data breach cases from the four jurisdictions and shows how other enterprises handled the crisis. Did all of their incident responses comply with the applicable data protection law? How can a transnational enterprise handle such a crisis lawfully and ensure compliance? The paper closes with advice for companies.
[CB20] Privacy protection and Data breach incident response regulation in East Asia and Europe by Joy Ho and Vic Huang
1. Privacy protection and Data breach incident response regulation in East Asia and Europe
- Joy Ho & Vic Huang -
2. Whoami
Vic Huang: LINE Corporation / Application Security Engineer
• Web Security
• Blockchain Security
Joy Ho: LINE Corporation / Privacy Counsel
• Information Security
• Data protection
3. Agenda
• Introduction of the personal data/information definitions in East Asia and Europe
• Comparison of data breach incident response regulation
• Data breach incidents in the real world
• Suggestions for data breach incident response
Image: Dadiani Fine Art
4. Issues
1. What should a transnational enterprise do when a personal data breach has happened?
2. How should the company interact with the data subjects?
3. Does the company have a legal obligation to report the data breach to governmental authorities or any other stakeholders?
4. What are the international trends in incident response mechanisms?
5. Definition of Personal Data in East Asia and Europe
• Taiwan, Art. 2(1) of the PDPA: "…any other information that may be used to directly or indirectly identify a natural person"
• Japan, Art. 2(1) of the Act on the Protection of Personal Information (APPI): "information about a living individual which can identify the specific individual by the name, date of birth or other description contained in the information (including information that can be collated with other information and thereby identify the specific individual)"
6. Definition of Personal Data in East Asia and Europe (continued)
• EU, Art. 4(1) of the GDPR: "any information relating to an identified or identifiable natural person ('data subject')"
• Thailand, PDPA: "any information relating to a Person, which enables the identification of a Person, whether directly or indirectly, but does not include the information of deceased Persons"
7. Regulation of Personal Data Breach
• Taiwan: any personal data is stolen, disclosed, altered, or otherwise infringed upon due to a violation of the PDPA by a government or non-government agency
• Japan: N/A (the law does not define a personal data breach)
• EU: categories of personal data breach: confidentiality breach, availability breach, integrity breach
• Thailand: in the event of a data breach, data controllers must report the breach to the regulator without undue delay, and in any event within 72 hours of becoming aware of it
8. Comparison of data breach incident response regulation: Taiwan
• Related articles: Art. 12 of the TW PDPA; Art. 22 of the Enforcement Rules of the Personal Data Protection Act
• Who must notify: the agencies (institutions) that collect personal data
• When to notify: after the relevant facts of the data breach have been clarified
• To whom: the data subjects
• Content of the notification: 1. the facts pertaining to the data breach; 2. the response measures already adopted
• Exceptional situations (no need to notify): N/A
9. Comparison of data breach incident response regulation: Japan
• Related articles / who must notify / when / to whom / content / exceptions: N/A
• There is no legal requirement to report a data breach incident to the Personal Information Protection Commission (the PPC) or to notify the relevant data subjects.
• However, the PPC has issued a guideline recommending that this notification be made, and it is the market standard practice to report data breach incidents in Japan.
• (This reflects the law at the time of the talk. The amended APPI in force since April 2022 makes reporting to the PPC and notifying data subjects mandatory for specified categories of breach, so a controller with Japanese data subjects should re-check the current rules.)
10. Comparison of data breach incident response regulation: EU
• Related articles: Art. 33 & 34 of the GDPR
• Who must notify: the data controller [Art. 33(1)]; the data processor notifies the controller [Art. 28(3)(f), Art. 33(2)]
• When to notify: the supervisory authority not later than 72 hours after having become aware of the data breach [Art. 33(1)]; the data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms [Art. 34(1)]
• To whom: Art. 33: the supervisory authority; Art. 34: the data subjects
• Content of the notification: 1. the nature of the personal data breach, including the categories and approximate number of data subjects concerned; 2. the name and contact details of the data protection officer or other contact point; 3. the likely consequences of the breach; 4. the measures taken or proposed to be taken
• Exceptional situations (no need to notify the authority): the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
11. Comparison of data breach incident response regulation: Thailand
• Related articles: Art. 37 of the Thailand PDPA
• Who must notify: the data controller
• When to notify: not later than 72 hours after having become aware of the data breach
• To whom: the Office of the Personal Data Protection Committee; the data subjects (when the breach carries a high risk to the rights and freedoms of data subjects)
• Content of the notification: N/A (not specified)
• Exceptional situations (no need to notify): the breach is unlikely to result in a risk to the rights and freedoms of persons (the notification duty is risk-based, as noted on slide 16)
12. Data breach incidents in the real world - TW
Ministry of Civil Service (government)
• Date: 2019.06.22
• Scope: 240,000 government employees from the 2005-2012 promotion lists, including military and NSB personnel: name, personal identification number, address, position
• Local law in effect: yes
• Response: the announcement said the government will improve the protection of personal data in accordance with the law
1111 Job Bank
• Date: 2019.07.18
• Scope: 0.2 million job seekers' data: name, address, phone, email; personal identification number; birth date; company
• Local law in effect: yes
• Response: announcement on the official Facebook page; victims can contact 1111 Job Bank by phone or email
Lion Travel
• Date: 2017.05
• Scope: 0.36 million customers' data
• Local law in effect: no
• Response: announced at a press conference; sent notifications to
13. Data breach incidents in the real world - JP
Mitsubishi Electric
• Date: 2019.06.28 (disclosed 2020.01.20)
• Scope: multiple sets of personal data and internal data: 1,987 job candidates' data; 4,566 employees' survey results; 1,569 retired employees' data; internal data
• Local law in effect: yes
• Response: Mitsubishi Electric announced that it would start notifying the victims and would assign a contact window for victims to handle all related matters
• https://www.mitsubishielectric.co.jp/news/2020/0120-b.pdf
Uniqlo
• Date: 2019.05.10
• Scope: 0.46 million personal records: name, address, phone, email; purchase records; birth date; part of the credit card number
• Local law in effect: yes
• Response: Fast Retailing announced the incident and provided contact windows for victims
14. Data breach incidents in the real world - TH
Toyota
• Date: 2019.3
• Scope: 3.1 million customers' data: name, birthdate, job information
• Local law in effect: no
• Response: related to the attacks on Toyota in Japan; the attack was reportedly attributed to the Vietnam-linked group APT32 ("OceanLotus" or "Cobalt Kitty"); no other information on the incident response was published
TrueMove / iTrueMart
• Date: 2018.04.14
• Scope: a large amount of user personal data exposed in a misconfigured AWS S3 bucket owned by TrueMove: name, personal identification, photo, phone
• Local law in effect: no
• Response: claimed the S3 bucket was owned by a hacker (but closed it immediately); the announcement said they had already notified victims after solving the problem
15. Data breach incidents in the real world - EU
British Airways
• Date: 2018.06 ~ 2018.09
• Scope: 0.43 million customers: name, booking records, payment data (credit card number), address
• Local law in effect: yes
• Response: the announcement said they would notify victims by email as soon as possible
• The final fine (25.85 million USD) is considerably smaller than the £183m (228.75 million USD) that the ICO originally said it intended to issue back in 2019
16. Check the regulations and define the process
• Risk-driven type
• For example, under the GDPR and the Thailand PDPA the notification obligation is based on a risk assessment: if the company can check and establish that the risk is low and the breach would not affect the rights and freedoms of the data subjects, notification is not required. The risk assessment and its evidence should be documented, because it is the company's justification for not notifying.
• Regulation-driven type
• For example, the Taiwan PDPA belongs to this type. Article 12 of the TW PDPA rules that the company must notify the data subjects whenever any so-called data breach occurs. There is no exemption and no consideration of risk.
17. Notification timing in incident response
• NIST incident response life cycle: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity
• SANS incident response process: Preparation; Identification; Containment; Eradication; Recovery; Lessons Learned
• The figure marks two points on these phases: where the incident happened, and where the notification to data subjects takes place.
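The two slides above (the risk-driven versus regulation-driven split and the notification point in the incident-response cycle) can be turned into a runbook step that an incident handler runs as soon as the breach is confirmed. The following Python module is an added illustration written for this page, not tooling from the speakers or from LINE Corporation, and it is not legal advice: it encodes only the rules summarised in the deck's comparison tables (TW PDPA Art. 12, GDPR Art. 33/34, Thailand PDPA Art. 37, and the Japanese position as of the talk, where notification is recommended rather than required). The jurisdiction codes, the `Risk` levels and the `Duty` record are the example's own assumptions. The one point it shows that the tables alone do not is that the GDPR and the Thai PDPA 72-hour clocks both start at the moment of becoming aware, so a single timezone-aware timestamp must drive every deadline.

```python
"""Breach-notification duty resolver for a transnational data controller.

Added example: encodes the obligations from the slide tables so that an
incident-response runbook can compute who must be told and by when.
It is not the speakers' tooling and not legal advice.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Iterable, Optional


class Risk(Enum):
    """Outcome of the risk assessment for the affected data subjects (assumed levels)."""
    UNLIKELY = "unlikely to result in a risk"
    LIKELY = "likely to result in a risk"
    HIGH = "likely to result in a high risk"


@dataclass(frozen=True)
class Duty:
    jurisdiction: str
    recipient: str
    basis: str                    # rule from the deck's comparison tables
    mandatory: bool               # False = recommended practice, not a legal duty
    deadline: Optional[datetime]  # None = "without undue delay" / no fixed clock


def notification_duties(jurisdictions: Iterable[str], aware_at: datetime, risk: Risk) -> list[Duty]:
    """Return the notifications owed for one breach.

    `aware_at` is the moment the controller became aware of the breach. The
    72-hour clocks in the GDPR and the Thai PDPA both start there, so the
    timestamp must be timezone-aware: a naive local time from a Tokyo or
    Brussels ticket would silently shift the deadline by the UTC offset.
    """
    if aware_at.tzinfo is None or aware_at.utcoffset() is None:
        raise ValueError("aware_at must be timezone-aware")
    clock_72h = aware_at + timedelta(hours=72)
    duties: list[Duty] = []
    for j in sorted({code.upper() for code in jurisdictions}):
        if j == "EU":
            # Risk-driven: Art. 33 exempts breaches unlikely to result in a risk;
            # Art. 34 adds the data subjects only at the "high risk" threshold.
            if risk is not Risk.UNLIKELY:
                duties.append(Duty("EU", "supervisory authority", "GDPR Art. 33(1)", True, clock_72h))
            if risk is Risk.HIGH:
                duties.append(Duty("EU", "data subjects", "GDPR Art. 34(1)", True, None))
        elif j == "TH":
            # Risk-driven with the same 72-hour clock; data subjects only at high risk.
            if risk is not Risk.UNLIKELY:
                duties.append(Duty("TH", "Office of the PDPC", "Thailand PDPA Art. 37", True, clock_72h))
            if risk is Risk.HIGH:
                duties.append(Duty("TH", "data subjects", "Thailand PDPA Art. 37", True, None))
        elif j == "TW":
            # Regulation-driven: every breach is notified to the data subjects,
            # with no risk exemption, once the facts have been clarified.
            duties.append(Duty("TW", "data subjects", "TW PDPA Art. 12", True, None))
        elif j == "JP":
            # Position at the time of the talk (2020): no statutory duty,
            # PPC guideline and market practice recommend notification.
            duties.append(Duty("JP", "PPC and data subjects", "PPC guideline (recommended)", False, None))
        else:
            raise ValueError(f"no rule encoded for jurisdiction {j!r}")
    return duties


def earliest_deadline(duties: Iterable[Duty]) -> Optional[datetime]:
    """Tightest fixed deadline across all mandatory duties, or None if there is none."""
    fixed = [d.deadline for d in duties if d.mandatory and d.deadline is not None]
    return min(fixed) if fixed else None


if __name__ == "__main__":
    from datetime import timezone

    # Constructed sample: breach confirmed at 09:00 UTC, data subjects in all four jurisdictions.
    aware = datetime(2020, 10, 29, 9, 0, tzinfo=timezone.utc)
    owed = notification_duties(["EU", "TW", "TH", "JP"], aware, Risk.HIGH)
    for duty in owed:
        when = duty.deadline.isoformat() if duty.deadline else "without undue delay"
        print(f"{duty.jurisdiction}: {duty.recipient} ({duty.basis}) by {when}"
              f"{'' if duty.mandatory else ' [recommended]'}")
    print("earliest fixed deadline:", earliest_deadline(owed))
```

The resolver deliberately refuses naive timestamps and returns `None` as the deadline for "without undue delay" duties rather than inventing a number for them; the Taiwan entry is emitted regardless of the risk level, which is exactly the regulation-driven behaviour the slide describes. When the Japanese rules change (as they did after this talk), only the `"JP"` branch needs updating.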
18. Positive attitude for positive branding
• Almost all data protection laws require data controllers and data processors to provide appropriate security measures in order to prevent the loss, access, use, change, revision, or disclosure of personal data without authorisation.
• An incident response plan is an important part of those "appropriate security measures" for managing data protection and legal compliance.
19. Positive attitude for positive branding (continued)
Win the TRUST of the public
Reference: https://rankingdigitalrights.org/index2019/report/privacy/