The impact of a breach in data security can be far reaching, with the risk of reputation damage affecting companies of any size. We will consider how to manage a security breach, its wider impact and building an effective cyber security for your infrastructure.

1. Data Security Breach
Knowing the legal risks and protecting your
business
17 March 2016
Paula Barrett
Partner & Head of Privacy & Information
Law

2. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
Paula Barrett
Partner
Paula is the international head of our privacy and
information law group.
With a strong background in information technology law,
Paula has developed extensive experience in data
protection/privacy law domestically and internationally.
She is currently advising on data protection compliance
issues in 80+ countries around the world and both Paula
and our data protection practice are independently
highly ranked by Chambers for their expertise.
Paula's recent experience includes advising clients on:
− their data security breach reporting obligations in the
UK and internationally, including representing clients
in their communications with the ICO and other
regulators
− successfully defending clients in response to proposed
enforcement action by the ICO
− the privacy issues arising from proposed
implementation of cloud computing solutions including
consideration of Patriot Act, ITAR and similar issues
− international data transfers in the wake of the CJEU
Safe Harbor Case, including intra-group and vendor
transfer arrangements
− the data protection compliance steps required to
implement centralised HR and CRM systems and
shared service centres globally in EMEA, North &
South America and Asia-Pacific
− the privacy issues associated with international
investigations including deployment of ethics reporting
hotline and other reporting tools
− on privacy terms for several medical devices
companies for use with clinicians, hospitals and their
patients
− rollout of data loss prevention and workplace
monitoring
− development of apps platforms
− data analytics on and offline
In Chambers, Paula’s clients report that she "cuts
through the issues - she tells you what you need to
know, the options and how to get there." .

3. − Data Security Contexts
− Current law
− Changes under EU GDPR proposals
− DLP and other data security tools
Agenda

4. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
Cyber Security

5. Eversheds LLP |
Where to Start?
Understand the Risks
Prevention
Dealing with Incident
Eversheds LLP | 21/03/2016 |

6. Eversheds LLP |
− Financial information
− Sensitive Personal Data
− Personal Data e.g. customer and staff information
− Intellectual Property
− Other corporate information
Types of Asset to be protected
21/03/2016 |

7. Eversheds LLP |
Legal
Obligations/Risks Data Protection
Sector specific
(e.g. financial
services – Prin 3)
Corporate Duties?
Directors Duties Contractual
Confidentiality (to
others) Negligence
Health & Safety Others?
Understanding Legal Risks
21/03/2016 |

8. Eversheds LLP |
− Recent global survey by Symantec: Half of employees who left or
lost their jobs in the last 12 months kept confidential corporate
data
• 40% plan to use it at their new job
− Top 5 sectors experiencing insider theft or IP, according to the
CERT Insider Threat Center:
• Information Technology (35%)
• Banking and Finance (12%)
• Chemical (11%)
• Critical Manufacturing(10%)
• Commercial Facilities (8%)
Insider Threats
21/03/2016 |

9. Eversheds LLP |
Cases in Europe
“this attack was highly complex and conducted with inside
knowledge of our most secure internal systems.“
Mobile Operator Germany – insider data theft, two million customers affected
“leaks exposed flaws in firm’s user software” and “over 400GB of
data released”
Italian cyber consultancy – employees suspected by police over leaked
company secrets
“Supermarket IT auditor bore grudge over disciplinary
misunderstanding”
UK retail chain – former employee leaks 100,000-record payroll
database
21/03/2016 |

10. Eversheds LLP |
Information
Security?
Compliance?
Legal?
Board?
HR?
marketing
& comms?
finance?
There is a myth that data security
can be addressed solely by IT
In order to succeed you need
partnerships with:
− Management
− Information Security
− Information Technology
− Physical Security
− Legal
− Human Resources
Whose role/responsibility?
21/03/2016 |

11. Current Data Security Law

12. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
− Accidental loss, damage or destruction and also against
− Processing that is unauthorised or unlawful
− Required level depends on:
• nature of data
• harm that might result having regard to:
• “state of technological development”
• “cost of implementing”
There is no “one size fits all” solution – ICO
“Appropriate” measures against personal data’s:
Seventh Data Protection Principle and its Interpretation
(DPA 1998)
Current UK security requirements

13. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
− Organisational as well as technical measures
• (including “taking reasonable steps to ensure the reliability
of any employees … who have access to personal data”)
− Where processing carried out by a Data Processor
• obtain from DP “sufficient guarantees” of their security measures
• take “reasonable steps” to ensure DP complies with the Act
• DP processing to be under written contract with Data Controller
• terms must include DP only acting on DC’s instructions…
• …and must impose on DP requirements at least as strict as the
Act
Specific points where the Act offers detail:
Seventh Data Protection Principle and its Interpretation
(DPA 1998)
Current UK security requirements

14. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
“The security measures that are appropriate for an organisation will depend on its
circumstances” “We cannot provide a complete guide to all aspects of security in all
circumstances”
− encryption:
• “The ICO recommends that portable and mobile devices ... used to store and
transmit personal information, … should be protected using approved encryption
software”
• “There have been a number of reports of laptop computers, containing personal
information which have been stolen … without being protected adequately. The ICO
has formed the view that in future, … where encryption … has not been used …
regulatory action may be pursued.”
• new guidance published March 2016
− security breach reporting - ICO seeks to be notified of all “serious breaches”
“Serious” not defined. ICO suggest assessment of:
data volume, sensitivity and the potential detriment to data subjects
Generally ‘case by case’, but guidance on some points
ICO Guidance
Current UK security requirements

15. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
− Apply to: “service providers”
• e.g. telecoms and internet service providers (excludes “content services” providers)
− Trigger: “personal data breaches”
• defined broadly; no threshold for seriousness
− Notifying the ICO
• within 24hrs (Notification Regulation, Art 2(2))
• if full information not available, initial notification and further info within 3 days (&
then 2 weeks)
− Notifying any users likely to be adversely affected
− Keeping a log of breaches
• sufficient for ICO to verify PECR compliance – including
• facts surrounding each breach, effects and remedial action taken
Privacy and Electronic Communications Regulations 2003
(PECR)
Current UK security breach reporting requirements
Requirements:

16. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
− Some prescriptive levels of detail
• e.g. Poland, Israel – requirements for security policies to cover various prescribed
areas, which must then be complied with, Germany, Italy and Spain specific
controls to be addressed in processor contracts
− Higher standards
• e.g. Germany – references to state of the art encryption technology (compare UK
‘having regard to cost’, and to overall appropriateness given likely harm), Spain
and Italy
− Approaches to breach reporting:
• uncommon to find statutory obligation to proactively report– exists in Germany but
only for sensitive personal data
• ‘implied reporting’: Spain – Security Document must be open for DPA inspection
• Netherlands – new mandatory reporting law 2016
EU approach broadly consistent, but:
Selected departures from the UK approach
Current requirements in other jurisdictions

17. Data Security under GDPR

18. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
− General Data Protection Regulation (“GDPR”) still awaiting final adoption – likely in force from mid 2018
− New security rules apply to controller AND processor
− Appropriate technical and organisational measures to ensure a level of security appropriate to the risk including as
appropriate
• pseudonymisation and encryption
• ability to ensure ongoing confidentiality, integrity, availability and resilience of systems and services
• ability to restore availability and access in a timely manner in the vent of a technical or physical incident
• process for regularly testing, assessing and evaluating the effectiveness
− Regard to be had to state of the art and costs of implementation, nature, scope, context and purposes of processing as
well as the risk of varying likelihood and severity for rights and freedoms
− Regard to be had to risks presented by data processing, in particular from accidental or unlawful destruction, loss,
alteration, unauthorised disclosure, access to data transmitted, stored or processed
− Adoption of codes/certification mechanisms can be used to evidence compliance
− Controller and processor to take steps to prevent any person acting under their authority from processing except under
instruction unless required by law
− Controls on appointment of subprocessors and processor obligations to flow down GDPR responsibilities to subprocessors
− Security links to wider accountability, record keeping, privacy by design and other aspects of GDPR
Heightened Security Responsibilities
GDPR Data Security Standards

19. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
− Controller reporting both to relevant Authority within 72 hours of awareness
• unless unlikely to result in a risk for rights and freedoms of individuals
− Controller reporting to Data Subject without undue delay is likely to result
in a high risk to the rights and freedoms of individuals
• some exceptions apply e.g. if encryption used to render the data
unintelligible
• steps taken so that high risk no longer likely to materialise
− Processor reporting to controller without undue delay
− Prescribed detail for notification of content
− All breaches to be documented
Mandatory Reporting
GDPR Data Security Breach Reporting

20. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
− Fines – breach of data security obligation falls within the 2% turnover threshold (liability for breach of other
provisions up to 4%)
− Damages – greater potential exposure for both controller and processors
− Contracts
• relationship between processors and controllers will change
• pre-contract due diligence for both?
• controls over data changes and ongoing adequacy assessment?
• terms and schedules will likely become more detailed
• Eversheds Cloud Survey – over 50% walked away because of data terms
− Other developments
• EU Network and Information Security Directive –agreement announced 2015 but final version yet to be
published
• the main thrust will be creating national and union security plans and reporting and sharing of
information between member states
• scope of application to “market operators” keenly awaited
• alongside traditional utilities those involved in various forms of communications service provision may
also be designated as “market operators”
• the detail on the level of security and reporting obligations on those market operators (such as the
social platforms and search engines etc) is likely to have been varied in the final version
GDPR Consequences

21. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
Spotlight on the
− Over 30% of purchaser respondents stated concern over where data is
hosted and/or accessed from, or lack of information about that, triggered
them walking away
− Top 3 issues for walk away cited as data related from purchasers
− http://www.eversheds.com/global/en/what/sectors/tmt/spotlight-on-the-
cloud/index.page
Spotlight on the Cloud Survey 2016

22. Eversheds LLP |
Know what
to do
Cyber/Data
Incident
Response Team
identified?
Internal
notification
processes (NB
communications
may be down)
Rehearsal?
Disaster
Recovery Plan
Business
Continuity Plan
Investigate
Fact
finding/investiga
tion – what type
of data, volume,
timing
Identify the
vulnerability
Remove ongoing
threat
Use of legal
privilege
Notices
Notifying
individuals or
third parties
whose data is
affected
Notifying
regulators,
police or other
bodies of attack
Listed businesses – market
announcement required?
Notifying shareholders
under Listing principles?
Price Sensitive
information/ insider
notification?
Ongoing
communications
Dealing
with
incident
IP protection
strategy – cease
and desist,
injunctions etc
Recovery of
monies stolen
Cyber extortion Lessons learnt
If an incident arises – have a Plan A…
21/03/2016 |

23. Data Loss Prevention Tools

24. Eversheds LLP |
Can you monitor
employees in
compliance with the
applicable
employment, labor
and data protection
laws?
Monitoring to protect; pitfalls await
21/03/2016 |

25. Eversheds LLP |
Multiple “privacy” Dimensions
Privacy Laws
Employment &
Labour Law
Human Rights
Convention
Communications
Law
Harmonisation Gaps Widen on International Roll-Out
21/03/2016 |

26. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
− Data Security is a concern across all business sectors
− Not just about “cyber” but also threats from within
− Legal landscape on data risk is changing globally
− Data security standards are increasing through guidance and cases
− Future changes ahead under proposed General Data Protection Regulation with
deepen and widen responsibilities for data security
− Contracting arrangements between controllers and processors are likely to
change over the coming months as the new laws are anticipated
− Preparation for responding to current rules and for future law changes is
important
− Data security breaches should form part of current crisis management plans
− Care is needed when looking at the tools you may deploy to provide security
protection to ensure that you don’t inadvertently create other compliance issues
Summary
Main topics considered
Eversheds LLP |

27. Eversheds LLP | 21/03/2016 |Eversheds LLP | 21/03/2016 |
Paula Barrett
Partner at Eversheds
PaulaBarrett@eversheds.com
Connect with me on LinkedIn: In/Paula-Barrett
Connect on Twitter: @PrivacyGlobal
Visit Privacy and Data Protection at www.eversheds.com
Keep in touch
Eversheds LLP |

28. eversheds.com
©2015 Eversheds LLP
Eversheds LLP is a limited liability partnership
eversheds.com
©2015 Eversheds LLP
Eversheds LLP is a limited liability partnership
For more information
contact:
Paula Barrett
Head of International Privacy
& Information Law
email:
paulabarrett@eversheds.com