- Number of slides: 5
Breach Notification and Incident Response
Andrew Cormack, Janet
TLP: White

Breach Notification
• Current Telecoms Directive (telcos)
  – Privacy breach => privacy regulator and affected parties
  – Integrity/availability breach => telco regulator => ENISA (see report)
• Draft Data Protection Regulation (all)
  – Privacy breach => privacy regulator and affected parties (within 24 hours)
• Rumoured Cybersecurity Directive (???)
  – Integrity/availability breach => ??? regulator => ENISA
• Draft E-Signatures Regulation also has notification requirements
• Many incidents will require multiple notifications
  – With different requirements on timescales/severity/format

Information Sharing
• Current Data Protection Directive
  – Incident response is a legitimate interest for telcos
  – Can disclose personal data for own and recipient's legitimate interest
    • E.g. telling a bank that their customer has been phished
• Draft Data Protection Regulation
  – Incident response is a legitimate interest for everyone
  – Can disclose for own legitimate interest
    • Apparently not for recipient's interest
      – Including outside the EEA

Thoughts...
• Does this indicate trends?
  – From voluntary to mandatory disclosure?
  – From mesh to hub-and-spoke model of sharing?
• Could affect priorities after an incident
  – Legal duty to report rather than contain/fix?
• Must help law build on known good practice
  – Talk to your legislators/regulators

THANK YOU
Janet, Lumen House
Library Avenue, Harwell Oxford
Didcot, Oxfordshire
t: +44 (0) 1235 822200
f: +44 (0) 1235 822399
e: Andrew.Cormack@ja.net
t: @Janet_LegReg
b: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/