ISACA Belgium Heartbleed Open Forum - Legal Issues

Open Forum HEARTBLEED, Thursday, 22nd of April 2014

Upload: johan-vandendriessche

Posted on 23-Aug-2014

Category: Law

DESCRIPTION

An overview of legal issues in relation to the Heartbleed bug, for discussion purposes at the ISACA Heartbleed open forum: data protection law, communications law, warranty issues and liability.

TRANSCRIPT

Page 1: ISACA Belgium Heartbleed Open Forum - Legal Issues

Open Forum HEARTBLEED

Thursday, 22nd of April 2014

Page 2: ISACA Belgium Heartbleed Open Forum - Legal Issues

Brussels, 22 April 2014

Agenda

1. 18:30 Welcome

2. 18:45 Heartbleed business issues

3. 19:30 Break

4. 19:50 Heartbleed legal issues

5. 20:30 Close

Page 3: ISACA Belgium Heartbleed Open Forum - Legal Issues


Close

Page 4: ISACA Belgium Heartbleed Open Forum - Legal Issues

HEARTBLEED – IMPACT ON YOUR BUSINESS

MARC VAEL & JOHAN VANDENDRIESSCHE

Page 5: ISACA Belgium Heartbleed Open Forum - Legal Issues

Heartbleed – what is it?

• Heartbleed
  • Security issue in OpenSSL
• Business impact
• Legal impact
  • Legal issues
  • Contractual issues
  • Liability?
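The slide names Heartbleed only as a security issue in OpenSSL. What follows is an added illustrative model, written for this page and not taken from OpenSSL or from the presentation, of the defect behind CVE-2014-0160: the TLS heartbeat handler copied as many bytes as the peer claimed in the message's length field without checking that the record actually contained them, so the response carried whatever sat next to the record in memory. The `struct record`, the "process memory" image, the "ping" payload and the `secret-session-cookie` string are all constructed for the demonstration; the message layout (type, two-byte length, payload, at least 16 bytes of padding) and the length check in `heartbeat_fixed` follow the published fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1      /* TLS heartbeat_request message type */
#define HB_PADDING  16     /* minimum padding a heartbeat message must carry */
#define MEM_SIZE    64     /* size of the constructed "process memory" image */

/* Constructed stand-in for data that happens to sit next to the record in
 * memory (a session token, another client's request, a private key, ...). */
#define SECRET "secret-session-cookie"

/* Simplified stand-in for the TLS record that carries one heartbeat message:
 * type (1 byte) | payload_length (2 bytes, big endian) | payload | padding. */
struct record {
    const uint8_t *data;
    size_t length;        /* bytes actually received in this record */
};

/* Vulnerable handler: trusts the peer-supplied payload_length and copies that
 * many bytes into the response, even if the record is far shorter. Returns the
 * number of bytes copied into out (which must hold 65535 bytes), or -1. */
int heartbeat_vulnerable(const struct record *rec, uint8_t *out)
{
    const uint8_t *p = rec->data;
    if (rec->length < 3 || p[0] != HB_REQUEST)
        return -1;
    unsigned payload = ((unsigned)p[1] << 8) | p[2];
    memcpy(out, p + 3, payload);   /* no check against rec->length: over-read */
    return (int)payload;
}

/* Fixed handler, mirroring the check the published fix added: the record must
 * be long enough to hold header, claimed payload and minimum padding. */
int heartbeat_fixed(const struct record *rec, uint8_t *out)
{
    const uint8_t *p = rec->data;
    if (rec->length < 1 + 2 + HB_PADDING || p[0] != HB_REQUEST)
        return -1;                                   /* silently discard */
    unsigned payload = ((unsigned)p[1] << 8) | p[2];
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length)
        return -1;                                   /* claim exceeds record */
    memcpy(out, p + 3, payload);
    return (int)payload;
}

/* Lays out the constructed memory image: a heartbeat request carrying the
 * 4-byte payload "ping" and 16 bytes of padding (23 bytes received), with
 * `claimed` written into its length field, followed directly by SECRET. */
struct record build_demo_record(uint8_t *mem, unsigned claimed)
{
    struct record r;
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, "ping", 4);                  /* bytes 7..22 stay 0: padding */
    memcpy(mem + 3 + 4 + HB_PADDING, SECRET, sizeof SECRET);
    r.data = mem;
    r.length = 1 + 2 + 4 + HB_PADDING;
    return r;
}

/* 1 if a request claiming 40 payload bytes makes the vulnerable handler copy
 * the adjacent SECRET into the response (bytes 20..39 of the output). */
int demo_vulnerable_leaks_secret(void)
{
    uint8_t mem[MEM_SIZE], out[65535];
    struct record r = build_demo_record(mem, 40);
    return heartbeat_vulnerable(&r, out) == 40 && memcmp(out + 20, SECRET, 20) == 0;
}

/* 1 if the fixed handler discards the same over-long claim. */
int demo_fixed_rejects_overlong(void)
{
    uint8_t mem[MEM_SIZE], out[65535];
    struct record r = build_demo_record(mem, 40);
    return heartbeat_fixed(&r, out) == -1;
}

/* 1 if the fixed handler still answers an honest 4-byte request. */
int demo_fixed_accepts_honest(void)
{
    uint8_t mem[MEM_SIZE], out[65535];
    struct record r = build_demo_record(mem, 4);
    return heartbeat_fixed(&r, out) == 4 && memcmp(out, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent secret: %s\n",
           demo_vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler rejects over-long claim:    %s\n",
           demo_fixed_rejects_overlong() ? "yes" : "no");
    printf("fixed handler answers honest request:     %s\n",
           demo_fixed_accepts_honest() ? "yes" : "no");
    return 0;
}
```

The point for the legal discussion that follows: the over-read copies whatever lies beyond the record, and on a real server that is decrypted process memory rather than ciphertext, so the exposed material (session cookies, credentials, key material) is exactly the kind of data the data-protection and confidentiality obligations below are about, and TLS itself offers no protection against it.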

Page 6: ISACA Belgium Heartbleed Open Forum - Legal Issues

HEARTBLEED LEGAL ISSUES

Page 7: ISACA Belgium Heartbleed Open Forum - Legal Issues

Data Protection

• Limitations in relation to the processing of personal data
• Very broad legal interpretation of the concept of personal data
• Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
• Encrypted data is still personal data
• Processing: “any operation or set of operations which is performed upon personal data […]”

Page 8: ISACA Belgium Heartbleed Open Forum - Legal Issues

Data Protection

• The data processing must comply with specific principles
  • Proportionality
  • Purpose limitation
  • Limited in time
  • (Individual and collective) Transparency
  • Data quality
  • Data security

Page 9: ISACA Belgium Heartbleed Open Forum - Legal Issues

Data Protection

• Security obligation
  • General obligation
  • Specific obligations
  • Obligations in relation to the use of data processors
• The Belgian Data Protection Commission has issued a list of security measures that can be implemented

Page 10: ISACA Belgium Heartbleed Open Forum - Legal Issues

Data Protection

• General obligation to implement security measures
  • Technical measures
    • User access management
    • IT security (anti-virus, firewall, …)
    • Fire prevention measures
  • Organizational measures
    • Data categorization (confidentiality level)
    • Employee policies

Page 11: ISACA Belgium Heartbleed Open Forum - Legal Issues

Data Protection

• General obligation to implement security measures
  • Both types of measures are interchangeable
  • Protection against any unauthorized processing
  • Adequate level of protection, taking into account:
    • Available technology and costs;
    • Nature of the personal data concerned and the potential risks

Page 12: ISACA Belgium Heartbleed Open Forum - Legal Issues

Data Protection

• Specific security obligations
  • Obligation to ensure data quality
  • Need-to-know access restriction
    • Access must be limited to those persons that need access
    • Access must be limited to the personal data they need

Page 13: ISACA Belgium Heartbleed Open Forum - Legal Issues

Data Protection

• Specific security obligation
  • Information obligation
    • Provide employees that process personal data with information on data protection legislation
    • The information obligation is stricter if more sensitive data is processed (limited training)
  • Ensure that the software used for the data processing limits processing to what has been notified

Page 14: ISACA Belgium Heartbleed Open Forum - Legal Issues

Data Protection

• Breach of the security obligations?
  • Adequate protection?
  • Security is not an absolute obligation
  • Remedial action?
• Data breach notification
  • Not applicable under the current Belgian Data Protection Act
  • Mitigation strategy (part of the remedial action)
  • Future obligation (draft regulations)

Page 15: ISACA Belgium Heartbleed Open Forum - Legal Issues

Communications

• Electronic communications
  • Data breach notification
  • Privacy by design?
• BIPT notice on 11 April (translated from Dutch):
  “Should this vulnerability affect the security of the networks and the electronic communications services, BIPT will carry out a more thorough analysis in cooperation with the operators concerned”

Page 16: ISACA Belgium Heartbleed Open Forum - Legal Issues

Communications

• Security obligation
  • Highest possible level of protection
    • Available technology
    • Costs
  • Appears to be stricter than data protection law
  • Who: providers of communications services, software developers (communication software) and network operators

Page 17: ISACA Belgium Heartbleed Open Forum - Legal Issues

Communications

• Data breach notification
  • Network operators
    • Inform the Belgian Institute for Postal Services and Telecommunications (BIPT – IBPT) and the subscribers about particular risks in relation to the security of their network (“risk analysis” - “prior information”)
    • Take all necessary measures to inform the relevant authorities, network operators and subscribers as soon as possible about any violation of the integrity of their network (“procedures” - “data security breach notification”)

Page 18: ISACA Belgium Heartbleed Open Forum - Legal Issues

HEARTBLEED CONTRACTUAL ISSUES

Page 19: ISACA Belgium Heartbleed Open Forum - Legal Issues

Confidentiality obligations

• Confidentiality = standard practice
  • NDA
  • Confidentiality clause in an agreement
• Scope of obligations
  • Non-disclosure
  • Access restrictions
  • Restrictions of use (purpose bound)
  • Data breach notification (actual and/or suspected breach)?
• Review scope to assess impact

Page 20: ISACA Belgium Heartbleed Open Forum - Legal Issues

Confidentiality obligations

• Example clause

“The Receiving Party agrees:
• to keep all Confidential Information secret and confidential; and
• not to disclose the Confidential Information to any person, other than the Authorized Recipients, without prior written consent of the Disclosing Party; and
• not to use the Confidential Information for any purpose other than for the Purpose; and
• to implement all the technical and organizational security practices that are necessary to protect the Confidential Information against any unauthorised copying, use, disclosure, access and damage or erasure; and
• to notify the Disclosing Party immediately if it suspects or becomes aware of any unauthorised copying, use, disclosure, access and damage or erasure.”

Page 21: ISACA Belgium Heartbleed Open Forum - Legal Issues

Security obligations

• Security obligations
  • Obligation included in the data processing clause
  • Specific obligations for specific services
• Impact depends on the wording of the clause (scope, required level of security, data breach notification obligations)

Page 22: ISACA Belgium Heartbleed Open Forum - Legal Issues

Security obligations

• Examples of obligations:

“take appropriate technical and organisational measures against any unauthorised or unlawful processing, and to evaluate at regular intervals the adequacy of such security measures, amending these measures where necessary; to the extent such technical and organisational measures have not been established by this Agreement, the Contractor will maintain safeguards no less rigorous than those maintained by the Contractor for its own similar Personal Data. The Client shall have the right to request a written description of the security measures.”

“ensure that access, inspection, processing and provision of the Personal Data shall take place only in accordance with the need-to-know principle, i.e. information shall be provided only to those persons who require the Personal Data for their work in relation to the performance of the Services;”

Page 23: ISACA Belgium Heartbleed Open Forum - Legal Issues

Warranties

• B2B warranty
  • Purely contractual arrangement
  • General or related to deliverables
• Contract
  • Duration
  • Scope
  • Remedies
  • Covered by maintenance & support?
  • Patent and latent defects
  • Third-Party IP exclusion?

Page 24: ISACA Belgium Heartbleed Open Forum - Legal Issues

Warranties

• Compliance of the deliverable with agreed specifications and functionalities

“The Supplier warrants that the Deliverables shall comply with the specifications and functionalities described in Annex 1.”

“The Supplier warrants that the Deliverables shall substantially comply with the specifications and functionalities described in Annex 1.”

Page 25: ISACA Belgium Heartbleed Open Forum - Legal Issues

Warranties

• Absence of harmful code

“any software used by the Supplier or provided to the Client under this Agreement is free from viruses, Trojans, worms and similar rogue programs or malicious code (whatever its nature) and the Contractor has used the latest (at the time of delivery) available detection software, prior to supply to the Client or use of the software;”

“any Software Deliverable shall be free from viruses, Trojan horses, worms and similar malicious code, nor contain any backdoor, blocking mechanism (other than an intended functionality of the software) or timebomb, nor any undocumented functionality;”

Page 26: ISACA Belgium Heartbleed Open Forum - Legal Issues

Warranties

• Heartbleed: warranty issue?
  • Carefully review the wording and scope of the warranty
• Consequences?
  • Review the duration of the warranty period and the remedies
  • Usually a duty to repair free of charge within a reasonable period of time or in accordance with an agreed service level
  • Additional liability?
  • ‘Sole remedy’ wording?

Page 27: ISACA Belgium Heartbleed Open Forum - Legal Issues

LIABILITY ISSUES

Page 28: ISACA Belgium Heartbleed Open Forum - Legal Issues

Liability issues

• Liability
  • Nature of (contractual) obligations
  • Negligent act or omission
    • Standard of care: a reasonably diligent and careful person placed under the same circumstances
  • Damage
  • Causality
• Implementation of the OpenSSL solution?
• Lack of action following discovery of the Heartbleed bug

Page 29: ISACA Belgium Heartbleed Open Forum - Legal Issues


Contact details

Johan Vandendriessche

Partner

crosslaw CVBA

Mobile Phone +32 486 36 62 34

E-mail [email protected]

Website www.crosslaw.be

Marc Vael

International Vice President

ISACA

Mobile Phone +32 473 99 30 31

E-mail [email protected]

Website www.isaca.org

Page 30: ISACA Belgium Heartbleed Open Forum - Legal Issues


ISACA BELGIUM