isaca belgium heartbleed open forum - legal issues
DESCRIPTION
An overview of legal issues in relation to the Heartbleed bug for discussion purposes at the ISACA Heartbleed open forum: data protection law, communications law, warranty issues and liability.
TRANSCRIPT
Open Forum HEARTBLEED
Thursday, 22nd of April 2014
Brussels, 22 April 2014
Agenda
1. 18:30 Welcome
2. 18:45 Heartbleed business issues
3. 19:30 Break
4. 19:50 Heartbleed legal issues
5. 20:30 Close
HEARTBLEED – IMPACT ON YOUR BUSINESS
MARC VAEL & JOHAN VANDENDRIESSCHE
Heartbleed – what is it?
• Heartbleed
• Security issue in OpenSSL
• Business impact
• Legal impact
• Legal issues
• Contractual issues
• Liability?
HEARTBLEED LEGAL ISSUES
Data Protection
• Limitations in relation to the processing of personal data
• Very broad legal interpretation of the concept of personal data
• Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
• Encrypted data is still personal data
• Processing: “any operation or set of operations which is performed upon personal data […]”
Data Protection
• The data processing must comply with specific principles
• Proportionality
• Purpose limitation
• Limited in time
• (Individual and collective) Transparency
• Data quality
• Data security
Data Protection
• Security obligation
• General obligation
• Specific obligations
• Obligations in relation to the use of data processors
• Belgian Data Protection Commission has issued a list of security measures that can be implemented
Data Protection
• General obligation to implement security measures
• Technical measures
• User access management
• IT security (anti-virus, firewall, …)
• Fire prevention measures
• Organizational measures
• Data categorization (confidentiality level)
• Employee policies
Data Protection
• General obligation to implement security measures
• Both types of measures are interchangeable
• Protection against any unauthorized processing
• Adequate level of protection taking into account:
• Available technology and costs;
• Nature of concerned personal data and the potential risks
Data Protection
• Specific security obligations
• Obligation to ensure data quality
• Need-to-know access restriction
• Access must be limited to those persons that need access
• Access must be limited to the personal data they need
Data Protection
• Specific security obligation
• Information obligation
• Provide employees who process personal data with information on data protection legislation
• The information obligation is stricter if more sensitive data is processed (limited training)
• Ensure that the software used for the data processing limits processing to what has been notified
Data Protection
• Breach of the security obligations?
• Adequate protection?
• Security is not an absolute obligation
• Remedial action?
• Data breach notification
• Not applicable under the current Belgian Data Protection Act
• Mitigation strategy (part of the remedial action)
• Future obligation (draft regulations)
Communications
• Electronic communications
• Data breach notification
• Privacy by design?
• BIPT notice on 11 April
“If this vulnerability were to affect the security of the networks and the electronic communications services, the BIPT will carry out a more thorough analysis in cooperation with the operators concerned”
Communications
• Security obligation
• Highest possible level of protection
• Available technology
• Costs
• Appears to be stricter than data protection law
• Who: providers of communications services, software developers (communication software) and network operators
Communications
• Data breach notification
• Network operators
• Inform the Belgian Institute for Postal Services and Telecommunications (BIPT – IBPT) and the subscribers about particular risks in relation to the security of their network (“risk analysis” - “prior information”)
• Take all necessary measures to inform relevant authorities, network operators and subscribers as soon as possible about any violation of the integrity of their network (“procedures” - “data security breach notification”)
HEARTBLEED CONTRACTUAL ISSUES
Confidentiality obligations
• Confidentiality = standard practice
• NDA
• Confidentiality clause in an agreement
• Scope of obligations
• Non-disclosure
• Access restrictions
• Restrictions of use (purpose bound)
• Data breach notification (actual and/or suspected breach)?
• Review scope to assess impact
Confidentiality obligations
• Example clause
“The Receiving Party agrees:
• to keep all Confidential Information secret and confidential; and
• not to disclose the Confidential Information to any person, other than the Authorized Recipients, without prior written consent of the Disclosing Party; and
• not to use the Confidential Information for any purpose other than for the Purpose; and
• to implement all the technical and organizational security practices that are necessary to protect the Confidential Information against any unauthorised copying, use, disclosure, access and damage or erasure; and
• to notify the Disclosing Party immediately if it suspects or becomes aware of any unauthorised copying, use, disclosure, access and damage or erasure.”
Security obligations
• Security obligations
• Obligation included in data processing clause
• Specific obligations for specific services
• Impact depends on the wording of the clause (scope, required level of security, data breach notification obligations)
Security obligations
• Examples of obligations:
“take appropriate technical and organisational measures against any unauthorised or unlawful processing, and to evaluate at regular intervals the adequacy of such security measures, amending these measures where necessary; to the extent such technical and organisational measures have not been established by this Agreement, the Contractor will maintain safeguards no less rigorous than those maintained by the Contractor for its own similar Personal Data. The Client shall have the right to request a written description of the security measures.
ensure that access, inspection, processing and provision of the Personal Data shall take place only in accordance with the need-to-know principle, i.e. information shall be provided only to those persons who require the Personal Data for their work in relation to the performance of the Services;”
Warranties
• B2B warranty
• Purely contractual arrangement
• General or related to deliverables
• Contract
• Duration
• Scope
• Remedies
• Covered by maintenance & support?
• Patent and latent defects
• Third-Party IP exclusion?
Warranties
• Compliance of the deliverable with agreed specifications and functionalities
“The Supplier warrants that the Deliverables shall comply with the specifications and functionalities described in Annex 1.”
“The Supplier warrants that the Deliverables shall substantially comply with the specifications and functionalities described in Annex 1.”
Warranties
• Absence of harmful code
“any software used by the Supplier or provided to the Client under this Agreement is free from viruses, Trojans, worms and similar rogue programs or malicious code (whatever its nature) and the Contractor has used the latest (at the time of delivery) available detection software, prior to supply to the Client or use of the software;”
“any Software Deliverable shall be free from viruses, Trojan horses, worms and similar malicious code, nor contain any backdoor, blocking mechanism (other than an intended functionality of the software) or timebomb, nor any undocumented functionality;”
Warranties
• Heartbleed: warranty issue?
• Carefully review the wording and scope of the warranty
• Consequences?
• Review the duration of the warranty period and the remedies
• Usually a duty to repair free of charge within a reasonable period of time or in accordance with an agreed service level
• Additional liability?
• ‘Sole remedy’ wording?
LIABILITY ISSUES
Liability issues
• Liability
• Nature of (contractual) obligations
• Negligent act or omission
• Standard of care: a reasonably diligent and careful person placed under the same circumstances
• Damage
• Causality
• Implementation of the OpenSSL solution (impact)?
• Lack of action following discovery of the Heartbleed bug
Contact details
Johan Vandendriessche
Partner
crosslaw CVBA
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be
Marc Vael
International Vice President
ISACA
Mobile Phone +32 473 99 30 31
E-mail [email protected]
Website www.isaca.org
ISACA BELGIUM