ISACA Belgium Heartbleed Open Forum - Legal Issues

An overview of legal issues in relation to the heartbleed bug for discussion purposes at the ISACA heartbleed open forum: data protection law, communications law, warranty issues and liability.

Published in: Law, Technology, Business

  1. Open Forum HEARTBLEED, Thursday, 22nd of April 2014
  2. Brussels, 22 April 2014. Agenda
     1. 18:30 Welcome
     2. 18:45 Heartbleed business issues
     3. 19:30 Break
     4. 19:50 Heartbleed legal issues
     5. 20:30 Close
  3. Close
  4. HEARTBLEED – IMPACT ON YOUR BUSINESS. Marc Vael & Johan Vandendriessche
  5. Heartbleed – what is it?
     • Heartbleed
       • Security issue in OpenSSL
       • Business impact
       • Legal impact
     • Legal issues
     • Contractual issues
     • Liability?
  6. HEARTBLEED LEGAL ISSUES
  7. Data Protection
     • Limitations in relation to the processing of personal data
     • Very broad legal interpretation of the concept of personal data
       • Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
       • Encrypted data is still personal data
     • Processing: “any operation or set of operations which is performed upon personal data […]”
  8. Data Protection
     • The data processing must comply with specific principles
       • Proportionality
       • Purpose limitation
       • Limited in time
       • (Individual and collective) Transparency
       • Data quality
       • Data security
  9. Data Protection
     • Security obligation
       • General obligation
       • Specific obligations
       • Obligations in relation to the use of data processors
     • The Belgian Data Protection Commission has issued a list of security measures that can be implemented
  10. Data Protection
     • General obligation to implement security measures
       • Technical measures
         • User access management
         • IT security (anti-virus, firewall, …)
         • Fire prevention measures
       • Organizational measures
         • Data categorization (confidentiality level)
         • Employee policies
  11. Data Protection
     • General obligation to implement security measures
       • Both types of measures are interchangeable
       • Protection against any unauthorized processing
       • Adequate level of protection taking into account:
         • Available technology and costs;
         • Nature of the personal data concerned and the potential risks
  12. Data Protection
     • Specific security obligations
       • Obligation to ensure data quality
       • Need-to-know access restriction
         • Access must be limited to those persons that need access
         • Access must be limited to the personal data they need
  13. Data Protection
     • Specific security obligations
       • Information obligation
         • Provide employees that process personal data with information on data protection legislation
         • The information obligation is stricter if more sensitive data is processed (limited training)
       • Ensure that the software used for the data processing limits processing to what is notified
  14. Data Protection
     • Breach of the security obligations?
       • Adequate protection?
         • Security is not an absolute obligation
       • Remedial action?
     • Data breach notification
       • Not applicable under the current Belgian Data Protection Act
       • Mitigation strategy (part of the remedial action)
       • Future obligation (draft regulations)
  15. Communications
     • Electronic communications
       • Data breach notification
       • Privacy by design?
     • BIPT notice of 11 April: “If this vulnerability were to affect the security of networks and electronic communications services, the BIPT will carry out a more thorough analysis in cooperation with the operators concerned”
  16. Communications
     • Security obligation
       • Highest possible level of protection
         • Available technology
         • Costs
       • Appears to be stricter than data protection law
       • Who: providers of communications services, software developers (communication software) and network operators
  17. Communications
     • Data breach notification
       • Network operators
         • Inform the Belgian Institute for Postal Services and Telecommunications (BIPT – IBPT) and the subscribers about particular risks in relation to the security of their network (“risk analysis” - “prior information”)
         • Take all necessary measures to inform relevant authorities, network operators and subscribers as soon as possible about any violation of the integrity of their network (“procedures” - “data security breach notification”)
  18. HEARTBLEED CONTRACTUAL ISSUES
  19. Confidentiality obligations
     • Confidentiality = standard practice
       • NDA
       • Confidentiality clause in an agreement
     • Scope of obligations
       • Non-disclosure
       • Access restrictions
       • Restrictions of use (purpose bound)
       • Data breach notification (actual and/or suspected breach)?
     • Review scope to assess impact
  20. Confidentiality obligations
     • Example clause: “The Receiving Party agrees:
       • to keep all Confidential Information secret and confidential; and
       • not to disclose the Confidential Information to any person, other than the Authorized Recipients, without prior written consent of the Disclosing Party; and
       • not to use the Confidential Information for any purpose other than for the Purpose; and
       • to implement all the technical and organizational security practices that are necessary to protect the Confidential Information against any unauthorised copying, use, disclosure, access and damage or erasure; and
       • to notify the Disclosing Party immediately if it suspects or becomes aware of any unauthorised copying, use, disclosure, access and damage or erasure.”
  21. Security obligations
     • Security obligations
       • Obligation included in data processing clause
       • Specific obligations for specific services
     • Impact depends on the wording of the clause (scope, required level of security, data breach notification obligations)
  22. Security obligations
     • Examples of obligations:
       • “take appropriate technical and organisational measures against any unauthorised or unlawful processing, and to evaluate at regular intervals the adequacy of such security measures, amending these measures where necessary; to the extent such technical and organisational measures have not been established by this Agreement, the Contractor will maintain safeguards no less rigorous than those maintained by the Contractor for its own similar Personal Data. The Client shall have the right to request a written description of the security measures.”
       • “ensure that access, inspection, processing and provision of the Personal Data shall take place only in accordance with the need-to-know principle, i.e. information shall be provided only to those persons who require the Personal Data for their work in relation to the performance of the Services;”
  23. Warranties
     • B2B warranty
       • Purely contractual arrangement
       • General or related to deliverables
     • Contract
       • Duration
       • Scope
       • Remedies
       • Covered by maintenance & support?
       • Patent and latent defects
       • Third-Party IP exclusion?
  24. Warranties
     • Compliance of the deliverable with agreed specifications and functionalities
       • “The Supplier warrants that the Deliverables shall comply with the specifications and functionalities described in Annex 1.”
       • “The Supplier warrants that the Deliverables shall substantially comply with the specifications and functionalities described in Annex 1.”
  25. Warranties
     • Absence of harmful code
       • “any software used by the Supplier or provided to the Client under this Agreement is free from viruses, Trojans, worms and similar rogue programs or malicious code (whatever its nature) and the Contractor has used the latest (at the time of delivery) available detection software, prior to supply to the Client or use of the software;”
       • “any Software Deliverable shall be free from viruses, Trojan horses, worms and similar malicious code, nor contain any backdoor, blocking mechanism (other than an intended functionality of the software) or timebomb, nor any undocumented functionality;”
  26. Warranties
     • Heartbleed: warranty issue?
       • Carefully review the wording and the scope of the warranty
     • Consequences?
       • Review the duration of the warranty period and the remedies
       • Usually a duty to repair free of charge within a reasonable period of time or in accordance with an agreed service level
       • Additional liability?
       • ‘Sole remedy’ wording?
  27. LIABILITY ISSUES
  28. Liability issues
     • Liability
       • Nature of (contractual) obligations
       • Negligent act or omission
         • Standard of care: a reasonably diligent and careful person placed under the same circumstances
       • Damage
       • Causality
         • Implementation of the OpenSSL solution?
         • Lack of action following discovery of the Heartbleed bug
  29. Contact details
     • Johan Vandendriessche, Partner, crosslaw CVBA. Mobile Phone +32 486 36 62 34. E-mail j.vandendriessche@crosslaw.be. Website www.crosslaw.be
     • Marc Vael, International Vice President, ISACA. Mobile Phone +32 473 99 30 31. E-mail marc@vael.net. Website www.isaca.org
  30. ISACA BELGIUM
