Privacy (and other) issues concerning datalogging

ISACA Belgium Privacy Open Forum - Privacy issues with IT logs

Transcript of "Privacy (and other) issues concerning datalogging"

Privacy Open Forum
Thursday, 20th of February 2014

Agenda
1. 18:30  Welcome
2. 18:45  Datalogging – Privacy Issues
3. 19:30  Break
4. 19:50  Datalogging – Other Issues
5. 20:30  Close
Leuven, 20 February 2014

DATALOGGING – PRIVACY (AND OTHER) ISSUES
JOHAN VANDENDRIESSCHE

Datalogging
• Logfile or log
  • Record of events
• Types of logs
  • Event logs
  • Transaction logs
  • Communication logs (IM logs)
• Scope and purpose can be varying
  • Quality control (bugfixing)
  • Evidence for business transactions
  • Marketing (website traffic log)

Datalogging
• Legal obligations
  • Obligation to keep a specific log
    • Pharmacists (pharmaceutical drugs)
    • Employee file
  • Obligations to store a specific log
• Focus today: various IT logs
  • Keeping logs
  • (Re-)Using logs

High level legal framework
• Act of 8 December 1992
  • Processing of personal data
• Act of 13 June 2005
  • Electronic communication
• CBA n° 81 concerning workfloor cameras
  • Workfloor privacy
• Cybercrime

CREATING AN IT LOG

Data Protection
• Limitations in relation to the processing of personal data
• Very large legal interpretation of the concept of personal data
  • Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
  • Logs may contain personal data
• Processing: “any operation or set of operations which is performed upon personal data […]”

Data Protection
• The data processing must comply with specific principles
  • Proportionality
  • Purpose limitation
  • Limited in time
  • (Individual and collective) Transparency
  • Data quality
  • Data security

Data Protection
• Security obligation
  • General obligation
  • Specific obligations
  • Obligations in relation to the use of data processors
• Belgian Data Protection Commission has issued a list of security measures that can be implemented

Data Protection
• General obligation to implement security measures
  • Technical measures
    • User access management
    • IT security (anti-virus, firewall, …)
    • Fire prevention measures
  • Organizational measures
    • Data categorization (confidentiality level)
    • Employee policies

Data Protection
• General obligation to implement security measures
  • Both types of measures are interchangeable
  • Protection against any unauthorized processing
  • Adequate level of protection taking into account:
    • Available technology and costs;
    • Nature of concerned personal data and the potential risks

Data Protection
• Specific security obligations
  • Obligation to ensure data quality
  • Need-to-know access restriction
    • Access must be limited to those persons that need access
    • Access must be limited to the personal data they need

Data Protection
• Specific security obligation
  • Information obligation
    • Provide employees that process personal data with information on data protection legislation
    • Information obligation is stricter if more sensitive data is processed (limited training)
  • Ensure that software used for the data processing limits processing to what is notified

Logging as a security measure
• Logging as a security measure
  • Purpose of its own?
  • Linked to the purpose it aims to secure?
• Scope of logging
  • Nature of data processing
  • Data controller must be able to justify choices

Logging for marketing purposes
• Logging = processing for a specific purpose
• Re-use of existing logs for marketing purposes
  • Compatible purpose?
  • Secondary processing for statistical purposes (big data?)
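The slides above state the principles (proportionality, purpose limitation, need-to-know, logs may contain personal data) but not how a re-use of a web traffic log for statistics can be kept within them. The following is an added example, not code from the presentation or from crosslaw: it takes constructed Apache "combined"-format access log lines, keeps only the fields a traffic statistic needs, strips query strings (which often carry personal data such as e-mail addresses), drops the username, referer and user agent, and replaces the client IP by a keyed HMAC token so visits can still be counted per visitor without retaining the raw address. The log lines, the key and the field choices are assumptions of this example.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not taken from the slides).
SAMPLE_ACCESS_LOG = """\
203.0.113.17 - alice [20/Feb/2014:18:31:02 +0100] "GET /agenda?email=alice%40example.org HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.17 - - [20/Feb/2014:18:31:05 +0100] "GET /slides/datalogging.pdf HTTP/1.1" 200 88210 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Feb/2014:18:32:11 +0100] "GET /agenda HTTP/1.1" 304 0 "-" "curl/7.35.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC of an identifier: the same visitor yields the same token, so counting
    still works, but the raw IP is not stored. Whoever holds `key` can re-link the token,
    so the key must be kept separately and deleted when the statistic no longer needs it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimise_for_statistics(raw_log: str, key: bytes) -> list:
    """Reduce a raw access log to what a traffic statistic needs (proportionality):
    day, path without query string, status code and a pseudonymous visitor token.
    Username, referer, user agent, time of day and the raw IP are not carried over."""
    rows = []
    for line in raw_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than carry unparsed personal data over
        path = m.group("target").split("?", 1)[0]  # query strings often embed personal data
        day = m.group("ts").split(":", 1)[0]       # "20/Feb/2014": the time of day is dropped
        rows.append({
            "day": day,
            "path": path,
            "status": int(m.group("status")),
            "visitor": pseudonymize(m.group("ip"), key),
        })
    return rows


def unique_visitors(rows: list) -> int:
    return len({r["visitor"] for r in rows})


def hits_per_path(rows: list) -> Counter:
    return Counter(r["path"] for r in rows)


if __name__ == "__main__":
    stats_rows = minimise_for_statistics(SAMPLE_ACCESS_LOG, b"constructed-demo-key")
    for row in stats_rows:
        print(row)
    print("unique visitors:", unique_visitors(stats_rows))
    print("hits per path:", dict(hits_per_path(stats_rows)))
```

The point of the design is that the secondary use (statistics) receives a different, smaller data set than the original log, which stays with its original purpose and retention period; the pseudonymisation key is the piece the controller still has to protect and justify.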
ACCESSING AN IT LOG

Accessing an IT log
• Access to an IT log
  • Access authority
    • Company policies
    • Roles & Responsibilities
  • Workfloor privacy restrictions
  • Communications law restrictions
• Use of an IT log
  • Probatory value of an IT log

Cybercrime
• Criminal acts posing a threat against the confidentiality, the integrity and the availability of IT systems and data
  • Hacking
  • Computer sabotage
  • Computer fraud & computer forgery
• Investigation powers
  • Cooperation duty of IT experts

Cybercrime
• Hacking
  • “the unauthorized intrusion in or maintenance of access to an IT system” (article 550bis Criminal Code)
  • Internal hacking
    • Person with access rights that exceeds such rights
    • With a fraudulent purpose or with the purpose to cause damage
  • External hacking
    • Person without access rights
    • Knowingly
  • There is no requirement of breach of security measures

Cybercrime
• Hacking
  • Sanctions (also applicable in case of attempt to hack)
    • Internal hacking
      • Fines: 26 to 25.000 EUR (x6); and/or
      • Prison sentence: 3 months up to 1 year (doubled in case of intent to fraud)
    • External hacking
      • Fines: 26 to 25.000 EUR (x6); and/or
      • Prison sentence: 6 months up to 2 years

Cybercrime
• Hacking
  • Criminal sanctions are increased:
    • Copying any data on the IT system
    • Use of the IT system or use thereof to hack another IT system
    • Damage to the IT system or its data or any third-party IT system or data

Cybercrime
• Computer sabotage
  • “the direct or indirect insertion, modification or erasure of information in an IT system or any other change to the normal use of information in an IT system” (article 550ter Criminal Code)
    • Virus, worm, or any other malicious code
    • Unauthorized time-locks or other blocking mechanisms
  • Developing, distributing or commercializing malicious code or tools to commit computer sabotage is a criminal offence

Cybercrime
• Computer sabotage
  • Sanction (also applicable in case of attempted sabotage):
    • Fine: 26 to 25.000 EUR (x6); and/or
    • Prison sentence: 6 months up to 3 years (increased in case of fraudulent intent or intention to cause damage)
  • Criminal sanctions are increased in case of:
    • Causing damage to data in any IT system as a result of computer sabotage
    • Interfering with the proper functioning of any IT system as a result of computer sabotage
  • Sanctions are doubled in some cases of cybercrime recidivism

Cybercrime
• Computer fraud
  • “the insertion, modification or erasure of information in an IT system or any other change to the normal use of information in an IT system in view of obtaining an illegitimate economic advantage for oneself or for others” (article 504quater Criminal Code)
  • Economic advantage: any material or immaterial good (e.g. money, intellectual property rights, titles to real estate…)

Cybercrime
• Computer fraud
  • Sanction
    • Fine: 26 to 100.000 EUR (x6); and/or
    • Prison sentence: 6 months up to 5 years
  • Attempted computer fraud is punished with lower criminal sanctions
  • Sanctions are doubled in some cases of cybercrime recidivism

Cybercrime
• Computer forgery
  • “the insertion, modification or erasure of information in an IT system or any other change to the normal use of information in an IT system in view of changing the legal effect of that information” (article 210bis Criminal Code)
  • Sanction
    • Fine: 26 to 100.000 EUR (x6); and/or
    • Prison sentence: 6 months up to 5 years

Cybercrime
• Computer forgery
  • Knowingly using such forged data is also a criminal offence
  • Attempted computer forgery is punished with lower criminal sanctions
  • Sanctions are doubled in some cases of cybercrime recidivism

Electronic communications
• Electronic communication is protected
  • Interception of electronic communication
    • Art. 314bis of the Criminal Code
  • Access to electronic communication
    • Art. 124-125 of the Act of 13 June 2005
  • Specific rules for telcos and call centers
• Specific problem for investigation of e-mail and IM logfiles

Electronic communications
• Article 314bis of the Criminal Code
  • Interception of communication
  • Unlikely to apply in case of auditing or consulting logfiles
• Article 124 of the Act of 13 June 2005
  • General interdiction to:
    • Consult any electronic communication
    • Identify participants to such electronic communication
    • Process in any manner such electronic communication
  • UNLESS consent is obtained from all participants

Electronic communications
• Article 125 of the Act of 13 June 2005
  • Specific exceptions exist (only business relevant exceptions are mentioned):
    • If allowed or imposed by law
    • With the sole purpose of ensuring the proper functioning of the network or the proper performance of the communication service
    • For offering a service that consists of preventing the receipt of unsolicited electronic communication, provided consent has been obtained from the recipient
  • No distinction is made between private and professional communication!

Electronic communication
• Article 128 of the Act of 13 June 2005
  • Communication logs as evidence
    • Legal business transactions
    • Evidence of a commercial transaction or other business communication
  • Conditions
    • Prior information on registration, purposes and duration of registration

Electronic communication
• Monitoring of any form of electronic communication
  • Use of e-mail
  • Use of Internet
• CBA No. 81 allows a limited degree of monitoring
  • Surveillance is possible for limited purposes
    • The prevention of illegal acts, slander and violation of decency
    • The protection of the economic, trade and financial interests of the company
    • The protection of the security and proper functioning of the company’s IT system
    • The compliance with company policies in relation to online technologies

Electronic communication
• CBA No. 81
  • Procedural requirements
    • Collective information
    • Individual information
  • Sanctions?
    • Prior hearing
    • Link with work regulations

Logs as evidence
• Admissible
  • Type of evidence (‘matters of fact’ vs ‘legal acts’)
• Lawful
  • Illegal evidence
  • Illegally obtained evidence
• Probatory value (‘credibility’)
  • Weight carried by the submitted evidence
  • Influenced by the reliability
    • Gathering process of digital evidence
    • Inherent reliability (?)
  • Derogation by agreement?

Logs as evidence
• “Antigoon” case law
  • Illegally obtained evidence
  • Evidence is no longer automatically discarded
  • Evidence is retained, except:
    • Nullity is a legally imposed sanction
    • Unfair trial
    • Impact on reliability
• Small note: “Antigoon” case law is relatively new and still evolving

Logs as evidence
• Problems with electronic evidence
  • Rules of evidence strongly favour “paper evidence”
  • Courts may be reluctant in the face of new technologies
  • Case law usually dismisses electronic evidence at the slightest indication of the possibility of fraud / tampered evidence

Logs as evidence
• General rules
  • Ensure the accountability and integrity of any electronic evidence at all times
  • Implement procedures and policies / provide evidence that these policies are regularly verified or audited

Logs as evidence
• Practical approach in Belgium
  • If feasible, define the probatory value of logs by agreement
  • Ensure that the evidence collection is organized in a manner guaranteeing evidence integrity
  • Ensure that the evidence is stored in a secure manner
  • Court proceedings may include a court expertise
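The last slides ask for log integrity to be guaranteed "at all times" and warn that courts dismiss electronic evidence at the slightest indication of tampering, without saying what a technical guarantee looks like. As an added example, not the presentation's or crosslaw's own material, the following keeps an append-only log as a hash chain: every entry carries the previous entry's digest and an HMAC over (previous digest, record) under a key that the logging system holds and the people who can write records do not. Verification then localises a modified or deleted entry. Since a chain alone cannot notice that its tail was cut off, the verifier also accepts an "anchor" (the last digest recorded separately, for instance printed in a periodic report or stored with a third party); the records, the key and the anchor handling are assumptions of this example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # digest "before" the first entry


def _entry_digest(key: bytes, prev_hash: str, record: dict) -> str:
    """HMAC over the previous digest and a canonical JSON form of the record, so a record
    that is re-serialised later still hashes the same and no entry can be altered or
    re-ordered without the key."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append_entry(chain: list, key: bytes, record: dict) -> dict:
    """Append a record; the entry links to the current last digest of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {
        "seq": len(chain),
        "prev": prev_hash,
        "record": record,
        "hash": _entry_digest(key, prev_hash, record),
    }
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes, anchor: str = None) -> tuple:
    """Return (ok, index). On failure `index` is the first entry that does not fit the
    chain; if an anchor (separately stored last digest) is given and the chain ends
    elsewhere, `index` is len(chain), meaning entries are missing at the tail."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev_hash:
            return False, i  # entry deleted, inserted or re-ordered here
        expected = _entry_digest(key, prev_hash, entry["record"])
        if not hmac.compare_digest(expected, entry["hash"]):
            return False, i  # record or digest modified here
        prev_hash = entry["hash"]
    if anchor is not None and prev_hash != anchor:
        return False, len(chain)  # chain was truncated (or anchor is stale)
    return True, None


def build_demo_chain() -> tuple:
    """Constructed sample entries (an access log for a personnel file), not real data."""
    key = b"constructed-demo-key"  # in practice: held by the log server, not by the writers
    chain = []
    for rec in [
        {"ts": "2014-02-20T18:31:02+01:00", "user": "alice", "action": "read", "object": "file/1042"},
        {"ts": "2014-02-20T18:33:10+01:00", "user": "bob", "action": "update", "object": "file/1042"},
        {"ts": "2014-02-20T18:40:55+01:00", "user": "alice", "action": "export", "object": "file/1042"},
    ]:
        append_entry(chain, key, rec)
    return chain, key


if __name__ == "__main__":
    log, k = build_demo_chain()
    anchor = log[-1]["hash"]
    print("intact:", verify_chain(log, k, anchor))
    log[1]["record"]["user"] = "mallory"
    print("after modifying entry 1:", verify_chain(log, k, anchor))
```

Two practical notes on the design: the detection only has evidential weight if the key is not available to the people whose actions the log records, and the anchor is what makes silent deletion of the most recent entries visible; both belong in the documented and audited procedure the slides call for.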
Contact details
Johan Vandendriessche
Partner, crosslaw CVBA
Mobile Phone +32 486 36 62 34
E-mail j.vandendriessche@crosslaw.be
Website www.crosslaw.be

ISACA BELGIUM