The document discusses recent EU legislation on security breach notification duties. It notes that the 2009 amendments to the EU ePrivacy Directive first introduced a security breach notification requirement, limited to providers of public electronic communications networks and services (telecom providers and ISPs). Recent EU proposals aim to extend these duties to other sectors by 1) requiring notification to data protection authorities and affected individuals under the draft General Data Protection Regulation (2012) and 2) requiring public administrations and critical infrastructure operators to notify incidents under the draft Network and Information Security (NIS) Directive (2013). The proposals seek to harmonise security breach response across EU Member States, but questions remain about practical implementation details.
4. EU 2009
• new provisions inserted in the EU electronic communications privacy (ePrivacy) directive (art. 4)
• introduction of first EU security breach notification duty
• limited scope: providers of public electronic communications networks and services
• Belgium 2012: transposition in art. 114/1 and 114/2 of the e-communications act
5. Summary
• notification of specific risk of network security breach
  • to the NRA (Belgium: BIPT)
  • to subscribers
• notification of actual security breach with important impact
  • to the NRA (Belgium: BIPT)
  • NRA can notify further to EU
• notification of security breach regarding personal data
  • to the NRA (Belgium: BIPT)
  • to subscribers and/or users
7. Details
• timeframe?
• which information to communicate?
• via which channel?
• when should individuals be notified?
• role of encryption
• ...
9. EU Proposals to extend the notification duty
1. Draft general data protection regulation (January 2012)
2. Draft e-identification and trust services regulation (June 2012)
3. Draft network and information security (NIS) directive (February 2013)
10. Draft NIS Directive
a) Obligations for Member States
b) Cooperation mechanism
c) Requirements for market operators and public administrations
Note: minimum harmonisation (minimum common capacity building)!
11. NIS: Duties for public administrations and market operators
• Obligation to take appropriate technical and organisational measures to manage the risks
• Obligation to notify to the national competent authority incidents having a significant impact on the security of core services
• National competent authority may inform the public where it determines that it is in the public interest
• EC will be empowered to adopt delegated acts (art. 18)
12. “Market operators”: Annex II of the Draft NIS Directive
• Providers of “information society services” (operating in the EU)
  • e-commerce platforms
  • internet payment gateways
  • social networks
  • search engines
  • cloud computing services
  • application stores
• Operators of “critical information infrastructures” (CIIP operators)
  • Energy
  • Transport
  • Banking
  • Financial market infrastructures (stock exchange, clearinghouses)
  • Health sector
13. EU Proposals to extend the notification duty
1. Draft general data protection regulation (January 2012)
2. Draft e-identification and trust services regulation (June 2012)
3. Draft network and information security (NIS) directive (February 2013)
15. “e-Identification”: mutual recognition
• idea:
  • if an online (government) service in a Member State requires access authentication by means of an e-ID,
  • then this service should be accessible for e-IDs notified by other Member States
16. “Trust Services”
• stricter rules for “trust service providers” (e.g. annual security audit)
• “trust services”: services related to e-signatures, timestamps, e-documents, e-delivery, website authentication, digital certificates
• introduction of security breach notification (to supervisory bodies and data protection commissioners)
• “qualified” trust services: presumption of legal validity
17. EU Proposals to extend the notification duty
1. Draft general data protection regulation (January 2012)
2. Draft e-identification and trust services regulation (June 2012)
3. Draft network and information security (NIS) directive (February 2013)
18. On 25 January 2012 the European Commission officially released a proposal for a comprehensive reform of the 1995 data protection rules on personal data processing.
19. 1. One single European law
If adopted, the proposed Regulation will apply across the EU. As a consequence, companies established in more than one EU country will no longer face the difficulty of coping with the divergent rules of the EU Member States.
20. 2. Every company supervised by one data protection commissioner
Personal data processing by companies established in more than one EU country will be monitored by one single supervisory authority. In principle this will be the data protection commission of the country where the company has its main establishment.
21. 3. Also applicable to companies outside the EU
Theoretically, the proposed Regulation claims to be applicable to the processing of personal data of data subjects residing in the EU by a controller not established in the EU, … where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects.
22. 4. Basic rules remain but would be better implemented
The supervisory authorities will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company. Moreover, the responsibility and liability of the controller for any processing of personal data is more clearly established.
23. 5. Abolition of the general obligation to notify
The general notification obligation would be abolished, and replaced by procedures and mechanisms which focus instead on those processing operations which are likely to present specific risks.
24. 6. Data protection officers
The controller and the processor would in the future be required to designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body; or
(b) the processing is carried out by an enterprise employing 250 persons or more; or
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
25. 7. Consent: always explicit
Tacit consent will no longer be sufficient as a legal ground for personal data processing. Moreover, consent can no longer be buried in terms and conditions, but must be presented in a form that is clearly distinguishable from those other matters.
26. 8. Right to be forgotten?
The right to erasure would be extended in such a way that a controller who has made the personal data public would be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of, that personal data.
27. 9. “Data portability”
The data subject would be allowed to transmit those data which they have provided from one automated application, such as a social network, into another one. This should apply where the data subject provided the data to the automated processing system based on their consent or in the performance of a contract.
28. 10. Security breach notification
As soon as a controller becomes aware that a personal data breach has occurred, he would be obliged to notify this breach to the supervisory authority without undue delay and, where feasible, within 24 hours. The individuals whose personal data could be adversely affected by the breach would also have to be notified without undue delay, in order to allow them to take the necessary precautions.
29. Conclusions
• current scope still limited (telecom providers, ISPs, etc.)
• extension to other sectors under discussion
• lack of co-ordination between proposed rules is criticized
• many questions remain about practical implementation
30. Jos Dumortier
time.lex - Information & Technology Law
Congresstraat 35
B-1000 Brussel
(t) +32 (0)2 229 19 47
www.timelex.eu / jos.dumortier@timelex.eu