
Tag: compliance and regulatory

Adria Dental Group Investment


BDV (led by Ivan Dvojković and Marko Karlo Bohaček) advised Provectus Capital Partners, a leading regional private equity fund and majority stakeholder in Adria Dental Group, on yet another investment in the dental industry.

Adria Dental Group, the leading and fastest-growing dental network in Central and Southeast Europe, has continued its strategic investments in the dental market’s growth and development with the acquisition of Implant Centre Martinko, a renowned clinic with its headquarters in Zagreb, along with clinics in Trieste and Milan.

This is Adria Dental Group’s twelfth acquisition in the past three years, adding Italy to its existing operations in Croatia and Slovenia.

Congratulations to Adria Dental Group on maintaining its leadership position as the largest dental group in Croatia and the wider region. We were pleased to assist in the acquisition process and thank our client for its continued trust.

More information can be found at the following link: https://bit.ly/4gQmJdi

BDV advised IGeoPen d.o.o. in energy regulatory matters

BDV's energy team (led by partners Laurenz W. Vuchetich and Tomislav Sadrić, alongside senior associate Anamarija Javor) advised and represented IGeoPen d.o.o. in energy regulatory matters and in the process of successfully winning 5-year permits for the exploration of the geothermal water areas “Pčelić” and “Sječe”, based on a tender conducted by the Croatian Hydrocarbon Agency and the Ministry of Economy and Sustainable Development. The remaining permits were awarded to the largest Croatian oil company, INA Grupa – Industrija nafte d.d., and to Viola Energy Generation d.o.o.

More information can be found at the following link: https://lnkd.in/dAWq7U9R

Sunny Days conference 2023

The much-awaited international conference “Sunny Days 2023”, organized by Renewable Energy Sources of Croatia, was held last week in Bol on the island of Brač. The conference is dedicated to the use of solar energy and aims to identify ways to improve solar energy efficiency and strengthen project development through joint discussion and the exchange of expertise and experience. BDV partner Tomislav Sadrić moderated the panel discussion “ENERGY CHALLENGES IN THE INDUSTRY”, guiding the conversation with insightful questions focused primarily on Power Purchase Agreements (PPA) as a key tool in the development of renewable energy projects. Our partner Laurenz Vuchetich also participated in the conference. We thank the organizers and congratulate all the panelists on their excellent presentations. It was a pleasure to be part of such an impressive conference.

PowerUp Conference

Our partners Laurenz W. Vuchetich and Tomislav Sadrić participated in the PowerUp conference, organized by E.ON Hrvatska at the inspiring Museum of Contemporary Art in Zagreb. Key experts from the energy sector presented their views on solutions for a faster green transition in the Croatian energy market. The pressing challenges of transitioning to renewable energy sources were discussed, as well as possible solutions for better energy efficiency, greater independence and reduced CO2 emissions. We thank E.ON Hrvatska for the meticulous organization and the invitation. The E.ON Group is one of Europe’s largest operators of energy networks and energy infrastructure and a provider of innovative customer solutions for 50 million customers.

More information about the conference: https://lnkd.in/eJS3UYmF

RE-Source Croatia conference

The RESC association (Renewable Energy Sources of Croatia) held the RE-Source Croatia conference, the first in the region, on the topic of developing PPA contracts as the key tool for purchasing green energy directly from producers. The conference took place at the Sheraton Hotel in Zagreb and gathered 350 participants from Croatia, the region and EU countries. BDV partner Laurenz Vuchetich participated as a panelist, giving his views on the challenges of PPA contracts. PPA contracts, he emphasized, carry greater risks, and the legal protection of buyers and suppliers is something the European Commission will work on in the coming period so that these contracts also provide legal and financial security for everyone. Our partners Ivan Dvojković and Tomislav Sadrić and attorney at law Monika Rakitničan also participated in the conference. We are pleased to have had the opportunity to be part of such a significant event, which further affirmed PPAs and their role in the energy transition. We congratulate the organizers on an exceptional conference and all the panelists on their excellent presentations. More information about the conference can be found at the following link:

Partnership for Transatlantic Energy and Climate Cooperation (P-TECC)

For the next two days, the 4th meeting of the Partnership for Transatlantic Energy and Climate Cooperation (P-TECC) is taking place in Zagreb at the Westin Hotel, organized by the Atlantic Council Global Energy Center, the Croatian Ministry of Economy and the Croatian Ministry of Sustainable Development. BDV partners Laurenz W. Vuchetich and Tomislav Sadrić have been invited to participate in the meeting. CEOs and other high-level public and private industry leaders are discussing energy security, the energy transition and infrastructure projects. Further topics include enhancing solidarity among European countries amid the current energy crisis. P-TECC is a US Department of Energy-led multilateral initiative focused on the rapid decarbonization of Central and Eastern European economies, helping to strengthen energy security in the region, create business connections with US companies and foster cooperation. More information can be found at the following link:

First legaltech conference in Zagreb

We were happy to be inspired by all the interesting topics covered at the first legaltech conference in Zagreb. Congratulations to the organizer, Bug, and to all the speakers. Our law technology expert Ms. Marija Bošković Batarelo delivered a lecture on “Regulation of AI”.

Technology is definitely changing the legal landscape as well as clients’ expectations. New opportunities will arise as robots bring more and more attention to lawyers’ strengths and weaknesses.

BDV looks forward to the challenging but exciting times ahead.

AmCham Member Seminar: GDPR – Data Processing Agreements

On 23 May 2019, our privacy counsel Mrs. Marija Bošković Batarelo delivered a seminar on the topic “GDPR – Data Processing Agreements”. At the seminar, 25 participants representing member companies of the American Chamber of Commerce in Croatia learned more about determining the scope of personal data processed in the course of business cooperation, the key roles in personal data processing (Data Controller, Data Processor, Joint Controllers) and the key elements of Data Processing Agreements.

Bitkom Privacy Conference in Berlin

Last week our Privacy Counsel Marija Boskovic Batarelo participated in the Bitkom Privacy Conference in Berlin. The topics of discussion were GDPR compliance, artificial intelligence and the right to be forgotten. Important questions were raised regarding international transfers, the Privacy Shield and Brexit. It was interesting to hear the experiences of DPOs from the EU, the Data Protection Commissioner of Ireland and the US Department of Commerce.

PRIVACY AS A DEFAULT SETTING UNDER THE GDPR

By Marija Boskovic Batarelo, LL.M., Privacy Counsel, Batarelo Dvojkovic Vuchetich Law Firm

INTRODUCTION

The Privacy by Default principle is part of the Privacy by Design concept, a set of seven foundational principles developed back in the 1990s. Privacy by Design means taking all privacy features into account beforehand and promoting privacy not only as a matter of compliance with legislation and regulatory frameworks, but as the default mode of operation.[1] Over the last ten years Privacy by Design has been widely accepted around the world, and most recently it was introduced as part of the General Data Protection Regulation (EU Regulation 2016/679, hereinafter: GDPR) as data protection by design and by default.

REGULATION OF CODE

Since Directive 95/46/EC demonstrated that the law cannot keep pace with fast technological development and a global digital market, the GDPR introduced rules on data protection by design and by default as a way of regulating behaviour through code. Code, as the system of rules used in information and communication technologies (hereinafter: ICT) to process information, has no fixed architecture: it can change, either because it evolves on its own or because governments or businesses push it to evolve in a particular direction. By imposing an obligation to integrate privacy into ICT settings, code could equip the data subject (an identified or identifiable natural person) with more power than the law alone. It is up to national legislation to balance the privacy of the individual, public security and economic interests, and competition between stakeholders (consumers, businesses and governments) may develop: authors of code might write code that displaces law, while authors of law might respond with law that displaces code.[2]

DATA PROTECTION BY DEFAULT UNDER THE GDPR

Ensuring privacy through default settings seeks to foster data subjects’ rights and deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given ICT system. No action is required on the part of the individual to protect their privacy; it is built into the system by default.[3]

Article 25 paragraph 2 of the GDPR prescribes: “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

Such a general provision will generate a great deal of debate, and we can expect many discussions and interpretations until the GDPR becomes fully applicable and a certification mechanism for compliance with data protection by design and by default is in place. The obvious question after reading this provision is whether any data may be collected without consent at all, or whether data controllers themselves decide what level of personal data collection is necessary for each specific purpose of the processing. This question is particularly interesting for smartphones, where many applications collect various personal data and certain data (for example, location) are necessary for the application to function at all.
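The four dimensions named in Article 25(2) (amount of data collected, extent of processing, storage period, accessibility) and the good practice recommended in the concluding remarks below (core functionality without consent, everything else only after opt-in) can be expressed as an enforced setting rather than a policy document. The following Python is an added illustration, not code from the article or the firm; the purposes, field names, retention periods and the sample record are hypothetical assumptions for the example.

```python
"""Data protection by default as an enforced setting.

Added illustration; the purposes, fields and retention periods below are
hypothetical assumptions, not taken from any real application.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Purpose -> fields strictly necessary for it, bounded retention, lawful basis.
# Only purposes whose basis is not "consent" are active by default (opt-in, not opt-out).
PURPOSES = {
    "core":      {"fields": {"user_id", "email"},             "retention": timedelta(days=30),  "basis": "contract"},
    "analytics": {"fields": {"user_id", "coarse_location"},   "retention": timedelta(days=90),  "basis": "consent"},
    "marketing": {"fields": {"user_id", "email", "location"}, "retention": timedelta(days=365), "basis": "consent"},
}


@dataclass
class DataSubject:
    """Consent state for one natural person; empty by default."""
    consented: set = field(default_factory=set)

    def give_consent(self, purpose):
        # Consent only makes sense for purposes that rest on it; a contractual
        # purpose must not be "upgraded" by a consent dialog.
        if PURPOSES[purpose]["basis"] != "consent":
            raise ValueError(f"purpose '{purpose}' does not rest on consent")
        self.consented.add(purpose)

    def withdraw_consent(self, purpose):
        self.consented.discard(purpose)


def active_purposes(subject):
    """Purposes currently permitted: non-consent bases plus consents actually given."""
    return {p for p, spec in PURPOSES.items()
            if spec["basis"] != "consent" or p in subject.consented}


def collectable_fields(subject):
    """Union of fields the system may collect at all given current consents (amount of data).
    Anything outside this set should not be asked for or stored in the first place."""
    return set().union(*(PURPOSES[p]["fields"] for p in active_purposes(subject)))


def minimise(record, subject, purpose):
    """Return only the fields necessary for `purpose` (extent of processing),
    refusing outright if the purpose is not active for this subject."""
    if purpose not in active_purposes(subject):
        raise PermissionError(f"purpose '{purpose}' requires consent that was not given")
    allowed = PURPOSES[purpose]["fields"]
    return {k: v for k, v in record.items() if k in allowed}


def is_expired(stored_at, purpose, now=None):
    """Retention is bounded per purpose (storage period); expired data must be
    deleted or anonymised by a scheduled job rather than kept indefinitely."""
    now = now or datetime.now(timezone.utc)
    return now - stored_at > PURPOSES[purpose]["retention"]


if __name__ == "__main__":
    # Constructed sample record: more than the sign-up form should ever have asked for.
    raw = {"user_id": 42, "email": "a@example.com", "location": "45.81,15.98",
           "coarse_location": "Zagreb", "device_contacts": ["..."]}
    alice = DataSubject()
    print(sorted(collectable_fields(alice)))   # only core fields before any consent
    print(minimise(raw, alice, "core"))
    alice.give_consent("analytics")
    print(minimise(raw, alice, "analytics"))   # widened only as far as the consented purpose
```

The point of the structure is that the default state of a fresh `DataSubject` is the most restrictive one, and every widening is traceable to a consent the subject gave and can withdraw; an access check (`minimise`) fails closed rather than falling back to "collect everything".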

CONCLUDING REMARKS

Data protection by default places a significant liability burden on developers of ICT platforms and applications. According to this principle, all ICT should be developed and implemented with mechanisms that ensure data protection by default, and the minimum necessary for each collection purpose should be precisely defined. The technology should provide an opportunity for explicit consent, and the data subject must choose to share certain data. The law sets the limitations and grounds for processing, and contracts should define the precise scope of the default settings. However, at this point there are no clear guidelines prescribed by law, and many ICT solutions have terms and conditions that are quite general.

What can be recommended as good practice is that ICT should be built so that its initial settings allow only a minimum of personal data collection, a minimum storage period and a defined circle of personnel authorised to access the data. Only upon the consent of the data subject would those settings be changed to allow a wider scope of processing. This would mean, for example, that the data controller initially performs only such processing as is necessary for the core functionality of an application or service. Processing that is prescribed by law, pursues a legitimate interest, or is necessary for the vital interests of the data subject or for the public interest could also be justified from the outset, whereas for all processing outside that limited scope the controller would need additional consent, and that consent would then change the default settings.

[1] https://www.ipc.on.ca/wp-content/uploads/2013/09/pbd-primer.pdf
[2] Lawrence Lessig, “The Law of the Horse: What Cyberlaw Might Teach”, Research Publication No. 1999-05, 12/1999, p. 532.
[3] A. Cavoukian, Ph.D., Comments on the European Commission’s Comprehensive Approach on Personal Data Protection in the EU – Public Authority, 13 January 2011, p. 2.
 

The importance of cybersecurity in M&A

With the IT developments of recent years, most companies store their data in electronic form. This brings many benefits, namely more productive business conduct and reduced costs, but it also leaves data more exposed to cyberattacks. Cyberattacks have become more and more common, and their true number is unknown because many are difficult to detect. Awareness of them must find its place in the due diligence process so that they are given appropriate weight in deal negotiations.

Cyberattacks in M&A deals

Cyberattacks made headlines in 2013 when Neiman Marcus, a department store chain, suffered a cyberattack in which malware was injected into its customer payment-processing system, compromising the data of about 350,000 customer payment cards. The company was unaware of the malware for a period during which it was in the process of being acquired by another group; during that period neither Neiman Marcus nor its acquirers knew that the data had been compromised. Shortly after the acquisition was completed, fraudulent uses of payment cards were discovered, which subsequently resulted in large class-action claims against Neiman Marcus. It was not the only such incident (Yahoo is another example), but the Neiman Marcus attack illustrates the growing need to assess a target company’s cyber vulnerabilities and the potential repercussions of incidents, not just to protect the target but to protect the acquirer itself. Cybersecurity due diligence must become an integral part of M&A and, to be done properly, must begin at the earliest practicable point in the transaction.

Cybersecurity due diligence

The scope of this area of due diligence will differ from case to case. Nevertheless, certain guidelines should be followed so that cybersecurity due diligence is carried out as thoroughly as possible. Doing so gives the acquirer an approximation of the actual condition of the target company’s digital assets: it reveals the cyber vulnerabilities of those assets, whether the target has adequately safeguarded and monitored control of them, and any record of cyber incidents that may have compromised them, putting the acquirer in a position to fully protect its interests.

1. Initial assessment

The acquirers should firstly assess which data is important for the business of the target company and how the company processes them.

2. Internal protection

The target company should have internal rules and regulations on how to protect its digital assets. Acquirers should assess (i) whether such internal rules and regulations are appropriate and (ii) whether the target company has effectively implemented them (do they regularly train their employees? Are security measures actually implemented? Are they aware of any non-compliance?). It is also very important to assess whether the target company is properly prepared to identify cyberattacks and to respond within the relevant timeframes.

3. External regulations

When applicable, acquirers should assess the target company’s compliance with any external regulations governing cybersecurity issues.

4. Assessment of third-party relationships

Acquirers should investigate all relevant or material third-party relationships of the target company and assess whether the agreements with vendors, suppliers and contractors contain appropriate contractual protection ensuring that the third party handles the target company’s data properly and has appropriate IT security systems in place. Third-party contracts should also provide for contractual notification obligations and emergency response mechanisms, as well as audit rights allowing the target company to verify compliance with the foregoing.

5. Assessment of past security breaches

Most importantly, acquirers should confirm with the target company whether there have been any past security breaches and, if so, assess their scope and impact. In this regard, they should specifically assess:
  • what data the attackers might have gained access to (did they read files, change permissions, make copies of customer lists?);
  • what data the attackers might have viewed and exfiltrated copies of;
  • what data the attackers might have changed: did they modify data contained in certain files and, if so, what changes did they make?;
  • what defences of the target the attackers forced the target’s system to reveal (not knowing what the attackers have learned may leave a target far more vulnerable to future cyberattacks than the target, or an acquirer, realises);
  • whether the attackers gained entry by breaching a layer of the target’s system that did not have the same defences as other layers. Some layers of a target’s computer network may have fewer or different protections than others, and attackers can breach a system through a layer that lacks the protections present at a higher or lower layer.

Finally, to protect the acquirer, cybersecurity risks should ultimately be dealt with in the final and binding transaction documents. Acquirers should consider requesting representations and warranties, including on the absence of current and past security incidents, the implementation of appropriate internal rules and regulations and compliance with them, compliance with applicable data protection and data/IT security laws, and the absence of disputes and investigations relating to cybersecurity and data breaches. Additionally, they should request indemnities for specific identified risks, such as pending litigation, or for risks of a general nature where acquirers expect issues are likely to arise in the future, as is done for pre-closing taxes or, in some jurisdictions, environmental matters (concerning leaks that occurred prior to closing).

Cybersecurity Draft Act

In order to achieve a high level of cybersecurity and protect service providers, the Croatian Cybersecurity Draft Act requires operators of key services (such as banking, the rail transport sector and air traffic) and digital service providers (such as online marketplaces, online search engines and cloud services) to take technical and organisational measures for risk management, measures to prevent and mitigate the effects of incidents on the security of network and information systems, and measures for determining the risk of incidents and for the prevention, detection and resolution of incidents and mitigation of their impact. The providers must also notify the competent bodies of any such cybersecurity incident. Implementing these measures should reduce cybersecurity risks and also serve as a source of information for the acquirer when a company has been the target of a cyberattack.