Published on April 23, 2014
Open Forum HEARTBLEED
Thursday, 22nd of April 2014
Brussels, 22 April 2014
Agenda
1. 18:30 Welcome
2. 18:45 Heartbleed business issues
3. 19:30 Break
4. 19:50 Heartbleed legal issues
5. 20:30 Close
HEARTBLEED – IMPACT ON YOUR BUSINESS
MARC VAEL & JOHAN VANDENDRIESSCHE
Heartbleed – what is it?
• Heartbleed
  • Security issue in OpenSSL
  • Business impact
  • Legal impact
• Legal issues
  • Contractual issues
  • Liability?
HEARTBLEED LEGAL ISSUES
Data Protection
• Limitations in relation to the processing of personal data
• Very broad legal interpretation of the concept of personal data
  • Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
  • Encrypted data is still personal data
• Processing: “any operation or set of operations which is performed upon personal data […]”
Data Protection
• The data processing must comply with specific principles
  • Proportionality
  • Purpose limitation
  • Limited in time
  • (Individual and collective) Transparency
  • Data quality
  • Data security
Data Protection
• Security obligation
  • General obligation
  • Specific obligations
  • Obligations in relation to the use of data processors
• The Belgian Data Protection Commission has issued a list of security measures that can be implemented
Data Protection
• General obligation to implement security measures
  • Technical measures
    • User access management
    • IT security (anti-virus, firewall, …)
    • Fire prevention measures
  • Organizational measures
    • Data categorization (confidentiality level)
    • Employee policies
Data Protection
• General obligation to implement security measures
  • Both types of measures are interchangeable
  • Protection against any unauthorized processing
  • Adequate level of protection taking into account:
    • Available technology and costs;
    • Nature of the personal data concerned and the potential risks
Data Protection
• Specific security obligations
  • Obligation to ensure data quality
  • Need-to-know access restriction
    • Access must be limited to those persons who need access
    • Access must be limited to the personal data they need
Data Protection
• Specific security obligations
  • Information obligation
    • Provide employees who process personal data with information on data protection legislation
    • The information obligation is stricter if more sensitive data is processed (limited training)
  • Ensure that software used for the data processing limits processing to what has been notified
Data Protection
• Breach of the security obligations?
  • Adequate protection?
    • Security is not an absolute obligation
  • Remedial action?
• Data breach notification
  • Not applicable under the current Belgian Data Protection Act
  • Mitigation strategy (part of the remedial action)
  • Future obligation (draft regulations)
Communications
• Electronic communications
  • Data breach notification
  • Privacy by design?
• BIPT notice on 11 April: “If this vulnerability were to affect the security of the networks and the electronic communications services, the BIPT will carry out a more thorough analysis in cooperation with the operators concerned.”
Communications
• Security obligation
  • Highest possible level of protection
    • Available technology
    • Costs
  • Appears to be stricter than data protection law
  • Who: providers of communications services, software developers (communication software) and network operators
Communications
• Data breach notification
  • Network operators
    • Inform the Belgian Institute for Postal Services and Telecommunications (BIPT – IBPT) and the subscribers about particular risks in relation to the security of their network (“risk analysis” - “prior information”)
    • Take all necessary measures to inform relevant authorities, network operators and subscribers as soon as possible about any violation of the integrity of their network (“procedures” - “data security breach notification”)
HEARTBLEED CONTRACTUAL ISSUES
Confidentiality obligations
• Confidentiality = standard practice
  • NDA
  • Confidentiality clause in an agreement
• Scope of obligations
  • Non-disclosure
  • Access restrictions
  • Restrictions of use (purpose bound)
  • Data breach notification (actual and/or suspected breach)?
• Review scope to assess impact
Confidentiality obligations
• Example clause
“The Receiving Party agrees:
• to keep all Confidential Information secret and confidential; and
• not to disclose the Confidential Information to any person, other than the Authorized Recipients, without prior written consent of the Disclosing Party; and
• not to use the Confidential Information for any purpose other than for the Purpose; and
• to implement all the technical and organizational security practices that are necessary to protect the Confidential Information against any unauthorised copying, use, disclosure, access and damage or erasure; and
• to notify the Disclosing Party immediately if it suspects or becomes aware of any unauthorised copying, use, disclosure, access and damage or erasure.”
Security obligations
• Security obligations
  • Obligation included in the data processing clause
  • Specific obligations for specific services
• Impact depends on the wording of the clause (scope, required level of security, data breach notification obligations)
Security obligations
• Examples of obligations:
“take appropriate technical and organisational measures against any unauthorised or unlawful processing, and to evaluate at regular intervals the adequacy of such security measures, amending these measures where necessary; to the extent such technical and organisational measures have not been established by this Agreement, the Contractor will maintain safeguards no less rigorous than those maintained by the Contractor for its own similar Personal Data. The Client shall have the right to request a written description of the security measures.
ensure that access, inspection, processing and provision of the Personal Data shall take place only in accordance with the need-to-know principle, i.e. information shall be provided only to those persons who require the Personal Data for their work in relation to the performance of the Services;”
Warranties
• B2B warranty
  • Purely contractual arrangement
  • General or related to deliverables
• Contract
  • Duration
  • Scope
  • Remedies
  • Covered by maintenance & support?
  • Patent and latent defects
  • Third-Party IP exclusion?
Warranties
• Compliance of the deliverable with agreed specifications and functionalities
“The Supplier warrants that the Deliverables shall comply with the specifications and functionalities described in Annex 1.”
“The Supplier warrants that the Deliverables shall substantially comply with the specifications and functionalities described in Annex 1.”
Warranties
• Absence of harmful code
“any software used by the Supplier or provided to the Client under this Agreement is free from viruses, Trojans, worms and similar rogue programs or malicious code (whatever its nature) and the Contractor has used the latest (at the time of delivery) available detection software, prior to supply to the Client or use of the software;”
“any Software Deliverable shall be free from viruses, Trojan horses, worms and similar malicious code, nor contain any backdoor, blocking mechanism (other than an intended functionality of the software) or timebomb, nor any undocumented functionality;”
Warranties
• Heartbleed: warranty issue?
  • Carefully review the wording and scope of the warranty
• Consequences?
  • Review the duration of the warranty period and the remedies
  • Usually a duty to repair free of charge within a reasonable period of time or in accordance with an agreed service level
  • Additional liability?
  • ‘Sole remedy’ wording?
LIABILITY ISSUES
Liability issues
• Liability
  • Nature of (contractual) obligations
  • Negligent act or omission
    • Standard of care: a reasonably diligent and careful person placed under the same circumstances
  • Damage
  • Causality
• Implementation of the OpenSSL solution?
• Lack of action following discovery of the Heartbleed bug
Contact details
Johan Vandendriessche, Partner, crosslaw CVBA
Mobile Phone: +32 486 36 62 34
E-mail: email@example.com
Website: www.crosslaw.be

Marc Vael, International Vice President, ISACA
Mobile Phone: +32 473 99 30 31
E-mail: firstname.lastname@example.org
Website: www.isaca.org
ISACA BELGIUM
Tonight, an ISACA Belgium Chapter meeting was organised within the context of the Open Privacy Forum.