Privacy (and other) issues concerning datalogging

Published on February 21, 2014

Author: Johan_Vdd

Source: slideshare.net

Description

ISACA Belgium Privacy Open Forum - Privacy issues with IT logs
PRIVACY Open Forum, Thursday, 20th of February 2014

Agenda
1. 18:30 Welcome
2. 18:45 Datalogging – Privacy Issues
3. 19:30 Break
4. 19:50 Datalogging – Other Issues
5. 20:30 Close
Leuven, 20 February 2014

DATALOGGING: PRIVACY (AND OTHER) ISSUES
Johan Vandendriessche

Datalogging
• Logfile or log
  • Record of events
• Types of logs
  • Event logs
  • Transaction logs
  • Communication logs (IM logs)
• Scope and purpose can vary
  • Quality control (bug fixing)
  • Evidence for business transactions
  • Marketing (website traffic log)

Datalogging
• Legal obligations
  • Obligation to keep a specific log
    • Pharmacists (pharmaceutical drugs)
    • Employee file
  • Obligations to store a specific log
• Focus today: various IT logs
  • Keeping logs
  • (Re-)using logs

High level legal framework
• Act of 8 December 1992: processing of personal data
• Act of 13 June 2005: electronic communication
• CBA n° 81 concerning workfloor cameras
• Workfloor privacy
• Cybercrime

CREATING AN IT LOG

Data Protection
• Limitations in relation to the processing of personal data
• Very broad legal interpretation of the concept of personal data
  • Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
  • Logs may contain personal data
• Processing: “any operation or set of operations which is performed upon personal data […]”

Data Protection
• The data processing must comply with specific principles:
  • Proportionality
  • Purpose limitation
  • Limited in time
  • Transparency (individual and collective)
  • Data quality
  • Data security

Data Protection
• Security obligation
  • General obligation
  • Specific obligations
  • Obligations in relation to the use of data processors
• The Belgian Data Protection Commission has issued a list of security measures that can be implemented

Data Protection
• General obligation to implement security measures
  • Technical measures
    • User access management
    • IT security (anti-virus, firewall, …)
    • Fire prevention measures
  • Organizational measures
    • Data categorization (confidentiality level)
    • Employee policies

Data Protection
• General obligation to implement security measures
  • Both types of measures are interchangeable
  • Protection against any unauthorized processing
  • Adequate level of protection, taking into account:
    • Available technology and costs;
    • Nature of the personal data concerned and the potential risks

Data Protection
• Specific security obligations
  • Obligation to ensure data quality
  • Need-to-know access restriction
    • Access must be limited to those persons that need access
    • Access must be limited to the personal data they need

Data Protection
• Specific security obligations
  • Information obligation
    • Provide employees that process personal data with information on data protection legislation
    • The information obligation is stricter if more sensitive data is processed (limited training)
  • Ensure that the software used for the data processing limits processing to what has been notified
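The slides above state three obligations that bear directly on how a log is exposed: personal data in a log must be retained only for a limited time, access must be restricted to the persons that need it, and those persons must see only the personal data they need. The following Python is an added illustration written for this page, not code from the presentation or from crosslaw; it assumes a hypothetical application log with constructed records, a hypothetical role table (`ROLE_POLICY`) and a constructed pseudonymisation key. It shows a log access layer that drops records beyond retention, returns only the fields a role needs, and pseudonymises fields a role may correlate on but need not see in clear.

```python
"""Need-to-know view on an IT log that contains personal data (added example)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample log: an application event log with two personal-data
# fields ("user" and "ip"). Values are illustrative only.
SAMPLE_LOG = [
    {"ts": "2014-02-19T09:15:02Z", "user": "alice@example.com",
     "ip": "192.0.2.10", "event": "login", "status": "ok"},
    {"ts": "2014-02-19T09:16:40Z", "user": "bob@example.com",
     "ip": "192.0.2.22", "event": "export", "status": "denied"},
    {"ts": "2013-11-01T08:00:00Z", "user": "carol@example.com",
     "ip": "192.0.2.33", "event": "login", "status": "ok"},
]

# Hypothetical role table (an assumption of this example): for each role,
# which fields it may see in clear and which only in pseudonymised form.
# Anything not listed is withheld, so the default is deny.
ROLE_POLICY = {
    # bug fixing: needs a stable per-user token to follow one session, not the identity
    "developer": {"clear": {"ts", "event", "status"}, "pseudonymised": {"user"}},
    # incident handling: needs the identity and the source address
    "security":  {"clear": {"ts", "event", "status", "user", "ip"}, "pseudonymised": set()},
    # statistics only: no personal data at all
    "marketing": {"clear": {"ts", "event"}, "pseudonymised": set()},
}

# Constructed key; in a real deployment it lives in a key store, not in code.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Constructed reference time used when evaluating retention.
NOW = datetime(2014, 2, 21, tzinfo=timezone.utc)


def pseudonymise(value: str) -> str:
    """Keyed hash: the same person always maps to the same token, but the token
    cannot be turned back into the identity without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def view_log(role: str, records: list, retention_days: int, now: datetime = NOW) -> list:
    """Return the records `role` is allowed to see, reduced to the fields it needs.

    Records older than the retention period are skipped (they should already
    have been deleted; skipping them keeps a stale copy from leaking).
    """
    policy = ROLE_POLICY.get(role)
    if policy is None:
        raise PermissionError(f"no log access defined for role {role!r}")
    cutoff = now - timedelta(days=retention_days)
    result = []
    for rec in records:
        if parse_ts(rec["ts"]) < cutoff:
            continue
        view = {}
        for field, value in rec.items():
            if field in policy["clear"]:
                view[field] = value
            elif field in policy["pseudonymised"]:
                view[field] = pseudonymise(value)
            # other fields are silently withheld
        result.append(view)
    return result


if __name__ == "__main__":
    for role in ROLE_POLICY:
        print(role, view_log(role, SAMPLE_LOG, retention_days=90))
```

The retention check and the field filter are deliberately in one function, so that every path to the log data passes through both; the policy table is data, which makes it easy to show an auditor which role sees which personal data.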

Logging as a security measure
• Logging as a security measure
  • Purpose of its own?
  • Linked to the purpose it aims to secure?
• Scope of logging
  • Nature of the data processing
  • The data controller must be able to justify its choices

Logging for marketing purposes
• Logging = processing for a specific purpose
• Re-use of existing logs for marketing purposes
  • Compatible purpose?
  • Secondary processing for statistical purposes (big data?)

ACCESSING AN IT LOG

Accessing an IT log
• Access to an IT log
  • Access authority
    • Company policies
    • Roles & responsibilities
  • Workfloor privacy restrictions
  • Communications law restrictions
• Use of an IT log
  • Probatory value of an IT log

Cybercrime
• Criminal acts posing a threat to the confidentiality, integrity and availability of IT systems and data
  • Hacking
  • Computer sabotage
  • Computer fraud & computer forgery
• Investigation powers
  • Cooperation duty of IT experts

Cybercrime
• Hacking
  • “the unauthorized intrusion in or maintenance of access to an IT system” (article 550bis Criminal Code)
  • Internal hacking
    • Person with access rights who exceeds such rights
    • With a fraudulent purpose or with the purpose to cause damage
  • External hacking
    • Person without access rights
    • Knowingly
  • There is no requirement of a breach of security measures

Cybercrime
• Hacking
  • Sanctions (also applicable in case of an attempt to hack)
    • Internal hacking
      • Fines: 26 to 25.000 EUR (x6); and/or
      • Prison sentence: 3 months up to 1 year (doubled in case of intent to fraud)
    • External hacking
      • Fines: 26 to 25.000 EUR (x6); and/or
      • Prison sentence: 6 months up to 2 years

Cybercrime
• Hacking
  • Criminal sanctions are increased in case of:
    • Copying any data on the IT system
    • Use of the IT system, or use thereof to hack another IT system
    • Damage to the IT system or its data, or to any third-party IT system or data

Cybercrime
• Computer sabotage
  • “the direct or indirect insertion, modification or erasure of information in an IT system or any other change to the normal use of information in an IT system” (article 550ter Criminal Code)
  • Virus, worm, or any other malicious code
  • Unauthorized time-locks or other blocking mechanisms
  • Developing, distributing or commercializing malicious code or tools to commit computer sabotage is a criminal offence

Cybercrime
• Computer sabotage
  • Sanction (also applicable in case of attempted sabotage):
    • Fine: 26 to 25.000 EUR (x6); and/or
    • Prison sentence: 6 months up to 3 years (increased in case of fraudulent intent or intention to cause damage)
  • Criminal sanctions are increased in case of:
    • Causing damage to data in any IT system as a result of computer sabotage
    • Interfering with the proper functioning of any IT system as a result of computer sabotage
  • Sanctions are doubled in some cases of cybercrime recidivism

Cybercrime
• Computer fraud
  • “the insertion, modification or erasure of information in an IT system or any other change to the normal use of information in an IT system in view of obtaining an illegitimate economic advantage for oneself or for others” (article 504quater Criminal Code)
  • Economic advantage: any material or immaterial good (e.g. money, intellectual property rights, titles to real estate, …)

Cybercrime
• Computer fraud
  • Sanction
    • Fine: 26 to 100.000 EUR (x6); and/or
    • Prison sentence: 6 months up to 5 years
  • Attempted computer fraud is punished with lower criminal sanctions
  • Sanctions are doubled in some cases of cybercrime recidivism

Cybercrime
• Computer forgery
  • “the insertion, modification or erasure of information in an IT system or any other change to the normal use of information in an IT system in view of changing the legal effect of that information” (article 210bis Criminal Code)
  • Sanction
    • Fine: 26 to 100.000 EUR (x6); and/or
    • Prison sentence: 6 months up to 5 years

Cybercrime
• Computer forgery
  • Knowingly using such forged data is also a criminal offence
  • Attempted computer forgery is punished with lower criminal sanctions
  • Sanctions are doubled in some cases of cybercrime recidivism

Electronic communications
• Electronic communication is protected
  • Interception of electronic communication
    • Art. 314bis of the Criminal Code
  • Access to electronic communication
    • Art. 124-125 of the Act of 13 June 2005
  • Specific rules for telcos and call centres
• Specific problem for the investigation of e-mail and IM logfiles

Electronic communications
• Article 314bis of the Criminal Code
  • Interception of communication
  • Unlikely to apply in case of auditing or consulting logfiles
• Article 124 of the Act of 13 June 2005
  • General prohibition to:
    • Consult any electronic communication
    • Identify the participants to such electronic communication
    • Process such electronic communication in any manner
  • unless consent is obtained from all participants

Electronic communications
• Article 125 of the Act of 13 June 2005
  • Specific exceptions exist (only the business-relevant exceptions are mentioned):
    • If allowed or imposed by law
    • With the sole purpose of ensuring the proper functioning of the network or the proper performance of the communication service
    • For offering a service that consists of preventing the receipt of unsolicited electronic communication, provided consent has been obtained from the recipient
  • No distinction is made between private and professional communication!

Electronic communication
• Article 128 of the Act of 13 June 2005
  • Communication logs as evidence
    • Legal business transactions
    • Evidence of a commercial transaction or other business communication
  • Conditions
    • Prior information on the registration, its purposes and the duration of registration

Electronic communication
• Monitoring of any form of electronic communication
  • Use of e-mail
  • Use of the Internet
• CBA No. 81 allows a limited degree of monitoring
  • Surveillance is possible for limited purposes:
    • The prevention of illegal acts, slander and violation of decency
    • The protection of the economic, trade and financial interests of the company
    • The protection of the security and proper functioning of the company’s IT system
    • Compliance with company policies in relation to online technologies

Electronic communication
• CBA No. 81
  • Procedural requirements
    • Collective information
    • Individual information
  • Sanctions?
    • Prior hearing
    • Link with the work regulations

Logs as evidence
• Admissible
  • Type of evidence (‘matters of fact’ vs ‘legal acts’)
• Lawful
  • Illegal evidence
  • Illegally obtained evidence
• Probatory value (‘credibility’)
  • Weight carried by the submitted evidence
  • Influenced by the reliability
    • Gathering process of digital evidence
    • Inherent reliability (?)
  • Derogation by agreement?

Logs as evidence
• “Antigoon” case law
  • Illegally obtained evidence
  • Evidence is no longer automatically discarded
  • Evidence is retained, except where:
    • Nullity is a legally imposed sanction
    • The trial would be unfair
    • The reliability is affected
  • Small note: “Antigoon” case law is relatively new and still evolving

Logs as evidence
• Problems with electronic evidence
  • Rules of evidence strongly favour “paper evidence”
  • Courts may be reluctant in the face of new technologies
  • Case law usually dismisses electronic evidence at the slightest indication of a possibility of fraud or tampered evidence

Logs as evidence
• General rules
  • Ensure the accountability and integrity of any electronic evidence at all times
  • Implement procedures and policies, and provide evidence that these policies are regularly verified or audited

Logs as evidence
• Practical approach in Belgium
  • If feasible, define the probatory value of logs by agreement
  • Ensure that the evidence collection is organized in a manner guaranteeing evidence integrity
  • Ensure that the evidence is stored in a secure manner
  • Court proceedings may include a court expertise
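The last two slides ask for log integrity that can be demonstrated at all times, because a court may dismiss an electronic record at the slightest indication that it could have been tampered with. One technical way to support that claim is a keyed hash chain over the log: each record's tag is computed over the previous tag and the record itself, so editing, removing or inserting a record breaks every later tag. The Python below is an added example for this page, not code from the presentation or from crosslaw; the sealing key, the sample events and the scenario names are constructed assumptions. It also handles the one case a plain chain does not catch, silent truncation of the newest records, by checking the latest tag against an anchor recorded elsewhere.

```python
"""Tamper-evident log chain for evidence integrity (added example)."""
import copy
import hashlib
import hmac
import json

# Constructed sealing key. In practice it is held by a separate system (key
# store or HSM), so that whoever can write the log cannot also re-seal it.
SEAL_KEY = b"constructed-demo-seal-key"
GENESIS = b"\x00" * 32  # tag "before" the first record

# Constructed sample events; values are illustrative only.
SAMPLE_EVENTS = [
    {"ts": "2014-02-19T09:15:02Z", "user": "alice@example.com", "event": "login", "status": "ok"},
    {"ts": "2014-02-19T09:16:40Z", "user": "bob@example.com", "event": "export", "status": "denied"},
    {"ts": "2014-02-19T09:17:05Z", "user": "bob@example.com", "event": "export", "status": "ok"},
]


def canonical(entry: dict) -> bytes:
    """Stable serialisation, so the same record always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def seal_log(entries: list, key: bytes = SEAL_KEY) -> list:
    """Return [(entry, tag_hex), ...] where each tag = HMAC(key, prev_tag || entry)."""
    sealed, prev = [], GENESIS
    for entry in entries:
        tag = hmac.new(key, prev + canonical(entry), hashlib.sha256).digest()
        sealed.append((entry, tag.hex()))
        prev = tag
    return sealed


def verify_log(sealed: list, key: bytes = SEAL_KEY) -> tuple:
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, (entry, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + canonical(entry), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return False, i
        prev = expected
    return True, None


def verify_anchor(sealed: list, anchor_hex: str) -> bool:
    """Check the newest tag against a copy stored out of band (detects truncation)."""
    return bool(sealed) and hmac.compare_digest(sealed[-1][1], anchor_hex)


def demo_scenarios() -> dict:
    """Seal the sample log, then apply each kind of tampering and record what the checks return."""
    sealed = seal_log(SAMPLE_EVENTS)
    anchor = sealed[-1][1]  # would be written to a separate, append-only store
    results = {"intact": verify_log(sealed)}

    edited = copy.deepcopy(sealed)          # change one field of record 1
    edited[1][0]["status"] = "ok"
    results["edited"] = verify_log(edited)

    removed = sealed[:1] + sealed[2:]       # drop record 1 from the middle
    results["removed"] = verify_log(removed)

    forged = sealed + [({"ts": "2014-02-19T09:18:00Z", "user": "mallory@example.com",
                         "event": "login", "status": "ok"}, "00" * 32)]
    results["forged"] = verify_log(forged)  # appended without the key

    truncated = sealed[:-1]                 # newest record silently dropped
    results["truncated"] = (verify_log(truncated), verify_anchor(truncated, anchor))

    results["wrong_key"] = verify_log(sealed, key=b"not-the-key")
    return results


if __name__ == "__main__":
    for name, outcome in demo_scenarios().items():
        print(f"{name:10s} {outcome}")
```

The chain proves nothing about how the records were collected, which is why the slides pair it with documented procedures: the tags show that what is presented is what was sealed, and the procedures and their audits show that the sealing happened at collection time under controlled conditions.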

Contact details
Johan Vandendriessche
Partner, crosslaw CVBA
Mobile phone: +32 486 36 62 34
E-mail: j.vandendriessche@crosslaw.be
Website: www.crosslaw.be

ISACA BELGIUM
