TODAY’S GENERAL COUNSEL FALL 2018
Cybersecurity
STEP 1 ASSESSMENT OF RISKS

First, an immediate analysis must be made of the risks. This assessment must address the following points:

• What type of data is involved? What are the risks for individuals (e.g., reputation, physical safety, financial loss, and so forth)?
• Who may be affected by the breach? Staff, customers or clients, suppliers?
• How many individuals are likely to be affected by the breach?
• How did the breach occur? Did it occur when data was being processed by a data processor?

This step is critical. It will allow the company to understand what happened to the data and thereby to ensure compliance, including any need to inform the relevant data protection authority and/or data subjects of the breach.

STEP 2 CONTAINING AND MITIGATING DAMAGE

At this stage, immediate consideration should be given to how to contain matters and limit damage — for example, isolating or closing a compromised section of the network, or replacing lost data from a backup. This step requires significant involvement by the company’s IT and legal departments to define the appropriate technical measures to be taken.

STEP 3 NOTIFYING THE DATA PROTECTION AUTHORITY WHEN REQUIRED

In case of a personal data breach, the company may have to notify the relevant local authority. Local regulations may specify a deadline for this notification. The GDPR provides that, subject to very limited exceptions, this notification must be made within 72 hours after having become aware of the breach. In China, and in Argentina’s proposed bill, companies must report a breach to the competent government authority “in a timely manner.” To meet this obligation, it is important to put in place a protocol allowing companies to detect and trace any breach of the systems within their organization containing personal data.

The content of this notification also depends on local laws. For example, the GDPR provides that the notification must include the nature of the personal data breach, the categories of personal data concerned and the measures that the company has taken or proposes to take. The GDPR and the proposed Argentine bill also provide that companies must document and keep a record of all personal data breaches.

STEP 4 NOTIFYING INDIVIDUALS AFFECTED

Depending on local regulations, companies may have to give notice of a data breach to the data subjects affected. In the United States, for example, companies must report the breach to the impacted individual(s), depending on the level of risk posed to the person’s rights. The GDPR and the proposed Argentine bill stipulate that this notice to data subjects must be made in clear and simple language. The Argentine bill states that such notice must be given at the same time as notice to the authorities, while the GDPR provides that the notice to data subjects must be given “as soon as possible.” The GDPR provides that this notice is not required if any of the following conditions are met:

• The company implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach — in particular, measures such as encryption that render the personal data unintelligible to any person who is not authorized to access it.
• The company has taken subsequent measures to ensure that the risks are no longer likely to materialize.
• It would involve disproportionate effort for the company; instead, there needs to be a public notice or similar measure whereby data subjects are informed in an equally effective manner.

In France, failure to comply with data protection rules is a criminal offence.

STEP 5 AVOIDING DATA PROTECTION BREACHES

To avoid data protection breaches, companies should implement appropriate policies or update them as needed. For example, data protection policies should be implemented so that anyone involved in the processing of personal data is aware of the applicable rules, as well as the measures to be taken in the event of a data breach. These policies should be communicated to employees, who should also receive special training to further reduce the company’s risk of a data breach.

In the United States, data protection has typically received much less attention than in the EU or elsewhere in the industrialized world. However, a slew of recent high-profile data privacy cases and incidents has resulted in lawmakers taking a much closer look at data privacy law and the data protection mechanisms that companies have in place today. Whether this will lead to comprehensive national data privacy reform legislation remains to be seen. ■
Guillaume Bordier is a partner at the French law firm Capstan Avocats and a member of Ius Laboris, the global HR and employment law firm alliance. The author would like to acknowledge the contributions from Ius Laboris member firms for providing valuable national input to the article, including Eduardo Juan Viñales of Argentinian law firm Funes de Rioja, Bo Zhou of Chinese law firm Fangda Partners, and Jeremy Corapi of United States law firm FordHarrison. gbordier@capstan.fr