CMG Events 2016 Data Security under the Regulation and Beyond 29 September 2016 John Magee William Fry.

Presentation transcript:

1 CMG Events 2016 Data Security under the Regulation and Beyond 29 September 2016 John Magee William Fry

2 The Threat Landscape

3 Session Agenda Data Security Obligations Under the GDPR Security Obligations Under Other Laws Security Incident Response Plans Managing Cyber Threats

4 It Will Never Happen…

5 Data Protection Commissioner Annual Report 2015

6 Data Protection Commissioner Annual Report Case Study: Theft of Unencrypted Laptop
- Security standards need to be periodically reviewed
- What may have been an acceptable standard five years ago may not be acceptable now
- Don't forget the little things: human error is the biggest cause of breaches

7 The Regulatory & Legal Landscape
Victim:
- Data Protection
- Contracts
- Duty of Care
- PCI DSS
- ISO 27001
- Fiduciary Obligations
- Sector Regulation (e.g. CBOI)
- Network and Information Security Directive
Suspect:
- The Budapest Convention
- Criminal Damage Act 1991
- Criminal Justice (Theft and Fraud Offences) Act 2001
- Criminal Justice Act 2011
- Criminal Justice (Offences Relating to Information Systems) Bill 2016

8 EU General Data Protection Regulation
- Implementation date: 25 May 2018
- Sanctions: 2% - 4% of annual global turnover (or €10m - €20m)
- Damages for material and non-material damage
Key Data Security Provisions:
- Changes to data security standards
- Breach notification: 72 hours
- Information notice: security measures and underlying logic in data processing

9 GDPR: Data Security Obligations
Security Standards (same):
- State of the art
- Costs of implementation
- Nature, scope, context and purposes of processing
Additional Factors (similar):
- Ensure confidentiality, integrity, availability & resilience
- Ability to restore availability & access (disaster recovery)
- Test, assess & evaluate (regularly)
Pseudonymisation (new):
- Data not attributable to a specific person without use of additional information (key)
- Key to be kept separately
- Procedures to ensure no identification takes place

10 GDPR: Notification to Data Protection Authority
- Notify DPA without undue delay and, where feasible, not later than 72 hours after becoming aware of it
- If reporting late, a reasoned justification for late notification is required
- Notification not necessary if unlikely to be a risk to rights and freedoms
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

11 GDPR: Notification To Data Protection Authority
Content of the notification:
- Nature of personal data breach (categories, number of data subjects, data affected, etc.)
- Contact information for company Data Protection Officer
- Likely consequences of the personal data breach
- Proposed strategy to address breach and mitigation measures used (if any)
No requirement for a processor to make a DPA notification: obligation to notify the controller only

12 GDPR: Notification To Data Subjects
Trigger: personal data breach likely to result in a high risk to the rights and freedoms of individuals
Timing:
- Must notify data subjects "without undue delay"
Factors (Recitals):
- As soon as reasonably feasible
- Need to mitigate immediate risk of damage: prompt notification
- Need to implement appropriate measures: may justify longer delay
Exceptions:
- Technical & organisational measures implemented (data unidentifiable)
- Action taken: high risk no longer likely to materialise
- Notification would involve disproportionate effort

13 GDPR: Notification To Data Subjects
- Notification must be in clear and plain language
- Contact information for company Data Protection Officer
- Likely consequences of the personal data breach
- Proposed strategy to address breach and mitigation measures used (if any)
- Notification should be made in close cooperation with the DPA

14 Network and Information Security Directive
Scope:
- Operators of essential services & digital service providers: includes sectors in the areas of banking, energy, digital & financial market infrastructure, health and transport
Purpose:
- Improve network security safeguards
- Increase knowledge of cyber threats
- Secure networks in order to protect the provision of online services
Obligations:
- OESs must notify of a security incident likely to have a "significant impact" on the continuity of services
- Discretion for member states to set penalties for infringement of national provisions; penalties must be effective, proportionate and dissuasive
Timeline:
- Adopted 18 December 2015
- Entered into force in August 2016; 21 month transposition period
- National Cyber Security Centre to be established

15 Central Bank Guidance (September 2016)
- Covers all entities regulated by the Central Bank
- Governance, risk management, cybersecurity and outsourcing to be addressed
- Lack of holistic view of IT risk flagged
- Inadequate data classification frameworks and policies currently implemented
- Alignment between firms' IT strategy and overall business strategy is weak
- Insufficient staff training and vendor due diligence
Cybersecurity to be a top priority item for boards

16 Security Incident Response Plans: 10 Critical Actions
1) Mobilise response team
2) Assess scale of attack and information at risk
3) Engage legal counsel
4) Initiate forensics
5) Review insurance cover provisions
6) Monitor bank accounts
7) Consider steps to contain the incident
8) Understand notification requirements
9) Engage PR expertise
10) Undertake post-breach remediation

17 Cyber Threats: Prevention Is Better Than Cure
Short Term:
- Cybersecurity on board agenda
- Cross-departmental working group (not just the IT Department!)
- Legal & regulatory obligations
Medium Term:
- Information security policy
- Staff training
- Incident response plan
Long Term:
- Audit
- Ongoing monitoring & testing
- Relationship with authorities

18 Questions & Answers
cybersecurity@williamfry.com
John Magee, Partner
D: +353 1 489 6532
E: john.magee@williamfry.com

