The Legal Position and Societal Effects of Security Breach Notification Laws

146 Pages · 2013 · 1.88 MB · English

Master Thesis
Bernold Nieuwesteeg
August 2013

The Legal Position and Societal Effects of Security Breach Notification Laws

Author: B.F.H. Nieuwesteeg BSc LLB
Email: [email protected]
August 2013

Faculty of Law, Economics and Governance, LLM European Law
Graduation committee
Graduation supervisor: Dr S.A. de Vries, Associate Professor at the Europa Institute; Jean Monnet Chair in EU Single Market Law & Fundamental Rights
Second reader: Dr A. van den Brink, Associate Professor & Director at the Europa Institute

Faculty of Technology, Policy and Management, MSc Systems Engineering, Policy Analysis and Management
Graduation committee
Chairman: Prof Dr M.J.G. van Eeten, Professor Governance of Cybersecurity
1st supervisor: Dr ir B.M. Steenhuisen, Assistant Professor at the research group Policy, Organization, Law and Gaming
2nd supervisor: Dr ir J. van den Berg, Associate Professor at the research group Information and Communication Technology

This thesis is written in Cambria. Cambria was designed by Dutch typographer Jelle Bosma in 2004, with Steve Matteson and Robin Nicholas. It is specifically designed to be aesthetically pleasing at relatively small sizes, which might facilitate the reader to achieve enhanced thought experiments. © 2004 Cambria: Ascender Corporation

Executive summary

This thesis scrutinizes the proportionality and describes the subsidiarity of proposals for security breach notification laws (hereafter: SBNLs) in the European Union. An SBNL obliges that a security breach within a company or government must be notified to affected customers and a supervisory authority. A law stands the proportionality test if the requirements of effectiveness and necessity are met.[1] Effectiveness means that there is a causal relationship between the measure and the aim pursued. Necessity means that no less restrictive policy options are available that achieve the same aims.[2] The closely linked subsidiarity test assesses the necessity of the European Union approach: the question whether the aims of the SBNL and cybersecurity cannot be achieved sufficiently by the Member States individually.[3] Subsidiarity is to a great extent a political question and is consequently described more limitedly.

Why these tests? Proportionality and subsidiarity are fundamental principles of EU law. They demand that the European legislature not go beyond what is necessary to attain the objectives in the Treaties and only adopt measures if a European Union approach has added value. The European Court of Justice scrutinizes whether European legislation is in accordance with these principles.

The laws that have been assessed are Article 31 of the proposed Data Protection Regulation (hereafter: PDPR) and Article 14 of the proposed Cybersecurity Directive (hereafter: PCD).[4] Article 31 PDPR concerns a single uniform personal data breach notification obligation. A personal data breach entails the unauthorized access to and/or theft of personal data. Article 14 PCD concerns the harmonization of national (significant) loss of integrity breach notification obligations.[5] A loss of integrity concerns the loss of control over computer systems. A personal data breach always entails a loss of integrity, but a loss of integrity can also occur without the loss of personal data.

The aim of the SBNL in the PDPR is "to ensure that individuals are in control of their personal data and trust the digital environment"[6] in order to "increase the effectiveness of the fundamental right to data protection".[7] The aim of the SBNL in the PCD is: "to create a culture of risk management and improve the sharing of information between the private and public sectors".[8]

The subsidiarity question covers cybersecurity in general and SBNLs in particular. The Commission argues that a European cybersecurity approach is necessary because of the cross-border aspect of the Internet, the necessity of a uniform secure Internet for the Single Market and the protection of fundamental rights. Indeed, there is European cybersecurity legislation and a European cybersecurity policy framework. Regarding the PDPR and the PCD in particular, the Commission argues that there is a need to harmonize national initiatives in order to create a level playing field, legal certainty and lower administrative burdens for companies to notify. A literature review in this thesis shows that the United States aims to replace state-level SBNLs by a federal SBNL. The obligation to comply simultaneously with multiple SBNLs caused significant administrative burdens for companies. This strengthens the conception that SBNLs can better be achieved at a European level, although this remains a political consideration. From an apolitical point of view, this thesis did not find a convincing argument about the inappropriateness of a European approach regarding cybersecurity and SBNLs.

The proportionality test contains two elements. The first element of the proportionality test, the effectiveness test, is performed more extensively in this thesis than the Commission did in its impact assessment of both the PDPR and the PCD. Legal scholars and the European legislator usually assess the first aspect of proportionality limitedly.[9] In the PDPR and PCD, the Commission did not mention in what way the SBNL is suitable to achieve the aims "to ensure that individuals are in control of their personal data and trust in the digital environment" and "to create a culture of risk management and improvement of information sharing between private and public parties". This is a deficiency in the analysis of legislation. This thesis challenges the aforementioned assumption that determination of causality is straightforward. This is done by a more substantive assessment of the proportionality test. This thesis contributes an empirical study from a security economics perspective, in order to substantively review (the complexity of) the effects of SBNLs. Do the (expected) effects of SBNLs match the aims they should attain according to the European proposals? And are these effects desirable? Legal impact assessments can benefit from this perspective, because knowledge about the effectiveness of the law will be enhanced.

To structure the empirical study, a first and a second order effect of SBNLs have been distinguished. The first order effect is the effect of (characteristics of) SBNLs on the amount of breach notifications. Generating notifications is not one of the final aims of the proposed legislation, but a means to achieve the second order effect. The second order effect includes the positive and negative effects of the law on society. A literature review is conducted to provide an overview of what is already known concerning those two effects. The quantitative analysis systematically assesses the first order effect of American SBNLs by a longitudinal dataset containing security breach notifications. The subsequent qualitative analysis reviews the perception of Dutch security experts and managers regarding the first and second order effect and the outcomes of the quantitative analysis.

The results can substantiate the first element of the Commission's proportionality test of European SBNLs. This study proves the first order effect empirically by means of analyzing American data. The laws have an effect on the amount of breach notifications. The effect is relatively large: a notification increase of at least 50% can be attributed to the law, by a fixed effects regression analyzing differences in breach notification before and after the introduction of the law. The database is partly constructed from underlying sources that only register officially notified breaches, which can explain this high relative increase. From an absolute perspective, the effect is minor: less than 0.05% of the companies notified a security breach in America in the eight-year period that was researched. To compare: a recent study in the United Kingdom published that 88% of the companies surveyed had experienced data theft in 2009. The low absolute number of breaches could be explained by the incompleteness of the dataset, high compliance costs for a company due to reputation damage, and unawareness of breaches. The introduction of the law thus has a structural first order effect, at least in the database of known security breaches. It is however ambiguous which aspects of the law cause this effect. The literature review and qualitative analysis showed that enforced sanctions generate compliance with the law and that reputation damage is a major driver for non-compliance. Confidential treatment of the notification and benefits from information sharing about security breaches are perceived as minor incentives for compliance. The quantitative analysis only confirmed that some American laws qualified as strict by American attorneys cause an increase in notifications, but it is ambiguous what exactly makes these laws strict.

The literature review and the qualitative study demonstrated several positive second order effects perceived in literature and by security managers and experts, such as increased investments in security, fostered cooperation between companies (literature only), increased awareness of consumers of security breaches and faster risk mitigation. The first two effects match the aims of the PCD to 1) create a culture of risk management and 2) enhance information exchange between the private and public sectors respectively. The last two effects correspond with the aim of the PDPR to enhance the personal data control of individuals. However, the positive effects can be nuanced. The security managers interviewed already shared security information with competitors, and did not see an incentive for cooperation with the government following from a security breach notification, because they did not value the government as a center of expertise. Moreover, a security expert challenged the effect of increased investments in security because the law provides an incentive to notify, not to improve security practices. Accepting the 'risk' of a notification might be less expensive than improving security practices in order to avoid notifications. This is however not confirmed in the literature review or by other qualitative analysis, which implies that the risk of not providing incentives to improve security practices at all must be perceived as low. Lastly, an increased number of security breach notifications might result in an overload of information that could also result in disinterest and notification fatigue instead of enhanced awareness and risk mitigation.[10] This overload is not a big threat given the current low amount of notified security breaches. For instance, in America, about 600 million records were breached in the eight-year period observed.[11] This would entail that, on average, an American citizen would be notified twice in eight years. Hence, the second order effects in literature and qualitative analysis, although they are perceptions that can be nuanced, do match the objectives pursued in legislation. But the objectives are vaguely defined and, while their attainment could constitute effectiveness in the legal sense, the question remains what makes an SBNL effective and when an SBNL is effective. Moreover, there are also additional negative effects associated with SBNLs in literature and qualitative analysis, such as reputational costs and maintenance costs. The effects of SBNLs and their relation with the aims of legislation are mapped in Table 1.

Effects | Order | Lit | Qual | Quan | Relation with legislation
Enforced sanctions | 1st | V | V | X |
Reputational damage | 1st | V | V | - |
Appropriateness | 1st | V | V | - |
Benefits of information sharing | 1st | V | V | - |
Confidential treatment | 1st | X | V | - |
Overall first order effect | 1st | - | V | V |
Faster risk mitigation | 2nd (positive) | V | V | - | Aim PDPR: enhance personal data control of individuals
Increased awareness of consumers | 2nd (positive) | V | V | - | Aim PDPR: trust in the digital environment
Increased security investments | 2nd (positive) | V | V | - | Aim PCD: create a culture of risk management
Fostered cooperation | 2nd (positive) | V | X | - | Aim PCD: enhance information exchange between the private and public sectors
Reputational costs for companies | 2nd (negative) | V | V | - |
Compliance costs for companies | 2nd (negative) | V | V | - | (Only) compliance costs are estimated by the Commission
Maintenance and processing costs for Member States | 2nd (negative) | V | - | - |
Costs of increased investments and cooperation for companies | 2nd (negative) | V | - | - |
Notification fatigue for consumers | 2nd (negative) | V | - | - | Aim PDPR: enhance personal data control of individuals; Aim PDPR: trust in the digital environment
Incentive to notify, not to improve security, for companies | 2nd (negative) | - | V | - | Aim PCD: create a culture of risk management

Table 1: effects of SBNLs (V = proved or mentioned; X = disproved; "-" = not researched)

The second element of the proportionality test concerns the question whether there are less restrictive, equally effective measures available. The SBNL can restrict companies, because it infringes the fundamental freedom to conduct a business by imposing administrative, compliance and reputational costs.[12] This study offers two observations concerning this infringement. First, the freedom to conduct a business is more infringed than the Commission states. The cost assessment of the Commission only included the costs of making a notification, which are estimated between 125 euro and 20,000 euro per notification. But literature and qualitative analysis showed that there are costs that the Commission did not take into account, such as the reputation damage incurred (estimations up to 2% of a company's turnover) and the costs of processing and enforcement of breach notifications. The cost estimation of the Commission thus is undervalued compared with the total societal costs of an SBNL. Second, the coexistence of the PDPR and the PCD unnecessarily infringes the freedom to conduct a business as it imposes unnecessary costs for companies. In many cases, a breach thus should be notified twice, both to the European supervisory authority and to the competent national authority, because the scope of personal data loss and loss of integrity overlap.[13] Furthermore, the proposals are regulated by a different legal instrument and emit different signals. The confidential treatment in the PCD will not function properly if simultaneously companies are forced to publicly disclose the same information in the PDPR.

To conclude, the fuzziness of the aims and the complexity of measuring effects hamper the determination of a reasonable expectation of causality between the measure and the aims pursued. The Commission sets aims that are fuzzy and hard to measure, and does not specify how these

Notes

[1] Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert [2010] ECR I-0000.
[2] Damian Chalmers, Gareth Davies and Giorgio Monti, European Union Law (second edition, Cambridge University Press 2010) 362. There is also a third criterion, proportionality stricto sensu, which is sometimes mentioned separately, see section 3.2.1 of this research.
[3] See also Protocol (No 2) on the Application of the Principles of Subsidiarity and Proportionality [2007] OJ C-310/207; Paul Craig and Gráinne de Búrca, EU Law: Text, Cases and Materials (fifth edition, Oxford University Press 2011) 95.
[4] European Commission, 'Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data' (Proposed Data Protection Regulation) COM (2012) 11 final; European Commission, 'Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union' (Proposed Cybersecurity Directive) COM (2013) 48 final.
[5] A Dutch initiative for an SBNL focusing on loss of integrity will be discussed extensively in this thesis.
[6] European Commission, 'Impact Assessment accompanying (proposed) Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data' (Impact Assessment of the Data Protection Regulation) SEC(2012) 72 final, section 5.3.1.
[7] Ibid.
[8] European Commission, 'Impact Assessment accompanying the Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high level of network and information security across the Union' (Impact Assessment of the Cybersecurity Directive) SWD (2013) 32 final, section 6.1.
[9] See for instance Jan H. Jans, 'Proportionality Revisited' (2000) 27(3) Legal Issues of Economic Integration 239, 240 and section 1.2 of this research.
[10] Impact Assessment PDPR (n 6), section 1431 under 4).
[11] The three largest breaches in the United States database contain 300 million records, see chapter 5.
[12] See also, within the context of Case C-70/10 Scarlet Extended v SABAM [2011] ECR I-0000, discussed in section 3.2.2 of this research: the freedom to conduct a business can be infringed by imposing unnecessary administrative burdens.
