The Legal Position and Societal Effects of Security Breach Notification Laws

146 Pages · 2013 · 1.88 MB · English

Master Thesis
Bernold Nieuwesteeg
August 2013

The Legal Position and Societal Effects of Security Breach Notification Laws

Author: BFH Nieuwesteeg BSc LLB
Email: [email protected]
August 2013

Faculty of Law, Economics and Governance, LLM European Law
Graduation committee:
Graduation supervisor: Dr SA de Vries, Associate Professor at the Europa Institute; Jean Monnet Chair in EU Single Market Law & Fundamental Rights
Second reader: Dr A van den Brink, Associate Professor & Director at the Europa Institute

Faculty of Technology, Policy and Management, MSc Systems Engineering, Policy Analysis and Management
Graduation committee:
Chairman: Prof Dr MJG van Eeten, Professor Governance of Cybersecurity
1st supervisor: Dr ir BM Steenhuisen, Assistant Professor at the research group Policy, Organization, Law and Gaming
2nd supervisor: Dr ir J van den Berg, Associate Professor at the research group Information and Communication Technology

This thesis is written in Cambria. Cambria was designed by Dutch typographer Jelle Bosma in 2004, with Steve Matteson and Robin Nicholas. It is specifically designed to be aesthetically pleasing at relatively small sizes, which might facilitate the reader to achieve enhanced thought experiments. © 2004 Cambria: Ascender Corporation

Executive summary

This thesis scrutinizes the proportionality and describes the subsidiarity of proposals for security breach notification laws (hereafter: SBNLs) in the European Union. An SBNL obliges that a security breach within a company or government must be notified to affected customers and a supervisory authority. A law stands the proportionality test if the requirements of effectiveness and necessity are met [1]. Effectiveness means that there is a causal relationship between the measure and the aim pursued. Necessity means that no less restrictive policy options are available that achieve the same aims [2]. The closely linked subsidiarity test assesses the necessity of the European Union approach: the question whether the aims of the SBNL and cybersecurity cannot be achieved sufficiently by the Member States individually [3]. Subsidiarity is to a great extent a political question and is consequently described more limitedly.

Why these tests? Proportionality and subsidiarity are fundamental principles of EU law. They demand that the European legislature not go beyond what is necessary to attain the objectives in the Treaties and only adopt measures if a European Union approach has added value. The European Court of Justice scrutinizes whether European legislation is in accordance with these principles.

The laws that have been assessed are Article 31 of the proposed Data Protection Regulation (hereafter: PDPR) and Article 14 of the proposed Cybersecurity Directive (hereafter: PCD) [4]. Article 31 PDPR concerns a single uniform personal data breach notification obligation. A personal data breach entails the unauthorized access to and/or theft of personal data. Article 14 PCD concerns the harmonization of national (significant) loss of integrity breach notification obligations [5]. A loss of integrity concerns the loss of control over computer systems. A personal data breach always entails a loss of integrity, but a loss of integrity can also occur without the loss of personal data. The aim of the SBNL in the PDPR is "to ensure that individuals are in control of their personal data and trust the digital environment" [6] in order to "increase the effectiveness of the fundamental right to data protection" [7]. The aim of the SBNL in the PCD is "to create a culture of risk management and improve the sharing of information between the private and public sectors" [8].

The subsidiarity question covers cybersecurity in general and SBNLs in particular. The Commission argues that a European cybersecurity approach is necessary because of the cross-border aspect of the Internet, the necessity of a uniform secure Internet for the Single Market and the protection of fundamental rights. Indeed, there is European cybersecurity legislation and a European cybersecurity policy framework. Regarding the PDPR and the PCD in particular, the Commission argues that there is a need to harmonize national initiatives in order to create a level playing field, legal certainty and lower administrative burdens for companies to notify. A literature review in this thesis shows that the United States aims to replace state-level SBNLs by a federal SBNL. The obligation to comply simultaneously with multiple SBNLs caused significant administrative burdens for companies. This strengthens the conception that SBNLs can better be achieved at a European level, although this remains a political consideration. From an apolitical point of view, this thesis did not find a convincing argument about the inappropriateness of a European approach regarding cybersecurity and SBNLs.

The proportionality test contains two elements. The first element, the effectiveness test, is performed more extensively in this thesis than the Commission did in its impact assessment of both the PDPR and the PCD. Legal scholars and the European legislator usually assess the first aspect of proportionality limitedly [9]. In the PDPR and PCD, the Commission did not mention in what way the SBNL is suitable to achieve the aims "to ensure that individuals are in control of their personal data and trust in the digital environment" and "to create a culture of risk management and improvement of information sharing between private and public parties". This is a deficiency in the analysis of legislation. This thesis challenges the aforementioned assumption that determination of causality is straightforward. This is done by a more substantive assessment of the proportionality test. This thesis contributes an empirical study from a security economics perspective, in order to substantively review (the complexity of) the effects of SBNLs. Do the (expected) effects of SBNLs match the aims they should attain according to the European proposals? And are these effects desirable? Legal impact assessments can benefit from this perspective, because knowledge about the effectiveness of the law will be enhanced.

To structure the empirical study, a first and second order effect of SBNLs have been distinguished. The first order effect is the effect of (characteristics of) SBNLs on the amount of breach notifications. Generating notifications is not one of the final aims of the proposed legislation, but a means to achieve the second order effect. The second order effect includes the positive and negative effects of the law on society. A literature review is conducted to provide an overview of what is already known concerning those two effects. The quantitative analysis systematically assesses the first order effect of American SBNLs by a longitudinal dataset containing security breach notifications. The subsequent qualitative analysis reviews the perception of Dutch security experts and managers regarding the first and second order effect and the outcomes of the quantitative analysis.

The results can substantiate the first element of the Commission's proportionality test of European SBNLs. This study proves the first order effect empirically by means of analyzing American data. The laws have an effect on the amount of breach notifications. The effect is relatively large: a notification increase of at least 50% can be attributed to the law, by a fixed effects regression analyzing differences in breach notification before and after the introduction of the law. The database is partly constructed from underlying sources that only register officially notified breaches, which can explain this high relative increase. From an absolute perspective, the effect is minor: less than 0.05% of the companies notified a security breach in America in the eight-year period that was researched. To compare: a recent study in the United Kingdom published that 88% of the companies surveyed had experienced data theft in 2009. The low absolute number of breaches could be explained by the incompleteness of the dataset, high compliance costs for a company due to reputation damage, and unawareness of breaches. The introduction of the law thus has a structural first order effect, at least in the database of known security breaches. It is however ambiguous which aspects of the law cause this effect. Literature review and qualitative analysis showed that enforced sanctions generate compliance with the law and that reputation damage is a major driver for non-compliance. Confidential treatment of the notification and benefits from information sharing about security breaches are perceived as minor incentives for compliance. The quantitative analysis only confirmed that some American laws qualified as strict by American attorneys cause an increase in notifications, but it is ambiguous what exactly makes these laws strict.

The literature review and the qualitative study demonstrated several positive second order effects perceived in literature and by security managers and experts, such as increased investments in security, fostered cooperation between companies (literature only), increased awareness of consumers of security breaches and faster risk mitigation. The first two effects match the aim of the PCD to 1) create a culture of risk management and 2) enhance information exchange between the private and public sectors respectively. The last two effects correspond with the aim of the PDPR to enhance personal data control of individuals. However, the positive effects can be nuanced. The security managers interviewed already shared security information with competitors, and did not see an incentive for cooperation with the government following from a security breach notification, because they did not value the government as a center of expertise. Moreover, a security expert challenged the effect of increased investments in security because the law provides an incentive to notify, not to improve security practices. Accepting the 'risk' of a notification might be less expensive than improving security practices in order to avoid notifications. This is however not confirmed in the literature review or by other qualitative analysis, which implies that the risk of not providing incentives to improve security practices at all must be perceived as low. Lastly, an increased number of security breach notifications might result in an overload of information that could also result in disinterest and notification fatigue instead of enhanced awareness and risk mitigation [10]. This overload is not a big threat given the current low amount of notified security breaches. For instance, in America, about 600 million records were breached in the eight-year period observed [11]. This would entail that, on average, an American citizen would be notified twice in eight years. Hence, the second order effects in literature and qualitative analysis, although they are perceptions that can be nuanced, do match the objectives pursued in legislation. But the objectives are vaguely defined, and while their attainment could constitute effectiveness in the legal sense, the question remains what makes an SBNL effective and when an SBNL is effective. Moreover, there are also additional negative effects associated with SBNLs in literature and qualitative analysis, such as reputational costs and maintenance costs. The effects of SBNLs and their relation with the aims of legislation are mapped in Table 1.

Table 1: effects of SBNLs (V = proved or mentioned; X = disproved; "-" = not researched)

Effects                                                        | Order          | Lit | Qual | Quan | Relation with legislation
Enforced sanctions                                             | 1st            | V   | V    | X    |
Reputational damage                                            | 1st            | V   | V    | -    |
Appropriateness                                                | 1st            | V   | V    | -    |
Benefits of information sharing                                | 1st            | V   | V    | -    |
Confidential treatment                                         | 1st            | X   | V    | -    |
Overall first order effect                                     | 1st            | -   | V    | V    |
Faster risk mitigation                                         | 2nd (positive) | V   | V    | -    | Aim PDPR: enhance personal data control of individuals
Increased awareness of consumers                               | 2nd (positive) | V   | V    | -    | Aim PDPR: trust in the digital environment
Increased security investments                                 | 2nd (positive) | V   | V    | -    | Aim PCD: create a culture of risk management
Fostered cooperation                                           | 2nd (positive) | V   | X    | -    | Aim PCD: enhance information exchange between the private and public sectors
Reputational costs for companies                               | 2nd (negative) | V   | V    | -    |
Compliance costs for companies                                 | 2nd (negative) | V   | V    | -    | (Only) compliance costs are estimated by the Commission
Maintenance and processing costs for Member States             | 2nd (negative) | V   | -    | -    |
Costs of increased investments and cooperation for companies   | 2nd (negative) | V   | -    | -    |
Notification fatigue for consumers                             | 2nd (negative) | V   | -    | -    | Aim PDPR: enhance personal data control of individuals; Aim PDPR: trust in the digital environment
Incentive to notify, not to improve security, for companies    | 2nd (negative) | -   | V    | -    | Aim PCD: create a culture of risk management

The second element of the proportionality test concerns the question whether there are less restrictive, equally effective measures available. The SBNL can restrict companies, because it infringes the fundamental freedom to conduct a business by imposing administrative, compliance and reputational costs [12]. This study offers two observations concerning this infringement. First, the freedom to conduct business is more infringed than the Commission states. The cost assessment of the Commission only included the costs of making a notification, which are estimated between 125 euro and 20000 euro per notification. But literature and qualitative analysis showed that there are costs that the Commission did not take into account, such as the reputation damage incurred (estimations up to 2% of a company's turnover) and the costs of processing and enforcement of breach notifications. The cost estimation of the Commission thus is undervalued compared with the total societal costs of an SBNL. Second, the coexistence of the PDPR and the PCD unnecessarily infringes the freedom to conduct a business as it imposes unnecessary costs for companies. In many cases, a breach thus should be notified twice, both to the European supervisory authority and to the competent national authority, because the scopes of personal data loss and loss of integrity overlap [13]. Furthermore, the proposals are regulated by different legal instruments and emit different signals. The confidential treatment in the PCD will not function properly if companies are simultaneously forced to publicly disclose the same information under the PDPR.

To conclude, the fuzziness of the aims and the complexity of measuring effects hamper the determination of a reasonable expectation of causality between the measure and the aims pursued. The Commission sets aims that are fuzzy and hard to measure, and does not specify how these

Notes

[1] Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert [2010] ECR I-0000.
[2] Damian Chalmers, Gareth Davies and Giorgio Monti, European Union Law (second edition, Cambridge University Press 2010) 362. There is also a third criterion, proportionality stricto sensu, which is sometimes mentioned separately, see section 3.2.1 of this research.
[3] See also Protocol (No 2) on the Application of the Principles of Subsidiarity and Proportionality [2007] OJ C 310/207; Paul Craig and Gráinne de Búrca, EU Law: Text, Cases and Materials (fifth edition, Oxford University Press 2011) 95.
[4] European Commission, 'Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data' (Proposed Data Protection Regulation) COM (2012) 11 final; European Commission, 'Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union' (Proposed Cybersecurity Directive) COM (2013) 48 final.
[5] A Dutch initiative for an SBNL focusing on loss of integrity will be discussed extensively in this thesis.
[6] European Commission, 'Impact Assessment accompanying (proposed) Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data' (Impact Assessment of the Data Protection Regulation) SEC(2012) 72 final, section 5.3.1.
[7] Ibid.
[8] European Commission, 'Impact Assessment accompanying the Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high level of network and information security across the Union' (Impact assessment of the Cybersecurity Directive) SWD (2013) 32 final, section 6.1.
[9] See for instance Jan H Jans, 'Proportionality Revisited' (2000) 27(3) Legal Issues of Economic Integration 239, 240 and section 1.2 of this research.
[10] Impact assessment PDPR (n 6), section 1431 under 4).
[11] The three largest breaches in the United States database contain 300 million records, see chapter 5.
[12] See also within the context of Case C-70/10 Scarlet Extended v SABAM [2011] ECR I-0000, discussed in section 3.2.2 of this research. The freedom to conduct business can be infringed by imposing unnecessary administrative burdens.
