KuppingerCole Webinar recording
Hello everyone, and welcome to the KuppingerCole webinar on strategic information security investment planning. Today we are working on the legal perspective of that subject. KuppingerCole Analysts is the leading European identity analyst company, and as such likes to bring some really new information on the IT sector to you, to all IT professionals; most of you will know that. My name is Carson K. I'm a lawyer based in Germany.
I'm a Fellow Analyst of KuppingerCole, and that's why I will go through this webinar with you, presenting the legal perspective of this very important subject. We're in the time of budgeting right now, so I believe this is really good timing for strategic information security investment planning. I hope most of you have prepared some expectations and questions. I'd like to go through some rules and guidelines to start with, but first we would like to introduce the upcoming KuppingerCole events to you. We will have the IRSS on November 27th and 28th.
This is the annual Information Risk and Security Summit. I'm proudly participating in this in one of the five dialogue sessions, which will be moderated by our partners and analysts. So you will receive a lot of information on various hot topics: the challenges of cloud computing, mobile and social computing, identity information quality, or mature cloud, for example, will be some of the issues.
Those who care for today's subject will find more in-depth information in the part that I will present at the IRSS in November in Frankfurt: ten good reasons to invest in an information security system from a legal perspective. That is something like a deeper perspective on what we will go through today. So for all of those who care about this subject further on, please don't hesitate to get in touch with us, or see us at the IRSS or at the EIC.
In 2014 we will have, I think, the major event of 2014 in this area, the European Identity and Cloud Conference. Everyone who has been there last year I don't need to explain it to; everyone else should really come and see. We are already deep into planning, and on the website you might want to see what we have prepared for you already. Some guidelines for the webinar: it's very important to know that you are muted centrally, so don't worry about any noise you might give out. You don't have to mute or unmute yourself.
If you have any questions, please use the control panel on the right-hand side of your screen; the GoToWebinar control panel will open. If you want to post some questions, I will happily answer them, mostly at the end of the webinar. So don't worry about it: I do see all the questions that you pose, and even if they don't fit what I have prepared, I will definitely answer your questions at the end of this session.
Also, we will record the webinar. The podcast recording will be available tomorrow for all those who care. To the agenda: as just mentioned, I will lead through the webinar, and after that we will have questions and answers. I'm looking forward to hearing all of your concerns and questions, but let's jump into what I've prepared. We discuss strategic information security investment planning. This is really at the intersection of IT, law, organization, quality and, at the end, budgeting. So naturally, as a lawyer, I will mainly take the legal perspective, as announced.
However, the legal perspective means, at the end, technical and organizational measures and legal precautions. So even the legal perspective doesn't stick only to legal precautions, such as the appropriate contracts, for example, but also focuses very strongly on the technical and organizational measures. Everything IT does has, at the end, a legal impact for compliance. The focus we have is on current law and foreseeable future development. So everything you might take as an argument for budgeting also has to go into the future.
If you want to do accurate legal planning of your IT budgets, then keep in mind that you don't want to just patch the past and stay with whatever is required for today. You really need to be prepared for the future, and this is actually what we legally focus on. If you're not prepared for the future, you're not ready for today. The General Data Protection Regulation, the GDPR, which I will refer to as the Regulation throughout this webinar, will arrive as new legislation from the EU, whereas right now we have had the framework in place for many years.
Above that, we also have many different national data protection ideas in place. With the Regulation we will then have a harmonized status of data protection, and that really does help if you want to have a harmonized IT landscape. You can really stress the need for that with this legal perspective on the upcoming EU Regulation, because from what we know there will be no national regulation in data protection anymore, starting in 2016. After that there will be no national frameworks regulating us in any field.
So let's go on and check some of the major points I found in the case of data loss due to unsuitable information security measures. That's how I will start, to give you a good overview of the various issues we have here; it's a bit of a checklist at the end, if you want. Authorities will possibly impose a fine, and of course that's a well-known argument. Everyone really has heard about that, so it's a bit obvious that I will have to start with it; don't worry about it.
There will be less obvious cases, but to give a bit more information on the obvious possibility of a fine: we will have a drastic change under the regime of this EU Regulation, with possibly a million euro per case, of course up to a million per case, and 2% of the annual worldwide turnover. This is something that many people don't know; many decision takers have not been aware of it yet. Everything we will discuss today will be summarized under this: if you do not comply with what the Regulation gives us, then we will certainly be at risk of this possible, very high fine.
It's the turnover, not the gain, and it's a million per case, whereas for example in Germany and some of the other European member states we have a hundred thousand in place at the moment. Then we also have the interesting discussion of what actually is a case. Is a case that I have done something wrong and the whole database is insecure and information, for example, has gotten lost? Or is a case a single person that suffers any negative impact from such an incident?
It is completely open. There are legal argumentations going on that really claim a database with a hundred thousand people in it is possibly a hundred thousand cases. On the other hand, we have many good reasons for believing one case is really the database with all the information in it. So that's really in flux. We expect that to be defined in the next year or two, until we have the new legislation in place, but this is really very open, and it just shows us how undecided the legislator still is when it comes to fines.
Also, we all know that fines are very rare at the moment in the national surroundings, and I strongly believe that in the EU context this will really go up; we will have a higher risk of being fined, because the comparison between the various countries will be easy, and there will be statistics of the various authorities, which are sometimes in strong conflict and strong competition with each other. As I know it, this will not be a race to the bottom; it will be a race to the top. If you are a European data protection authority, you want to be prepared for 2016.
So you'd better prepare what you want to do in order to have your files, your cases and your press. I expect this to be more the case in the future, not only driven by money but also by importance and number of cases. For anyone who intentionally or negligently does not adopt internal policies or doesn't prepare for demonstrating compliance, the fine also will, amongst other things, be fixed with due regard to the nature, gravity and duration of the breach, of course, and to the technical and organizational measures. That's what I mentioned before.
So it's not only about how heavily things go wrong and how weakly your organization might be prepared or, in this particular case, may act. It's really the technical and organizational measures that are in place and implemented, but also that are made transparent. So it's not only about doing something; it's also about doing something nice and talking about it, meaning: prepare all the technical and organizational measures and keep them really recorded, and at all times be prepared to present to third parties what you've done. This is something that will come far more into focus.
If you are not prepared to show what you've done, it's as if you haven't done anything. That's a pretty simple rule, and this might lead to possible fines as well. Technical and organizational measures of current standard need to be introduced; that's one of the outcomes you need to really prepare for, such as your access control. It's not only about having a good access rights system; it's about having access control and being able to work on it.
If somebody leaves, you may not take too long to remove this person from your data systems. Prevent storage media from being read, copied, modified or removed without authorization; this is really about the security of transport of data. Then it's about ensuring that it's possible to check and establish to which bodies personal data can be communicated by means of data transmission facilities, which is as simple as: you give data to someone as part of your business process, and you need to know who will receive it and who is in charge of it there.
Whom can you ask if something has gone wrong? Where do you receive this data from, on the other hand? And so on. You really need to have a transparent data flow, from where the data derives to where the data goes. What we know happens in practice is that you, as IT folks, will not focus on where the data derives from; you just keep the system running, and the people working with the information don't care where the information will be situated then.
So this is really about working together: working together with whoever works with the data and whoever takes care of the information security. This is really about the left hand knowing what the right hand does. Then you need to ensure that it's possible to check and establish which personal data have been put into data processing systems, by whom and at what time. What we understand to be most difficult in practice is getting rid of information. Mostly, organizations are not well prepared for getting rid of any information, because they are not organized about where they have what.
So it's difficult to find out what we really don't need anymore, what we can get rid of. Both really go together: where do we have our data, and where is erasure? As you know, erasure is a big data protection issue, and this is something that we consider to be a technical and organizational measure: have relevant procedures in place for erasure. If you do not have that in place, the whole system will not be compliant for data protection reasons.
Keep that always in mind: if you have a check by an authority, they might find out that you will never erase information from there. And that's possibly not your issue as IT in the first place; it's really the people working with that information who need to ask you for it, and in most cases they will not ask you for it. So this is something you should really bring up. We have a couple more things; these are really examples I brought up.
I think most of them are pretty obvious, but I try to give you some examples of what you can really do in order to work against it and be prepared for a better organization. You really need to be fine on the transmission, for example. I'm having a hard time finding institutions that have a proper authorization method in the email carrier situation. So this is really missing.
I think we're not that far as an information society, and organizations really do have trouble going to the market and working with good, nice email encryption, for example, and by this having authorization in place during transmission phases. This is something that I think will have a big boost; that's what I see, companies are preparing for that. And that's a very technical and organizational measure, because if you don't have that, at the end your information is not validly transported.
And we all know that you can always point at all the other organizations who haven't got it in place, but authorities in these cases don't care about that. It should be you making the difference here. That's what I just heard last week discussing with our local authorities here, just to give you an insight into how they see it. The controller also has to notify the personal data breach to the supervisory authority.
According to the data breach notification rule in Article 31 of the new legislation, this needs to take place not later than 24 hours after having become aware of it. That's a very clear rule. In most of the countries we don't have the 24-hour rule; we have a rule meaning as soon as you may be able to organize it, which is a bit of a blurry rule. So now we have the 24-hour rule, and you need to be the one explaining why you haven't become aware of it earlier. So it's not that you are fine unless somebody else proves that you have become aware of a breach earlier.
No, it's you having to explain. And there again we are at the question of being transparent in what you do; this hits that as well. So this is something for an escalation plan, and I'm always surprised to see also big organizations with no escalation plan for a data breach in place. We all seem to be expecting that there will be no accident, there will be no breach. And let me tell you, I see a lot of breaches, and in most cases there's no escalation plan.
From the data protection legal perspective we consider this the second breach, and this is exactly what the legislator has called it now, and this is why we have this rule. So if you have a breach and you don't name it in the according time, as you don't bring it to the authorities, then you will have a second breach, and the fines will go up accordingly, and all the troubles that you might experience, and that we will discuss in an upcoming slide, will become more serious.
So it's very important to have an escalation plan and to start with: yes, we expect a breach to happen. Whatever happens, we don't want to have it, but if a breach happens, we are prepared. And you review this plan at least after a certain period of time; of course you can discuss when this should take place. Authorities, to my understanding, expect at least an annual revision of this, according to quality measurements.
If you are in the telecommunication branch or in any of the banking or insurance branches, I would believe that half a year would be something you could possibly live with, but not less. After the detailed escalation plan, you need to have a first-step plan after detection: what can we do against the breach? It's not only who needs to know in order to escalate.
It's also: what can we do about it? Be prepared to close everything down, of course, and have this in your policy. I really believe that this is part of it. Business continuity, of course, is a case for IT; that's what you look upon naturally. But we lawyers also look at it, because without a business continuity procedure that is fair to comply with, the authority may seize the data flow. So possibly business continuity for you is something very IT-driven; for us it is beyond that, it's a legal perspective.
Business continuity can be stopped by the data protection authority if they are not sure of what you are doing and how the breach has occurred. If they're not sure that you're doing a good job in calming things down and taking the appropriate measures, then they have the good right to make a full stop in order to investigate what the situation is like. So if you haven't had that on your bill: IT business continuity is not about money and enough storage and whatever you might have in mind here. It's about being prepared for a third party explaining to you that you might not be the one going on here; you need to ensure that no other issue has been arising.
Of course, maybe a breach is very complicated to investigate, but this needs to be part of the escalation plan, because this is expected by authorities. Don't be satisfied with the existing breach; "find more" is a bit ironic, but you should do it. Test the escalation plan, test it all the time, be prepared. This is something that's very important for your liability and for the liability of everyone who is in charge. Then we have the communication to the data subject that has to be exercised. We have had some telecommunication companies in Germany having some data loss here.
Most of you will have read about it throughout Europe in the newspapers or on the net. Then you can calculate how expensive this was, not only for the image harm that started to come across, but also for all the other things that had to be done; that does cost a lot of money. If you have to get in touch with your data subjects, that's one letter you usually have to write to them, or you have to call them; just the mail alone could be millions of dollars or euros, as we have seen with that breach in the telecommunication company.
If you calculate how many people were involved here, that's pretty easy: that's a couple of million euros already. Then you have to have people who do that. And of course, that all adds up, and the CRM must be current.
Of course you need to get in touch with your people. If you can't manage to explain to the data subjects what has happened, you have another breach with that. You have to really be able to address the breach to the people that are subject to the breach. Then you need to be clear about which communication channel will be used, who will take care of it, whether you will need external support, and so on. We do see a lot of gaps here in preparation. Then again, how do you handle all of that? If you have external service providers for handling the breach, what may you show to them?
Will they have slim access rights for the purposes of the breach? Because it's not that easy to give the according rights. If the rights are too big on the CRM, for example, they have access to the full CRM and they could see all your customer data, but they will never be able to call all the people involved, all the data subjects. Then this will be another data breach. So be prepared for groups taking care of it with restricted access rights. Then we have the liability and the right to compensation, which has to be provisioned as well. According to Article 77, that means you have a direct cost.
In addition to the fines, you have unforeseeable costs here, depending on the actual damage. This is something that's very hard to provision, and you have the cost for insurances beforehand, and of course the costs for legal fees. That adds up a lot, and it's expected from you to have the help necessary. So you can't just say, okay, we're taking our time and we are doing this with existing means. Persons who have suffered damage as a result of the data breach may require compensation.
And there is a thought of possibly moving away from the very European tradition of having single-case issues here, and possibly allowing (we haven't seen that written yet, but that's what I hear from Brussels) an idea of mass claims here. That is something we all should mentally prepare for. If that ever comes, I think we can be prepared for some really heavy claims. The loss of reputation, of course, is always an issue, and the erosion of trust must be taken into account. That's nothing new, but it's something that has some legal impact. Then organizational precautions must be taken.
This is something that is expected from you: intrusion testing, for example, pen tests, things like that. You need to carry them out, and also never forget to write down that you have done it, to document it, and to hold results against each other.
If you are continuously working on that, of course your intrusion testing should be getting better and better. You have some pressure here, and you should have a gap-free analysis of your intrusion period and intrusion history. So this is something you should really take into account for preparation for a breach. This really shows us: it's not that important to only focus on not having a breach; it's very important to be prepared. We consider many lacks of preparation as data breaches of their own.
So the full horror isn't already there by the time you experience the breach; the full horror is there by the time you experience that you haven't been prepared accordingly, that organizational measures have been expected from you by authorities or other third parties, and you haven't prepared for that. Intrusion is one of the big missing links here that we see in practice. Then we have the risk of violation of the provisions on unfair competition. Please do not forget: by the time you have a data protection issue, you mostly do have an unfair competition issue.
So this really pushes things up. The less you comply with data security and data protection, the less you comply with the legal frameworks against unfair competition; all negative impacts are bundled here. If you have a data protection issue coming up, the risk is not especially focused on technical measures, of course, but they play a key role.
However, we have other provisions within the world of unfair competition that do play a role. So check with your privacy department, with your privacy lawyers, that you have a strategy that not only keeps the idea of IT security and IT data protection in place, but also unfair competition: the way you collect information and the way you share it with others. Those are the two most important times where you can easily, without even having any bad intent, contradict the idea of unfair competition. So check on where you have your data from.
We have all grown up in an environment of "we can buy data", for example, to think in marketing terms; we of course may buy information. However, we have seen a switch in the last years in European legislation and in the expectations on companies about how clearly they look at where they buy this information from. So wherever you receive information, and however you work with your customer information, where you buy it is by all means not free; you have to, of course, have a look at what you're exactly doing.
What's the purpose of the use of the information? Make sure that you have this in line, because this is something we have seen a strong focus on in the last years. It's your responsibility. Even if you have a third-party provider selling your information, doing your IT, supporting you in anything, the point is really that you are in the driver's seat if the information is used under your name and you are wearing the hat. So please don't just trust your IT providers; check on them.
That's part of the preparation, part of the technical and organizational measures that you have to do regularly. Go there and check on your teams, on the external teams that you work together with. The knowledge is necessary. Internal systems should be set up through privacy by design; that's something that has finally arrived in legislation. So make sure to buy intelligent systems, make sure to sketch systems intelligently, because privacy is something more and more expected to be part of the product and less part of policies and things like that.
Of course, we can always do a policy, but we are really switching to privacy by design. It's the aim of the European Union to have a narrower impact of policies in corporate structures and more of technique, meaning privacy by design already implemented into all the systems we are using. Please don't forget the director's liability; that's always to be calculated. Evidently, we have wrongful trading, for example, in the UK, and in all of the countries we have similar regulations.
So if you happen to be director of IT, or in the driver's seat under whatever label this goes, please be aware that it's your responsibility. All the points that I have been bringing up so far are explicitly stressed by the legislation: this is not only the head of the company; this is also already the director of IT who has to take care of it. And certainly you will not have the budget for all of it.
Certainly you will not have all the personnel to do all of it, but make sure that you have a list with all the to-dos and then start off with what's most important. Have your list with you for security reasons, and I'm not talking about data security, I'm talking about liability security: just be able, in the future, to show that you have thought about the various aspects of your position and the various aspects of the things to do that we are mentioning here today.
Even if you don't manage to handle all of it, which I perfectly understand, as for most organizations this is really a big task, make sure that you have a positive attitude toward it: that you have had it on your desk, that you have decided to focus on those three measures and not on those other seven measures, and put down why you have done that. That's really important for personal liability here.
That's something that I would have said before the legislation, but I say it especially with the new legislation coming up. The cost of locating the safety gap has to be taken into consideration, as that might be obligatory in some cases, according to the authorities. So always be prepared to have enough people on board to find the safety gap; they usually ask you to do so. It's not okay to say: we're shutting down the system, we let it not run for a while, we take our time, as mentioned before. No, they really expect that you have the researchers on board and people that you pretty much can call. Remember what I told you about being prepared and having a plan, an escalation plan; that's part of it. Possibly you have a shutdown of your products and services to expect. Explain this to the management of the legal entities; they really need to know that this is something data protection authorities may do. However, in practice
they usually don't do that if you're well prepared, if you show them: yes, we have a breach here, or we have something not so well prepared, but we know how we want to work on it. They will hardly ever shut you down unless you're constantly losing information and they have to expect a bad image in the public for letting you run further. So here, too, it's not only the ultimate reaction in the situation where you have a breach; it's also the preparation for finding the real gap, even though that may take a while. You should really be able to name what has gone wrong in detail.
Then, of course, you have the hardly comfortable cost of resetting all systems and services. Usually authorities expect you to have at least 10 to 15% fluid for that. So if you have certain systems and you expect them, just for a scenario, to go down and then you have a reset, and all of that: take 10% of that, and you should be able to have that present.
If you haven't, you are undercovered from the perspective of the authorities in many cases, and they will possibly more likely go into a shutdown of the systems and let you explain to them how you think of having an adequate security environment in the future. In the case of data loss due to unsuitable information security measures, we have, of course, contractual penalties.
Next to the fine that we were discussing right in the beginning, we also have damages and loss of orders. Of course, those probably form the biggest piece of the negative outcomes of a data breach, especially if data is processed on commission. So if you are a service provider, or if you work together with service providers that are supporting you, then this always is a very contractual issue. If you are the leader and you have an IT provider, then you will of course have contractual penalties in place, hopefully. If you haven't, please keep in mind that you shall have that.
Also, this is expected from you. This is why I mentioned it towards IT professionals: this is expected from you as an organization to have in place.
And you, as IT services and expertise in your companies and organizations, are requested to have contract management at least halfway in your scope. Talk to the people involved, because this is considered to be an IT subject, even though it's legal.
Of course, you really need to talk to them, because you are understood to be the center of the organization when it comes to data flow here. So the contracts need to be in place. If you gave data away and you haven't got contracts in place, this is the first problem. If you have contracts in place but no penalties, then you'd be happy if you are the one providing those services, but make sure that after risk evaluation and risk calculation you still have adequate contractual penalties in place. Usually that's what we do a lot.
We discuss that with our clients, we go into that, and we raise contractual penalties to at least 200%, mostly. That is something where companies in Europe basically seem to be undercovered a lot. Then define liability cases: what happens really if this happens, is this more that provider or is this more this one? Of course, this is part of the escalation process, needless to say. Then the last one from my side would be: we have a seal of data protection security that is in place and has been in place for many years.
You all know companies and organizations who have done that for security issues in your countries. We are now entering a time where data protection issues become more important and part of such seals, and that also narrows down liability. So if you decide, for organizational reasons and for risk evaluation reasons, to join such a seal program, be aware of the fact that, of course, it does cost money, but the investment can be worthwhile here, because you have a clear advantage when it comes to liability cases. So, at a glance, we have a lot of risk.
We of course have the fines. We have the liability within the contract. We have loss of reputation. All of this is covered by the new guideline, by the new directive that's coming up. This is nothing that we just tell you because it's common sense; this is really requested to be kept in mind by law. So you really need to prepare in order to be in line with the compliance issues here. Erosion of trust and director's liability were two important points; I think director's liability is really the head of it.
Then expenses for research and reparation need to be provisioned in order to be well prepared and not suffer a shutdown of your systems. Then contractual penalties go hand in hand with the contractual liability above. So I would check the technical and organizational measures, and get in touch with all the departments that work with the information, because the lawmakers understand the IT professionals to be responsible, less so all the others.
So get them on board, explain what the issue is, and have a task force for finding out how you will react on your hopefully first, or hopefully never to come, data breach. This is really something that I think has a high priority, seeing this legislation coming up. As a result, you would have good documentation and processes, or processes and documentation, even better. That's really what they expect. The documentation is all you really need to have in your hands to find a good strategic defense line.
The integrity of systems is nothing new for you. The first steps, escalation and prevention, are something I mentioned before. And what I'm really a fan of is the data protection seal, because there all of what I mentioned is done for you: you can bring it into people's heads, and you have a first evaluation of what you could do. Then you can see what the budget is and what we can do with it. And you can also lean back as an IT professional and expert in your legal entity and state: we've had this all gone through.
And it's not only been data security, it's data protection, because this is on the right. So thank you very much so far. If there are any questions, please give them to me now; I'd like to answer them right now. I do not see any, so no questions at the moment. I would like to thank you all for your attention. Hopefully see you at one of the KuppingerCole events, maybe the IRSS, where we go deeper into all of that. Thank you very much for your attention, and if you have further questions, don't hesitate to get in touch with us. Thank you.