Computer and Data Security Laws and Regulations --short most basic version--

1
Computer and Data Security Laws and Regulations
--short most basic version--

• Nicolas T. Courtois -
  University College of London

2
Is Privacy Universal?

• A Western concept, not easy to translate into a
  foreign language. Italian la privacy.
• Yet, the right to privacy has been enacted by the
  United Nations in 1948
• no one voted against, but the Soviet BlockSouth
  AfricaSaudi Arabia abstained.
• Article 12 of Universal Declaration of Human
  Rights
• No one should be subjected to arbitrary
  interference with his privacy, family, home or
  correspondence, nor to attacks on his honour or
  reputation.
• Everyone has the right to the protection of the
  law against such interferences or attacks.

3
Concept of Privacy UK

• The Calcutt Committee in the United Kingdom was
  satisfied that it would be possible to define it
  legally and adopted this definition
• The right of the individual to be protected
  against intrusion into his personal life or
  affairs, or those of his family, by direct
  physical means or by publication of information
• This brings us to two types of Privacy
• Physical
• human body/intimate life
• personal belongings free from intrusion/searches/
  seizures.
• Informational Privacy.
• about collection and sharing of data about
  ourselves
• about us religion, sexual orientation, political
  affiliations, personal activities, etc
• about our actions location data, what we buy,
  what we do, say, write, who we voted for, what
  search for with Google, etc.

4
EU and Data Privacy

• 1950 European Convention on Human Rights ECHR
• Article 8 provides a right to respect for one's
  "private and family life, his home and his
  correspondence",

5

• Data Privacy and Confidentiality

6
EU and Data Protection

• 95/46/EU 1995 to allow the free flow of
  personal data (only) between member states by
  harmonizing minimal information protection.
• An organization must implement appropriate
  technical and organizational measures to protect
  personal data against
• accidental or unlawful destruction
• accidental loss, alteration,
• unauthorized disclosure or access, (includes
  interception/eavesdropping over a network).

7
EU Data Protection Directive

• 95/46/EU 1995
• Enforced by
• Laws of each EU country
• Local Data Protection Commissioner in each
  country.
• Example UK
• Data Protection Act 1998
• Information Commissioners Office

8
UK Data Protection Act

• 8 Principles All data must be
• - processed fairly and lawfully
• - obtained used only for specified and lawful
  purposes
• - adequate, relevant and not excessive
• - accurate, and where necessary, kept up to date
• - kept for no longer than necessary
• - processed in accordance with the data subjects
  rights
• - kept secure
• - transferred only to countries that offer
  adequate data protection
• More details http//www.ico.gov.uk/home/for_organ
  isations/data_protection_guide.aspx

9

• Legal Safeguards and Deterrents

10
UK Law

• The Fraud Act 2006 came into force in early
  2007.
• The Fraud Act introduces a general offence of
  fraud which can be committed by
• false representation (e.g. phishing)
• failing to disclose information e.g. on an
  ad/prospectus
• abuse of position employee access, carer 4
  elderly..
• One previous loophole possession of software or
  data designed or adapted for use in connection
  with fraud.
• Possession up to 5 years. possession
  intention to be somewhat used to fraud/cheat,
  even if used by sb. else
• Writing software up to 10 years.

Maximum sentence 10 years.
11

• Data Non-Privacy

12
Correspondence

• The content good legal protection in most
  countries.
• In contrast, and less protection since Sept 11th
• Communications
• lawful interception implemented
• and technology makes it easier and easier to
  intercept data illegally..
• Even less protection
• traffic data, who talks to whom?

13

• Telecommunications and Data Retention

14
Data Retention

• EU Directive 2006/04/EC.
• Obligatory to keep for 6-24 months
• trace and identify the source of a communication
• same for the destination of a communication
• to identify the date, time and duration of a
  communication
• identify the type of communication
• identify the communication device
• identify the geographical location of mobile
  communication equipment.

15

• E-mail Retention

16
US Publicly Traded Companies

• E-mail retention obligations
• must retain their email and Instant Messaging
  (IM) that should be produced in lawsuit or/and a
  regulatory or financial audit...

17
UK Your Employer

• E-mail retention? Regulation of Investigatory
  Powers Act 2000 (RIPA) allows employers to log,
  intercept and/or record all forms of
  communications - for instance telephone calls as
  well as emails and the use of internet sites in
  certain circumstances regardless of whether the
  parties to the communication have consented to
  the interception or not. Only business
  communications, not personal.

18
All Good Reasons to Log/Record

• establish the existence of facts relevant to the
  business (which might include establishing the
  disputed facts of a conversation or email
  exchange)
• ascertain compliance with regulatory or
  self-regulatory practices or procedures relevant
  to the business
• ascertain or demonstrate standards which are, or
  ought to be, achieved by the person using the
  system (which could include quality control or
  staff training)
• prevent or detect crime
• investigate or detect the unauthorized use of
  telecommunications systems
• ensure the effective operation of the system.
• Example given right to open an employee email
  account to access relevant business
  communications when a member of staff is off sick
  or away.
• Caveat Only business communications, not
  personal.
• Monitoring - but not recording - is also
  authorized for the purpose of determining whether
  or not communications are relevant to the
  business.

19
Code of Practice

• Code of practice
• http//www.privacydataprotection.co.uk/pdf/employm
  ent_code_of_practice.pdf
• it will usually be intrusive to monitor workers
• workers have legitimate expectations of privacy
  for their private lives, and also should expect
  some degree of privacy in the Workplace
• if employers wish to monitor their workers they
  should be clear about the purpose and satisfied
  that the particular monitoring arrangement is
  justified by the real benefits that will be
  delivered
• workers should be aware of the nature, extent and
  reasons for any monitoring, unless
  (exceptionally) covert monitoring is justified
• in any event, workers' awareness will influence
  their expectations

20

• Types of Data

21
2 Types of Data

• Regulators and companies frequently make
  distinction between
• Personal Data (name, address, family details
  etc)
• More related to privacy
• Financial Data account number, credit history,
  etc
• More related to security and fraud

22
Personal Data - Underestimated Risk

• Both types of data are used by criminals.

23
EU Data Protection Directive

• 95/46/EU 1995
• Gives a definition of personal data
• Article 2A
• any information relating to an identified or
  identifiable natural person ('data subject')
• an identifiable person is one who can be
  identified, directly or indirectly, in particular
  by reference to an identification number or to
  one or more factors specific to his physical,
  physiological, mental, economic, cultural or
  social identity

24
Scope of  Personal Data ?

• any information relating to an identified or
  identifiable natural person ('data subject')
• Seems every data is personal data???
• A more precise notion is as appears in US
  standards, e.g. NIST
• Personally Identifiable Information (PII) def
• Information that can be used to uniquely
  identify, contact, or locate a single person or
  can be used with other sources to uniquely
  identify a single individual.

25
EU Directive - Protection

• 95/46/EU 1995
• must implement measures
• to protect personal data against
• unauthorized disclosure or access,