[CB20] Privacy protection and Data breach incident response regulation in East Asia and Europe by Joy Ho and Vic Huang

In the era of big data and privacy protection, personal data, privacy protection and informational self-determination are debated around the world. Personal data is also part of an organisation's information assets, so it falls within the protection scope of information security. Overall information security is built on interlocking security management measures. As the barrel (weakest-stave) theory puts it, no protection is 100% leak-proof: the weak points that may be attacked must be continuously strengthened, and the mechanisms for preventing, responding to and handling incidents are an important part of those management measures.
This paper therefore starts from the position of a transnational enterprise and describes how to maintain legal compliance when the company must follow different data protection laws in different jurisdictions, especially in East Asia and Europe. The jurisdictions covered are Japan, Taiwan, the European Union and Thailand. The first part introduces the basic regulations and legal definitions. The second part introduces the legal requirements for handling a personal data breach. The third part presents data breach cases from the four jurisdictions and shows how other enterprises handled the crisis. Did all of those incident responses comply with the applicable data protection law? How can a transnational enterprise handle the crisis lawfully and ensure compliance? The paper closes with advice for companies.


  1. Privacy protection and Data breach incident response regulation in East Asia and Europe. Joy Ho & Vic Huang.
  2. Whoami
     • Vic Huang, LINE Corporation, Application Security Engineer: web security, blockchain security
     • Joy Ho, LINE Corporation, Privacy Counsel: information security, data protection
  3. Agenda
     • Introduction of the definition of personal data/information in East Asia and Europe
     • Comparison of data breach incident response regulation
     • Data breach incidents in the real world
     • Suggestions for data breach incident response
     (Image: Dadiani Fine Art)
  4. Issues
     1. What should a transnational enterprise do when a personal data breach has happened?
     2. How should the company interact with the data subjects?
     3. Does the company have a legal obligation to report the data breach to governmental authorities or any other stakeholders?
     4. What are the international trends in incident response mechanisms?
  5. Definition of Personal Data in East Asia and Europe (1)
     • Taiwan, Art. 2(1) of the PDPA: "... any other information that may be used to directly or indirectly identify a natural person"
     • Japan, Art. 2(1) of the APPI: "information about a living individual which can identify a specific individual by the name, date of birth or other description contained in the information (including information that can be readily collated with other information and thereby identify a specific individual)"
  6. Definition of Personal Data in East Asia and Europe (2)
     • EU, Art. 4(1) of the GDPR: "any information relating to an identified or identifiable natural person ('data subject')"
     • Thailand, PDPA: "any information relating to a Person, which enables the identification of that Person, whether directly or indirectly, but does not include the information of deceased Persons"
  7. Regulation of Personal Data Breach
     • Taiwan: any personal data that is stolen, disclosed, altered or otherwise infringed upon due to a violation of the PDPA by a government or non-government agency
     • Japan: N/A (no statutory definition)
     • EU: categories of personal data breach: confidentiality breach, availability breach, integrity breach
     • Thailand: in the event of a data breach, data controllers must report the breach to the regulator without undue delay, and in any event within 72 hours of becoming aware of it
  8. Comparison of Data breach incident response regulation: Taiwan
     • Related articles: Art. 12 of the TW PDPA; Art. 22 of the Enforcement Rules of the Personal Data Protection Act
     • Who needs to notify: the agency that collected the personal data
     • When to notify: after the relevant facts of the data breach have been clarified
     • To whom: the data subjects
     • Content of the notification: 1. the facts of the data breach; 2. the response measures already adopted
     • Exceptions (no need to notify): N/A
  9. Comparison of Data breach incident response regulation: Japan
     • Related articles, who needs to notify, when, to whom, content, exceptions: N/A
     • It is not legally required to report a data breach incident to the Personal Information Protection Commission (PPC) or to notify the affected data subjects.
     • However, the PPC has issued a guideline recommending such notification, and reporting data breach incidents is the market standard practice in Japan.
     (This reflects the law at the time of the talk in 2020; under the amended APPI in force since April 2022, reporting to the PPC and notifying data subjects is mandatory for the categories of breach specified in the PPC rules.)
  10. Comparison of Data breach incident response regulation: EU
     • Related articles: Art. 33 & 34 of the GDPR
     • Who needs to notify: the data controller [Art. 33(1)]; the data processor notifies the controller [Art. 33(2); see also Art. 28(3)(f)]
     • When to notify: without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach
     • To whom: the supervisory authority (Art. 33); the data subjects, where the breach is likely to result in a high risk to their rights and freedoms (Art. 34)
     • Content of the notification: 1. the nature of the personal data breach, including the categories and approximate number of data subjects and personal data records concerned; 2. the name and contact details of the data protection officer or other contact point; 3. the likely consequences of the breach; 4. the measures taken or proposed to be taken
     • Exceptions (no need to notify): the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  11. Comparison of Data breach incident response regulation: Thailand
     • Related articles: Art. 37 of the Thailand PDPA
     • Who needs to notify: the data controller
     • When to notify: without undue delay and not later than 72 hours after having become aware of the data breach
     • To whom: the Office of the Personal Data Protection Committee; the data subjects, where the breach is likely to result in a high risk to their rights and freedoms
     • Content of the notification: N/A
     • Exceptions (no need to notify): not listed on the slide; Section 37(4) exempts a breach that is unlikely to result in a risk to the rights and freedoms of individuals
  12. Data breach incidents in the real world: TW
     • Ministry of Civil Service (government), 2019.06.22. Scope: promotion lists of about 240,000 government employees from 2005 to 2012, including military and NSB personnel; fields: name, personal identification number, address, position. Local law in effect: yes. Response: an announcement that the government will improve personal data protection in accordance with the law.
     • 1111 Job Bank, 2019.07.18. Scope: 0.2 million job seekers' records; fields: name, address, phone, email, personal identification number, birth date, company. Local law in effect: yes. Response: announcement on the official Facebook page; victims can contact 1111 Job Bank by phone or email.
     • Lion Travel, 2017.05. Scope: 0.36 million customers' records. Local law in effect: no (as marked on the slide). Response: announced at a press conference; sent notifications to [text cut off on the slide].
  13. Data breach incidents in the real world: JP
     • Mitsubishi Electric, 2019.06.28 (disclosed 2020.01.20). Scope: multiple sets of personal data and internal data: 1,987 job candidates' records, 4,566 employees' survey results, 1,569 retired employees' records, and internal data. Local law in effect: yes. Response: Mitsubishi Electric announced that it would begin notifying victims and assigned a contact window to handle victims' concerns; https://www.mitsubishielectric.co.jp/news/2020/0120-b.pdf
     • Uniqlo (Fast Retailing), 2019.05.10. Scope: 0.46 million personal records; fields: name, address, phone, email, purchase records, birth date, part of the credit card number. Local law in effect: yes. Response: Fast Retailing announced the incident and provided contact windows for victims.
  14. Data breach incidents in the real world: TH
     • Toyota, 2019.03. Scope: 3.1 million customers' records; fields: name, birth date, job information. Local law in effect: no. Response: related to the attacks on Toyota Japan; the attack probably originated from Vietnam's APT32 ("OceanLotus" or "Cobalt Kitty"); no other information about the incident response.
     • TrueMove (itruemart), 2018.04.14. Scope: a large amount of user personal data exposed in a misconfigured AWS S3 bucket owned by TrueMove; fields: name, personal identification number, photo, phone. Local law in effect: no. Response: claimed the S3 bucket was owned by the hacker (but closed it immediately); an announcement said they had already notified victims after fixing the problem.
  15. Data breach incidents in the real world: EU
     • British Airways, 2018.06 to 2018.09. Scope: 0.43 million customers; fields: name, booking records, payment card number, address. Local law in effect: yes. Response: announced that victims would be notified by email as soon as possible. The fine eventually issued (about 25.85 million USD) is considerably smaller than the £183 million (about 228.75 million USD) that the ICO originally said in 2019 it intended to issue.
  16. Check the regulations and define the process
     • Risk-driven type: for example, under the GDPR and the Thailand PDPA the notification obligation is based on a risk assessment. If a company can verify and document that the breach is low risk and would not affect the rights and freedoms of data subjects, notification is not required.
     • Regulation-driven type: for example, the Taiwan PDPA belongs to this type. Art. 12 of the TW PDPA requires the company to notify data subjects whenever a data breach as defined in the law occurs; there is no exemption and no consideration of risk.
  17. Notification timing in Incident Response
     • NIST lifecycle: Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity
     • SANS lifecycle: Preparation; Identification; Containment; Eradication; Recovery; Lessons Learned
     • The slide marks two points on this timeline: when the incident happened, and when the notification to data subjects is made.
  18. Positive attitude for positive branding
     • Almost all data protection laws require data controllers and data processors to provide appropriate security measures to prevent the loss of personal data and its access, use, alteration or disclosure without authorisation.
     • An incident response plan is an important part of the "appropriate security measures" for managing data protection and legal compliance.
  19. Positive attitude for positive branding: win the TRUST of the public. Reference: https://rankingdigitalrights.org/index2019/report/privacy/