Presentation is loading. Please wait.

Presentation is loading. Please wait.

Personal Data Breach in the Era of Internet of Things

Published byCurtis Cook Modified over 6 years ago

Similar presentations

Presentation on theme: "Personal Data Breach in the Era of Internet of Things"— Presentation transcript:

1 Personal Data Breach in the Era of Internet of Things
Frantisek Kasl IRIS 2018 Instite of Law and Technology Faculty of Law Masaryk University in Brno

2 Contents Limits to the definition of personal data
Objective vs. relative criterion GDPR – risk-based approach to personal data breach Personal data breach as a specific form of cyber incident Concept of cyber incident in cybersecurity Concept of personal data breach according to WP 29 Measuring the impact of incidents Specific challenges brought by IoT environment Definition of IoT IoT as personal data breach threat enhancer Towards recognisition of personal data breach in IoT context

3 Limits to the definition of personal data Objective vs
Limits to the definition of personal data Objective vs. relative criterion Directive 95/46/EC Article 2(a) – „any information relating to an identified or identifiable natural person“ Recital 26 – „account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person“ WP 29 – Opinion on concept of personal data (2007) „any information“ + „relating to“ + „identified or identifiable“ + „natural person“ CJEU – Google Spain and Google, C-131/12 (2014) „ensure a high level of protection“ CJEU – Breyer, C‑582/14 (2016) Advocate General Opinion - point 68 – „identification of the data subject prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant“ Judgement – point 48 – „[...] (controller) has the means which may likely reasonably be used in order to identify the data subject, with the assistance of other persons“

4 Limits to the definition of personal data GDPR – risk-based approach to personal data breach
Article 4(1) – „'personal data‚ means any information relating to an identified or identifiable natural person ( ‘ data subject ’ ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier [...]“ => Breyer interpretation applicable? Article 4(12) – „'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed“ Article 33(1) – „In the case of a personal data breach, the controller shall [...], notify the personal data breach [...], unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.“

5 Personal data breach as a specific form of cyber incident Concept of cyber incident in cybersecurity
„Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.“ Glossary of Key Information Security Terms, eds. Richard Kissel, NIST, US Department of Commerce, NISTIR 7298, Revision 2 (2015) „Cyber security incident means information security breach in information systems or security of services breach or breach of integrity of electronic communication networks resulting from cyber security event.“ § 7(2) Czech Act No. 181/2014 on Cyber Security „‘incident’ means any event having an actual adverse effect on the security of network and information systems“ Article 4(7) NIS Directive 2016/1148

6 Personal data breach as a specific form of cyber incident Concept of personal data breach according to WP 29 WP 29 - Guidelines on Personal data breach notification (2017) “Confidentiality breach” - where there is an unauthorised or accidental disclosure of, or access to, personal data. “Availability breach” - where there is an accidental or unauthorised loss of access to, or destruction of, personal data. “Integrity breach” - where there is an unauthorised or accidental alteration of personal data. X “unlikely to result in a risk to the rights and freedoms of natural persons” already publically available + disclosure not a likely a risk to the individual essentially unintelligible to unauthorised parties + a copy or a backup exists X may change over time

7 Personal data breach as a specific form of cyber incident Measuring the impact of incidents
Severity of a personal data breach (ENISA) “estimation of the magnitude of potential impact on the individuals derived from the data breach” Data Processing Context x Ease of Identification + Circumstances of breach ENISA, Recommendations for a methodology of the assessment of severity of personal data breaches (2013) Personal data breach notification tool < Breach Level Index (SafeNet/Gemalto & IT Harvest – 2013) categories (1-5) on logaritmic scale (index 1-10) Log10 (number of records x type of data x source of breach x detected misuse) <

8 Specific challenges brought by IoT environment Definition of IoT
small environment with low complexity scenario “[a]n IoT is a network that connects uniquely identifiable 'Things' to the Internet. The 'Things' have sensing/actuation and potential programmability capabilities. Through the exploitation of unique identification and sensing, information about the 'Thing' can be collected and the state of the 'Things' can be changed from anywhere, anytime, by anything." large environment with high complexity scenario "Internet of Things envisions a self-configuring, adaptive, complex network that interconnects 'things' to the Internet through the use of standard communication protocols. The interconnected things have physical or virtual representation in the digital world, sensing/actuation capability, a programmability feature and are uniquely identifiable. The representation contains information including the thing's identity, status, location or any other business, social or privately relevant information. The things offer services, with or without human intervention, through the exploitation of unique identification, data capture and communication, and actuation capability. The service is exploited through the use of intelligent interfaces and is made available anywhere, anytime, and for anything taking security into consideration." IEEE, eds. MINERVA, Roberto; BIRU, Abyi; ROTONDI, Domenico. Towards a definition of the Internet of Things (IoT), p. 74.

9 Source: Beecham Research, available at: http://www. beechamresearch
Source: Beecham Research, available at: (seen )

10 Specific challenges brought by IoT environment IoT as personal data breach threat enhancer
Features: ubiquitous profiling, big data mining, machine learning, M2M communication, possible omnipresence, mesh connectivity... increased data flow complexity ‘weaponized IoT devices’ for DDoS attacks or other illicit activities increased attack surface - variety creates in combination new vulnerabilities limited security features and posibilities for advanced security countermeasures => higher likelyhood, frequency and severity of cyber incidents data that these devices collect and process omnipresence of IoT sensors and increased detail of all aspects of documented activities new forms of data, metadata and derived data (by combination of the collected data) => new forms of data breaches, increased frequency, severity and volume

11 Source: Beecham Research, available at: http://www. beechamresearch
Source: Beecham Research, available at: (seen )

12 Towards recognisition of personal data breach in IoT context
new factors cyberphysical; indirect interconnection... increased frequency, scope, variety need for automated reporting and monitoring adjustment of risk scales broad adoption of adequate methodology challenges for unified or comprehensive classification of risk ambiguous terms and fluctuant environment => legal uncertainty about data breach notification obligation personal data scope unclear cyber incident scope wide and developing with technology data breach concept broad and ambiguous risk-based approach missing adequade guidance in measures and indicators X general guidance available => need for flexible adaptation to IoT environment adequate identification of relevant factors crucial for achieving the purpose of data breach notification X overall ambiguity may lead to either too low (overreporting, lack of informative value) or too high threshold (notification omitted, empty norm)

13 Thank you for your attention!

Download ppt "Personal Data Breach in the Era of Internet of Things"

Similar presentations

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Introduction (Pendahuluan)  Information Security.

Introduction (Pendahuluan)  Information Security.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Ch. 1. The Third ICT Wave The Third ICT Wave.

Ch. 1. The Third ICT Wave The Third ICT Wave.
Switch off your Mobiles Phones or Change Profile to Silent Mode.

Switch off your Mobiles Phones or Change Profile to Silent Mode.
SECTION IV: GENERAL DESCRIPTION OF STEPS TAKEN OR ENVISAGED BY NON-ANNEX I PARTY TO IMPLEMENT THE CONVENTION Workshop on the Use of the Guidelines for.

SECTION IV: GENERAL DESCRIPTION OF STEPS TAKEN OR ENVISAGED BY NON-ANNEX I PARTY TO IMPLEMENT THE CONVENTION Workshop on the Use of the Guidelines for.
. 1. Computer Security Concepts 2. The OSI Security Architecture 3. Security Attacks 4. Security Services 5. Security Mechanisms 6. A Model for Network.

. 1. Computer Security Concepts 2. The OSI Security Architecture 3. Security Attacks 4. Security Services 5. Security Mechanisms 6. A Model for Network.
Ali Alhamdan, PhD National Information Center Ministry of Interior

Ali Alhamdan, PhD National Information Center Ministry of Interior
Academic Year 2014 Spring Academic Year 2014 Spring.

Academic Year 2014 Spring Academic Year 2014 Spring.
Internet of Things. IoT Novel paradigm – Rapidly gaining ground in the wireless scenario Basic idea – Pervasive presence around us a variety of things.

Internet of Things. IoT Novel paradigm – Rapidly gaining ground in the wireless scenario Basic idea – Pervasive presence around us a variety of things.
CMG Events 2016 Cybersecurity Briefing 24 February 2016 John Magee William Fry.

CMG Events 2016 Cybersecurity Briefing 24 February 2016 John Magee William Fry.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Smart Law in Digital India - Legal, Regulatory & Governance Challenges July 24, 2016 Sajai Singh Partner J. Sagar Associates advocates & solicitors Ahmedabad.

Smart Law in Digital India - Legal, Regulatory & Governance Challenges July 24, 2016 Sajai Singh Partner J. Sagar Associates advocates & solicitors Ahmedabad.
Data Protection and Enabling Psi Re-use EVPSI & LAPSI Final Meeting

Data Protection and Enabling Psi Re-use EVPSI & LAPSI Final Meeting
Introduction to Machine Learning, its potential usage in network area,

Introduction to Machine Learning, its potential usage in network area,
Security and resilience for Smart Hospitals Key findings

Security and resilience for Smart Hospitals Key findings
Principles Identified - UK DfT -

Principles Identified - UK DfT -
Remarks by Dr Mawaki Chango Kara University DigiLexis Consulting

Remarks by Dr Mawaki Chango Kara University DigiLexis Consulting
Security in Internet of Things Begins with the Data

Security in Internet of Things Begins with the Data

Similar presentations

Ads by Google