Category: GDPR

Incentive Policy for Coordinated Vulnerability Disclosure


For the past ten years or so, organizations have been trying to implement operational policies to avoid “Full Disclosure” reports or “Open Bug Bounty” whose methods are not that good in terms of honesty and responsibility.

Speaking of responsibility, you may be familiar with the notion of “Responsible Disclosure” and you wonder how it differs from the concept of Coordinated Vulnerability Disclosure?

The concept of responsible disclosure has too often been at the root of endless discussions:

On the one hand the vendors denounce “Disclosing a vulnerability without providing patches is not responsible”.
and the other, “Don’t fix this vulnerability as quickly as possible is not responsible”, say security researchers.

During this precious time when both sides argue, the system concerned is at the opponent’s mercy.

In order to move towards greater efficiency and to get out of sterile debates, it is therefore important to avoid speaking of “responsible disclosure”. This is why many organizations advocate the concept of “Coordinated Vulnerability Disclosure” (CVD) in order to promote and strengthen cooperation between the various actors in cybersecurity, all of whom have a common goal: Make the Internet safer.

Coordinated Vulnerability Disclosure

Coordinated Vulnerability Disclosure

Read More

European Regulation for the Protection of Personal Data and Data Security


Eric A. Caprioli, Attorney Admitted to Practice Before Court of Appeals, Juris Doctor, Member of French Delegation to United Nations
Isabelle Cantero, Associate (Caprioli & Associés), Lead for Privacy and Personal Data Practice

The European Regulation for the Protection of Personal Data (GDPR) was adopted on April 27, 2016 after 4 years of involved negotiations. Being a directly applicable regulation in each of the Member States (that is, not requiring a national law to implement), it should enable the harmonization of the statutes having to do with the protection of personal data within the European Union and bring the principles of protection into line with the realities of the digital era. It will go into effect on May 25, 2018. For many companies, these new provisions will involve costs related to the investment required to bring their current tools or procedures into compliance with the new rules.

Single Flexible Protective Statute for All EU Member States

The regulation is applicable to every entity in the private and the public sectors. It applies to the issues of Big Data, profiling, Cloud Computing, security of transborder data traffic, data portability when changing service providers… These issues are to be placed alongside the new advance protection principles (privacy by design or by default), analysis-based protection (impact assessment), documented protection (mandatory documentation serving as evidence of statutory compliance), cascading protection (processor liability and the possibility of joint liability), and stronger protection (rights of individuals and consent). And finally, the accountability principle (i. e. the obligation to prove statutory compliance of how personal information is being handled).

As far as stronger protection for the rights of individuals in concerned, consent should be the focus since it should never be implicit or general and it must be provable (documented and traceable) by the controller. Further, in addition to the conventional rights of individuals, such as access, correction/deletion and objection, the GDPR creates new rights (limitation on data processing, portability, etc.).

As for sanctions handed down by the enforcement authority  (CNIL), it should already be noted that they could be as high as EUR 3 million pursuant to the Digital Republic legislation of October 2016 but with GDPR, for violations of obligations set forth in matters of individual rights they could go all the way to 4% of global revenues, or EUR 20 million. For violations of other obligations prescribed by GDPR, the fines could be as high as 2% of global revenue, or EUR 10 million.

And to round off this brief summary of the changes, the current Ombudsperson for IT and Freedoms (optional designation) will be replaced by a Data Protection Officer whose functions will clearly be broader. This designation is mandatory under certain conditions: in a Government body or authority, whenever data processing enables regular and systematic large-scale monitoring of individuals, whenever sensitive or criminal record information is being processed on a large scale, or whenever required by Union or Member State law.

Personal Data Protection Core Security

Read More

Powered by WordPress & Theme by Anders Norén