Use the Lexology Getting The Deal Through tool to compare the answers in this article with those from other jurisdictions.
Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
Malta has not enacted dedicated cybersecurity legislation; however, as a member of the European Union and the Council of Europe, it must fully conform to its obligations resulting therefrom. To this end, in 2001, a subtitle was added to the Criminal Code entitled ‘Of Computer Misuse’, which largely incorporates the provisions of the Council of Europe Cybercrime Convention, which itself was fully ratified by Malta in 2012.
Under the Criminal Code, article 337C criminalises unlawful access to, or use of, information. Among the offences criminalised under this article is the unlawful use of a computer or other device or equipment to (i) access any data, software of supporting documentation held in that computer or on any other computer, or (ii) copy or modify any such data, software or supporting documentation held in that computer or on any other computer. This article also criminalises unauthorised activities that hinder access to any data, and also covers the unlawful disclosure of data or passwords. The following article, 337D, then criminalises the misuse of hardware. One of the most striking features of the Computer Misuse subtitle in the Criminal Code is the evident technological neutrality, which will allow these criminal laws to cater for a host of unlawful activities, irrespective of the technological complexities at issue.
The Data Protection Act 2018, together with subsidiary legislation enacted under it, forms a legislative framework that implements EU directives, regulations and recommendations relating to privacy, including privacy in the electronic communications sector. This law imposes security obligations upon processors of personal data, whether it is collected, processed and stored via automated means or otherwise, and creates rights for the data subject with regard to personal and sensitive personal information held by data controllers. This act essentially implements and further specified the relevant provisions of the General Data Protection Regulation (GDPR).
The Electronic Communications Networks and Services (General) Regulations (SL 399.28) impose requirements on providers of electronic communications services to ensure the security and integrity of networks from incidents, threats or vulnerabilities. An undertaking providing publicly available electronic communications services over public communications networks must take all necessary measures to ensure the fullest possible availability of these services in the event of a catastrophic network breakdown.
The Subsidiary Legislation 460.35, Measures for high common level of security of network and information systems order, transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the European Union. This Directive ensures the necessary measures to guarantee the protection of the essential interests of its security, to safeguard public policy and public security, and to allow for the investigation, detection and prosecution of criminal offences.
In certain sectors, such as financial services and remote gaming, information security requirements are imposed by way of sector-specific rules and supervision by licensing authorities.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
The main sectors affected by cybersecurity laws and regulations are electronic (including mobile), banking, payments, telecommunications, e-government services, web-service providers and co-location centres, and remote gaming. Other sectors lag behind. Overall, it is the regulated industries and e-government itself that lead the way in the field of cybersecurity. The fields that have experienced both heightened growth via the web and mobile channels and are also involved in handling high volumes of sensitive data are the industries that have responded to cybersecurity challenges most.
Has your jurisdiction adopted any international standards related to cybersecurity?
The chief international standard adopted in Malta is the ISO 27001, adopted by a number of organisations and governmental bodies in Malta to govern their information security management operations. Other organisations choose to implement the provisions of this standard without obtaining the corresponding certification. This standard is adopted, however, on a voluntary basis and, where an obligation to maintain certain levels of cybersecurity exists, adoption of this standard acts as a presumption that sufficient measures have been taken. The Government of Malta ICT Policies, Directives and Standards (GMICT) policy framework has been set up by the Malta Information Technology Agency and this encapsulates a number of policies, directives and standards. This framework focuses on a set of principles, processes and stakeholders related to the ICT policy management life cycle for the government of Malta.
The GMICT Information Security Policy came into force on the 10 December 2017. This policy enables the public administration to uphold information security and the policy is aligned with the ISO 27001:2013 requirements.
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
Generally, a company’s affairs are managed by the board of directors, who are responsible for the company’s performance of its obligations.
From a data protection legislation perspective, the data controller is obliged under the Data Protection Act and the GDPR to implement appropriate technical and organisational measures to protect the personal data processed against accidental destruction or loss, or unlawful forms or processing. The security measures to be implemented must give regard to the technical possibilities available, the cost of such measures, the special risks relating to the processing of the data and the sensitivity of the data being processed.
Data controllers may be held responsible for inadequate cybersecurity by the Information and Data Protection Commissioner, who may order rectification of breach, institute civil legal proceedings where provisions of the Act have been or are about to be violated, and refer any criminal offences encountered by reason of his or her functions to the competent public authority. Criminal penalties may be applicable to breaches of information security under this Act. Under the GDPR, fines for non-compliance could be as high as €20 million or 4 per cent of the global annual turnover. The GDPR also leaves it to each member state to lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that member state. Thus, according to the Data Protection Act, after giving due regard to the circumstances of the case, the Data Protection Commissioner may impose an administrative fine, provided that such fine should not exceed €50,000 for each violation.
In regulated sectors such as financial services and remote gaming, service providers undergo certification and supervisory checks where they have to show and justify that the security measures taken are proportionate and adequate to the risks. In the event that the supervisory body is not satisfied, the providers may either be refused a licence, or face fines or suspension of their licence, or both.
In addition, in the financial services sector, licence holders are increasingly required to set up an internal audit function that is independent from the operational activities. The principal purpose of such audit would be to assess the appropriateness of the service provider’s internal policies and procedures, including information security and risk management policies, and would review the compliance by the organisation with the same. Findings are reported to the board of directors of the organisation.
How does your jurisdiction define cybersecurity and cybercrime?
At present, specific definitions of cybersecurity and cybercrime do not exist in Malta’s statutes or case law. One may, however, find guidance to these terms in the Criminal Code subtitle relating to Computer Misuse, which defines a ‘computer’ as an electronic device that performs logical arithmetic and memory functions by manipulating electronic or magnetic impulses, and includes all input, output, processing, storage, software and communication facilities that are connected or related to a computer in a computer system or computer network. ‘Computer data’ here is defined as any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function. These definitions thus allow for broad scope to be afforded to the computer-related crimes of unauthorised access, use or modification of computing systems, software, hardware and data foreseen in this subtitle.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
There are only generic requirements under applicable legislation relating to cybersecurity, which state that the security of systems must be adequate in relation to the sensitivity of information and repercussions that may arise as a result of information security breaches. There are no explicit or specific legislative requirements in addition to the above. However, companies that are obliged to maintain adequate security in their business (such as financial services, telecoms, remote gaming) and normally have to undergo supervisory checks by their licensing authorities normally adopt ISO 27001 standard. Moreover, financial service providers having to undergo PCI compliance generally follow the applicable rules as well with regard to the storing of data and its encryption.
In the financial services sector, applicable financial service legislation does not contain any mandatory requirements concerning certification of data centres or software applications to be used by financial businesses. During the application phase, however, the supervisory authority will consider the proposed IT structure case by case and will expect the applicant to identify reputable data centres and software providers that will enhance its ability to ensure continuous and regular provision of the licensed financial activities and adequate protection of customer data.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
Malta does not, at present, have any laws or regulations that cater for cyberthreats to intellectual property. For the purposes of data security, unauthorised access to or misuse of data, data protected by intellectual property rights is treated in the same way as any other data.
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
Subsidiary Legislation 460.24, Critical Infrastructure and European Critical Infrastructures (Identification, Designation and Protection) Order (the Order), transposes the European Council Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. The Order defines critical infrastructure as an asset, system or part thereof, located in Malta, that is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people and the disruption or destruction of which would have a significant impact in a member state as a result of the failure to maintain those functions.
Furthermore, the Criminal Code provisions in relation to computer misuse are made applicable to ‘computer networks’, ‘software’, ‘hardware’ and ‘computer systems’, which are defined widely and with enough technological neutrality to incorporate all conceivable cyberthreats to any technological infrastructure.
The National Cyber Security Strategy was issued in 2016 with the aim of aligning the specific EU legal requirements and Digital Malta strategy presented in March 2014, entitled ‘the National Digital Strategy for 2014-2020’. The purpose of the National Cyber Security Strategy is to provide an overall high level of direction with respect to cybersecurity across all levels of the economy and society, and to bring together the various stakeholders involved to protect the national interest.
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
In addition to the provisions of the Data Protection Act and subsidiary legislation, the Electronic Communications Networks and Services (General) Regulations (SL 399.28) address data protection issues arising from the use of electronic communications networks and services, whether these are public or non-public.
These regulations impose requirements on providers and communications and services to ensure the security and integrity of networks from incidents, threats or vulnerabilities, including personal data breaches. An undertaking providing publicly available electronic communications services over public communications networks must take all the necessary measures to ensure the fullest possible availability of such services in the event of a catastrophic network breakdown.
Under Maltese law, private communications can only be intercepted by the Maltese Security Service upon obtaining a warrant signed by the Minister under the circumstances related to national security delineated in the Security Service Act.
Under the Order, the Malta Critical Infrastructure Protection Unit is responsible for building partnerships with operators of critical infrastructure for information-sharing purposes.
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
The principal cyberactivities criminalised under article 337C of the Criminal Code are the unauthorised:
- use of a computer or other device to access, use, copy or modify data or other information held;
- output of data or other information from the computer where it is held in any manner whatsoever;
- copying of data or other information to a storage medium or other location other than that in which it is held;
- prevention or hindering of access to such data;
- hindering or impairing the functioning or operation of a computer system, software or the integrity or reliability of any data;
- hindering or interrupting the functioning of an information system by inputting computer data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible;
- possession of or use of data;
- installation, alternation, movement, damage, deletion, deterioration, suppression, destruction, variation or addition of any data or other information or rendering such data inaccessible;
- disclosure of a password or other form of access to an unauthorised person;
- use of another person’s access code, password, username, electronic mail address or other means of accessor identification information in a computer or any infringement of any security measure to gain access without authorisation to the whole or to any part of an information system;
- interception by technical means of data transmissions; or
- production or any other form of procurement of a device, including a computer program, which is designed or adapted for the committing of the above-mentioned acts or a computer password, access code, or similar data by which the whole or any part of an information system is capable of being accessed.
Breaches of the obligations and duties under the Data Protection Act, the Electronic Communications Act and the Subsidiary Legislation 460.35 Measure for high common level of security of network and Information Systems Order may also result in criminal sanctions.
How has your jurisdiction addressed information security challenges associated with cloud computing?
With the introduction of the Subsidiary Legislation 460.35 the security challenges associated with cloud computing have been addressed. The latter defines cloud computing as a digital service that enables access to scalable and elastic pool of shareable computing resources. This is then further considered to be a digital service. This subsidiary legislation also establishes a critical information infrastructure protection unit (CIIP). This CIIP unit shall have a number of responsibilities, most importantly establishing the criteria for the identification and designation of operators of essential service and digital service providers; ensuring that a risk assessment is carried out by operators of essential services and digital service providers; and monitoring security measures taken by operators of essential services. Current policy frameworks also seek to mitigate risks, while at the same time seizing the full benefits of cloud computing. This can be seen, for instance, in the licensing approach carried out at present by the Maltese Gaming Authority, Malta’s public regulatory body responsible for all forms of gaming, where requests for use of the public or private cloud are dealt with case by case during the licensing process of a remote gaming operator. The same approach is to be seen with respect to financial services licence applications before the Malta Financial Services Authority (the single regulator of financial services in Malta).
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
Malta’s current cybersecurity laws largely transpose European directives and standards, and must comply with standards and rules contained in directly applicable European Union regulations. As a result of this, foreign jurisdictions would not be prejudiced by local rules when choosing to carry out their business in Malta.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
The chief international standards relating to information security are ISO 27001 and 27002 security standards. Several organisations choose to implement the provisions of these standards to reduce risks to their computers and networks, without obtaining the corresponding certification. According to Part 5 of the Subsidiary Legislation 460.35, Measures for high common level of security of network and information systems order, digital service providers shall take appropriate and proportionate technical and organisational measures to manage the risk posed to the security of network and information systems which they use in the context of offering services within Malta.
How does the government incentivise organisations to improve their cybersecurity?
Capital investments made in relation to an organisation’s information technology infrastructure may be eligible for tax credits on the expenditure incurred under the Micro Invest Scheme, promoted by the Maltese government agency, Malta Enterprise, which is responsible for providing fiscal and other incentives to business.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
In the local telecommunications industry, one such code of conduct exists, signed by the major industry players promoting cybersecurity in accordance with the European Framework for Safer Mobile Use by Young Teenagers and Children, to which they are signatories. This code of conduct relates to the content provided by the communications providers, and not to internet content in general. This code of conduct is publicly available and may be accessed on the telecommunications providers’ websites.
Are there generally recommended best practices and procedures for responding to breaches?
In the remote gaming business, the best practices currently in place are the safekeeping of all data related to the cyberthreat, the setting up of a dedicated team to identify the source of the threat and ensure proper steps are taken to avoid recurrence of such incident, and the education of the employees to ensure that all employees are aware of the threats and the importance of following the company’s procedures and policies. Where necessary, third-party firms are engaged to perform penetration tests to ensure that the systems used are adequately secure. According to Subsidiary Legislation 460.35, Measures for high common level of security of network and information systems order, any security breach affecting a designated operator of a digital service provider should be notified to the Malta Communications Authority by the computer security incident response team.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
At present, no legal or policy incentives exist as such that target the voluntary sharing of information relating to cyberthreats.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The process of enacting legislation and regulations applicable to the cybersecurity and ICT field is one that involves detailed discussions and consultation briefings involving key industry players, stakeholders in the field, and the general public to pool ideas with governmental bodies. This helps to ensure that regulations created for this field in which newer and more complex risks are constantly emerging are efficiently targeted in the creation of cybersecurity standards and procedures.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Insurance coverage for cybersecurity threats is increasing in popularity in Malta at the same time as information technology companies continue to set up their businesses here. As cybersecurity breaches are becoming a major risk for modern data-centric organisations, it is beneficial to cover this risk in an appropriate insurance policy that can cover data loss incidents, business interruptions and network outages. However, though an insurance policy can cover the financial risks associated with security breaches, including the damage caused to third parties, no policy can ever bring back lost data or recall leaked sensitive information or erase potential reputational damage. Accordingly, insurance policies are not a substitute for, and should always work in conjunction with, data security policies and processes that minimise the risk in the first place.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
The Information and Data Protection Commissioner is the person authorised by the Data Protection Act to ensure and enforce compliance with the provisions of the Data Protection Act. Through the transposition of the GDPR into national legislation, the fines that can be imposed have drastically increased, which will be a deterrent against non-compliance with cybersecurity obligations emanating from the Regulation.
The Maltese Police Force set up a dedicated Cyber Crime Unit in 2003, whose main function is to provide technical assistance in the detection, investigation and prosecution of crime wherein the computer is the target or the means used. The Cyber Crime Unit is made up of police officers who are trained in the investigation of crimes that take place over the internet or through the use of a computer.
In addition, sectoral regulatory bodies may initiate and carry out enforcement through licensing and fine mechanisms.
The CIIP is also established as being the national authority that will oversee and monitor digital services such as online marketing, online search engines and cloud computing.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
Sectoral authorities, in general, have powers of requesting documentation, making site visits, conducting investigations and reporting to other competent bodies (such as the police) on their findings.
For example, in exercising his or her functions, the Information and Data Protection Commissioner is empowered to enter and search any premises under the powers that are vested in executive police by any law. Similar powers are afforded to the Maltese Financial Services Authority. In particular, the Financial Services Authority requires applicants for a financial services licence to implement an IT and operational setup where the master data is located in Malta (or where this is not so, where replicated, backup data is located in Malta). The Authority will require applicants to ensure that it will, at all times, have unrestricted control and direct and immediate access to the data in Malta so that the Authority’s inspectors can at any time access such data to enable it to exercise its supervisory powers. Similarly, the Maltese Gaming Authority requires applicants for remote gaming licences to have in place an information security policy whose aim is to safeguard data, applications, equipment and network, as well as a strict system access control policy to ensure that access is limited to the system as well as physical access being limited to on a need-to-know basis. Without the implementation of such policies, among other required policies, remote gaming applicants will not be granted a licence to operate in the remote gaming business from Malta. Audits are performed by appointed technical auditors to ensure that these policies are being followed.
The Maltese Police Cyber Crime Unit is charged with the investigation of criminal acts commonly associated with technology, as well as the investigation of more traditional offences such as fraud and threats perpetrated by cyber means. It is charged with the analysis and seizure of digital evidence collected in connection with investigations, as well as in identifying persons committing crimes over the internet.
The CIIP is granted the power impose administrative fines and order the cessation of any or omission that is in breach of this order, and therefore this authority is entitled to prosecute infringements.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
Criminal enforcement of breaches of cybersecurity against perpetrators is extremely low, because crimes are often perpetrated from outside Malta and there is great difficulty in enforcement in such cases. The inability to prosecute is the most acute problem arising in enforcement of criminal cases relating to breaches of cybersecurity. Authorities will have to collaborate with foreign counterparts to be able to identify and arraign perpetrators. Companies located in Malta generally fully cooperate with police and provide information and access to their data and networks to assist in the investigation of crimes.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
The penalties applicable under the Data Protection Act may vary from fines ranging between €1,250 and €50,000 and imprisonment of up to six months. The criminal penalties vary depending on the provisions of the Act being breached. On encountering a breach of the Act, which could lead to criminal proceedings, the Commissioner is to refer the situation to the competent authorities, who in turn would need to take action in the criminal courts.
Other breaches of the Act may result in administrative fines, which can vary from one-time fines of up to €25,000 and daily fines of up to €50, for each day during which such violation persists.
Now that the GDPR has been transposed into Maltese law, fines for non-compliance could be as high as €20 million or 4 per cent of the global annual turnover.
In the remote gaming sector, should operators be found not in compliance with their information security policy and system access control policy, the Gaming Authority would request that the operators take adequate actions to ensure compliance. Should this not be done to the satisfaction of the authority, fines may be imposed.
In the financial sector, the Maltese Financial Services Authority reserves the right to impose certain sanctions where the entity no longer fulfils the conditions required for the granting of the licence generally. Such sanctions include the revocation or restriction of a licence and the imposition of administrative penalties where there is a breach of applicable financial services legislation.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
Article 3A of the Processing of Personal Data (Electronic Communications Sector) Regulations requires providers of publicly available electronic communication services to notify a personal data breach to the Information and Data Protection Commissioner, and, where the personal data breach is likely to adversely affect the personal data of privacy of a subscriber or individual, such subscriber or individual, do so without undue delay. Contravention of or non-compliance with the provisions of these Regulations may lead to fines. This fine is of an administrative nature, and shall be determined by the Information and Data Protection Commissioner. The Information and Data Protection Commissioner would also be required to impose administrative fines under the GDPR for such a failure to comply.
Regulations 55 and 56 of the Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28) require undertakings providing network elements or service to inform the Maltese Communications Authority, inter alia, of any significant risk of a breach, or any actual, significant breach of the security or integrity of the services or network or failure or serious degradation of international connectivity. Any person suffering loss or damage because of any contravention of these Regulations shall be entitled to take action before the competent court or tribunal, seeking compensation from the person who caused the loss or damage.
Finally, data controllers operating in certain sectors, such as in the financial services sector, may be required by the relevant authority to disclose any personal data or security breach.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
Private parties may seek private redress under the provisions of the Civil Code.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
The Data Protection Act provides that the carrying out of data processing by way of a processor is to be governed by a contract or other legally binding instrument, which must stipulate that the processor shall act only upon instructions from the data controller and shall implement all the necessary technical and organisational measures to ensure the protection of the data, by providing sufficient security.
The Electronic Communications Networks and Services (General) Regulations impose an obligation on undertakings providing connection to public communications networks or other publicly available electronic communications services to ensure the implementation of a security policy with respect to the processing of personal data. Appropriate security measures must be taken to prevent and minimise the impact of security incidents on users and interconnected networks. International gateway operators must additionally, at all times, adopt appropriate measures to safeguard the integrity and resilience of the network elements utilised to provide international connectivity, and to secure the availability of capacity or have alternative measures in place to ensure an adequate level of uninterrupted international connectivity.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
Electronic communications providers are bound to retain categories of data pertaining to call and SMS logs, and internet data such as IP addresses; however, no content records may be collected or stored. The GDPR will impose a requirement to document any breach affecting personal data. Civil legal proceedings brought under the provisions of the Civil Code and the Code of Civil Procedure may be brought within a prescriptive period of five years. For this reason, it is advisable that records are kept for a period of five years from the date of the cyberthreat or attack in question.
The Prevention of Money Laundering and Funding of Terrorism Regulations (SL 373.01) may have cybersecurity implications. Under these Regulations, records of threats, identity information, and records of all business transactions must be kept for a minimum period of five years from the date on which the relevant transaction or financial business was completed.
Further, in the remote gaming sector, the Gaming Authority requires operators to report situations of attacks on their system. These reports need to be prepared and submitted to the Authority within 24 hours of the incident and a copy of the report must be kept at the company’s registered address.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
European Commission Regulation (EU) No. 611/2013 provides for measures relating to the notification of personal data breaches under Directive 2002/58/EC to electronic communications providers. This Regulation applies to providers of publicly available electronic communications services, who are obliged to notify the competent national authority of a personal data breach. Information that must be notified to the competent national authority in an initial report of a personal data breach comprises the date and time of the incident, the circumstances of the personal data breach, the nature and content of the personal data, compromised, the technical and organisational measures applied by the provider to the affected personal data and the relevant use of other providers. Further technical information that must be provided pertaining to the personal data breach includes a summary of the incident, the number of subscribers or individuals concerned, the potential consequences, and the technical and organisational measures taken by the provider to mitigate potential adverse effects. Similar information must be provided to the subscriber or individual. The GDPR will also impose reporting requirements to the Information and Data Protection Commissioner in case of a personal data breach. The requirement envisages that a controller shall, without delay and, where feasible, not later than 72 hours, notify the Information and Data Protection Commissioner of a breach.
The Electronic Communications Networks and Services (General) Regulations (SL 399.28) provide that, where there is a significant risk of a breach of security or integrity of the services or network, the provider must appropriately and without undue delay notify the Malta Communications Authority (MCA) and any users concerned at the least of the risk and remedies possible, as well as contact points for more information. Serious and significant breaches or failures of international connectivity must be notified to the MCA and, where appropriate, the MCA shall inform regulatory authorities in other member states and the European Network Information Security Agency.
According to Subsidiary Legislation 460.35 any security breach affecting a designated operator of a digital service provider should be notified to the MCA by the CRIST.
Additionally, reporting obligations arise under the Prevention of Money Laundering and Funding of Terrorism Regulations (SL 373.01). Persons subject under these Regulations and the enabling Act are bound to report any transaction that they know, suspect or have reasonable grounds to suspect may be related to money laundering or terrorist financing, and must examine with special attention any complex or large transactions or any other behaviour that appears to be suspicious and these findings must be reported to the Financial Intelligence Analysis Unit.
What is the timeline for reporting to the authorities?
Under the Commission Regulation (EU) No. 611/2013, all personal data breaches must be reported to the competent national authority no later than 24 hours after the detection of the breach. Providers may give further details of the breach within three days of the initial notification in the event that full details cannot be provided at the time of initial notification. Under the GDPR, reporting should be done, where feasible, within 72 hours.
Digital service providers shall without undue delay notify the CIIP unit of any incident having a substantial impact on their digital service, as is established in the Subsidiary Legislation 460.35.
Reporting obligations under the Prevention of Money Laundering and Funding of Terrorism Reports must be submitted to the Financial Intelligence Analysis Unit (FIAU) as soon as is reasonably practicable, but not later than five working days from when facts are discovered or information is obtained. This time frame may only be waived if the subject person makes representations to the FIAU justifying the reasons why the information cannot be submitted within the said time, and the FIAU may, at its discretion, extend such time as is reasonably necessary to obtain and submit the information requested.
The reporting obligation in the remote gaming sector is within 24 hours of the incident.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
The European Commission (EU) Regulation No. 611/2013 imposes an obligation upon electronic communications providers to make a notification of a personal data breach to the subscriber or individual concerned. This notification must be made when the breach is likely to adversely affect the personal data or privacy of the person involved; this notification is made in addition to the notification that must be made to the national competent authority. The notification obligation to the subscriber or individual may only be waived if the technological implementations rendering the data concerned unintelligible to an unauthorised person are to the satisfaction of the competent national authority.
The Electronic Communications Networks and Services (General) Regulations (SL 399.28) provide that, where there is a significant risk of a breach of security or integrity of the services or network, the provider must appropriately and without undue delay notify any users concerned, at the least, of the risk and remedies possible, as well as contact points for more information. Where the MCA determines that the network security breach is in the public interest, it may inform the public of this or require the undertaking concerned to do so accordingly.
The GDPR imposes an obligation to make a communication with regard to the breach to the affected data subjects without undue delay if it is deemed that the breach is likely to result in a high risk to the rights and freedoms of natural persons.
Update and trends
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
Undoubtedly, keeping cybersecurity regulations up-to-date is a challenge. In our opinion, such a challenge can only be properly approached if the stakeholders of the relevant industries are kept constantly consulted. Otherwise, any regulations would be out of touch with reality and the needs of the various industries it affects.
New industries and technologies such as blockchain will be one of the main factors affecting cybersecurity laws and policies. Governments need to be proactive where it comes to such new industries and be the first to understand the potentials and risks that these create to properly legislate without diminishing the prospects that such a technology or industry would pose.