Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

The Data Protection Act provides that the carrying out of data processing by way of a processor is to be governed by a contract or other legally binding instrument, which must stipulate that the processor shall act only upon instructions from the data controller and shall implement all the necessary technical and organisational measures to ensure the protection of the data, by providing sufficient security.

The Electronic Communications Networks and Services (General) Regulations impose an obligation on undertakings providing connection to public communications networks or other publicly available electronic communications services to ensure the implementation of a security policy with respect to the processing of personal data. Appropriate security measures must be taken to prevent and minimise the impact of security incidents on users and interconnected networks. International gateway operators must additionally, at all times, adopt appropriate measures to safeguard the integrity and resilience of the network elements utilised to provide international connectivity, and to secure the availability of capacity or have alternative measures in place to ensure an adequate level of uninterrupted international connectivity.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Electronic communications providers are bound to retain categories of data pertaining to call and SMS logs, and internet data such as IP addresses; however, no content records may be collected or stored. The GDPR will impose a requirement to document any breach affecting personal data. Civil legal proceedings brought under the provisions of the Civil Code and the Code of Civil Procedure may be brought within a prescriptive period of five years. For this reason, it is advisable that records are kept for a period of five years from the date of the cyberthreat or attack in question.

The Prevention of Money Laundering and Funding of Terrorism Regulations (SL 373.01) may have cybersecurity implications. Under these Regulations, records of threats, identity information, and records of all business transactions must be kept for a minimum period of five years from the date on which the relevant transaction or financial business was completed.

Further, in the remote gaming sector, the Gaming Authority requires operators to report situations of attacks on their system. These reports need to be prepared and submitted to the Authority within 24 hours of the incident and a copy of the report must be kept at the company’s registered address.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

European Commission Regulation (EU) No. 611/2013 provides for measures relating to the notification of personal data breaches under Directive 2002/58/EC to electronic communications providers. This Regulation applies to providers of publicly available electronic communications services, who are obliged to notify the competent national authority of a personal data breach. Information that must be notified to the competent national authority in an initial report of a personal data breach comprises the date and time of the incident, the circumstances of the personal data breach, the nature and content of the personal data, compromised, the technical and organisational measures applied by the provider to the affected personal data and the relevant use of other providers. Further technical information that must be provided pertaining to the personal data breach includes a summary of the incident, the number of subscribers or individuals concerned, the potential consequences, and the technical and organisational measures taken by the provider to mitigate potential adverse effects. Similar information must be provided to the subscriber or individual. The GDPR will also impose reporting requirements to the Information and Data Protection Commissioner in case of a personal data breach. The requirement envisages that a controller shall, without delay and, where feasible, not later than 72 hours, notify the Information and Data Protection Commissioner of a breach.

The Electronic Communications Networks and Services (General) Regulations (SL 399.28) provide that, where there is a significant risk of a breach of security or integrity of the services or network, the provider must appropriately and without undue delay notify the Malta Communications Authority (MCA) and any users concerned at the least of the risk and remedies possible, as well as contact points for more information. Serious and significant breaches or failures of international connectivity must be notified to the MCA and, where appropriate, the MCA shall inform regulatory authorities in other member states and the European Network Information Security Agency.

According to Subsidiary Legislation 460.35 any security breach affecting a designated operator of a digital service provider should be notified to the MCA by the CRIST.

Additionally, reporting obligations arise under the Prevention of Money Laundering and Funding of Terrorism Regulations (SL 373.01). Persons subject under these Regulations and the enabling Act are bound to report any transaction that they know, suspect or have reasonable grounds to suspect may be related to money laundering or terrorist financing, and must examine with special attention any complex or large transactions or any other behaviour that appears to be suspicious and these findings must be reported to the Financial Intelligence Analysis Unit.

Timeframes

What is the timeline for reporting to the authorities?

Under the Commission Regulation (EU) No. 611/2013, all personal data breaches must be reported to the competent national authority no later than 24 hours after the detection of the breach. Providers may give further details of the breach within three days of the initial notification in the event that full details cannot be provided at the time of initial notification. Under the GDPR, reporting should be done, where feasible, within 72 hours.

Digital service providers shall without undue delay notify the CIIP unit of any incident having a substantial impact on their digital service, as is established in the Subsidiary Legislation 460.35.

Reporting obligations under the Prevention of Money Laundering and Funding of Terrorism Reports must be submitted to the Financial Intelligence Analysis Unit (FIAU) as soon as is reasonably practicable, but not later than five working days from when facts are discovered or information is obtained. This time frame may only be waived if the subject person makes representations to the FIAU justifying the reasons why the information cannot be submitted within the said time, and the FIAU may, at its discretion, extend such time as is reasonably necessary to obtain and submit the information requested.

The reporting obligation in the remote gaming sector is within 24 hours of the incident.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

The European Commission (EU) Regulation No. 611/2013 imposes an obligation upon electronic communications providers to make a notification of a personal data breach to the subscriber or individual concerned. This notification must be made when the breach is likely to adversely affect the personal data or privacy of the person involved; this notification is made in addition to the notification that must be made to the national competent authority. The notification obligation to the subscriber or individual may only be waived if the technological implementations rendering the data concerned unintelligible to an unauthorised person are to the satisfaction of the competent national authority.

The Electronic Communications Networks and Services (General) Regulations (SL 399.28) provide that, where there is a significant risk of a breach of security or integrity of the services or network, the provider must appropriately and without undue delay notify any users concerned, at the least, of the risk and remedies possible, as well as contact points for more information. Where the MCA determines that the network security breach is in the public interest, it may inform the public of this or require the undertaking concerned to do so accordingly.

The GDPR imposes an obligation to make a communication with regard to the breach to the affected data subjects without undue delay if it is deemed that the breach is likely to result in a high risk to the rights and freedoms of natural persons.