       Intention: Whether the infringement is intentional or negligent

       Mitigation: Actions taken to mitigate damage to data subjects

       Preventative measures: How much technical and organizational preparation the firm had previously implemented to prevent noncompliance

       History: Past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and past administrative corrective actions under the GDPR, from warnings to bans on processing and fines

       Cooperation: How cooperative the firm has been with the supervisory authority to remedy the infringement

       Data type: What types of data the infringement impacts; see special categories of personal data

       Notification: Whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party

       Certification: Whether the firm had qualified under approved certifications or adhered to approved codes of conduct

       Other: Other aggravating or mitigating factors, including financial impact on the firm from the infringement

      Lower Level

      Up to €10 million, or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

       Controllers and processors under Articles 8, 11, 25–39, 42, 43

       Certification body under Articles 42, 43

       Monitoring body under Article 41(4)

      Upper Level

      Up to €20 million, or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

       The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9

       The data subjects' rights under Articles 12–22

       The transfer of personal data to a recipient in a third country or an international organization under Articles 44–49

       Any obligations pursuant to member state law adopted under Chapter IX

       Any noncompliance with an order by a supervisory authority

      In this section, we compare and contrast different investigation types, including administrative, criminal, civil, and regulatory investigations. For each investigation type, we discuss who performs the investigation, the standard for collecting and presenting evidence, and the general differences between the types.

      Burden of proof is the requirement that the criminal prosecutor or civil plaintiff/claimant prove the claims they are making against the accused, or defendant. The party making a claim must demonstrate the truth of that claim, with compelling evidence; the entity defending against the claim, in most modern societies, is presumed innocent or without fault — that is, the court will not recognize the validity of a claim against anyone until that claim is substantiated and the defendant is proven guilty. The amount and strength of proof required to sway the judgment away from this presumption of innocence differs depending on which kind of claim is being made; for instance, whether the claim is being made by one private party against another or whether the claim is being made by the government against a person or organization (more on this distinction in just a moment). In the U.S. legal system, the two predominant standards of proof that must be met are called preponderance of the evidence and beyond a reasonable doubt.

      Preponderance of the evidence is the lower standard of the two and is used primarily in civil actions. It essentially means that the evidence shows that the defendant is more likely to have caused the damage than not. In other words, the evidence convinced the judge, jury, or ruling body that there was at least a 51 percent chance that the defendant caused the damage.

      The second standard, beyond a reasonable doubt, is much harder to prove and is used primarily in criminal actions. It is insufficient for the evidence to merely make the judge or jury lean more toward guilt than not. In this case, the evidence has to be so clear and compelling that a “reasonable” person has no doubt or reservation about the defendant's guilt after seeing it.

      Administrative

      When discussing investigations, for (ISC)2 purposes, the term administrative will refer to actions constrained to those conducted within a single organization — that is, the organization performs an administrative investigation of itself. Internal investigations are typically performed when the matter involves some violation of organizational policy and does not involve any external entities such as law enforcement, investors, third-party suppliers, or attackers.

      NOTE To avoid confusion, it is important to distinguish the various ways in which the term administrative is used. For (ISC)2, it means an internal investigation. In the United States, administrative law refers to a set of laws made by regulatory bodies (such as the Drug Enforcement Agency, the Food and Drug Administration, and the like). For the purposes of the CISSP Body of Knowledge, an administrative investigation will only refer to an internal investigation.

      The burden of proof for administrative investigations is the lowest of all investigation types. Management can use whatever criteria they choose to believe evidence.

      Punitive measures that may result from administrative investigations include employee termination, loss of privilege, reassignment, and so forth. Management might also choose to change the type of investigation as a result of findings made during the administrative investigation; if the administrative investigation reveals that the parties involved engaged in intentional/malicious or criminal activity, management may escalate to civil actions (lawsuits) or filing criminal charges, both of which would require investigatory actions relevant to those situations.

      Despite the low burden of proof required for management to act in an administrative investigation, care should still be taken during the process. Occasionally, evidence gathered during an administrative investigation may lead to or be used in a civil or criminal investigation, as stated earlier. If evidence is mishandled during an administrative investigation, it may compromise the ability to use that evidence in later proceedings. If there is any uncertainty about whether an administrative investigation may ultimately escalate, a discussion of this concern with management or in-house or outside counsel is prudent.

      Consider this example of an investigation: The IT department contacts the security office to make a report of an employee misusing the organization's internet connection to engage in unauthorized file sharing, in direct violation of the organization's