(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Law 46/2018 applies specifically to:
- public authorities;
- critical infrastructure operators;
- essential services providers, including suppliers in the following sectors:
  - energy;
  - transportation;
  - financial services;
  - health;
  - water supply; and
  - digital infrastructure;
- digital service providers; and
- any other entities using networks and information systems.
In the financial services sector, Banco de Portugal – the Portuguese central bank – recently published Notice 21/2019, regulating the reporting of cybersecurity incidents by financial sector entities under its supervision. ‘Cybersecurity incidents’ are defined as any security or information event with a high probability of compromising business operations or endangering information security. Provided that they carry out activities in Portugal, banks and credit entities, investment companies, payment and digital currency services providers must report all significant or severe cybersecurity incidents to Banco de Portugal within two hours of detection of the incident. Incidents are classified as significant or severe in relation to a set of criteria which includes:
- the number or proportion of affected users;
- the economic impact;
- the reputational impact;
- the activation of crisis management mechanisms;
- internal hierarchical referral;
- any legal or regulatory infringements;
- formal notification of national or international authorities;
- systemic risk; and
- expert assessment.
Incidents must be reported through an online portal made available by Banco de Portugal at www.bportugal.net. This notice follows the earlier Notice 1/2019, which regulates the reporting of severe safety or operational incidents by payment service providers, in line with the Second Payment Services Directive.
In the electronic communications sector, under Regulation 303/2019 approved by the regulatory authority (ANACOM), network and service providers must notify the regulator of information security breaches or losses of integrity that cause a serious disturbance to the operation of networks and services and have a significant impact on the continuity of those operations. Significant impact is assessed in light of criteria relating to:
- the duration of the event; and
- the number of users affected (or, exceptionally, the geographic area affected).
An initial notice must be sent to ANACOM within the shortest possible timeframe (assuming that the company is in a position to anticipate a significant impact) and in any event within one hour of occurrence of the relevant security or integrity breach. The incident must also be disclosed to the public within four hours of this initial notification. Notice must also be given within four hours of cessation of the significant impact and a final report sent to ANACOM within 20 business days thereafter. Article 3-A of Law 41/2004 also imposes an obligation to notify data breaches specifically involving personal data to the Portuguese Data Protection Authority without undue delay.
(b) Certain types of information (personal data, health information, financial information, classified information)?
Personal data and health information are essentially covered by the GDPR and the relevant Portuguese implementing legislation; and financial information falls under the specific regulatory rules covered in question 1.3(a).
Classified information falls under a more fragmented system of rules. The government, through Council of Ministers resolutions, has historically approved instructions on national security (SEGNAC) within the broad scope of industrial, technological, administrative and research activities which include instructions pertaining to information security on classified data and documents (SEGNAC 4, approved by Council of Ministers Resolution 5/90). In addition, the Law on State Secrets (Organic Law 2/2014 of 6 August, as amended) states that all documents and information that receive this classification must be adequately protected against sabotage, espionage, leaks or any form of unauthorised disclosure. Classification as a state secret results in access restrictions, both to the relevant information and to the physical locations where it may be stored; and to a general prohibition on storing any classified information or document except in authorised premises or equipment.
The abundance of statutes on data protection has led to multiple and sometimes incoherent definitions – for instance, of ‘traffic data’ – which may result in some legal uncertainty regarding this specific type of information.