Mind Your Business: Why Privacy Matters to the Successful Enterprise

Post on 15-Apr-2017



Grab some coffee and enjoy the pre-show banter before the top of the hour!

The Briefing Room

Mind Your Business: Why Privacy Matters to the Successful Enterprise


Host: Eric Kavanagh

eric.kavanagh@bloorgroup.com @eric_kavanagh

•  Reveal the essential characteristics of enterprise software, good and bad

•  Provide a forum for detailed analysis of today’s innovative technologies

•  Give vendors a chance to explain their product to savvy analysts

•  Allow audience members to pose serious questions... and get answers!


Quis Custodiet Ipsos Custodes?

•  Who watches the watchers?

•  Privacy is a principle and a practice

•  Security matters, as does customer X

•  No rest for the weary!


Robin Bloor is Chief Analyst at The Bloor Group

robin.bloor@bloorgroup.com @robinbloor

HPE & Teradata

•  HPE offers comprehensive data security and privacy solutions for big data, the cloud and the Internet of Things

•  Its solution features data encryption, tokenization and key management

•  HPE SecureData integrates with Teradata to provide native data encryption and key management capabilities for customers looking to address compliance or regulatory requirements such as PCI, HIPAA or GLBA


Jay Irwin, JD, Director, Teradata Center for Enterprise Security

Carole Murphy, Global Product Marketing, HPE Security – Data Security

Security & Privacy

Robin Bloor, PhD

Questions About Data

Who owns data, and how is ownership conferred?

Who has a right to see it?

Who has a right to change it?

Who has a duty of care for managing it?

A Very Brief History of Data Security

•  Data theft is nothing new – data that is valuable is targeted

•  Cyber-theft was born with the Internet. It exploded around 2005

•  There are many players: governments, businesses, hacker groups, individuals

•  The technologies of attack and defense evolve

•  Businesses have a duty of care over their data, whether they own it or not

Compliance and Regulations

•  Aside from sector initiatives there are many official regulations: HIPAA, SOX, FISMA, FERPA, GLBA (mainly US legislation)

•  Standards (global): PCI-DSS, ISO/IEC 17799 (data should be owned)

•  National regulations differ from country to country (even in Europe)

Data Protection!

A particular point of focus is the individual right to privacy.

This has resulted in an attempt to normalize regulations between



Schrems v. Irish Data Protection Commissioner

•  Max Schrems

•  Austrian citizen & Facebook user

•  Post-Snowden privacy concerns over his personal data

•  Complaint rejected by the Irish DPC

•  Appealed to the Irish High Court

•  Case delayed pending EU Court of Justice referral


Schrems v. Irish Data Protection Commissioner

•  Aug. 6, 2015 – US-EU Safe Harbor Program invalidated by the EU Court of Justice (CJEU)

  •  Insufficient legal remediation channels

  •  Inadequate restrictions on government interference

  •  Interfered with national authority exercise of data enforcement


“The Privacy Shield”

•  Safe Harbor Self-certification Replacement

•  Intended framework for transatlantic data flows

•  Aims to regulate handling EU citizen data transferred to & stored by US firms

•  Privacy shield self-certification begins August 2016


EU – US Privacy Shield Provisions

•  Accountability concerns addressed

•  Codifies more robust violation resolution process

•  Clarifies legal rights/obligations for businesses relying on transatlantic data transfers

•  Creates privacy shield ombudsman


EU – U.S. Privacy Shield Provisions

•  The privacy shield includes rules –

•  To ensure EU citizen consent to data processing & sharing

•  Ensuring that third parties are validated before data can be shared with them

•  Mandating avenues available for dispute resolution

•  Enforcing strict breach notification


EU – U.S. Privacy Shield Critics

•  Privacy International criticizes the weakness of control against unlawful surveillance

•  Max Schrems & EU Parliament member Jan-Phillipp Albrecht criticize the agreement

•  Allows data sharing for broad & generic purposes, undermining a crucial privacy protection


EU – U.S. Privacy Shield Proponents

•  The U.S. Department of Commerce & State Department strongly support Privacy Shield

•  Private-sector U.S. tech firms support the agreement to root out regulatory uncertainty

•  The law aims to restore trust in transatlantic data flows between the EU & U.S.


Directive 95/46/EC

•  Directive 95/46/EC, aka DPD or The Data Protection Directive

•  Created in 1995 to regulate personal data processing in the EU

•  Implemented in 1998

•  DPD was a model for EU member state & local data protection laws


Directive 95/46/EC

•  Member states implemented local regulations per DPD

•  Member state local laws differed significantly from each other

•  The Dusseldorf Round-Table Resolution

•  ‘s between member state laws frustrated multi-national firms regulated in multiple jurisdictions

Data Protection

The need for the General Data Protection Regulation (GDPR) is recognized. Multinationals in particular need direction, and the cloud complicates matters...


General Data Protection Regulation

•  GDPR draft published by the EU Commission in 2012

•  Intended to replace the Data Protection Directive of 1995

•  DPD implementations differed greatly among EU member states

•  Intended to eliminate interstate discrepancies between local EU member laws


General Data Protection Regulation

•  Dec. 2015: Agreement Reached

•  May 2016: GDPR Adopted

•  May 2018: Compliance Due


Consent, Design, Appoint & Fix

•  Art. § 7 requires explicit individual consent for data processing & collection

•  Privacy-by-design

  •  Data protection must be designed into a large variety of services (overly broad?)

•  Art. § 37 requires appointment of data protection officers

  •  For organizations & public authorities in EU member states

  •  Who must be trained per Art. § 43

•  EU citizens have the right to have incorrect data corrected or removed from databases


Articles § 5 & 32 – Security of Processing

Suggests security actions that may be “appropriate to risk”

•  Pseudonymization and/or encryption of personal data

•  Ability to ensure ongoing confidentiality, integrity, availability & resilience of processing systems & services

•  Ability to timely restore availability & access to personal data in the event of a physical or technical incident

•  A process to regularly test, assess & evaluate effectiveness of technical & organizational measures for ensuring data processing security

•  Controllers & processors adhering to an approved code of conduct or certification mechanism listed in Art. §§ 40, 42 may use them to demonstrate compliance

The Obstacles to Encryption

•  The major (perceived) obstacles are:

  •  Convenience

  •  Performance

  •  Cost

  •  C-level support

•  Also, access control and encryption need to thoroughly integrate

The Changing Nature of Data…

•  In time, “data in motion” may dwarf “data at rest.” Data is rarely stationary

•  Encryption is the only security solution that provides coherence in such an IT environment

•  Data moves and processes move, so security must follow

Data Encryption

It’s not a question of whether to do it – it’s more about how to do it



Format-Preserving Encryption (FPE)

•  Supports virtually any data types in any format: name, address, dates, numbers, etc.

•  Provides Unicode Latin 1 for format and character set preserving encryption in languages such as German, Spanish, French and more

•  Preserves referential integrity

•  Only applications that need the original value need change

•  Used for production protection and data masking

•  NIST-standard using FF1 AES Encryption


AES-FPE example (slide graphic):

Original: First Name: Gunther | Last Name: Robertson | SSN: 934-72-2356 | DOB: 08-07-1966

AES-FPE:  First Name: Uywjlqo | Last Name: Muwruwwbp | SSN: 253-67-2356 | DOB: 01-02-1972

Original: First Name: Jürgen | Last Name: Klinsmann | Chequing Acct: 122105278 674301068

AES-FPE:  First Name: K×ýAçy | Last Name: ĎwlämÜqßr | Chequing Acct #: 122105278 827572346

Conventional ciphertext shown on the slide for contrast: Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW Oiuqwriuweuwr%oIUOw1@
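The properties the FPE slide lists (same length and character class as the plaintext, separators left in place, deterministic so that joins still match) are shown below by a toy digit-domain Feistel cipher added here as an illustration; it is not NIST FF1 and not HPE SecureData code, it uses HMAC-SHA256 as the round function so it runs with the standard library alone, and `DEMO_KEY` and the `demo` tweak are constructed values.

```python
import hashlib
import hmac
import string

RADIX = 10    # alphabet: the ten decimal digits
ROUNDS = 10   # even, so both halves end up back in their original positions
DEMO_KEY = b"constructed demo key - never reuse a hard-coded key in production"

def _prf(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """Round function: HMAC-SHA256 over (tweak, round index, other half), reduced to `width` digits."""
    msg = tweak + bytes([rnd]) + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % RADIX ** width

def _feistel(key: bytes, tweak: bytes, digits: str, encrypt: bool) -> str:
    """Feistel network over a digit string; output has the same length as input."""
    if len(digits) < 2 or any(ch not in string.digits for ch in digits):
        raise ValueError("need at least two decimal digits")
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2 :]
    if encrypt:
        for i in range(ROUNDS):
            width = len(a)
            c = (int(a) + _prf(key, tweak, i, b, width)) % RADIX ** width
            a, b = b, str(c).zfill(width)
    else:  # undo the rounds in reverse order
        for i in reversed(range(ROUNDS)):
            width = len(b)
            c = (int(b) - _prf(key, tweak, i, a, width)) % RADIX ** width
            a, b = str(c).zfill(width), a
    return a + b

def _map_digits(key: bytes, value: str, tweak: bytes, encrypt: bool) -> str:
    """Transform only the digits of `value`; separators such as '-' stay in place,
    which is what keeps an SSN or account number looking like one."""
    digits = "".join(ch for ch in value if ch in string.digits)
    out = iter(_feistel(key, tweak, digits, encrypt))
    return "".join(next(out) if ch in string.digits else ch for ch in value)

def fpe_encrypt(key: bytes, value: str, tweak: bytes = b"") -> str:
    return _map_digits(key, value, tweak, True)

def fpe_decrypt(key: bytes, value: str, tweak: bytes = b"") -> str:
    return _map_digits(key, value, tweak, False)

def same_format(plain: str, cipher: str) -> bool:
    """True when length, separators and digit positions match exactly."""
    return len(plain) == len(cipher) and all(
        c == p if p not in string.digits else c in string.digits
        for p, c in zip(plain, cipher))
```

Because the mapping is deterministic under one key and tweak, the same SSN encrypts to the same ciphertext in every table, which is the referential-integrity property the slide refers to; a real deployment would use a vetted FF1 implementation and managed keys rather than this toy.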


Article § 33 – Breach Notification

•  Art. § 33 Supervisory Authority Notification Requirements for Personal Data Breaches

•  Data controllers must notify supervisory data authority “without undue delay” (where feasible, within 72 hours)

•  Notification periods over 72 hours must be accompanied with an explanation for the delay

•  Notification not required if breach is unlikely to result in a risk to rights & freedoms of natural persons

•  Data processors must notify data controllers without undue delay

•  Data controllers must document personal data breaches, noting

•  Likely breach effects & remedial actions taken


Article § 34 – Notification Requirements

•  Data controllers must notify data subjects when a breach is likely to result in a high risk to the rights and freedoms of a natural person

•  Data subject notification must include a clear & plain language explanation

•  Name and contact information for the DPO

•  Describe likely consequences

•  Describe measures or proposed measures to be taken to address the breach

•  Document personal data breaches including effects of the breach & remedial action taken


When Notification is Not Required

•  Notification not required under Article § 34 when:

  •  Data controller has implemented protection measures on personal data that render the personal data unintelligible

  •  Data controller has taken measures to ensure that no high risk to the rights and freedoms of data subjects exists

  •  Data subject notification would require a disproportionate effort *

* Public notification is required for this exemption


Article § 79 - Penalties

•  GDPR violators may face severe fines

•  Fines for severe violations can be the greater of 4% annual global turnover or €20 million

•  Less severe violators are subject to fines up to 2% annual global turnover or €10 million

•  Compensation to aggrieved parties

•  Data subjects can claim compensation for damages suffered

•  Data subjects can sue data controllers or processors


Achieving GDPR Compliance

•  Know where personal data is stored & accessed in your environment

•  Plan for and execute regular risk assessments

•  Implement appropriate security controls

•  Audit third parties receiving personal data from your organization to ensure they practice compliant data protection


Questions / Comments

•  Carole Murphy, Global Product Marketing, HPE Security

  •  Email: carole.murphy@hpe.com

•  Jay Irwin, JD, Director, Center for Enterprise Security, Teradata

  •  Email: jay.Irwin@Teradata.com

Thank you HPE Security – Data Security www.hpe.com/software/datasecurity www.voltage.com

Teradata www.Teradata.com

Analytics and data unleash the potential of great companies

Protecting the World’s Most Sensitive Data

THANK YOU for your


Some images provided courtesy of Wikimedia Commons and https://en.wikipedia.org/wiki/Et_tu,_Brute%3F