� Accenture Senior Manager in the Technology Consulting – Security practice in Melbourne
� Over 13 years Security & Privacy experience
� Leads Accenture’s Data Protection & Privacy line of business in SEAAK
� One of the founding members of the Australian IT Security Expert Advisory Group (ITSEAG) providing IT Security advice to the Critical Infrastructure Advisory Council onAustralia’s National Critical Infrastructure – a program led by the Attorney General’sDepartment.
� Quoted in online and press articles about the impacts of data privacy legislation toAustralian Business
Organizations today are extremely vulnerable to security breaches and
misuse of sensitive data
The volume of sensitive data being collected and shared by organizations today is growing exponentially due to technology advances, lower data storage costs and the rise of the Internet. As more information goes online, the risk the organization faces of losing data and experiencing security breaches increases.
Substantial financial costs to respond to and remedy
the breach
The Ponemon Institute found that the average cost of dealing with the consequences of a breach is $6.6 million in 2009—up from $6.3 million in 2007 and $4.7 million in 2006.
Indeed, in the United States alone, more than 345 million records containing sensitive personal information have been involved in security breaches since January 2005. Such breaches can have serious implications.
Fines, regulatory enforcement and
lawsuits
A number of organizations around the world have suffered serious fines and lawsuits as a result of data breaches they experienced.
Erosion of shareholder value:
Public held companies experiencing breaches of confidential information typically suffer a 5 percent drop in stock price when such a breach is made public.
Inability to conduct business or, in the most extreme case, a collapse
of economic stability
Today’s computing infrastructures are inextricably linked to the successful functioning of government, society and the economy. Given the interconnected nature of commerce and geopolitics, if these infrastructures are compromised, daily operations will grind to a halt, creating a ripple effect across the globe.
Data breaches can do irreparable damage to balance sheets, brands and customer relationships. 4
Χ TOTAL number of records containing sensitive person al information involved in security breaches in the U.S. since Jan uary 2005 is 345,013,397*
Χ TOTAL number of records containing sensitive person al information involved in security breaches in the U.S. since Jan uary 1, 2010 is 2,752,989*
Reminder: These statistics only highlight notified breaches. Many more incidents occur that are not notified or reported, particularly in countries such as Australia with no mandatory legislation
* Source: Privacy Rights Clearinghouse/UCAN (05/02/10)http://www.privacyrights.org/ar/ChronDataBreaches.htm
** Trends: Calculating the Cost of a Security Breach. Forrester Research, Inc. April 10, 2007.*** http://www.cio.com.au/article/332524/alrc_renews_data_loss_financial_penalty_call
Data Breach Incidents
Direct CostsΧ Forrester Research estimates that the average data leak results in USD$1.5 million in economic damage, while the Ponem on Institute pegs the amount at USD$4.8 million**
Χ Authorities in the UK recently amended the Data Pro tection Act to allow the Information Commissioner to issue fines for dat a breaches of up to £500,000. The Australian Law Reform Commission (ALR C) has renewed its call for fines for failing to notify the privacy co mmissioner of data breaches.***
Research primary objectives: Understand how data privacy perceptions and practices around the globe inform and influence data-protection strategies and provide concrete recommendations to improve the integrity, confidentiality and availability of data as part of a high-performance security agenda
Methodology : the survey was a joint effort between Accenture and Ponemon Institute, a pre-eminent research center dedicated to privacy, data protection and information security policy. The survey harvested responses from 5512 cross-industry business and 15,732 individual respondents from 19 countries.
1 There is a notable difference between organizations’ intentions regarding data privacy and how they actually protect it, creating an uneven trust landscape.
2 A majority of organizations have lost sensitive personal information, and among these organizations, the biggest causes are internal and therefore something they potentially could control.
3 Compliance complacency is prevalent throughout the world.
2009 Key findings
4 Understanding the perspective on and approach to data protection and privacy of business partners is crucial.
5 Companies that exhibit a “culture of caring” with respect to data protection and privacy are far less likely to experience security breaches
1. There is a notable difference between organizatio ns’ intentions regarding data privacy and how they actually protec t it, creating an uneven trust landscape .
• 40-50% of the organizations surveyed:– Were unsure about or actively disagreed with
customers having rights to controlling what type of personal information is collected and how it is used
– Did not believe it was important or very important to:
• Limit the collection and sharing of sensitive personal information
• Protect consumer privacy rights
• Prevent cross-border transfers of personal information to countries with insufficient privacy laws
• Prevent cyber crimes against consumers and data loss or theft
• Organizations and consumers differ on privacy concerns.
Inconsistencies may be explained by cultural differ ences, lack of clear definition around security’s responsibilities and industry dif ferences
2. A majority of organizations have lost sensitive p ersonal information, and among these organizations, the big gest causes are internal and therefore something they potentially c ould control.
• 58% have lost sensitive personal information and for nearly 60% such breaches are a recurring problem.
• Employees (48%) and business or system failure (57%)—were cited most often as the source of the breaches.
• 42% of consumers said they either are not sure or do not believe that companies and government agencies are adequately protecting personally identifiable data they have shared with these organizations.
Q. What are the causes of your breaches?
Lack of adequate controls, adequate policies and tr aining programs and full understanding of where the data resides are potenti al causes for the internal incidents
3. Compliance complacency is prevalent throughout th e world.
• 57% of the organizations said that avoiding regulatory and compliance violations is a top privacy priority. However, 58% of the organizations also indicated they have lost sensitive personal information.
• Just under 70% said that they regularly monitor privacy and data protection regulatory compliance requirements—however breaches have occurred in 58% of organizations polled.
• More than 66% of respondents were in Europe, where privacy regulations are most stringent, admit having had data breach incidents in the last 24 months, and more than 48% had two or more data breach incidents.
Compliance should be one part of a much larger and comprehensive data privacy and protection capability
Q. Did your organization ever lose sensitive personal information – such as data about consumers, customers, employees or others?
4. Understanding the perspective on and approach to data protection and privacy of business partners is cruc ial.
• 55% outsource data to 3rd parties
• 56% of Indian businesses said they don’t regularly monitor compliance
• Only 53% said that it is important to prevent cross-border transfers of personal information to countries with insufficient privacy laws
Country perspectives
Low privacy orientation
High privacy orientation
High data security & compliance
Low data security & compliance
Companies must conduct a thorough assessment not on ly of the provider’s own data protection and privacy program to ensure it meets ( or better yet, even exceeds their own efforts), but also of its knowledge of and expe rience with managing data within and across national boundaries.
5. Companies that exhibit a “culture of caring” with respect to data protection and privacy are far less likely to exper ience security breaches.
Companies with fewer breaches tend to view themselv es as stewards, not owners, of personal data and take actions to protect data entr usted to them.
Company attitudes Company policies
Companies with no breaches are more likely than those with two or more to take a stricter line in terms of what they think are appropriate uses of personal information. They believe it is not acceptable to use such information for targeted marketing and promotions and to sell personal information for profit.
Country highlights – Business Findings – Australia
• 78 percent of companies surveyed in Australia admit to losing personal information, such as data aboutconsumers, customers or employees. This is the second highest percentage of all countries surveyed.
•
• 82 percent of Australian companies surveyed believe they have an obligation to take reasonable steps tosecure consumer’s personal information. This is well above the global average of 71 percent.
• Sixty-four percent of businesses surveyed in Australia believe that the accuracy of information collectedon its customers or consumers was important or very important, higher than the global average of 62percent.
• Of the companies who have lost data in Australia, 28 percent admit to losing sensitive personalinformation on three or more separate occurrences in the last two years
Country highlights – Consumer Findings – Australia
Consumer Findings
29 percent of Australians rank identity theft, followed by stolen assets with 23 percent, as their primary privacy concerns. Globally, the revelation of secrets and government surveillance and censorship are the highest ranking privacy issues among consumers, each with 34 percent.
21 percent of consumers in Australia believe the responsibility for ensuring personal informationprotection to be governmental, while 40 percent place responsibility with individuals, and 29 percent the corporations. Globally, 41 percent believe government is responsible, 19 percent the individual and 21 percent the companies.
85 percent of consumers in Australia indicate personal information privacy important or very important (IMP –see chart) compared with 70 percent globally. 69 percent believe personally identifiable information shared with organizations is adequately protected (PRO – see chart) (compared to 58 percent globally).
Proposed Changes to Australian Privacy Act of 1988
• A lot has changed since the introduction of the Privacy Act in 1988– Paperless Workplace, Global Economy, Social Networking, Blogs, Emails,
Changing nature of the Internet, Smart Phones and so on ...– All this is now easily available, becoming more convenient to use and at lower and
lower costs.
• There is complexity of law and confusion around application of privacy laws
– Federal, State and Territory level– Public sector (Information Privacy Principles (IPPs))– Private sector (National Privacy Principles (NPPs)).
• As a resultThe Australian Law Reform Commission made 295 recommendations for changes to the Australian Privacy Act in a report published in August 2008. The full ALRC report can be found at: http://www.alrc.gov.au/media/2008/mr11108.html
• The Australian Federal Government has committed to respond to the changes in 2 stages:
• Stage 1 (Delivered in October 2009)– Responds to 197 of the Australian Law Reform Commission’s 295
recommendations.– Focuses on establishing foundations to outline a clear and simple framework for
privacy rights and obligations.
• Of the 197 Recommendations considered in this stage:– 141 are accepted, in full or in principle– 34 are accepted with qualification– 20 are not accepted– 2 are noted
• Stage 2 (In Development – Timeframe TBC)– Will address the remaining 98 recommendations.
Accenture’s Experience –Common Weaknesses in Data Protection & Privacy Init iatives
People
Process
Technology
� Lack of a Change Management and communication plan to supportdeployment of new policies and procedures
� Lack of continuous improvement and adaptation of the Data Protection &Privacy Program in an ever-changing regulatory, contractual and technologicalenvironment
� Lack of depth in security and Data Protection & Privacy awareness trainingthat incorporates data classification and sensitive data handling guidance
� Lack of on-going monitoring of people compliance with implemented policiesand procedures
� Lack of up front investment to understand the types of sensitive data, where itlies and how to protect it
� Out-dated processes and procedures with minimal or no metrics in place toassess their effectiveness in supporting the business
� Core business processes continue to collect sensitive business informationwithout legitimate business requirements
� Instead of focusing the initiative on fixing the root problems that causeinformation leakage, too much effort is spent on tracking down sensitiveinformation that is stored in unstructured forms
� Viewing technology as a panacea in tackling Data Protection & Privacychallenges – putting entire focus on tools implementations
� Selecting Data Protection & Privacy technologies based on “wow” factors� Incomplete requirements for the Data Protection & Privacy technology
Policies and procedures (e.g. IT Security Policies,
Sensitive information handling Procedure)
Tracking user compliance with established
information security policies and procedures
End user information security awareness
Conduct regular user security awareness
campaign to encourage user behavior
Regular physical security walkthrough to monitor
user behavior
Users with access to sensitive information are the first line of defense when it comes to data loss prevention. Increased user awareness and encouraging appropriate behavior are critical.
� Identify and take stock of sensitive data in the information lifecycle,understand how the information is collected, where the informationis stored, who has access to the information , and if the collectionof the information is absolutely required for the business process;
� Establish data classification standards to support the informationprotection goals and objectives. Only collect, store and retainsensitive business information when there are legitimate businessneeds;
� Establish data ownership and accountability for sensitiveinformation protection including third party or business partners;
� Mapping of published privacy policy or statements againstexisting data protection and privacy controls to ensure thecompliance of those requirements;
� Establish access policies and procedures that are based on the“least privilege” concept;
� The organization monitors changes in external requirements forlegal, regulatory or other external requirements related toinformation protection controls; and
� Conduct regular risk assessments to ensure controls implementedremain effective and identify information security postureimprovement opportunities.
High performing DPP initiatives typically instill institutional practices that weave sensitive information management into the culture of the organization and core business processes.
Endpoint Security � Endpoint protection solutions (antivirus/antispyware, personal firewall, IPS, removable media/USB drive encryption) should be leveraged for all computing devices such as PCs, PDAs, and laptops to safeguard sensitive data
� Sensitive data should be rendered unreadable both at-rest and in-transit
� Access and monitoring controls should be leveraged to secure data commonly shared through repositories such as shared drives and SharePoint sites
Robust Technical/Data Architecture
� Technical architecture should be designed to support data protection requirements (e.g. Secured network zoning, IDS etc.)
� Remote access to sensitive data should be restricted and require strong authentication (e.g. VPN with two-factor authentication)
Data Integrity and Availability
� Access to and modification of sensitive data should be restricted and monitored� Implement a strategy for cyclical backup of data and programs
DLP Technologies � DLP technology is a great enabler for data protection controls; however, the technology should only be implemented after the manual controls are mature and the scale of the implementation is the right size for the organization
Investing resources at the early stages of the Data Protection and Privacy initiative enables organizations to select effective technology solutions that support their business processes and address their data protection and privacy requirements.
