Copyright © 2010 Accenture All Rights Reserved.
2/11/2010
2009 Global Data Privacy Study Briefing
ISACA Melbourne – February 2010
Troy Braban – Accenture Australia
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Who am I – Troy Braban
• Accenture Senior Manager in the Technology Consulting – Security practice in Melbourne
• Over 13 years of security and privacy experience
• Leads Accenture’s Data Protection & Privacy line of business in SEAAK
• One of the founding members of the Australian IT Security Expert Advisory Group (ITSEAG), which provides IT security advice to the Critical Infrastructure Advisory Council on Australia’s national critical infrastructure – a program led by the Attorney General’s Department
• Quoted in online and press articles about the impacts of data privacy legislation on Australian business
Agenda
• Data Breach Background
• Update on Proposed Privacy Legislation Change in Australia
• Common Weaknesses in Data Protection & Privacy Initiatives
• What can be done? Effective Data Protection Methods
• Accenture / Ponemon Institute Global DPP Survey 2009
Data Privacy and Protection at the tipping point

Organizations today are extremely vulnerable to security breaches and misuse of sensitive data
The volume of sensitive data being collected and shared by organizations today is growing exponentially due to technology advances, lower data storage costs and the rise of the Internet. As more information goes online, the risk the organization faces of losing data and experiencing security breaches increases.

Substantial financial costs to respond to and remedy the breach
The Ponemon Institute found that the average cost of dealing with the consequences of a breach was $6.6 million in 2009, up from $6.3 million in 2007 and $4.7 million in 2006. Indeed, in the United States alone, more than 345 million records containing sensitive personal information have been involved in security breaches since January 2005. Such breaches can have serious implications.

Fines, regulatory enforcement and lawsuits
A number of organizations around the world have suffered serious fines and lawsuits as a result of data breaches they experienced.

Erosion of shareholder value
Publicly held companies experiencing breaches of confidential information typically suffer a 5 percent drop in stock price when such a breach is made public.

Inability to conduct business or, in the most extreme case, a collapse of economic stability
Today’s computing infrastructures are inextricably linked to the successful functioning of government, society and the economy. Given the interconnected nature of commerce and geopolitics, if these infrastructures are compromised, daily operations will grind to a halt, creating a ripple effect across the globe.

Data breaches can do irreparable damage to balance sheets, brands and customer relationships.
Background - Data Breach Facts by the Numbers

Data Breach Incidents
• TOTAL number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005 is 345,013,397*
• TOTAL number of records containing sensitive personal information involved in security breaches in the U.S. since January 1, 2010 is 2,752,989*
Reminder: These statistics only highlight notified breaches. Many more incidents occur that are not notified or reported, particularly in countries such as Australia with no mandatory notification legislation.

Direct Costs
• Forrester Research estimates that the average data leak results in USD$1.5 million in economic damage, while the Ponemon Institute pegs the amount at USD$4.8 million**
• Authorities in the UK recently amended the Data Protection Act to allow the Information Commissioner to issue fines for data breaches of up to £500,000. The Australian Law Reform Commission (ALRC) has renewed its call for fines for failing to notify the Privacy Commissioner of data breaches.***

* Source: Privacy Rights Clearinghouse/UCAN (05/02/10) http://www.privacyrights.org/ar/ChronDataBreaches.htm
** Trends: Calculating the Cost of a Security Breach. Forrester Research, Inc. April 10, 2007.
*** http://www.cio.com.au/article/332524/alrc_renews_data_loss_financial_penalty_call
Why Are We Here?
And in Australia?
Sources:
FinExtra.com: http://www.finextra.com/fullstory.asp?id=16564
Computerworld: http://www.computerworld.com.au/article/179967/hsbc_australia_exposes_sensitive_customer_data/
Survey Approach and Methodology
Research primary objectives: Understand how data privacy perceptions and practices around the globe inform and influence data-protection strategies, and provide concrete recommendations to improve the integrity, confidentiality and availability of data as part of a high-performance security agenda.
Methodology: the survey was a joint effort between Accenture and Ponemon Institute, a pre-eminent research center dedicated to privacy, data protection and information security policy. The survey harvested responses from 5,512 cross-industry business and 15,732 individual respondents from 19 countries.
Countries surveyed: Argentina, Australia, Belgium, Brazil, Canada, France, Germany, Hong Kong, India, Italy, Japan, Korea, Mexico, Netherlands, Russia, Singapore, Switzerland, UK, USA.
Survey Demographics
Key Survey Statistics
• 51% of the business respondents are in management positions within their business
• 50% of the business respondents have direct responsibilities for data protection and privacy
• 25% of business respondents are from companies with annual revenue exceeding $5B USD
• 47% of the individual respondents are full time employees
• 41% of the individual respondents have a college degree or higher
Background - Data breach incidents by the numbers – The survey says…
Lost or Stolen Devices: 15%
Third-Party Flubs: 12%
Missing Backup Data: 8%
Lost Paper Documents: 16%
Hackers: 19%
Reason Unknown: 30%
2009 Key findings
1. There is a notable difference between organizations’ intentions regarding data privacy and how they actually protect it, creating an uneven trust landscape.
2. A majority of organizations have lost sensitive personal information, and among these organizations, the biggest causes are internal and therefore something they potentially could control.
3. Compliance complacency is prevalent throughout the world.
4. Understanding the perspective on and approach to data protection and privacy of business partners is crucial.
5. Companies that exhibit a “culture of caring” with respect to data protection and privacy are far less likely to experience security breaches.
1. There is a notable difference between organizations’ intentions regarding data privacy and how they actually protect it, creating an uneven trust landscape.
• 40-50% of the organizations surveyed:
– Were unsure about or actively disagreed with customers having rights to control what type of personal information is collected and how it is used
– Did not believe it was important or very important to:
• Limit the collection and sharing of sensitive personal information
• Protect consumer privacy rights
• Prevent cross-border transfers of personal information to countries with insufficient privacy laws
• Prevent cyber crimes against consumers and data loss or theft
• Organizations and consumers differ on privacy concerns.
Inconsistencies may be explained by cultural differences, lack of clear definition around security’s responsibilities, and industry differences.
Q. What are your top three privacy concerns?
2. A majority of organizations have lost sensitive personal information, and among these organizations, the biggest causes are internal and therefore something they potentially could control.
• 58% have lost sensitive personal information, and for nearly 60% such breaches are a recurring problem.
• Employees (48%) and business or system failure (57%) were cited most often as the source of the breaches.
• 42% of consumers said they either are not sure or do not believe that companies and government agencies are adequately protecting personally identifiable data they have shared with these organizations.
Q. What are the causes of your breaches?
Lack of adequate controls, adequate policies and training programs, and full understanding of where the data resides are potential causes of the internal incidents.
3. Compliance complacency is prevalent throughout the world.
• 57% of the organizations said that avoiding regulatory and compliance violations is a top privacy priority. However, 58% of the organizations also indicated they have lost sensitive personal information.
• Just under 70% said that they regularly monitor privacy and data protection regulatory compliance requirements; however, breaches have occurred in 58% of organizations polled.
• More than 66% of respondents in Europe, where privacy regulations are most stringent, admit having had data breach incidents in the last 24 months, and more than 48% had two or more data breach incidents.
Compliance should be one part of a much larger and more comprehensive data privacy and protection capability.
Q. Did your organization ever lose sensitive personal information – such as data about consumers, customers, employees or others?
4. Understanding the perspective on and approach to data protection and privacy of business partners is crucial.
• 55% outsource data to 3rd parties
• 56% of Indian businesses said they don’t regularly monitor compliance
• Only 53% said that it is important to prevent cross-border transfers of personal information to countries with insufficient privacy laws
Country perspectives (chart: countries plotted by privacy orientation, low to high, against data security & compliance, low to high; country groupings shown: Japan, Hong Kong, Singapore, Korea; India; Russian Federation; US, Australia, UK; France; Italy, Brazil, Argentina; Mexico; Germany, Switzerland, Canada, Belgium, Netherlands)
Companies must conduct a thorough assessment not only of the provider’s own data protection and privacy program, to ensure it meets (or better yet, exceeds) their own efforts, but also of its knowledge of and experience with managing data within and across national boundaries.
5. Companies that exhibit a “culture of caring” with respect to data protection and privacy are far less likely to experience security breaches.
Companies with fewer breaches tend to view themselves as stewards, not owners, of personal data and take actions to protect data entrusted to them.
(Chart panels: Company attitudes; Company policies)
Companies with no breaches are more likely than those with two or more to take a stricter line in terms of what they think are appropriate uses of personal information. They believe it is not acceptable to use such information for targeted marketing and promotions or to sell personal information for profit.
Data Privacy and Protection Research Briefing – Focus on Australia
Research primary objectives: This portion of the report deals specifically with survey data collected in Australia.
Methodology: In Australia, 263 businesses and 613 individuals were polled during the survey.
Key Survey Statistics
- 50% of the business respondents in Australia are in a management position
- 19% of business respondents in Australia are from companies with annual revenue exceeding $5B USD
- 49% of the individual respondents in Australia are full time employees
- 43% of the individual respondents in Australia have a college degree or higher
Country highlights – Business Findings – Australia
• 78 percent of companies surveyed in Australia admit to losing personal information, such as data about consumers, customers or employees. This is the second highest percentage of all countries surveyed.
• 82 percent of Australian companies surveyed believe they have an obligation to take reasonable steps to secure consumers’ personal information. This is well above the global average of 71 percent.
• Sixty-four percent of businesses surveyed in Australia believe that the accuracy of information collected on their customers or consumers is important or very important, higher than the global average of 62 percent.
• Of the companies who have lost data in Australia, 28 percent admit to losing sensitive personal information on three or more separate occasions in the last two years.
Chart: Percentage of Organizations that Have Lost Data, by country (IN, SG, HK, KO, JP, AR, SW, FR, IT, MX, BL, BZ, DE, RF, CA, NL, UK, AU, US)

Country highlights – Business Findings – Australia (charts)
Country highlights – Consumer Findings – Australia
Consumer Findings
29 percent of Australians rank identity theft, followed by stolen assets with 23 percent, as their primary privacy concerns. Globally, the revelation of secrets and government surveillance and censorship are the highest ranking privacy issues among consumers, each with 34 percent.
21 percent of consumers in Australia believe the responsibility for ensuring personal information protection to be governmental, while 40 percent place responsibility with individuals, and 29 percent with corporations. Globally, 41 percent believe government is responsible, 19 percent the individual and 21 percent the companies.
85 percent of consumers in Australia indicate personal information privacy is important or very important (IMP – see chart) compared with 70 percent globally. 69 percent believe personally identifiable information shared with organizations is adequately protected (PRO – see chart), compared to 58 percent globally.
Chart: Primary Privacy Concerns (%)
ID Theft – AUS:                  29
Stolen Assets – AUS:             23
Secrets – Global:                34
Surveillance/Censorship – Global: 34

Chart: Responsibility for personal information protection (%)
                AUS   Global
Government       21       41
Individual       40       19
Companies        29       21

Chart: Personal information privacy (%)
                             AUS   Global
Important / very important (IMP)   85       70
Adequately protected (PRO)         69       58
Proposed Changes to Australian Privacy Act of 1988
• A lot has changed since the introduction of the Privacy Act in 1988
– Paperless Workplace, Global Economy, Social Networking, Blogs, Emails, Changing nature of the Internet, Smart Phones and so on ...
– All this is now easily available, becoming more convenient to use and at lower and lower costs.
• There is complexity of law and confusion around application of privacy laws
– Federal, State and Territory level
– Public sector (Information Privacy Principles (IPPs))
– Private sector (National Privacy Principles (NPPs))
• As a result, the Australian Law Reform Commission made 295 recommendations for changes to the Australian Privacy Act in a report published in August 2008. The full ALRC report can be found at: http://www.alrc.gov.au/media/2008/mr11108.html
Proposed Changes to Australian Privacy Act of 1988
• Australian Law Reform Commission Report 108
Recommendations were made in a range of areas including (but not limited to):
• Increasing the powers of the Office of the Privacy Commissioner (OPC)
• Protection of a Right to Personal Privacy
• Aligning existing privacy principles
• Data Security
• Collection
• Sensitive Information
• Notification
• Access and Correction
• Telecommunications
• Developing Technology
• Health Services and Research
• Children, Young People and Adults Requiring Assistance
• Direct Marketing
• Cross-border Data Flows
• Data Quality
• Use and Disclosure
Government’s Response to the Proposed Changes
• The Australian Federal Government has committed to respond to the changes in 2 stages:
• Stage 1 (Delivered in October 2009)
– Responds to 197 of the Australian Law Reform Commission’s 295 recommendations.
– Focuses on establishing foundations to outline a clear and simple framework for privacy rights and obligations.
• Of the 197 recommendations considered in this stage:
– 141 are accepted, in full or in principle
– 34 are accepted with qualification
– 20 are not accepted
– 2 are noted
• Stage 2 (In Development – Timeframe TBC)
– Will address the remaining 98 recommendations.
Accenture’s Experience – Common Weaknesses in Data Protection & Privacy Initiatives
People
• Lack of a change management and communication plan to support deployment of new policies and procedures
• Lack of continuous improvement and adaptation of the Data Protection & Privacy Program in an ever-changing regulatory, contractual and technological environment
• Lack of depth in security and Data Protection & Privacy awareness training that incorporates data classification and sensitive data handling guidance
• Lack of on-going monitoring of people’s compliance with implemented policies and procedures
Process
• Lack of up-front investment to understand the types of sensitive data, where it lies and how to protect it
• Out-dated processes and procedures with minimal or no metrics in place to assess their effectiveness in supporting the business
• Core business processes continue to collect sensitive business information without legitimate business requirements
• Instead of focusing the initiative on fixing the root problems that cause information leakage, too much effort is spent on tracking down sensitive information that is stored in unstructured forms
Technology
• Viewing technology as a panacea in tackling Data Protection & Privacy challenges – putting the entire focus on tool implementations
• Selecting Data Protection & Privacy technologies based on “wow” factors
• Incomplete requirements for the Data Protection & Privacy technology implementations
Effective Data Protection Methods – People
• Policies and procedures (e.g. IT Security Policies, Sensitive Information Handling Procedure)
• Tracking user compliance with established information security policies and procedures
• End user information security awareness
• Conduct regular user security awareness campaigns to encourage appropriate user behavior
• Regular physical security walkthroughs to monitor user behavior
Users with access to sensitive information are the first line of defense when it comes to data loss prevention. Increased user awareness and encouraging appropriate behavior are critical.
Effective Data Protection Methods – Process
• Identify and take stock of sensitive data across the information lifecycle: understand how the information is collected, where the information is stored, who has access to the information, and whether the collection of the information is absolutely required for the business process;
• Establish data classification standards to support the information protection goals and objectives. Only collect, store and retain sensitive business information when there are legitimate business needs;
• Establish data ownership and accountability for sensitive information protection, including third parties or business partners;
• Map published privacy policies or statements against existing data protection and privacy controls to ensure compliance with those requirements;
• Establish access policies and procedures that are based on the “least privilege” concept;
• Monitor changes in legal, regulatory or other external requirements related to information protection controls; and
• Conduct regular risk assessments to ensure controls implemented remain effective and to identify information security posture improvement opportunities.
High performing DPP initiatives typically instill institutional practices that weave sensitive information management into the culture of the organization and core business processes.
Effective Data Protection Methods – Technology
Endpoint Security
• Endpoint protection solutions (antivirus/antispyware, personal firewall, IPS, removable media/USB drive encryption) should be leveraged for all computing devices such as PCs, PDAs, and laptops to safeguard sensitive data
• Sensitive data should be rendered unreadable both at rest and in transit
• Access and monitoring controls should be leveraged to secure data commonly shared through repositories such as shared drives and SharePoint sites
Robust Technical/Data Architecture
• Technical architecture should be designed to support data protection requirements (e.g. secured network zoning, IDS etc.)
• Remote access to sensitive data should be restricted and require strong authentication (e.g. VPN with two-factor authentication)
Data Integrity and Availability
• Access to and modification of sensitive data should be restricted and monitored
• Implement a strategy for cyclical backup of data and programs
DLP Technologies
• DLP technology is a great enabler for data protection controls; however, the technology should only be implemented after the manual controls are mature and the scale of the implementation is the right size for the organization
Investing resources at the early stages of the Data Protection and Privacy initiative enables organizations to select effective technology solutions that support their business processes and address their data protection and privacy requirements.
Question & Answer
Accenture Security & Privacy Contacts
Global Security Lead: Alastair MacWillson - [email protected]
Data Privacy and Protection Lead: Paul O’Rourke - [email protected]
Geographic Data Privacy and Protection Lead, SEAAK: Troy Braban - [email protected]
Troy Braban, Senior Manager
180 Lonsdale St QV, Melbourne VIC 3000, Australia
Mobile: +61 409 386 [email protected]