
Global security personal devices and corporate data

Posted: 27-Jan-2015, uploaded by dentons
Description:
From Snowden to Snapchat, data privacy is a hot topic. Partner Todd Daubert explores the global data landscape, keys to protecting company data, privacy laws around the globe and other of-the-moment issues. He also looks at the EU Data Protection Directive and UK Data Protection Act, international data transfers, employment issues and security in the cloud.
Transcript

1. Global Security: Personal Devices and Corporate Data. CLE Seminar for In-House Counsel, June 24, 2014, St. Louis, MO. Todd Daubert, Partner, Washington, DC, Dentons, +1 202 408 6458, [email protected]

2. Prologue
- http://www.youtube.com/watch?v=F7pYHN9iC9I

3. In the news

4. Brands in the Headlines
- FTC hits Google with $22.5 million fine for Safari tracking

5. Global Data Landscape: Data Creation
- More data from more places
- Integration of digital into everyday life leaves interaction data residue
- Better, cheaper, smaller sensors integrated into more things
- Internet of things combines continuous data collection and communication with machine-driven decision making
- Metadata (data about data) provides additional information and context

6. Global Data Landscape: Data Use
- Mobile devices becoming increasingly relied upon
- Increasing pressure for Bring Your Own Device (BYOD) policies
- Data and services increasingly moving to the cloud
- Access to the cloud is increasingly available through mobile devices
- Demand for data and services everywhere, all the time
- Increased use of vendors and third parties for digital services, sourced from around the world
- Pressure growing to limit locations of vendors

7. Global Data Landscape: Threats
- Static defenses like anti-virus and firewalls seem to be losing ground
- "Antivirus is dead" - Brian Dye, Symantec SVP for Information Security (http://online.wsj.com/news/article_email/SB10001424052702303417104579542140235850578-lMyQjAxMTA0MDAwNTEwNDUyWj)
- Advanced persistent threats are unique, targeted and sophisticated
- Threats are varied in motivation, technique, targets and geography
- Manipulation of employees (social engineering) and errors (or crimes) by employees are still the most common means of obtaining unauthorized access to data

8. Global Data Landscape: Motivations Behind Attacks (chart; source: Hackmageddon.com)

9. Global Data Landscape: Attack Techniques (chart; source: Hackmageddon.com)

10. Global Data Landscape: Targets (chart; source: Hackmageddon.com)

11. Global Data Landscape: Location of Threats (chart; source: Hackmageddon.com)

12. Keys to Protecting Company Data
- Identify the relevant risks: risk assessments (technical and legal), data classification
- Accept that security is not a destination but a never-ending process of adapting to changing risks
- Appreciate that security is not just IT's job: all stakeholders must commit to securing critical data and be accountable
- Understand that good governance is key to success: vendor management, incident response, continuous monitoring

13. What is the Relevance of Data Privacy?
- Personal data is all about people and underpins most business processes; it can directly impact the value of a business
- Data privacy compliance goes directly to brand reputation, commercial differentiation, and share price and profit (e.g. Sony)
- Security is essential for privacy: it is difficult to talk about one without talking about the other
- Regulators are paying more attention to privacy and security: EU and other supervisory authorities (such as the Information Commissioner's Office), and US regulators at the federal and state level

14. Enforcement of Privacy Laws Is a Global Priority
- Global enforcement is a high priority: the Blackshades bust involved 19 countries and more than 90 arrests globally (http://www.fbi.gov/news/stories/2014/may/international-blackshades-malware-takedown/international-blackshades-malware-takedown)
- But it is still difficult to enforce laws across borders: the Justice Department just indicted 5 members of the Chinese military on hacking charges, members of the same PLA Unit 61398 identified in Mandiant's APT1 report. China blasted the charges, and with no extradition treaty with China the case is unlikely to get traction (http://www.washingtonpost.com/world/national-security/us-to-announce-first-criminal-charges-against-foreign-country-for-cyberspying/2014/05/19/586c9992-df45-11e3-810f-764fe508b82d_story.html)

15. But Global Perspectives on Privacy Vary Greatly
- US generally holds free speech above privacy and only specifically protects privacy in particular situations: this results in patchwork solutions and no general privacy right; privacy is based largely on reasonable expectations
- EU protects privacy as an independent and fundamental human right, equal to or greater than free speech: a moral view of privacy; supports general, broad rights; a general privacy right that, from a US perspective, sometimes trumps common sense and practicality; a highly regulatory approach to privacy
- Data privacy regulation in Asia, Central America and South America is generally less mature, and the approaches to privacy are mixed

16. Society in the US, as Reflected in the Law, Has Traditionally Focused on Expectations of Privacy (image slide)

17. US Traditions Have Heavily Influenced Our Views of the Appropriate Use of Technologies (image slide)

18. The US Approach to Privacy
- The right to privacy was judicially created under other Constitutional rights: there is no explicit right to privacy in the Constitution; "zones of privacy" fall under the penumbra of the 1st, 3rd, 4th, 5th and 9th Amendments
- Regulation reflects a selective, sector-based approach: healthcare, finance, children
- Free speech almost always trumps privacy
- Emerging regulatory measures include the White House Consumer Privacy Bill of Rights, the FTC multi-stakeholder process, and potential cyber security legislation

19. The European Approach to Privacy
- In the European Union, privacy is a fundamental human right, embodied in Article 8 of the European Convention on Human Rights
- Comprehensive approach
- Privacy right equal to free speech
- Considered a moral issue

20. The Canadian Approach to Privacy
- Privacy is not part of the Constitution, but a broad statutory approach is taken
- National law (PIPEDA) governs collection, use, and disclosure of personal information
- Similar provincial laws also apply
- Individuals have rights similar to those in Europe: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; challenging compliance
- Sector-specific legislation such as the federal Bank Act further covers certain sensitive information

21. The Asia-Pacific Approach to Privacy
- Multiple international frameworks: APEC (Asia-Pacific Economic Cooperation), ASEAN (Association of Southeast Asian Nations), APPA (Asia Pacific Privacy Authorities)
- National legislation: a mix of broad EU-style and US-style approaches
- New Chinese regulations fall somewhere between the US and EU models
- Hong Kong, New Zealand, Japan and Australia have comprehensive privacy laws
- Korea's laws regulate only certain industries
- Taiwan's law regulates computer-processed data

22. EU Data Protection Regulation: The UK Example

23. UK Legal Background
- EU Data Protection Directive 1995
- UK Data Protection Act 1998
- UK ICO: Christopher Graham, www.ico.gov.uk
- Similar arrangements apply in each of the 28 member states of the EU

24. When does the UK Data Protection Act Apply?
- The Data Protection Act (DPA) applies when there is processing of personal data by a data controller established in the UK (in the context of that establishment) or, where the data controller is established outside the EEA, using equipment in the UK

25. Personal Data
- Personal data means data which relate to an identifiable living individual
- Personal data includes records stored electronically and in a physical filing system
- Examples: name, address, date of birth

26. Sensitive Personal Data
- Stricter rules apply for sensitive personal data
- Sensitive personal data includes health data, criminal charges and convictions, racial or ethnic origin, sexual life, trade union membership, and religious and political beliefs
- Possible sources: HR data, background checks, casting questionnaires, contest entries ("Tell us about yourself")
- Requirements: explicit consent

27. Data Controllers and Data Processors
- Data controller: a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are to be processed
- Data processor: any person (other than an employee of the data controller) who processes data on behalf of the data controller
- (Diagram: data subject, data controller, data processor)

28. What Happens if the UK Data Protection Act Applies?
- Compliance with the 8 Data Protection Principles is mandatory
- The rights of data subjects must be respected
- Take the consequences if you fail to comply

29. Data Protection Principles
  1. Personal data must be processed fairly and lawfully
  2. Personal data must only be used for specified purposes
  3. Ensure that personal data is adequate, relevant and not excessive
  4. Ensure that personal data is accurate and, where necessary, kept up to date
  5. Personal data must not be retained for longer than necessary
  6. Personal data must be processed in accordance with the data subject's rights
  7. Personal data must be kept securely
  8. Personal data must not be transferred to any other country without adequate protection

30. The Eighth Data Protection Principle
- The law: Principle 8 of the Data Protection Act 1998 says: "Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of data protection"
- Solutions include model contracts, Binding Corporate Rules and consent of users

31. What happens if you get it wrong?
- Privacy and consumer watchdogs can fine you
- The Information Commissioner can issue fines of up to £500,000, issue an information notice, issue an enforcement notice, and seek to bring criminal proceedings
- Compensation
- Bad publicity and reputational harm
- Personal liability for individuals who violate the rules

32. Headline Changes Proposed for EU Data Regulation
- "One stop shop" for DP regulatory supervision (?)
- New extra-territorial scope for non-EU-based organisations
- Narrower gateway conditions, e.g. "legitimate interests"
- Privacy compliance program: policies, procedures, privacy impact assessments and audits
- Privacy by design, e.g. designing a new business process or procuring a new IT system with "privacy baked in"
- Breach notification to be a legal duty (24 hours?)
- Appointing a DPO
- New risk for data processors
- Fines (2%-5% of worldwide turnover)
- Deadline: now end 2014, with a 2-year transition period

33. Data Privacy and Security for Businesses
- Key points for businesses: protecting reputation and business interests; securing data transfers; managing personnel and employment issues; securing industrial systems
- Pragmatism and preparation are crucial: the best plans are useless if the business is unable or unwilling to implement or follow them
- Not a question of whether an attack or accident will happen, but rather a question of when

34. Business Risks Are as Important as Compliance
- The risk to reputation and business interests often outweighs the risk of regulatory fines; this may change with the proposed EU regulations
- A simplified global compliance plan can reduce costs and improve adoption of innovations
- Requires focused and strategic consideration of multinational compliance issues
- Development of a flexible framework can address today's requirements and adapt to future changes

35. Business Risks: Issue Spotting
- Make sure your privacy policies and disclosures to consumers and employees match actual practice
- Regulations are becoming more stringent
- Build new systems with a forward-looking approach to privacy
- Avoid collection of unnecessary data
- Take data security seriously, including independent audits and continuous risk management; data security is not just a check-box
- Data privacy officers with independence and authority are critical to ensuring compliance obligations are met

36. Challenges to Harmonization of Approaches
- A one-size-fits-all approach may not be possible or desirable. Example: the UK requires detailed notice of how employees can be monitored that is not required in the US
- US locations formally adopting a global policy but informally ignoring it could result in liability exposure
- A single framework adaptable to local circumstances is typically a simpler and more manageable strategy than piecemeal approaches

37. Business Risks: Watch for PII
- Despite the fragmented regulatory approaches, most regulatory regimes focus on PII, or personally identifiable information (but may use a different term)
- The federal OMB has defined PII as "information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."
- California has defined personal information as an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or California Identification Card number.
  (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

38. Business Risks: Data Transfers
- Many jurisdictions impose specific requirements before data from their jurisdiction can be transferred to another jurisdiction
- Check applicable restrictions before implementing cloud solutions or permitting data to be transferred from one country to a server in another country
- Take caution when transferring data to vendors or other third parties to ensure that you are not violating any restrictions imposed by law or contract, and that the transfer is consistent with your privacy policy
- Transferees must be bound by appropriate protections so that they do not cause you to violate any obligations by their actions

39. International Data Transfers (map: Asia Pacific, Europe, USA)

40. EU to US Data Sharing Choices
- EU/US Safe Harbor: self-certification that privacy protections are in place and adhered to
- Model clauses for data protection: contractual provisions that ensure processors and sub-processors maintain privacy protections
- Binding Corporate Rules: allow multinational companies to make intra-organizational transfers in compliance with EU law

41. EU-US Data Transfer Frameworks: Safe Harbor Certification
- Company attestation that it follows certain privacy principles
- Requires internal or external assessment of governance and an independent recourse mechanism (e.g., DPAs, TRUSTe)
- Requires annual re-certification
- Covers only receipt and processing of personal data; entities disclosed to must be independently permitted under the EU framework
- Broader coverage of personal data: do not have to specifically designate what data is included

42. EU-US Data Transfer Frameworks: Model Contracts
- Agreement between two defined parties
- Covers specific data designated at execution; additional types of data require amendment
- Two types: controller-controller and controller-processor
- Can include disclosures and receipt as described in the contract
- No specific internal governance requirements, though compliance with contract terms implies certain governance

43. EU-US Data Transfer Frameworks: Binding Corporate Rules
- Bigger process, more involved, more expensive
- Provides broader flexibility to use EU personal data

44. Data Privacy and Security: Data Breaches in the US
- Notification requirements in at least 46 states
- Triggered when personal information is compromised; personal information is generally a name combined with financial, health, or other nonpublic information
- Different definitions and triggers for each state
- Most states allow a reasonable time to notify customers; some require prompt notification of state officials
- Critical takeaways: breach notification is complex; understand your data, know what could trigger notification, and create a breach response plan

45. Managing Personnel and Employment Issues
- Employee data: personal information, health-related information
- Employee monitoring: mixing of business/personal communications; policies/terms of employment
- Mobile devices: BYOD (bring your own device); location tracking

46. Employee Vulnerability: YOU ARE THE WEAKEST LINK
- Studies consistently show that the majority of data breaches can be traced back to employees
- Lost or stolen laptop
- Credentials disclosed through phishing or social engineering attacks

47. What is phishing?
- A computing scam where the perpetrators try to get sensitive personal information by sending users to fake but legitimate-looking websites
- Often starts with a legitimate-looking email asking the recipient to re-enter his or her login credentials, banking information, home address and phone number, credit card numbers, or other information that can be used to access accounts or computer systems

48. Employee Vulnerability: Phishing
- The Target breach likely started with a phishing email to one of Target's contractors

49. Phishing Email (screenshot of an eBay lure, annotated: no name or eBay username in the greeting; the link is not clearly taking you to ebay.com)

50. Phishing: Online (screenshot)

51. What is Social Engineering?
- Using human interaction (social skills) to manipulate individuals into performing actions or divulging confidential information
- Exploits human nature

52. Social Engineering
- Notorious hacker Kevin Mitnick, in his book The Art of Deception: people inherently want to be helpful and therefore are easily duped; they assume a level of trust in order to avoid conflict
- In more than half of his successful network exploits he gained information through social engineering

53. Employee Vulnerabilities: Lost and Stolen Laptops
- One laptop is stolen every 53 seconds (Gartner)
- 97% of stolen laptops and computers are never recovered (FBI)
- Nearly 12,000 laptops are lost or go missing at U.S. airports every week (Dell, Ponemon Institute)
- 65-70% of lost laptops are never reclaimed (Dell, Ponemon Institute)
- 53% of business travelers carry sensitive corporate information in their laptops (Dell, Ponemon Institute)

54. Laptop Encryption
- Under UK regulatory guidance and in many states in the US, a company that has encrypted all content on laptops and mobile devices would not be required to notify regulators or individuals whose data was stored on a stolen laptop or mobile device
- HOWEVER, management and employees must take responsibility for ensuring the security of laptops and mobile devices, as well as the data residing on them. Full-disk encryption protects the data only while the device is powered off or locked and the key is out of the thief's reach: a laptop taken while unlocked, or with its passphrase written in the bag, leaves the data exposed whatever the safe harbor says

55. Any Questions?

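The two annotations on the slide 49 screenshot (no name or account username in the greeting; a link that does not clearly take you to ebay.com) are checks that can be automated at a mail gateway or in a phishing-report triage tool. The Python script below is an added example and is not part of the seminar deck: it parses a constructed lure with the standard library (every address and domain in it is fictitious) and reports those two indicators together with two header checks, sender domain versus the brand and a Reply-To that points somewhere else. The brand domain passed in, the generic-greeting list and the two-label domain heuristic are assumptions of the example.

```python
"""Flag the phishing indicators called out on slides 47-49.

Added example, not from the original deck. Parses an RFC 5322 message with
the standard library and reports: sender domain not belonging to the claimed
brand, Reply-To routed elsewhere, a generic greeting (no name or username),
and links whose visible text names the brand while the href goes elsewhere.
The sample lure below is constructed; all domains are fictitious placeholders.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (assumption of this example, not a real message).
SAMPLE_EML = """\
From: "eBay Security" <security@ebay-accounts-verify.example>
Reply-To: verify@mail-relay.example
To: victim@corp.example
Subject: Your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear valued member,</p>
<p>Please <a href="http://ebay.com.login-check.example/verify">sign in to ebay.com</a>
to confirm your details within 24 hours.</p>
</body></html>
"""

# Greetings that address nobody in particular (assumed list for the example).
GENERIC_GREETINGS = ("dear valued member", "dear customer", "dear user", "dear member")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a simplification (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(raw_message, expected_brand_domain):
    """Return the list of indicators found (empty list means none were found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. The sending domain does not belong to the brand the display name claims.
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender and registrable_domain(sender.domain) != expected_brand_domain:
        findings.append(f"sender domain {sender.domain} is not {expected_brand_domain}")

    # 2. Replies are routed to yet another domain.
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    if sender and reply_to and reply_to.domain.lower() != sender.domain.lower():
        findings.append(f"Reply-To domain {reply_to.domain} differs from From domain")

    # 3. Generic greeting: no name or account username (slide 49, first annotation).
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    plain = re.sub(r"<[^>]+>", " ", text)
    first_line = next((ln.strip() for ln in plain.splitlines() if ln.strip()), "")
    if first_line.lower().rstrip(",:") in GENERIC_GREETINGS:
        findings.append(f"generic greeting: {first_line!r}")

    # 4. Link text names the brand but the href host is somewhere else
    #    (slide 49, second annotation: "is not clearly taking you to ebay.com").
    if body and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(text)
        for href, label in extractor.links:
            host = urlparse(href).hostname or ""
            if expected_brand_domain in label.lower() and registrable_domain(host) != expected_brand_domain:
                findings.append(f"link text {label!r} but href host is {host}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EML, "ebay.com"):
        print("indicator:", finding)
```

Run against the constructed lure it reports all four indicators; a plain-text message from the brand's own domain with a personal greeting reports none. The domain comparison deliberately looks at the host of the href, not the visible text, because the lure's trick is precisely that the text says ebay.com while the host is a look-alike with ebay.com as a leading label.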
56. © 2014 Dentons. Dentons is an international legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices. Thank you! Todd Daubert, Dentons US LLP, 1301 K Street, N.W., Suite 600, East Tower, Washington, DC 20005
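The California definition quoted on slide 37 is a structured rule, and the slide 44 takeaway ("understand your data, know what could trigger notification") comes down in practice to a scan over the records exposed in an incident. The Python script below is an added example, not part of the deck: it applies the three elements quoted on slide 37 to a constructed export (all values fictitious) and lists the records that would meet the trigger. The column names, the SSN and California licence patterns, and the "enc" column used to apply the "not encrypted" clause are assumptions of the example, and it implements only the elements on the slide, not the full statute.

```python
"""Breach-scope triage against the California definition quoted on slide 37.

Added example, not from the original deck. A record meets the trigger when a
first name (or initial) and last name appear together with an SSN, a driver's
licence/ID number, or an account number plus a code that permits access, and
the name or element is not encrypted. Column names, number formats and the
"enc" marker are assumptions of this example.
"""
import csv
import io
import re

# Constructed export from a compromised system (all values fictitious).
# The "enc" column records whether the row was stored encrypted at rest.
SAMPLE_CSV = """\
id,first_name,last_name,ssn,dl_number,account_number,card_cvv,enc
1,Jane,Doe,123-45-6789,,,,no
2,J.,Doe,,A1234567,,,no
3,Alex,Roe,,,4111111111111111,,no
4,Alex,Roe,,,4111111111111111,123,no
5,,Roe,987-65-4321,,,,no
6,Sam,Poe,555-12-3456,,,,yes
7,Sam,Poe,notanssn,,,,no
"""

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
CA_DL_RE = re.compile(r"^[A-Z]\d{7}$")  # California DL/ID: one letter, seven digits


def is_encrypted(row):
    """Apply the 'not encrypted' clause using the assumed 'enc' column."""
    return row.get("enc", "").strip().lower() in ("yes", "y", "true", "1")


def notifiable_elements(row):
    """Return the data elements in this row that complete the statutory trigger."""
    # First name or first initial AND last name are required; otherwise nothing
    # in the row is "personal information" under this definition.
    if not (row.get("first_name", "").strip() and row.get("last_name", "").strip()):
        return []
    if is_encrypted(row):
        return []
    elements = []
    if SSN_RE.match(row.get("ssn", "").strip()):
        elements.append("ssn")
    if CA_DL_RE.match(row.get("dl_number", "").strip().upper()):
        elements.append("dl_number")
    # An account or card number counts only together with a code that would
    # permit access; the number alone does not complete element (3).
    if row.get("account_number", "").strip() and row.get("card_cvv", "").strip():
        elements.append("account_number+card_cvv")
    return elements


def triage(csv_text):
    """Map record id -> triggering elements for every row that requires notice."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = {}
    for row in reader:
        elems = notifiable_elements(row)
        if elems:
            hits[row["id"]] = elems
    return hits


if __name__ == "__main__":
    for rid, elems in triage(SAMPLE_CSV).items():
        print(f"record {rid}: notify ({', '.join(elems)})")
```

The sample is chosen to show the edges of the rule: record 3 carries a card number but no access code and does not trigger; record 5 has an SSN but no first name; record 6 is encrypted and falls outside the definition; record 7's "ssn" field is not a valid number. Only records 1, 2 and 4 require notice.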

