SCCE Compliance and Ethics Institute

Breakout Session - October 15, 2017

Technology & Compliance

Ted Banks, Heidi Rudolph, Gene Stavrou

About Us



About You

Quick Survey

• Industry? Function/Department?

• Does your organization use social media to promote products or otherwise communicate with stakeholders?

• Is your organization preparing for/ready for the EU General Data Protection Regulation (GDPR)?

• Does your organization have a Bring Your Own Device program?

• Has your organization lost assets or revenue due to malicious software or phishing attacks?


What We’ll Cover in This Session

1. Current Events

2. Technologies

3. Scenarios

4. Business Landscape

5. Functions: Responsibilities, Incentives, Disincentives



1. Current Events


Uber


Was described as a “do whatever you have to do to get it done” environment.

Apple CEO Tim Cook threatened in 2015 to have Uber’s iPhone app removed from the App Store after Apple learned that the ride-sharing company had secretly found a way to identify individual iPhones, even once the app had been deleted from the phone. (The New York Times)

Uber is the subject of a United States Department of Justice inquiry over a program that it used to deceive regulators who were trying to shut down its ride-hailing service. (The New York Times)


Google


The relationship between Google, Amazon Alexa, Siri, and law enforcement’s access to their records is still unfolding.

Google is permanently disabling a feature on its new Home Mini smart speaker, which was announced last week and starts shipping next Thursday, after a reviewer discovered the device was quietly recording his conversations without his knowledge or consent. (Business Insider)

Facebook

Algorithms can be gamed. (The New York Post)


Breaches


Number of Social Security Numbers revealed:

• Kansas Dept. of Commerce (2017): 5 million

• Anthem (2015): 80 million

• Equifax (2017): 143 million

2. Technologies

Emerging and pervasive technologies you should understand.

How Systems Work

Every system has three layers: Interface, Logic, Data.

Encryption

Two systems talking to each other each have the same three layers. Encryption addresses the vulnerability of messages in transit between them and of data at rest in storage.


Encryption: public key cryptography in HTTPS (TLS, the successor to “secure sockets layer”, SSL)

Your browser, in effect, asks a Certificate Authority: “Is corporatecompliance.org legit?” The Certificate Authority has signed the site’s certificate, and your browser already holds the public keys of the authorities it trusts, so it can answer: “Yes, this site can be trusted.”

The lockbox analogy: “I would like to receive a document from you. Here is a lockbox and my public key.” “Here is the document you requested, locked in the lockbox using your public key.” Your browser unlocks (decrypts) the document using its private key, which never leaves the browser.

In public key cryptography, the lockboxes and keys are all mathematical constructs: anything locked with the public key can only be opened with the matching private key. (In actual TLS the roles run the other way round: the site’s certificate carries the site’s public key, the browser verifies the Certificate Authority’s signature on that certificate, and the two sides then agree a fresh symmetric session key that encrypts the page itself.)
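The two halves of the slide above, the Certificate Authority check (“is this site legit?”) and the lockbox (lock with a public key, open with the private key), carried out in a toy textbook-RSA implementation. This is an added example, not material from the slides or from any vendor: the three prime pairs, the `demo()` flow, and the certificate layout are assumptions made for illustration, and textbook RSA with tiny primes and no padding is for reading, never for real use.

```python
import hashlib

E = 65537  # the public exponent almost every real RSA key uses

# Toy primes chosen so the numbers stay readable (all are known primes). Assumption for
# the demo only: real keys use two random 1024-bit+ primes; these factor in microseconds.
CA_PRIMES = (1299709, 2147483647)
SITE_PRIMES = (104729, 15485863)
BROWSER_PRIMES = (999983, 1000003)


def _modinv(a, m):
    """Extended Euclid: return x such that (a * x) % m == 1."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("e and phi(n) are not coprime")
    return s0 % m


def keygen(p, q):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    d = _modinv(E, (p - 1) * (q - 1))
    return (n, E), (n, d)


def lock(pub, m):
    """'Put m in the lockbox': anyone holding the public key can do this."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def unlock(priv, c):
    """Only the matching private key opens the box."""
    n, d = priv
    return pow(c, d, n)


def _digest(data, n):
    # Toy: raw SHA-256 reduced mod n. Real signatures use a padding scheme such as PSS.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    """Signing is 'locking with the private key': only the CA can produce it."""
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data, sig):
    """Anyone holding the CA's public key can check the signature."""
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def _cert_bytes(subject, site_pub):
    return f"{subject}|{site_pub[0]}|{site_pub[1]}".encode()


def issue_cert(ca_priv, subject, site_pub):
    """The CA vouches: 'this public key belongs to this host name'."""
    return {"subject": subject, "pub": site_pub,
            "sig": sign(ca_priv, _cert_bytes(subject, site_pub))}


def browser_trusts(ca_pub, cert, host):
    """What happens before the padlock appears: the CA's signature must verify AND
    the certificate must have been issued for the host actually being visited."""
    if cert["subject"] != host:
        return False
    return verify(ca_pub, _cert_bytes(cert["subject"], cert["pub"]), cert["sig"])


def demo():
    ca_pub, ca_priv = keygen(*CA_PRIMES)
    site_pub, _site_priv = keygen(*SITE_PRIMES)
    browser_pub, browser_priv = keygen(*BROWSER_PRIMES)

    # 1. "Is corporatecompliance.org legit?" The browser ships with the CA's public key
    #    and checks the certificate the site presents.
    cert = issue_cert(ca_priv, "corporatecompliance.org", site_pub)
    trusted = browser_trusts(ca_pub, cert, "corporatecompliance.org")

    # 2. An impostor who reuses the certificate under another name, or alters any field,
    #    breaks the CA's signature. No padlock.
    forged = dict(cert, subject="evil.example")
    impostor_trusted = browser_trusts(ca_pub, forged, "evil.example")

    # 3. The lockbox from the slide: the browser hands over its public key, the site locks
    #    a secret with it, and only the browser's private key opens it.
    secret = 123456789
    opened = unlock(browser_priv, lock(browser_pub, secret))
    return trusted, impostor_trusted, opened == secret
```

`demo()` returns `(True, False, True)`: the genuine certificate is trusted, the forged one is not, and the boxed secret comes back intact. The point worth taking from it is the second step: the padlock is only as good as the check that the certificate was issued for the host being visited and signed by an authority the browser already trusts.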

Ransomware

Where data is encrypted maliciously for ransom.

Cost to victims:

• All of 2015: $24 million

• Q1 2016 alone: $209 million

WannaCry Ransomware Attack

• Infected Windows computers beginning on May 12, 2017

• Within a day, infected more than 230,000 computers in 150 countries

• Demanded payment in Bitcoin

• Many victims, including the UK’s National Health Service

• Many later victims had not run Microsoft’s patch (MS17-010, released in March 2017, two months before the outbreak)

• The NSA had known about the vulnerability for years but did not report it to Microsoft until its exploit for it had been stolen


Blockchain (Bitcoin example)

No central intermediary: a distributed ledger, with every participant holding a copy.

• A way to conduct verified transactions without a central intermediary, such as a bank

• Distributed ledger verified by thousands of independent checkers (“miners”)

• The first miner to verify the transaction and crack a cryptographic “proof of work” puzzle gets to update the ledger; the update is then propagated to the other copies of the ledger

• The miner who cracks the puzzle also gets paid in Bitcoin for the work

• The approach relies heavily on cryptography and distributed verification so that no one needs to trust anyone

• It is possible to remain pseudonymous: transactions are tied to addresses rather than names, but every transaction is public and permanent
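The “proof of work” puzzle and the independent verification described above, reduced to a few dozen lines. This is an added example, not the slide’s or Bitcoin’s own code: the three-leading-zero difficulty, the block layout and the alice/bob/carol transactions are constructed for illustration (Bitcoin’s real target is vastly harder and its blocks carry far more). It also shows why a forger cannot simply rewrite one block: re-doing that block’s work breaks the link from every block after it.

```python
import copy
import hashlib
import json

DIFFICULTY = 3  # required leading hex zeros; assumption for the demo, Bitcoin's target is far harder


def block_hash(block):
    """Hash of the block contents (everything except the stored hash), in canonical form."""
    payload = json.dumps({k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def mine(index, prev_hash, transactions):
    """The proof-of-work race: try nonces until the hash starts with DIFFICULTY zeros.
    Whichever miner gets there first publishes the block and collects the reward."""
    block = {"index": index, "prev_hash": prev_hash, "transactions": transactions, "nonce": 0}
    while True:
        h = block_hash(block)
        if h.startswith("0" * DIFFICULTY):
            block["hash"] = h
            return block
        block["nonce"] += 1


def is_valid_chain(chain):
    """What every independent checker runs; no central authority is consulted."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"]:
            return False  # contents no longer match the stored hash
        if not block["hash"].startswith("0" * DIFFICULTY):
            return False  # proof of work was not done
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False  # link to the previous block is broken
    return True


def build_chain():
    """Three blocks with constructed sample transactions (not real Bitcoin data)."""
    genesis = mine(0, "0" * 64, [])
    b1 = mine(1, genesis["hash"], [{"from": "alice", "to": "bob", "amount": 5}])
    b2 = mine(2, b1["hash"], [{"from": "bob", "to": "carol", "amount": 2}])
    return [genesis, b1, b2]


def tamper(chain):
    """Quietly rewrite history in block 1: the stored hash no longer matches."""
    forged = copy.deepcopy(chain)
    forged[1]["transactions"][0]["amount"] = 500
    return forged


def tamper_and_remine(chain):
    """Redo block 1's proof of work after the edit. Block 2 still points at the old
    hash, so the forger would have to redo every later block too, and do it faster
    than the honest miners extending the real chain."""
    forged = copy.deepcopy(chain)
    txs = forged[1]["transactions"]
    txs[0]["amount"] = 500
    forged[1] = mine(1, forged[0]["hash"], txs)
    return forged
```

`is_valid_chain(build_chain())` is true; both `tamper` and `tamper_and_remine` produce chains that every checker rejects, which is the whole reason the ledger needs no trusted intermediary.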

Internet of Things (“IoT”)

The internetworking of physical devices:

• Home Automation

• Environmental Monitoring

• Infrastructure Management

• Manufacturing

• Energy Management

• Healthcare

• Transportation

The upside: a world where you get safe, continually monitored infrastructure, the best deals, and the most efficient, environmentally friendly processes.

The downside: everything from your car to your refrigerator to your home heating system can be susceptible to hacking (or at least they might tell the world that you’re not home).

• In August 2016, a strain of malicious software (the botnet later known as Mirai) found and took over 380,000 IoT devices still using unchanged, factory-set usernames and passwords.

• It used the devices to stage a Distributed Denial of Service attack, where certain servers were bombarded with requests from these devices, overburdening the servers and taking them down.

“Machines will negotiate and conduct transactions on your behalf, possibly using blockchain-based verification systems.” (McKinsey)

Web Beacons

http://www.[domainname].com/images/productimage.png?id=OEPCI-90rDDIVS884739

[Illustration: a “SALE!” marketing email with placeholder body text, sent to you.]

Generated marketing emails contain links and image names that identify the recipient in web logs and analytics. When your mail client fetches that image, the request, with its unique id, lands in the sender’s web server log, so the sender learns that you opened the message, when, and from which IP address.
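How the beacon in the slide above works from the sender’s side: a per-recipient id is put into the image URL, and the web server log is later read back to see who opened the mail. This is an added example, not code from the slides or from any mailing product; the domain www.example.com, the HMAC key and the access-log lines are constructed for the example. The id is an HMAC of the address rather than the address itself, so the id cannot be read back to a person by anyone who lacks the key, and one recipient cannot guess another’s id.

```python
import hashlib
import hmac
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

SECRET = b"constructed-demo-key"  # assumption: the sender keeps this key private
BASE = "https://www.example.com/images/productimage.png"  # hypothetical domain

# Combined log format, e.g. 203.0.113.5 - - [15/Oct/2017:09:12:01 +0000] "GET /p?id=x HTTP/1.1" 200 1234
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def beacon_id(recipient_email):
    """Stable, opaque token per recipient: same address, same id, but not reversible
    or forgeable without SECRET. Truncated to 20 hex chars to keep the URL short."""
    return hmac.new(SECRET, recipient_email.lower().encode(), hashlib.sha256).hexdigest()[:20]


def beacon_url(recipient_email):
    """The image URL embedded in this recipient's copy of the mail."""
    return f"{BASE}?id={beacon_id(recipient_email)}"


def opens_from_log(log_lines, recipients):
    """Read opens back out of the web log. Only the sender can do this mapping,
    because only the sender has both the recipient list and the key."""
    lookup = {beacon_id(r): r for r in recipients}
    opens = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        url = urlparse(m.group("path"))
        if not url.path.endswith("/productimage.png"):
            continue
        for token in parse_qs(url.query).get("id", []):
            if token in lookup:
                opens[lookup[token]] += 1
    return opens


RECIPIENTS = ["alice@example.org", "bob@example.org"]

# Constructed sample log lines (not from any real server): alice's client fetched the
# image twice, an unknown id turned up once, and an unrelated image was fetched once.
SAMPLE_LOG = [
    f'203.0.113.5 - - [15/Oct/2017:09:12:01 +0000] "GET /images/productimage.png?id={beacon_id("alice@example.org")} HTTP/1.1" 200 1234',
    f'203.0.113.5 - - [15/Oct/2017:09:12:05 +0000] "GET /images/productimage.png?id={beacon_id("alice@example.org")} HTTP/1.1" 200 1234',
    '198.51.100.7 - - [15/Oct/2017:10:01:44 +0000] "GET /images/productimage.png?id=notarealid HTTP/1.1" 200 1234',
    '198.51.100.9 - - [15/Oct/2017:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    print(beacon_url("alice@example.org"))
    print(dict(opens_from_log(SAMPLE_LOG, RECIPIENTS)))
```

`opens_from_log(SAMPLE_LOG, RECIPIENTS)` reports two opens for alice and none for bob. Two practical caveats: a mail client that does not load remote images defeats the beacon entirely, and the id together with the IP address and timestamp is personal data under GDPR, so the tracking has to be disclosed in the privacy notice rather than quietly collected.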

Artificial Intelligence

1. If a school bus is in the path of an oncoming train, are we obligated to pull the railroad switch lever, resulting in the death of a pedestrian on the other track?

2. If we’re driving a truck loaded with pipes, are we obligated to stop short and impale ourselves in order to keep from demolishing the car in front of us?

• No truck driver, so no risk of impalement.

• The autonomous truck, programmed to keep a safe distance and learning from millions of scenarios, could foresee the bad situation and act accordingly.

• A communications-linked sensor might alert the oncoming autonomous train in enough time to stop.

• Equally vigilant sensors could warn the person to get off the track in time, not to mention that a human track worker might be less likely anyway.

3. Technology Scenarios

Is it okay to use the Wi-Fi at Starbucks?

[Diagram: your browser → website]

Data in transit is vulnerable to “Man in the middle” and other attack types: on a public network, whoever controls the access point, or can impersonate it, sits between your browser and the website.

[Diagram: your browser → VPN → website]

A virtual private network encrypts your traffic over the public network and does not expose your interaction to the hotspot operator or your service provider (except that you are connecting to the VPN server). The VPN operator, of course, now sees what the hotspot operator no longer can, so the VPN provider has to be trusted, and HTTPS is still needed end to end.

It wasn’t me, it was the AI!


How should a traffic algorithm calculate ETA? If it aggregates trips along a stretch of highway where a majority of drivers routinely go 5 MPH over the speed limit, should it suggest a time estimate based on a disregard of the law?

How should a news algorithm determine popular news stories? When should humans intervene and take a blatantly false story out of the mix?

Ransomware – to pay or not to pay

“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

James Trainor, FBI Cyber Division Assistant Director

Third party computing: a cloud can be cloudy

• Where is your PII? Inventory?

• What does your contract say?

• Saving money, but is it secure? Where is your data?

• Privacy? Records Management? eDiscovery?


Employees on social media

• Good employees can accidentally divulge material non-public information

• How about a disgruntled employee?

• Is your IP protected?

• How does your organization enforce and monitor social media use?


Education: are employees the weakest link?

Q: According to a 2016 PwC survey, in what percentage of data breaches are employees the source of the breach?

A: 34%

A Code of Conduct and Privacy Policy must be continually updated to reflect relevant risks and a changing regulatory environment.

4. Business Landscape

Business Landscape

• Expertise is leaving the company

• Expanding use of third parties, even outside of IT

• Disjointed systems affecting records compliance

• Social media/expectation of connectivity

• The coming of GDPR


What is GDPR?

• Regulation

• Who is impacted?

• Enforcement

• Cybersecurity

• Trends

• New York – Department of Financial Services cybersecurity regulation (23 NYCRR Part 500)

• Others to come?

• Compliance conflicts – monitoring can be useful, but GDPR limits the scope of the monitoring an employer may carry out

Data Subject – Data Controller – Data Processor

There are three key terms: data subjects, data controllers, and data processors.

For example, a company is a data controller with respect to the customers or employees about whom it has personal information.

The customers and employees are the data subjects in this context: natural persons whose personal data is being processed by the data controller.

An example of a data processor would be a company to whom payroll operations are outsourced by the employer in its capacity as a data controller.

Quiz

1. Question: Which of the following represent potential consequences if a company does not adequately protect personal information?

□ a. Fines

□ b. Loss of consumer confidence

□ c. Disruption of operations

□ d. All of the above

□ e. None of the above – protecting personal information is not very important

Answer: d – All of the above.

2. Question: Company contracts a third party consumer rewards agency based in South Africa to create and launch a new online consumer rewards program. The agency’s system is hacked and personal information of our consumers from all over the world is stolen. Can we be held liable for the theft?

□ a. Yes

□ b. No

Answer: Yes. Even though it was the third party’s systems that were hacked, we engaged the agency and remain the data controller, so we are the first party held liable and ultimately accountable for the data breach.

3. Question: We discover a batch file of personal data derived from a 2007 online survey. We have not used the data since 2007 and do not at this time have a specific need for the data. Can we retain the data in the event we may need it at some point in the future?

□ a. Yes

□ b. No

Answer: No. The idea that personal data should not be retained for longer than necessary in relation to the purposes for which they were collected, or for which they are further processed, is key to ensuring fair processing.

4. Question: True or false. Storing personal information is a form of processing.

□ a. True

□ b. False

Answer: True. Storing personal information is a form of processing. Processing covers any action that takes place during the life cycle of personal information, including collection, storage, use, transfer, and deletion.

What is at stake?

What are the potential consequences for companies who mishandle personal information?

• Loss of consumer confidence and reputation

• Diminished brand value

• Payment of fines, potentially in the millions

• Disruption of operations

• Personal liability for employees

1. Data Privacy and its current importance in the world

a) Greater public interest, laws and enforcement globally

b) Issues – loss of data; hacking / ransomware

c) Regulators are requiring companies to create and maintain a corporate culture that emphasizes data privacy and security by establishing reliable data protection governance

2. Impact to organizations

a) Reputational damage

b) Regulatory entanglements

c) Fines – under GDPR, up to 2% or 4% of global annual turnover, depending on the tier of the violation

3. Embracing and integrating good data privacy practice

a) Consistent with Codes of Conduct

b) Connects us with the desires/beliefs of employees and consumers

c) Is the law in most of the places where we operate (plus extraterritorial reach of EU law)

What can I do?

When Handling Personal Information

• Use security measures such as encryption; a password on a file only protects it if the file is actually encrypted.

• Don’t share the information with anyone unless they have a legitimate need to access it.

• Make sure all of your devices are password protected, and report any loss / theft of devices immediately.

What can I do?

With A Repository (e.g. SharePoint) That Contains Personal Information

• Have a formal access protocol and limit access to the repository to “need to know.”

• Ensure that the repository is aligned with our security standards.

• Ensure that the repository does not collect more information than is necessary or retain any personal information longer than required.

What can I do?

If I Work With A 3rd Party That Processes Personal Information

• Ensure that the 3rd party is under contract with us, and the contract includes our minimum privacy terms.

• Ensure that the 3rd party meets our security standards.

• Only share the personal information with the 3rd party in secure format.

What can I do?

Collecting Personal Information

• From employees – Ensure that the collection is consistent with our Global Data Privacy Policy.

• From consumers – Ensure that they understand exactly how their information will be used and that their consent is collected and stored.

What can I do?

When Developing / Purchasing A System That Will Hold Personal Information

• Complete and submit a Privacy Impact Assessment form.

• Ensure that the system’s security is reviewed and meets our Information Security standards.

• If it is a 3rd party system, there must be a contract, and the contract must have our minimum privacy and security terms.

What can I do?

Always Keep Privacy And Security of Personal Information Top of Mind

EXAMPLES

Celebrating Birthdays: If birthdays are celebrated in the office, collect the birthday information directly from employees, not from our HR systems, and make participation voluntary.

Using Surveys: Always include a detailed description of the purpose of the survey. Collect and store the consent of all survey participants. Delete survey data after the purpose has been met.

Job Applicants: Privacy extends to job applicants and recruits. Never check the social media accounts of job applicants unless you say you are going to do that in the job advertisement.

Breaches: Immediately escalate any suspicion of a data breach or cyber attack, or of lost or stolen computers or devices. You can contact the Privacy Team at WeRPrivacy.com.

Which of these could be considered personal information?

• Birthdate / Age

• Internet Protocol (IP) Address

• Gender

• Salary

• Shoe size

• Job title

• Tattoos

• Favorite hobbies

5. Functions

Responsibilities, Incentives, Disincentives

The Compliance Function

• We’re an outwardly facing department—we need to know who knows what and how things work.

• We must sometimes be the politician, working with people as a trusted resource

• We work hard to understand the business and where it makes money

• We manage risk

• We are educators


Information Technology


• Tell me what we need to do—technology is nothing if it doesn’t address valid requirements

• Our use of third parties sometimes means that our systems are more rigid than some in the business would like

• System rules are explicit and enforced. We need to capture your requirements in that spirit

Marketing


• We can’t get bogged down in process

• We’ll take care of growing the business, you take care of the back end stuff

• That being said, we can capture a wealth of data. Let’s use it!


Privacy


• These aren’t just numbers and segments and sales—they represent individuals with certain rights to privacy

• We need to grow the business but protect those rights

Outside Experts


• Outside counsel

• Privacy experts

• IT experts

• Project management

• Here’s what we’ve seen…

Thank You! Enjoy the rest of the conference!

11 Key GDPR Tenets

1. Increases the individual’s expectation of data privacy and the organization’s obligation to follow established cybersecurity practices.

2. Establishes hefty fines for non-compliance. An egregious violation of GDPR, such as poor data security leading to public exposure of sensitive personal information, could result in a fine in the millions or even billions of dollars. There are two tiers of violations: the lower tier carries fines of up to 10 million euros or 2% of worldwide annual turnover, the higher tier up to 20 million euros or 4% of worldwide annual turnover, whichever is higher in each case.

3. Imposes detailed and demanding breach notification requirements. The supervisory authority must be notified “without undue delay and, where feasible, not later than 72 hours after having become aware of [the breach]”, and affected individuals must be told without undue delay when the breach is likely to result in a high risk to them. Affected companies in America that are accustomed to US state data breach reporting may need to adjust their breach notification policies and procedures to avoid violating GDPR.

4. Requires many organizations to appoint a data protection officer (DPO). You will need to designate a DPO if your core activities, as either a data controller or data processor, involve “regular and systematic monitoring of data subjects on a large scale.” For firms who already have a chief privacy officer, making that person DPO would make sense, but if there is no CPO or similar position in the organization, then a DPO role will need to be created.

5. Tightens the definition of consent. Data subjects must confirm their consent to your use of their personal data through a freely given, specific, informed, and unambiguous statement or a clear affirmative action. In other words: silence, pre-ticked boxes, or inactivity no longer constitute consent.

6. Takes a broad view of what constitutes personal data, encompassing online identifiers such as cookies, IP addresses, and other tracking data.

7. Codifies a right to be forgotten so individuals can ask your organization to delete their personal data. Organizations that do not yet have a process for accommodating such requests will need to work on that.

8. Gives data subjects the right to receive their data in a common, machine-readable format and to ask that their data be transferred to another controller (data portability). The same process gap applies here.

9. Makes it clear that data controllers are liable for the actions of the data processors they choose. (The controller-processor relationship should be governed by a contract that details the type of data involved, its purpose, use, retention, disposal, and protective security measures. For US companies, think Covered Entities and Business Associates under HIPAA.)

10. Requires parental consent for online services offered to children under 16 (member states may lower the threshold, but not below 13).

11. Enshrines “privacy by design” (data protection by design and by default) as a required standard practice for all activities involving protected personal data. For example, in the area of app development, GDPR implies that “security and privacy experts should sit with the marketing team to build the business requirements and development plan for any new app to make sure it complies with the new regulation”.