• No results found

Implementing Privacy Compliant Hybrid Cloud Solutions

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Implementing Privacy Compliant Hybrid Cloud Solutions"

Copied!
16
0
0

Loading.... (view fulltext now)

Download now ( 16 Page )

Full text

(1)

SESSION ID:

Implementing Privacy Compliant Hybrid

Cloud Solutions

DSP-T07A

Peter J Reid

Privacy Officer, Enterprise Business Hewlett-Packard Company

(2)

#RSAC

2

2014 – Compliance requirements – very complex; global scope

2014 – Outsourcing/Cloud are global operations with resources deployed globally; multiple laws and regulations apply

Historical IT Outsourcing Perspective

1960 1970 1980 1990 2000

Cloud Web 2.0

1962 - Ross Perot Founds EDS; Creates the Outsourcing Industry; Mainframe batch with limited online processing; all local

1962 – Compliance

(3)

#RSAC

Significant Privacy Legislation Exists Outside US

In Europe, the European Data Protection Directive & its supporting country legislation considers privacy (data protection) a human right

Legislation, similar to European Data Protection Directive, has been & continues to be enacted in many other

countries Argentina * Australia Canada * Hong Kong Israel * Japan New Zealand * Most International Privacy Laws Place Restrictions on Trans-Border

Data Flow

(4)

#RSAC

• Fair Credit Reporting Act • Privacy Act

• Family Educational Rights and Privacy Act • Right to Financial Privacy Act

• Cable Communications Privacy Act • Electronic Communications Privacy Act • Video Privacy Protection Act

• FCC TCPA & CPNI Rules • Driver’s Privacy Protection Act • Telecommunications Act

• Children’s Online Privacy Protection Act

• Wireless Communications and Public Safety Act • Gramm Leach Bliley Act

• Health Insurance Portability & Accountability Act (HIPAA) • FTC Do Not Call Registry & Telemarketing Rules

• CAN-SPAM Act

• Fair & Accurate Credit Transactions Act (FACTA) • HITECH Act

No current U.S. Privacy Laws place any restrictions on Trans-Border Data Flow

U.S. Approach To Privacy Legislation, Historically

Sector-Based, Has Been Growing

(5)

#RSAC

Other Privacy Regulatory Considerations

FTC Act - 1914 (section 5 “unfair & deceptive practices”)

46 U.S. states now have Identity Theft Notification laws (aka

Data Breach laws); HITECH Act has similar requirements as

do several EU countries. Similar laws now being considered

in other geographies

Payment Card Industry Data Security Standards (PCI DSS)

Online Behavioral Advertising (OBA) laws in place and

proliferating

(6)

#RSAC

6

Privacy Restrictions On Trans-Border Data Flow

Privacy & Data Protection regulations restrict transfer of “personal information” across national borders

a. Transfers from all countries with comprehensive national legislation are restricted

i. EU/EEA, Switzerland, Argentina, Australia, Canada, Japan, Korea, Mexico, etc.

b. From EU/EEA countries, personal information can be transferred to countries that have “adequate protection”

i. All other EU/EEA member states are deemed to be adequate

ii. Switzerland, Canada, Argentina, Israel, New Zealand, Uruguay all have

regulations deemed adequate by the EU

iii.No other countries (e.g. US, Brazil, China, India, Malaysia, Philippines, Costa

Rica) are deemed adequate by the EU, so transfers are restricted

  

(7)

#RSAC

Overcoming Privacy Restrictions

Mechanisms to overcome transfer restrictions

a. Information can be transferred from a company in an EU/EEA country or Switzerland to it’s U.S. entity if that entity has joined U.S. DoC Safe Harbor

i. Safe Harbor applies only to transfers of PI from the EU to the U.S.

ii. Safe Harbor also allows “onward transfers” to other jurisdictions

b. Personal information can also be transferred from any EU/EEA country to any

non-EU/EEA country, other than “approved adequate countries”, if:

i. A model contract has been signed & in many instances approved by the country regulator, or

ii. Binding Corporate Rules (BCR) /Binding Corporate Rules for Processors (BCR-P) have been approved, or

iii. The individual has “freely given” consent

c. Transfers from other countries with national privacy legislation also require

contractual agreement. APEC has introduced Cross Border Processing Rules (CBPR, CBPR-P)

(8)

#RSAC

8

Summary of Laws & Regulations Impacting Cloud

Privacy & Data Protection Laws • EU Data Protection Directive

• Canada’s PIPEDA, Provincial laws • US Sectoral Laws (e.g. GLBA,

HIPAA/HITECH) Export Control Laws

• ITAR, Global Trade Laws Corporate Governance Laws

• SOX

Data Breach Laws • 46 U.S. States

• HITECH

• EU Data Protection Regulation

Implications

• Trans Border Data Flow • Security

• Security

• Trans Border Data Flow • Security

• Security • Security • Security

(9)

#RSAC

Enterprises shifting to a hybrid cloud model

Service Level Agreements (SLAs)

Availability, Security, Performance, Compliance, Cost

Build & Operate

Consume

Private

Cloud Managed Cloud Public Cloud

Traditional IT

(10)

#RSAC

Open source software for building private and public clouds

(11)

#RSAC

Openstack Contributors

 Unaffiliated individuals

 Commercial entities

 Nonprofit organizations

 National and local governments

 Number, quality, and area of

(12)

#RSAC

12

Biggest Cloud Compliance Challenges

Data mapping and data flow analysis

• Knowing where your personal and other confidential information

is and where it is stored and from where it can be accessed is a key factor in compliance.

• In the “Public/Hybrid Cloud” space, this becomes a critical issue

as it determines compliance requirements when your data is being stored and processed by a third party

(13)

#RSAC

13

Privacy & Outsourcing – Do you have the answers?

First ask yourselves:

• What types of information, subject to regulations, is stored in your company’s systems? (e.g. personal information, financial information, sensitive corporate information, export controlled information)

• Do you know exactly where that information is stored?

• Have you documented all the data flows, including all sources and destinations?

• Which regulations are you subject to?

• Does your IT organization understand the implications of all the regulations you are subject to?

• What is your compliance organization structure? Where does it reside?

(14)

#RSAC

14

Privacy Considerations – Do you have the answers?

Then ask your providers:

• Where will my data be stored and from where can it be accessed? • What are your privacy and data protection programs and policies? Do

you have approved BCR or BCR-P in the EU? Do you have approved CBPR or CBPR-P in APEC member countries?

• What are your security programs and policies? Do they meet the security requirements of HIPAA, PCI DSS, etc?

• Are all of your sub-contractors obligated to meet your internal and contractual Privacy and Security requirements?

• How will you help us meet our regulatory and corporate compliance obligations?

(15)

#RSAC

15

Summary

• The contract

• Clarify roles and obligations of parties

• Technical and organizational measures

• Processing risk and nature of data are key to what is ‘appropriate’

• Ask for evidence of

• Privacy and security policies; Implementation of security controls; Training of personnel

• Be prepared to conduct site visits

• If transfers of PI out of the EU/EEA will occur

• Establish the requirements under which transfers may take place (e.g. Model Contracts, BCR, BCR-P, etc)

• If EU Model Contracts are required, start work on them as soon as possible to avoid delays in delivery of service

• Always remember, you cannot “outsource” your compliance obligations

(16)

References

Download now ( PDF - 16 Page - 1.17 MB )

Related documents

Wireless Data Logger – A Joint Use of Frequency Converter and Wireless Sensor Network

The Communication Node receives data from the frequency converter and operates data processing functions, but it will not send the data to the Gateway Node until it receives the

Online Commerce Unnecessary Luxury or Efficiency Shift?

Fact is you should be leveraging your ecommerce platform to deliver a world of useful tools, applications and capabilities to the sales teams – everything from analytics and

INSURANCE. Home Insurance. Travel Insurance. Product Disclosure Statement and Policy document

The most we will pay is the amount set out in the section in the ‘Table of benefits’ on page 4, which relates to the travel plan you have chosen, unless you are claiming

JPEG XT: A Compression Standard for HDR and WCG Images [Standards in a Nutshell]

JPEG XT image coding system is organized into nine parts that hierarchically define the baseline coding architecture, known from the legacy JPEG standard, an extensible file

9880: Details of the System z Infrastructure and Support for Oracle Solutions, Including Oracle Database, E-Business Suite, PeopleSoft and Siebel

ASMlib available for Red Hat 5.6 – refer to My Oracle Support Note: Oracle ASMLIB - Support for RedHat Enterprise Linux 5 AS on IBM zSeries [ID 821652.1] Library and tools from

Identification of risk factors associated with highway fatalities occurring to law enforcement professionals

To effectively accomplish these charges, LESSS has established three working focus groups with defined missions, as described below: “Vehicle Working Group: Study the