Data Protection and Information Security: The top 5 risks for November 2012


Data Protection and Information Security: The top 5 risks for 2013

1 November 2012

Robert Bond

Head of Data Protection & Information Law Group

(2)

Our team

• Speechly Bircham is an ambitious, full-service law firm with over 250 lawyers, headquartered in London. We work with business and private clients across the UK and internationally and focus on the financial services, private wealth, technology, real estate and construction sectors

• We have offices in Luxembourg and Zurich

• Our Data Protection & Information Law team provide a range of expertise on data privacy audit, compliance, risk management, information security and data breaches

• We are listed in Chambers 2012 as a leading law firm for Data Protection and have advised on this area of law since 1983

“Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally has been instrumental in establishing our privacy policies and procedures.”

(3)

Robert specialises in intellectual property, technology and commercial law and his particular areas of specialist knowledge include legal issues for the computer games and digital media sectors as well as data protection and information security.

A Certified Compliance & Ethics Professional, Robert has specialised in data protection since 1983 and is listed in the top 20 Best Privacy Advisers in a recent survey published in Computer World.

He was recently appointed an Ambassador for Privacy by Design by Commissioner Ann Cavoukian of Ontario.

He has advised many multinationals on trans-border data flows and global data protection compliance since 1997, and co-authored the ICC BCR Report in 2006 and the ICC Guidelines on Basel II and Data Protection in 2007. Robert is the author of many books, including most recently for Sweet & Maxwell, who publish his book Negotiating International Software Licenses and Data Transfer Agreements. Robert is a Companion of the British Computer Society, a Fellow of the Society of Advanced Legal Study and in 1994 was a researcher in Information Security and Data Protection at the University of Leicester. He is chairman of the ICC (UK) E-Business, IT & Telecoms Committee and Chairman of the IT & E-Commerce Committee of the Licensing Executives Society.

Robert is listed in Legal Experts 2011 and The Who’s Who of International Internet & E-Commerce Lawyers and is also recognised as a Legal Expert by Euromoney’s Guide to the World’s Leading Technology Telecommunications Lawyers.

He is also a frequent speaker at industry events and conferences.

Robert is listed as Tier 1 for Data Protection in Chambers UK 2012 to 2010, which describes him as “an esteemed figure in the field. He has an impressive reputation for his work on cross-border data compliance and cutting-edge IT data privacy issues within the digital, online and social media spheres.” He is listed as a data protection expert in Chambers (2009) and in Chambers (2008), where clients describe him as “a brilliant lecturer, a meticulous lawyer” and “responsive – if you contact him, you know he’ll get back to you within the hour” and “authoritative – he really knows his stuff, and he has so many contacts within the EC he can predict trends and what’s coming further down the line, which is very useful for forward planning.”

[email protected] Tel +44 (0)20 7427 6660

Robert Bond

“From regulatory compliance to practical advice on data security issues, Robert’s expertise in this field and the creativity of the advice that he provides has ensured that he stands head and shoulders above the competition.”

(4)

Freedom of Information

• Public Sector

• Private Sector

• Prejudice test and public interest analysis

Surveillance, Interception and Monitoring

• RIPA

• Lawful business regulations

• Security

• Tracking and location data

Data Protection

• Privacy

• Confidentiality

• International transfers

• Employment laws

• CCTV

• Direct marketing

• Cloud computing

• Outsourcing

Compliance

• Sarbanes-Oxley

• Ethical hotlines

• FCPA/OFAC/Bribery

• E-Discovery Rules

• Data retention

• Data destruction

• Records management

Data Protection and Information Law

(5)

Assessing data risks, challenges and priorities

• Recent news

• Legal landscape

• Facts & Figures

• Policies & Controls

• Threats

– Cloud computing

– Social networking

– Monitoring

– Internal threats

– External threats

• When it goes wrong!

• Breach procedures

• Questions

(6)

Data at the tipping point

• Finding 1

There is a notable difference between organizations’ intentions regarding data privacy and how they actually protect it, creating an uneven trust landscape.

• Finding 2

A majority of organizations have lost sensitive personal information, and among these organizations, the biggest causes are internal and therefore something they potentially could control.

• Finding 3

Compliance complacency is prevalent throughout the world.

• Finding 4

Understanding the perspective on and approach to data privacy and protection of business partners is crucial.

• Finding 5

Organizations that exhibit a “culture of caring” with respect to data privacy and protection are far less likely to experience security breaches.

Accenture 2012

(7)

The Numbers according to Chartis

• Nine billion connected devices worldwide, predicted to rise to 24 billion by 2020

• More than 50% of the world’s population is aged under 30

• If Facebook was a country it would be the third largest in the world

• 77 million customers were threatened by the Sony data breach

• Global cyber security spending was expected to reach $60bn in 2011

• It is forecast to grow 10% every year during the next three to five years

• Up to 600,000 Facebook accounts are blocked every day after hacking attempts

• More than 6.7 million distinct bot-infected computers were detected in 2009.

(8)

Memorable security breaches

• Heartland

• TJX

• Sony

• HMRC

• T-Mobile

• Bank of New York

(9)

The starting point!

• “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”

Art. 17 EU DP Directive

• According to PIPEDA, personal information must be protected by security safeguards appropriate to the sensitivity of the information. The security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.

(10)

Corporate governance

• Corporate governance

– Responsibilities of publicly traded or listed companies

– Industry specific rules

– Risk management approach

– Best practice

• Standards

– ISO 27001:2005 Information Security

– BSI 10012:2009 Data Protection

– FSA SYSC

– PCI DSS

(11)

The end point?

• Preparation for policy and procedure

• Security policy content

– scope and explanation

– IT security procedures

– organisational procedures

– back-up

– measuring compliance

– incident procedures

– personnel issues

(12)

Related Data Privacy Issues

• Registration

• Notification

• Vendor management

• International data transfer

• Subject Access Requests

(13)

Threats: The Cloud

• Determination:

– data controller?

– data processor?

• Agreed terms: Seventh Data Principle

• Off-shoring: Eighth Data Principle – adequacy solutions

– Safe Harbor

– model clauses

– sub-processor/contractor

• Change the law or change the product?

(14)

Threats: Social Media

• In the workplace

• Blurring the distinction

– work into home life

– home life into workplace

• Is there a risk?

– corporate message

– corporate information

– IT estate

• Policies

– people risk

– information risk

(15)

Threats: Monitoring

• It is regulated

• Privacy impact

• Means justify the goal?

• Privacy Impact Assessment

• Cross border investigations

(16)

Threats: Internal Threats

• Employee

• Rogue

• BYOD

• Dropbox and Sharepoint

• Lack of controls

• Liability

– employee?

– employer?

• Question: did the controls match risks?

(17)

Threats: External Threats

• Risk assessment

• Information security expertise

• Core legal requirements

• Controller or processor?

• Question: did the controls match risks?

(18)

When it goes wrong!

Surviving a data breach (cycle diagram): Containment and Recovery → Assessment of Risk → Notification → Evaluation & Remedy

(19)

Containment and recovery

• Decide on who should take the lead on investigating the breach and ensure they have the appropriate resources

• Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. This could be isolating or closing a compromised section of the network, finding a lost piece of equipment or simply changing the access codes at the front door.

• Establish whether there is anything you can do to recover any losses and limit the damage the breach can cause. As well as the physical recovery of equipment, this could involve the use of back-up tapes to restore lost or damaged data or ensuring that staff recognise when someone tries to use stolen data to access accounts

• Where appropriate, inform the police

(20)

Assessing the risks

• What type of data is involved?

• How sensitive is it? Remember that some data is sensitive because of its very personal nature (health records) while other data types are sensitive because of what might happen if it is misused (bank account details)

• If data has been lost or stolen, are there any protections in place such as encryption?

• What has happened to the data? If data has been stolen, it could be used for purposes which are harmful to the individuals to whom the data relate; if it has been damaged, this poses a different type and level of risk

• Regardless of what has happened to the data, what could the data tell a third party about the individual? Sensitive data could mean very little to an opportunistic laptop thief while the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people

(21)

Assessing the risks

• How many individuals’ personal data are affected by the breach? It is not necessarily the case that the bigger risks will accrue from the loss of large amounts of data, but it is certainly an important determining factor in the overall risk assessment

• Who are the individuals whose data has been breached? Whether they are staff, customers, clients or suppliers, for example, will to some extent determine the level of risk posed by the breach and, therefore, your actions in attempting to mitigate those risks

• What harm can come to those individuals? Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?

• Are there wider consequences to consider such as a risk to public health or loss of public confidence in an important service you provide?

• If individuals’ bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help you prevent fraudulent use.

(22)

Notification of breaches

• Are there any legal or contractual requirements? Some laws expressly require you to notify a breach and sector specific rules may lead you towards issuing a notification

• Can notification help you meet your security obligations with regard to applicable laws?

• Can notification help the individual? Bearing in mind the potential effects of the breach, could individuals act on the information you provide to mitigate risks, for example by cancelling a credit card or changing a password?

• If a large number of people are affected, or there are very serious consequences, you should inform the appropriate regulator.

• Consider how notification can be made appropriate for particular groups of individuals, for example, if you are notifying children or vulnerable adults.

(23)

Notification of breaches

• Make sure you notify the appropriate regulatory body. A sector specific regulator may require you to notify them of any type of breach but the DPA in the EU should only be notified when the breach involves personal data

• There are a number of different ways to notify those affected so consider using the most appropriate one. Always bear in mind the security of the medium as well as the urgency of the situation

• Your notification should at the very least include a description of how and when the breach occurred and what data was involved. Include details of what you have already done to respond to the risks posed by the breach

• When notifying individuals give specific and clear advice on the steps they can take to protect themselves and also what you are willing to do to help them

• Provide a way in which they can contact you for further information or to ask you questions about what has occurred – this could be a helpline number or a web page, for example.

(24)

Evaluation and response

• Identify weak points in your existing security measures such as the use of portable storage devices or access to public networks

• Monitor staff awareness of security issues and look to fill any gaps through training or tailored advice

• Consider whether you need to establish a group of technical and non-technical staff who discuss ‘what if’ scenarios – this would highlight risks and weaknesses as well as giving staff at different levels the opportunity to suggest solutions

• If your organisation already has a Business Continuity Plan for dealing with serious incidents, consider implementing a similar plan for data security breaches

• It is recommended that at the very least you identify a group of people responsible for reacting to reported breaches of security

(25)

The cost of a data breach

• Sony: share prices dropped 9% in Tokyo (on 13 May 2011) following Playstation hacks, where the personal information of around 100 million users was stolen. Sony has spent $170 million rectifying the breach to date.

• Heartland Payment’s data breach in 2009 impacted 175,000 merchants and millions of payment card transactions each month. Heartland saw its share price drop 33%.

• Epsilon: total cost of the breach including forensic audits and monitoring, fines, litigation and lost business for provider and customers could eventually run as high as $3 to $4billion.

• In reporting its fourth-quarter and year-end earnings, Global Payments said that the March 2012 breach had cost it $84.4m before tax.

• It is estimated that the average data breach costs a company £2 million, or £71 per record violated.

(26)


For more information on our services, please contact:

Robert Bond

+44 (0)20 7427 6660

[email protected]
