1/1/2021
1
Data Protection and Breaches in
the Internet of Things
Sanjeev Gathani, Group Compliance and HR Officer of RV Healthcare Pte Ltd
Food for Thought
Digitalised vs Digitised
Digitised
to convert from a physical to a digital format so that it can be processed by a computer (example: printed text, music, pictures)
Digitalised
to make use of digital technology to create new value, new business models and new ways of thinking, making decisions and doing business
Past, Present and Future
Table of Contents
Definitions
Privacy & security - IoT
Data breaches
Responses and Strategy
Questions and Answers
Privacy
Encompasses the rights and obligations of individuals and organizations with respect to the COLLECTION, USE, RETENTION, DISCLOSURE AND DISPOSAL of personal information – The American Institute of Certified Public Accountants (AICPA)
Privacy Classes: Collect, Use, Dispose, Store
Data Protection Rules
Actors: Data Protection Authority, Data Controller, Data Processor, Data Subject
Security
the quality or state of being secure, such as: (a) freedom from danger: safety; (b) freedom from fear or anxiety; (c) freedom from the prospect of being laid off (job security)
Security is not Privacy
Privacy Big Themes
Notifying individuals about what’s happening with their data
Compliance requirements for processors
Breach notification
Lawful processing must be ‘provable’ before you process
Geographic reach
Principles
Legal rights of individuals
DPO (data protection officer)
Fines – potential for litigation and criminal penalties
Data transfers
Stricter rules for obtaining consent
Increased compliance requirements for controllers
Subject matter (data categories)
Privacy
Principle 1: Lawfulness, fairness and transparency
Principle 2: Purpose limitation
Principle 3: Data minimisation
Principle 4: Accuracy
Principle 5: Storage limitation
Principle 6: Integrity and confidentiality (security)
Accountability
Principles For Organisations To Consider
(Figure: responsibilities split between The Board and Management; recoverable fragments: enterprise-wide obligations, the programme as our duty, oversee effectiveness appropriately, confidence in major transactions, risk, sustained compliance discipline, responsibility for conflicts, processing lawfully and showing compliance prior, sufficient trained resources, showing lawful evidence to regulators and the courts.)
You’re in control (panic?): it’s the LAW, not just for Christmas.
No plan? = oh dear = unhappy Courts and Supervisors and litigious individuals.
You MUST prove lawfulness before you process (required in some jurisdictions).
Clarity of vision. Accountability. Compliance is specific to your organisation. Get the basics right first.
Deliberation Time
Privacy and Security - IoT
Concerns have been raised regarding the security and privacy challenges posed by the IoT ecosystem.
Data Breaches
Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), Personally identifiable information (PII), trade secrets of corporations or intellectual property
Most data breaches involve overexposed and vulnerable unstructured data – files, documents, and sensitive information
“A Data Breach is generally taken to be a suspected breach of data security of personal data held by a data user, exposing these data to the risk of loss, unauthorized or accidental access, processing, erasure or use” - PCPD, HK
What is a Data Breach? Examples:
Loss of personal data kept in storage, e.g. laptop computers, tablets, USB flash drives
Improper handling of personal data, e.g. disposal, sending to wrong party, authorized access by employee, etc.
Database containing personal info being hacked or accessed by outsiders without authorization
15 of the Biggest Data Breaches in the Last 15 Years
https://hostingtribunal.com/blog/biggest-data-breach-statistics
Game Time
Instructions
Discuss the assigned scenario within your team and answer the following questions:
As a DPO, how would you handle this situation?
How would you demonstrate to PDPC that you have implemented appropriate data protection policies and practices?
What are your recommendations for preventing this incident from occurring in future?
Be prepared to present your findings and recommendations to the PDPC investigators.
Case Study One
The offsite store, where archived documents were stored, had a break-in. Boxes of documents were found strewn all over. Some thumb drives were lying around as well. There were also boxes missing.
It was difficult to ascertain if all the contents of the boxes were accounted for, as everything was in a mess. Thus, the extent of the risk of exposure of the confidential documents was difficult to assess.
A whistleblower reported the break-in to the Regulator. It was not known whether there was a retention policy for the documents at the offsite store, nor whether the thumb drives were encrypted.
Case Study Two
You were informed by your boss that PDPC has sent a letter to the HR department. The background is that an anonymous email was sent (presumably from a disgruntled employee) to the HR director, copying the Regulator, accusing the company of negligence in handling employees' personal data. The individual cited cases where old resumes were found (with salary expectations written on them) as well as P-files left unattended.
Incident / Response Management & Demonstrating Accountability
Importance of Response Management
Breaches
Complaints
Issues, Concerns, Clarification
Requests for Information
Access & Correction Requests
Defining Accountability
Ownership, Responsibility, Evidence
Need to demonstrate accountability to regulators
Accountability to a regulator follows a poorly handled event.
Who, What, When
Demonstrate Evidence of Accountability
• Existence of privacy awareness program
• Compliance Manual
• Dedicated privacy team
• Breach protocols
• Internal communication – training & awareness
• Enforcement (warnings, counseling, termination)
Accountability
Ensure Accountability
Monitor Compliance
Address Incidents
Respond to Inquiries
Resolve Complaints
Settle Disputes
Basic Principles
Allow an affected person the opportunity to protect himself from identity theft or other harm (e.g. financial loss, reputation damage, embarrassment)
Primary focus when managing any privacy incident is harm prevention and/or minimisation
Data Breach – Preventing Harm
How should a data breach be handled?
1. Discovery of an incident
2. Containment & Analysis
3. Notification
4. Eradication & Prevention
Essential Information to Gather
• When did the breach occur?
• Where did the breach take place?
• How was the breach detected and by whom?
• What was the cause of the breach?
• What kind and extent of personal data were involved?
• How many data subjects (individuals) were affected?
Privacy Incidents
Who’s Involved
IS
Legal
HR
Marketing
Business Devt
PR
Union Reps
Finance
CEO
Customer Care
Effective incident response requires systematic, well-conceived planning before a breach. Many organisations include incident response planning in their broader business continuity plan.
Data Breach Response & Notification
To notify or not to notify
Ability to mitigate
Nature of data
Number of individuals
Accessibility of information
Harmfulness of breach
CARE Guidelines: Action to take
C: Containing the Breach
A: Assessing Risks and Impact
R: Reporting the Incident
E: Evaluating the Response & Recovery to Prevent Future Breaches
Future Direction
Has the board evaluated whether Business Continuity Plans worked? Were there gaps? Were there failures, e.g. phone systems, printing services?
Has the company reacted well? Did the company implement work-from-home arrangements and provide the necessary digital and technology tools & enablers (e.g. laptop pool, BYOD, video conference facilities, file sharing, etc.)?
Were there any scapegoats?
Were new guidelines introduced to adapt to these new arrangements? Employee monitoring guidelines? For managers?
The Current Crisis
Digital Leadership counts during this crisis and during the enforced Digital Transformation Process
Did The Board/Management Lead By Example?
e.g. Did the board have meetings on speakers or earpiece?
e.g. Did the board securely transfer files?
e.g. Did the board use virtual backgrounds in meetings or lock meetings?
Are we going to embrace this enforced digital transformation and amend our workflows and permanently adopt new technologies and SECURELY use them to enhance the business?
How are we going to now plan our Secure Digital Transformation to ensure it positively affects and enhance security?
CUSTOMERS: What is happening to demand, has it gone digital, can we secure it? How has customers’ ability to pay in this environment changed?
EMPLOYEES: How are employees doing in the new normal? Are they working at home or elsewhere? How are we helping ensure they are productive yet secure? How is their virtual well-being different to their physical well-being?
SUPPLIERS: What is the state of the supply chain? Were they able to adapt during this crisis, did they grow digitally? Can we enforce secure protocols on them? Can their systems integrate with ours?
GOVERNMENT: What are the implications of new government rules and the push to the new normal? Do we have regulations such as PDPA and others to adapt to?
OTHERS: What other risks might increase while focus is on the pandemic and recovery (such as cyber and technology risks)?
The Way Forward?
Beware The Rise Of Insiders
New loopholes in data security will exist, especially as the push for digital transformation was fast and security was ignored.
Personal challenges and cyber bullying in companies are on the rise.
Data has become the most valuable asset, the "crown jewels"; companies must protect it at all costs.
Corporate espionage becomes easier and more valuable. Companies are looking for an advantage over competitors.
Retrenchments will be inevitable; employees may look for "revenge".
9 security measures you can take to help secure your devices
Install reputable internet security software on your computers, tablets, and smartphones.
Use strong and unique passwords for device accounts, Wi-Fi networks, and connected devices. Don’t use common words or passwords that are easy to guess, such as “password” or “123456.”
Be aware when it comes to apps. Always make sure you read the privacy policy of the apps you use to see how they plan on using your information and more.
Do your research before you buy. Devices become smart because they collect a lot of personal data. While collecting data isn’t necessarily a bad thing, you should know about what types of data these devices collect, how it’s stored and protected, if it is shared with third parties, and the policies or protections regarding data breaches.
Know what data the device or app wants to access on your phone. If it seems unnecessary for the app’s functionality or too risky, deny permission.
Use a trusted VPN, which helps to secure the data transmitted on your home or public Wi-Fi.
Check the device manufacturer’s website regularly for firmware updates.
Use caution when using social sharing features with these apps. Social sharing features can expose information like your location and let people know when you’re not at home. Cybercriminals can use this to track your movements. That could lead to a potential cyberstalking issue or other real-world dangers.
Never leave your smartphone unattended if you’re using it in a public space. In crowded spaces, you should also consider turning off Wi-Fi or Bluetooth access if you don’t need them. Some smartphone brands allow automatic sharing with other users in close proximity.
Thank you