Data Protection and Breaches in the Internet of Things

Sanjeev Gathani, Group Compliance and HR Officer of RV Healthcare Pte Ltd

1/1/2021

Food for Thought: Digitalised vs Digitised

Digitised: to convert from a physical to a digital format so that it can be processed by a computer (examples: printed text, music, pictures).

Digitalised: to make use of digital technology to create new value, new business models and new ways of thinking, making decisions and doing business.

Past, Present and Future

Table of Contents

• Definitions
• Privacy & security - IOT
• Data breaches
• Responses and Strategy
• Questions and Answers

Privacy

Privacy encompasses the rights and obligations of individuals and organizations with respect to the COLLECTION, USE, RETENTION, DISCLOSURE AND DISPOSAL of personal information. – The American Institute of Certified Public Accountants (AICPA)

Privacy classes: Collect, Use, Dispose, Store

Data Protection Rules

The parties under data protection rules: Data Protection Authority, Data Controller, Data Processor, Data Subject.

Security

The quality or state of being secure, such as: (a) freedom from danger: safety; (b) freedom from fear or anxiety; (c) freedom from the prospect of being laid off: job security.

Security is not Privacy

Privacy Big Themes

• Notifying individuals about what’s happening with their data
• Compliance requirements for processors
• Breach notification
• Lawful processing must be ‘provable’ before you process
• Geographic reach
• Principles
• Legal rights of individuals
• DPO (data protection officer)
• Fines – potential for litigation and criminal penalties
• Data transfers
• Stricter rules for obtaining consent
• Increased compliance requirements for controllers
• Subject matter (data categories)

Principles

• Principle 1: Lawfulness, fairness and transparency
• Principle 2: Purpose limitation
• Principle 3: Data minimisation
• Principle 4: Accuracy
• Principle 5: Storage limitation
• Principle 6: Integrity and confidentiality (security)
• Accountability

Principles For Organisations To Consider

[Diagram of the responsibilities of The Board and Management; keywords from the slide: obligations, enterprise-wide programme, our duty, oversee effectiveness appropriately, confident, major transactions, risk, sustained compliance discipline, responsible, conflicts, processing lawfully, show compliance prior, sufficient resources, trained, show lawful evidence, regulators and the courts.]

You’re in control (panic?). It’s the LAW, not just for Christmas.

• No plan? = oh dear = unhappy Courts and Supervisors and litigious individuals
• You MUST prove lawfulness before you process (required in some jurisdictions)
• Clarity of vision
• Accountability
• Compliance is specific to your organisation
• Get the basics right first

Deliberation Time

Privacy and Security - IOT

Concerns have been raised regarding security and privacy challenges posed by the IOT ecosystem.

Data Breaches

Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property.

Most data breaches involve overexposed and vulnerable unstructured data – files, documents, and sensitive information.

What is a Data Breach?

“A Data Breach is generally taken to be a suspected breach of data security of personal data held by a data user, exposing these data to the risk of loss, unauthorized or accidental access, processing, erasure or use” - PCPD, HK

Examples:

• Loss of personal data kept in storage, e.g. laptop computers, tablets, USB flash drives
• Improper handling of personal data, e.g. disposal, sending to wrong party, unauthorized access by employee, etc.
• Database containing personal info being hacked or accessed by outsiders without authorization

15 of the Biggest Data Breaches in the Last 15 Years

https://hostingtribunal.com/blog/biggest-data-breach-statistics

Game Time

Instructions

Discuss the assigned scenario within your team and answer the following questions:

• As a DPO, how would you handle this situation?
• How would you demonstrate to PDPC that you have implemented appropriate data protection policies and practices?
• What are your recommendations for preventing this incident from occurring in future?
• Be prepared to present your findings and recommendations to the PDPC investigators.

Case Study One

• The offsite store, where archived documents were stored, had a break-in. Boxes of documents were found strewn all over. Some thumb drives were lying around as well. There were also boxes missing.
• It was difficult to ascertain if all the contents in the boxes were accounted for as everything was in a mess. Thus, the extent of the risk of exposure of the confidential documents was difficult to assess.
• A whistle-blower reported the break-in to the Regulator. It was not known if there was a retention policy for the documents at the offsite store, nor if the thumb drives were encrypted.

Case Study Two

• You were informed by your boss that PDPC has sent a letter to the HR department. The background is that an anonymous email was sent (presumably from a disgruntled employee) to the HR director, copying the Regulator, accusing the company of negligence in handling employees' personal data. The individual cited cases where old resumes were found (with salary expectations written on them) as well as P-files left unattended.

Incident / Response Management & Demonstrating Accountability

Importance of Response Management

• Breaches
• Complaints
• Issues, Concerns, Clarification
• Requests for Information
• Access & Correction Requests

Defining Accountability

Ownership, Responsibility, Evidence

Need to demonstrate accountability to regulators. Accountability to a regulator follows a poorly handled event: who, what, when.

Demonstrate Evidence of Accountability

• Existence of privacy awareness program
• Compliance Manual
• Dedicated privacy team
• Breach protocols
• Internal communication – training & awareness
• Enforcement (warnings, counseling, termination)

Accountability

• Ensure Accountability
• Monitor Compliance
• Address Incidents
• Respond to Inquiries
• Resolve Complaints
• Settle Disputes

Data Breach – Preventing Harm

Basic Principles

• Allow an affected person the opportunity to protect himself from identity theft or other harm (e.g. financial loss, reputation damage, embarrassment)
• Primary focus when managing any privacy incident is harm prevention and/or minimisation

How should a data breach be handled?

1. Discovery of an incident
2. Containment & Analysis
3. Notification
4. Eradication & Prevention

Essential Information to Gather

• When did the breach occur?
• Where did the breach take place?
• How was the breach detected and by whom?
• What was the cause of the breach?
• What kind and extent of personal data were involved?
• How many data subjects (individuals) were affected?

Privacy Incidents – Who’s Involved

• IS
• Legal
• HR
• Marketing
• Business Devt
• PR
• Union Reps
• Finance
• CEO
• Customer Care

Effective incident response requires systematic, well-conceived planning before a breach. Many organisations include incident response planning in their broader business continuity plan.

Data Breach Response & Notification

To notify or not to notify? Factors:

• Ability to mitigate
• Nature of data
• Number of individuals
• Accessibility of information
• Harmfulness of breach

CARE Guidelines – Action to take

• C – Containing the Breach
• A – Assessing Risks and Impact
• R – Reporting the Incident
• E – Evaluating the Response & Recovery to Prevent Future Breaches

Future Direction – The Current Crisis

• Has the board evaluated whether Business Continuity Plans worked? Were there gaps? Were there failures, e.g. phone systems, printing services?
• Has the company reacted well? Did the company implement work from home arrangements and provide the necessary digital and technology tools & enablers (e.g. laptop pool, BYOD, video conference facilities, file sharing etc.)?
• Were there any scapegoats?
• Were new guidelines introduced to adapt to these new arrangements? Employee monitoring guidelines? To managers?

The Way Forward?

Digital Leadership counts during this crisis and during the enforced Digital Transformation Process.

Did The Board/Management Lead By Example?

• e.g. Did the board have meetings on speakers or earpiece?
• e.g. Did the board securely transfer files?
• e.g. Did the board use virtual backgrounds in meetings or lock meetings?

Are we going to embrace this enforced digital transformation, amend our workflows, permanently adopt new technologies and SECURELY use them to enhance the business?

How are we going to now plan our Secure Digital Transformation to ensure it positively affects and enhances security?

CUSTOMERS: What is happening to demand? Has it gone digital, and can we secure it? How has customers’ ability to pay in this environment changed?

EMPLOYEES: How are employees doing in the new normal? Are they working at home or elsewhere? How are we helping ensure they are productive yet secure? How is their virtual well-being different to their physical well-being?

SUPPLIERS: What is the state of the supply chain? Were they able to adapt during this crisis, did they grow digitally? Can we enforce secure protocols on them? Can their systems integrate with ours?

GOVERNMENT: What are the implications of new government rules and the push to the new normal? Do we have regulations such as PDPA and others to adapt to?

OTHERS: What other risks might increase while focus is on the Pandemic and recovery (such as cyber and technology risks)?

Beware The Rise of Insiders

• New loopholes in Data Security will exist, especially as the push for digital transformation was fast and security ignored.
• Personal challenges and cyber bullying in companies on the rise.
• Data has become the most valuable asset, the "crown jewels". Companies must protect it at all costs.
• Corporate Espionage becomes easier and more valuable.
• Companies are looking for an advantage over competitors.
• Retrenchments will be inevitable; employees may look for "revenge".

9 security measures you can take to help secure your devices

1. Install reputable internet security software on your computers, tablets, and smartphones.
2. Use strong and unique passwords for device accounts, Wi-Fi networks, and connected devices. Don’t use common words or passwords that are easy to guess, such as “password” or “123456.”
3. Be aware when it comes to apps. Always make sure you read the privacy policy of the apps you use to see how they plan on using your information and more.
4. Do your research before you buy. Devices become smart because they collect a lot of personal data. While collecting data isn’t necessarily a bad thing, you should know what types of data these devices collect, how it’s stored and protected, if it is shared with third parties, and the policies or protections regarding data breaches.
5. Know what data the device or app wants to access on your phone. If it seems unnecessary for the app’s functionality or too risky, deny permission.
6. Use a trusted VPN, which helps to secure the data transmitted on your home or public Wi-Fi.
7. Check the device manufacturer’s website regularly for firmware updates.
8. Use caution when using social sharing features with these apps. Social sharing features can expose information like your location and let people know when you’re not at home. Cybercriminals can use this to track your movements. That could lead to a potential cyberstalking issue or other real-world dangers.
9. Never leave your smartphone unattended if you’re using it in a public space. In crowded spaces, you should also consider turning off Wi-Fi or Bluetooth access if you don’t need them. Some smartphone brands allow automatic sharing with other users in close proximity.

Thank you