IAPP Global Privacy Summit: Protecting Privacy Under the Cybersecurity Microscope
Source: S14_Cybersecurity_Microscope_PPT.pdf · 2014-03-06

Page 1

IAPP Global Privacy Summit

Protecting Privacy Under the Cybersecurity Microscope

Victoria King

UPS

(404) 828-6550

[email protected]

Lisa J. Sotto

Hunton & Williams LLP

(212) 309-1223

[email protected]

www.huntonprivacyblog.com

March 6, 2014

Page 2

What is Privacy and Data Security?

• Privacy is the appropriate use of information as defined by:

– Laws and regulations

– Individuals’ expectations

• Security is the protection of information

– Protection of data

– Confidentiality

– Data integrity

Page 3

Privacy and Data Security Risks

• Privacy Risks

– Legal compliance

– Reputation

– Investment

– Reticence

• Security Risks

– Loss of sensitive or business confidential data

– Data corruption

– Disruption of business processes / systems

– Reputation

Page 4

Cybersecurity Landscape

• Threat actors

• Threat vectors

• Information and systems targeted

Page 5

U.S. Legislative Landscape

• Numerous bills proposed

• Key privacy-related provisions

– Information sharing

– Liability protections

• Reasons for failure

Page 6

U.S. Policy Landscape

February 2013: the President announced two new initiatives

1) Executive Order 13636: Improving Critical Infrastructure Cybersecurity

2) Presidential Policy Directive – 21: Critical Infrastructure Security and Resilience

Together, they create an opportunity to work together to effect a comprehensive national approach to security and risk management

Implementation efforts will drive action toward system and network security and resiliency

Page 7

Executive Order 13636: Improving Critical Infrastructure Cybersecurity

• Directs the Executive Branch to:

– Develop a technology-neutral, voluntary cybersecurity framework

– Promote and incentivize the adoption of cybersecurity practices

– Increase the volume, timeliness and quality of cyber threat information sharing

– Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure

– Explore the use of existing regulation to promote cybersecurity

Page 8

Executive Order Privacy Provisions

• Section 5 requires that privacy and civil liberties protections be incorporated into the various activities required of agencies under the EO

• Protections should be based on FIPPs

• CPO of DHS must assess against FIPPs privacy risks of DHS programs

– The same is required of other agencies’ privacy officials

• Data submitted voluntarily by private entities under the EO will be protected from disclosure to the fullest extent permitted by law

• Framework must include methodologies to protect privacy

Page 9

Cybersecurity Framework

• Developed by NIST and industry stakeholders

• Intended to provide guidance on managing cybersecurity risk

• Reliance on existing standards, guidance and best practices

• Risk-based approach

• Composed of three parts:

– Framework Core

– Framework Profile

– Framework Implementation Tiers

• Significance of Framework

Page 10

A Life-Cycle Methodology

[Life-cycle methodology figure; not recoverable from the extracted text]

Page 11

NIST Core Framework Structure

[Framework Core table: columns Function, Category, Subcategory, Industry Standards; one row per Function]

IDENTIFY

PROTECT

DETECT

RESPOND

RECOVER

Page 12

Function Categories

6 Functions, 22 Categories, 98 Sub Categories

Identify – Asset management, business environment, governance, risk assessment, risk management

Protect – Access control, awareness & training, data security, process & procedures, maintenance, protective technologies

Detect – Anomalies & events, continuous monitoring, detection processes

Respond – Response planning, communications, analysis, mitigation, improvement

Recover – Recovery planning, improvements, communications

Page 13

Executive Information

[Executive roadmap visualization; not recoverable from the extracted text]

* This same roadmap visualization can be applied to the categories and sub-categories within each function.

Page 14

Framework Privacy Provisions

• Background

• Appendix B

– Workshop discussions

• Final framework addresses privacy in the “How to Use” section

– Now a “general set of considerations”

Page 15

EU Cybersecurity Issues

• ePrivacy Directive breach notification requirements, but limited to telcos and ISPs

• Some breach notification requirements at Member State level

• NIS Directive draft

– Member states must adopt NIS strategy and designate a national NIS authority

– Creation of network for governments to share threat information

– Critical infrastructure and information services companies (e.g., social networks) must implement security measures and report significant incidents to NIS Authority

• Overlap with proposed General Data Protection Regulation

– Requires reporting of personal data breaches to DPA

Page 16

U.S. Information Sharing

• DHS CRADA

– Required for private-sector entities to participate in NCCIC and CISCP

– Facilitates information sharing

• FBI MOA

– MOA delineates expectations and obligations for participating companies

– So FBI can share actionable cyber information with industry partners

– Industry partners are encouraged to share data with FBI

• Privacy risks associated with information sharing

Page 17

Managing the Changing Landscape

• This is a governance issue, not an IT issue

– Senior executives set the tone

• Cybersecurity used to be the CISO’s responsibility

– Those days are over

• Interdisciplinary efforts are key

– CISO, IT, CPO, GR, Communications, other stakeholders

• The issue has now spread throughout the organization — and the CPO’s involvement is crucial

Page 18

Organizational Shift is Needed

• Managing cybersecurity implicates privacy at every turn

• Data identification and classification is necessary to manage cyber risks

• Sharing data is necessary for incident prevention

• Access controls are key

• Use of data often is required for response actions

Page 19

Integrating Privacy Into the CISO’s Suite

• Coordinated governance between CISO and CPO

– Formalized issue review process

– Integration of privacy into information security’s risk assessment process

– Cross-functional team reviews

• Privacy by design for new products and processes

• Periodic review of current processes

– Cross-training

– Communication

Page 20

Training and Awareness

• Proselytize early and often so personnel have an understanding of global privacy considerations

• Tailored approach: no one-size-fits-all

– Formal training

– Creative communications tools

– Knowing communication tricks

– Measuring effectiveness

Page 21

Protecting PII in an Insecure World

• Identify categories of PII stored and know locations

• Identify key threats to PII and plug vulnerabilities

– Focus on most sensitive data

• Ensure strict access controls to databases containing sensitive PII

– Frequently revisit PII access permissions

• Ensure other strong safeguards to PII in your system

• Also consider vendor systems

• Practice data minimization

Page 22

Privacy Considerations During an Event

• Anonymize or delete PII before sharing in connection with a cybersecurity investigation or remediation activities

– Limit disclosure of PII to what is necessary to mitigate the incident

• When performing forensics, retain only the PII necessary to the investigation

• Understand global breach reporting obligations
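The first two bullets above, as an added example that is not from the deck or from any vendor tool: a keyed pseudonymization pass over a constructed log format, which replaces user e-mail addresses and internal host addresses with HMAC tokens while leaving the external source address, timestamps, paths and status codes a sharing partner needs to act on. The log format, the internal network ranges and the key are assumptions.

```python
"""Pseudonymize PII in incident log lines before sharing them.
Added example with a constructed log format; assumes a secret key held
only by the sharing organisation, so a partner can correlate records
across lines but cannot recover the underlying identities."""
import hashlib
import hmac
import ipaddress
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Internal address space: hosts here identify our own users and systems.
# Anything outside is treated as an external indicator and left intact.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def pseudonym(value: str, key: bytes, kind: str) -> str:
    """Keyed, deterministic token: same value -> same token under one key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{kind}-{digest[:12]}"

def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # not a valid address, leave it alone
        return False
    return any(addr in net for net in INTERNAL_NETS)

def sanitize_line(line: str, key: bytes) -> str:
    """Replace e-mail addresses (case-normalised) and internal IPs with
    pseudonyms; keep external IPs, timestamps, paths and status codes."""
    line = EMAIL_RE.sub(lambda m: pseudonym(m.group(0).lower(), key, "user"), line)
    return IPV4_RE.sub(lambda m: pseudonym(m.group(0), key, "host")
                       if is_internal(m.group(0)) else m.group(0), line)

def sanitize_for_sharing(lines, key: bytes) -> list:
    return [sanitize_line(line, key) for line in lines]

# Constructed sample: one external address probing two accounts.
SAMPLE_LOGS = [
    "2014-03-06T10:15:02Z src=203.0.113.7 dst=10.20.30.40 user=jane.doe@example.com path=/login status=401",
    "2014-03-06T10:15:09Z src=203.0.113.7 dst=10.20.30.40 user=Jane.Doe@example.com path=/login status=401",
    "2014-03-06T10:15:15Z src=203.0.113.7 dst=10.20.30.41 user=bob@example.com path=/login status=200",
]

if __name__ == "__main__":
    for out in sanitize_for_sharing(SAMPLE_LOGS, b"org-secret-key"):
        print(out)
```

Because the tokens are keyed, the partner can still see that the same account was hit twice, but only the key holder can map a token back to a person during follow-up.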

Page 23

Key Privacy Issues When Interacting with Law Enforcement

• Collection limitation

• Purpose specification

• Use limitation

• Disclosure limitation

• Data integrity

• Retention limitation

Page 24

[Figure, source PwC (March 2011): Data Breach Response Timeline, with phases Event, Mobilize, Stabilize, Investigate, Notify, Review & Improve, Regulatory Response, Lawsuits]

Page 25

Contacts

Victoria King

Global Privacy Officer

UPS

(404) 828-6550

[email protected]

Lisa Sotto

Partner

Hunton & Williams LLP

[email protected]

www.huntonprivacyblog.com

Page 26

Privacy in the DHS Cybersecurity Enterprise

Privacy Process

• Embed People

• Establish Policy

• Conduct PIAs

• Conduct PCRs

Privacy Protections

• Limit collection

• Protection at the edge

• (re)Enforce oversight

• Drive Transparency

www.dhs.gov/cybersecurity-and-privacy

Karen Neuman, Chief Privacy Officer