IAPP Global Privacy Summit
Protecting Privacy Under the Cybersecurity Microscope
Victoria King
UPS
(404) 828-6550
Lisa J. Sotto
Hunton & Williams LLP
(212) 309-1223
www.huntonprivacyblog.com
March 6, 2014
What is Privacy and Data Security?
• Privacy is the appropriate use of information as defined by:
– Laws and regulations
– Individuals’ expectations
• Security is the protection of information
– Protection of data
– Confidentiality
– Data integrity
Privacy and Data Security Risks
• Privacy Risks
– Legal compliance
– Reputation
– Investment
– Reticence
• Security Risks
– Loss of sensitive or business confidential data
– Data corruption
– Disruption of business processes / systems
– Reputation
Cybersecurity Landscape
• Threat actors
• Threat vectors
• Information and systems targeted
U.S. Legislative Landscape
• Numerous bills proposed
• Key privacy-related provisions
– Information sharing
– Liability protections
• Reasons for failure
U.S. Policy Landscape
February 2013: the President announced two new initiatives
1) Executive Order 13636: Improving Critical Infrastructure Cybersecurity
2) Presidential Policy Directive 21: Critical Infrastructure Security and Resilience
Together, they create an opportunity to effect a comprehensive national approach to security and risk management
Implementation efforts will drive action toward system and network security and resiliency
Executive Order 13636: Improving Critical Infrastructure Cybersecurity
• Directs the Executive Branch to:
– Develop a technology-neutral, voluntary cybersecurity framework
– Promote and incentivize the adoption of cybersecurity practices
– Increase the volume, timeliness and quality of cyber threat information sharing
– Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
– Explore the use of existing regulation to promote cybersecurity
Executive Order Privacy Provisions
• Section 5 requires that privacy and civil liberties protections be incorporated into the various activities required of agencies under the EO
• Protections should be based on the Fair Information Practice Principles (FIPPs)
• The DHS Chief Privacy Officer must assess the privacy risks of DHS programs against the FIPPs
– The same is required of other agencies’ privacy officials
• Data submitted voluntarily by private entities under the EO will be protected from disclosure to the fullest extent permitted by law
• Framework must include methodologies to protect privacy
Cybersecurity Framework
• Developed by NIST and industry stakeholders
• Intended to provide guidance on managing cybersecurity risk
• Reliance on existing standards, guidance and best practices
• Risk-based approach
• Composed of three parts:
– Framework Core
– Framework Profile
– Framework Implementation Tiers
• Significance of Framework
A Life-Cycle Methodology
[Figure: life-cycle methodology diagram; no text recovered from the slide]
NIST Core Framework Structure
[Figure: Framework Core table with columns Function, Category, Subcategory and Industry Standards, one block of rows for each Function: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER]
Function Categories
5 Functions, 22 Categories, 98 Subcategories
Identify – Asset management, business environment, governance, risk assessment, risk management
Protect – Access control, awareness & training, data security, process & procedures, maintenance, protective technologies
Detect – Anomalies & events, continuous monitoring, detection processes
Respond – Response planning, communications, analysis, mitigation, improvement
Recover – Recovery planning, improvements, communications
Executive Information
[Figure: roadmap visualization of the five Functions]
* This same roadmap visualization can be applied to the categories and sub-categories within each function.
Framework Privacy Provisions
• Background
• Appendix B
– Workshop discussions
• Final framework addresses privacy in the “How to Use” section
– Now a “general set of considerations”
EU Cybersecurity Issues
• ePrivacy Directive breach notification requirements, but limited to telcos and ISPs
• Some breach notification requirements at Member State level
• NIS Directive draft
– Member states must adopt NIS strategy and designate a national NIS authority
– Creation of network for governments to share threat information
– Critical infrastructure and information services companies (e.g., social networks) must implement security measures and report significant incidents to NIS Authority
• Overlap with proposed General Data Protection Regulation
– Requires reporting of personal data breaches to DPA
U.S. Information Sharing
• DHS CRADA
– Required for private-sector entities to participate in NCCIC and CISCP
– Facilitates information sharing
• FBI MOA
– MOA delineates expectations and obligations for participating companies
– So FBI can share actionable cyber information with industry partners
– Industry partners are encouraged to share data with FBI
• Privacy risks associated with information sharing
Managing the Changing Landscape
• This is a governance issue, not an IT issue
– Senior executives set the tone
• Cybersecurity used to be the CISO’s responsibility
– Those days are over
• Interdisciplinary efforts are key
– CISO, IT, CPO, GR, Communications, other stakeholders
• The issue has now spread throughout the organization, and the CPO’s involvement is crucial
Organizational Shift is Needed
• Managing cybersecurity implicates privacy at every turn
• Data identification and classification is necessary to
manage cyber risks
• Sharing data is necessary for incident prevention
• Access controls are key
• Use of data often is required for response actions
Integrating Privacy Into the CISO’s Suite
• Coordinated governance between CISO and CPO
– Formalized issue review process
– Integration of privacy into information security’s risk assessment process
– Cross-functional team reviews
• Privacy by design for new products and processes
• Periodic review of current processes
– Cross-training
– Communication
Training and Awareness
• Proselytize early and often so personnel have an understanding of global privacy considerations
• Tailored approach: no one-size-fits-all
– Formal training
– Creative communications tools
– Knowing communication tricks
– Measuring effectiveness
Protecting PII in an Insecure World
• Identify categories of PII stored and know locations
• Identify key threats to PII and plug vulnerabilities
– Focus on most sensitive data
• Ensure strict access controls to databases containing sensitive PII
– Frequently revisit PII access permissions
• Ensure other strong safeguards to PII in your system
• Also consider vendor systems
• Practice data minimization
Privacy Considerations During an Event
• Anonymize or delete PII before sharing in connection with a cybersecurity investigation or remediation activities
– Limit disclosure of PII to what is necessary to mitigate the incident
• When performing forensics, retain only the PII necessary to the investigation
• Understand global breach reporting obligations
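The slide's first point, sanitizing PII before log lines leave the organization, is shown below as an added example that is not part of the presentation. It pseudonymizes user identities and internal hosts with a keyed HMAC so that an outside party (an ISAC, law enforcement, a vendor) can still correlate events from the same account or machine without learning who they are, while the external IP addresses that are the actual indicators of the attack stay intact. The log lines, the internal address ranges (assumed to be RFC 1918 plus loopback and link-local), the field patterns and the per-incident key are all constructed for the example; adjust them to your own log formats and address plan.

```python
"""Pseudonymize PII in log lines before sharing them outside the organization.

Added example, not from the slides. Assumptions: logs are single-line text,
internal address space is RFC 1918 plus loopback/link-local, and the
per-incident key is a secret held by the investigating team. The
re-identification table the code builds is kept locally and is never shared.
"""
import hashlib
import hmac
import ipaddress
import re

# Constructed sample log lines. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for external (attacker) hosts.
SAMPLE_LOG = [
    '2014-03-04T09:12:44Z sshd[2111]: Accepted password for jdoe from 203.0.113.45 port 51022',
    '2014-03-04T09:13:01Z webmail: login user=jane.doe@example.com src=10.20.30.40 result=ok',
    '2014-03-04T09:13:09Z webmail: login user=Jane.Doe@example.com src=203.0.113.45 result=ok',
    '2014-03-04T09:15:30Z proxy: 10.20.30.40 -> 198.51.100.7 GET /update.php ua="Mozilla/5.0"',
]

# Hypothetical per-incident secret; generate a fresh one for each investigation.
INCIDENT_KEY = b"incident-2014-03-04-example-key"

# Assumed internal address space; 203.0.113.x and 198.51.100.x are deliberately
# not listed here (Python's ip.is_private would wrongly flag them as internal).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# Field patterns for the constructed log formats above.
USER_RE = re.compile(r"(user=|password for )(\S+)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonym(value: str, key: bytes, label: str) -> str:
    """Keyed, deterministic token: same value and key always give the same token,
    so the recipient can correlate records, but cannot reverse it without the key."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return f"{label}-{digest[:12]}"


def is_internal_ip(text: str) -> bool:
    """True only for addresses in the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def sanitize_line(line: str, key: bytes, mapping: dict) -> str:
    """Replace identities and internal hosts; leave external IPs (indicators) intact."""

    def replace(value: str, label: str) -> str:
        token = pseudonym(value, key, label)
        mapping[token] = value  # local re-identification table, never shared
        return token

    # Usernames first: an email used as a login name is tokenized here, and the
    # email pass below then finds nothing left to touch (tokens contain no '@').
    line = USER_RE.sub(lambda m: m.group(1) + replace(m.group(2), "user"), line)
    line = EMAIL_RE.sub(lambda m: replace(m.group(0), "user"), line)
    line = IPV4_RE.sub(
        lambda m: replace(m.group(0), "host") if is_internal_ip(m.group(0)) else m.group(0),
        line,
    )
    return line


def sanitize_for_sharing(lines, key: bytes):
    """Return (shareable lines, local re-identification table)."""
    mapping: dict = {}
    return [sanitize_line(l, key, mapping) for l in lines], mapping


if __name__ == "__main__":
    shared, table = sanitize_for_sharing(SAMPLE_LOG, INCIDENT_KEY)
    print("\n".join(shared))
    print(f"{len(table)} pseudonyms held locally for re-identification")
```

Because the HMAC key is per incident, tokens from one investigation cannot be joined against those from another, which limits the recipient's ability to build profiles over time; the mapping table is what lets your own team answer follow-up questions without re-sharing the raw data.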
Key Privacy Issues When Interacting with Law Enforcement
• Collection limitation
• Purpose specification
• Use limitation
• Disclosure limitation
• Data integrity
• Retention limitation
Data Breach Response Timeline (PwC, March 2011)
[Figure: timeline of eight numbered phases: Event, Mobilize, Stabilize, Investigate, Notify, Review & Improve, Regulatory Response, Lawsuits]
Contacts
Victoria King
Global Privacy Officer
UPS
(404) 828-6550
Lisa Sotto
Partner
Hunton & Williams LLP
www.huntonprivacyblog.com
Privacy in the DHS Cybersecurity Enterprise
Privacy Process
• Embed People
• Establish Policy
• Conduct PIAs
• Conduct PCRs
Privacy Protections
• Limit collection
• Protection at the edge
• (re)Enforce oversight
• Drive Transparency
www.dhs.gov/cybersecurity-and-privacy
Karen Neuman, Chief Privacy Officer