19/03/2013
Managing a data breach
8 April 2013
Robert Bond
Partner and Notary Public
Our team
• Speechly Bircham is an ambitious, full-service law firm with over 250 lawyers, headquartered in London. We work with business and private clients across the UK and internationally and focus on the financial services, private wealth, technology, real estate and construction sectors
• We have offices in Luxembourg and Zurich
• Our Data Protection & Information Law team provides a range of expertise on data privacy audit, compliance, risk management, information security and data breaches
• We are listed in Chambers 2013 as a leading law firm for Data Protection and have advised on this area of law since 1983
• “Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally has been instrumental in establishing our privacy policies and procedures.”
Robert Bond
A Certified Compliance & Ethics Professional, Robert has specialised in data protection since 1983 and is listed in the top 20 Best Privacy Advisers in a recent survey published in Computer World.
He was recently appointed an Ambassador for Privacy by Design by Commissioner Ann Cavoukian of Ontario.
He has advised many multinationals on trans-border data flows and global data protection compliance since 1997, and co-authored the ICC BCR Report in 2006, the ICC Guidelines on Basel II and Data Protection in 2007 and the ICC UK Cookies Guide in 2011. Robert is the author of many books, including most recently for Sweet & Maxwell, who publish his book Negotiating International Software Licenses and Data Transfer Agreements. Robert is a Companion of the British Computer Society, a Fellow of the Society of Advanced Legal Study and in 1994 was a researcher in Information Security and Data Protection at the University of Leicester. Robert is listed in Legal Experts 2012 and The Who’s Who of International Internet & E-Commerce Lawyers and is also recognised as a Legal Expert by Euromoney’s Guide to the World’s Leading Technology Telecommunications Lawyers.
He is also a frequent speaker at industry events and conferences. Robert is listed as Tier 1 for Data Protection in Chambers UK 2013 to 2010, which describes him as “an esteemed figure in the field. He has an impressive reputation for his work on cross-border data compliance and cutting-edge IT data privacy issues within the digital, online and social media spheres.” He is listed as a data protection expert in Chambers (2009) and in Chambers (2008), where clients describe him as “a brilliant lecturer, a meticulous lawyer” and “responsive – if you contact him, you know he’ll get back to you within the hour” and “authoritative – he really knows his stuff, and he has so many contacts within the EC he can predict trends and what’s coming further down the line, which is very useful for forward planning.”
A data security breach can happen for a number of reasons:
• Loss or theft of data or equipment on which data is stored
• Inappropriate access controls allowing unauthorised use
• Equipment failure
• Human error
• Unforeseen circumstances such as a fire or flood
• Hacking attack
• ‘Blagging’ offences, where information is obtained by deceiving the organisation that holds it
Data at the tipping point
Finding 1
There is a notable difference between organizations’ intentions regarding data privacy and how
they actually protect it, creating an uneven trust landscape.
Finding 2
A majority of organizations have lost sensitive personal information, and among these organizations the biggest causes are internal and therefore something they potentially could control.
Finding 3
Compliance complacency is prevalent throughout the world.
Finding 4
Understanding the perspective on and approach to data privacy and protection of business
partners is crucial.
Finding 5
Organizations that exhibit a “culture of caring” with respect to data privacy and protection are
far less likely to experience security breaches.
Accenture 2012
The Numbers according to Chartis
Nine billion connected devices worldwide, predicted to rise to 24 billion by 2020
More than 50% of the world’s population is aged under 30
If Facebook was a country it would be the third largest in the world
77 million customers were threatened by the Sony data breach
Global cyber security spending was expected to reach $60bn in 2011
It is forecast to grow 10% every year during the next three to five years
Up to 600,000 Facebook accounts are blocked every day after hacking attempts
More than 6.7 million distinct bot-infected computers were detected in 2009.
Memorable security breaches
Heartland
TJX
Sony
HMRC
T-Mobile
Bank of New York
The starting point!
“Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental
loss or destruction of, or damage to, personal data”
Art. 17 EU DP Directive
According to PIPEDA, personal information must be protected by security
safeguards appropriate to the sensitivity of the information. The security
safeguards must protect personal information against loss or theft, as well as
unauthorized access, disclosure, copying, use, or modification.
Controller or Processor?
• A “data controller” is a person or organization that (alone or with others) determines the purposes for which and the manner in which personal data will be processed
• A “data processor” is any person or organization (other than an employee of the data controller) who processes personal data on behalf of the data controller
Corporate governance
• Responsibilities of publicly traded or listed companies
• Industry specific rules
• Risk management approach
• Best practice
Standards
• ISO 27001:2005 Information Security
• BSI 10012:2009 Data Protection
• FSA SYSC
• PCI DSS
The end point?
Preparation for policy and procedure
Security policy content
• scope and explanation
• IT security procedures
• organisational procedures
• back-up
• measuring compliance
• incident procedures
• personnel issues
Related Data Privacy Issues
Registration
Notification
Vendor management
International data transfer
Subject Access Requests
Threats: The Cloud
Determination:
• data controller?
• data processor?
Agreed terms: Seventh Data Principle
Off-shoring: Eighth Data Principle
• adequacy solutions
• Safe Harbor
• model clauses – sub-processor/contractor
Threats: Social Media
In the workplace
Blurring the distinction
• work into home life
• home life into workplace
Is there a risk?
• corporate message
• corporate information
• IT estate
Policies
• people risk
• information risk
Threats: Monitoring
It is regulated
Privacy impact
Means justify the goal?
Privacy Impact Assessment
Cross border investigations
Threats: Internal Threats
Employee
Rogue
BYOD
Dropbox and Sharepoint
Lack of controls
Liability
• employee?
• employer?
Question: did the controls match risks?
Threats: External Threats
Risk assessment
Information security expertise
Core legal requirements
Controller or processor?
Question: did the controls match risks?
When it goes wrong!
Surviving a data breach
• Containment and Recovery
• Assessment of Risk
• Notification
• Evaluation & Remedy
Breach coach service: Incident response plan
Stage 1 Initial response and risk assessment
Stage 2 Containment and response management
Stage 3 Notification of affected parties and regulators
Stage 4 Legal advice, report and lessons learned
Stage 1 - the Risk assessment meeting / call
Small crisis team:
• 4 or 5 members
• One representative from each of SB, Insurer, Insured, Forensics and PR Agency (if needed for PR reasons)
Informing employees / data protection authorities
Assigning a risk level: HIGH / MEDIUM / LOW
Stage 2 – Containment and response management
Containment
• Blocking devices / patches / sniffers / access controls
• Physical searches and questioning (HR / police involvement?)
• Identifying any network / server infestation
• Reboot and restoration
Response management
• Resourcing (data recoverability effort / internal expertise and availability / tools and equipment)
• Public relations
• Practical issues (incident response team / war room / safeguarding evidence)
• Evidence gathering and investigation (Forensic teams / witness interviews / criminal investigation?)
Stage 3 – Notification of parties concerned
• Whether / when? (issues of containment / tipping off / PR / “putting hand up”)
• Who? (data subjects / controllers / DPAs / sector regulators / ISP or software vendor)
• How? (as prescribed by law / by phone / email / physical notice etc)
• Policy coverage (includes cost of notifying data subjects and relevant regulators)
Stage 4 - Legal advice, report and lessons learned
• Investigation report
• Legal risk exposure (data protection, litigation, employment law, “multimedia” liability)
• Compliance (FSA SYSC, other regulatory regimes)
• “Lessons learned” meeting and/or paper
Containment and recovery
• Decide on who should take the lead on investigating the breach and ensure they have the appropriate resources
• Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. This could be isolating or closing a compromised section of the network, finding a lost piece of equipment or simply changing the access codes at the front door.
• Establish whether there is anything you can do to recover any losses and limit the damage the breach can cause. As well as the physical recovery of equipment, this could involve the use of back-up tapes to restore lost or damaged data or ensuring that staff recognise when someone tries to use stolen data to access accounts.
• Where appropriate, inform the police
Assessing the risks
• What type of data is involved?
• How sensitive is it? Remember that some data is sensitive because of its very personal nature (health records) while other data types are sensitive because of what might happen if it is misused (bank account details)
• If data has been lost or stolen, are there any protections in place such as encryption?
• What has happened to the data? If data has been stolen, it could be used for purposes which are harmful to the individuals to whom the data relate; if it has been damaged, this poses a different type and level of risk
• Regardless of what has happened to the data, what could the data tell a third party about the individual? Sensitive data could mean very little to an opportunistic laptop thief, while the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people
Assessing the risks
• How many individuals’ personal data are affected by the breach? It is not necessarily the case that the bigger risks will accrue from the loss of large amounts of data, but it is certainly an important determining factor in the overall risk assessment
• Who are the individuals whose data has been breached? Whether they are staff, customers, clients or suppliers, for example, will to some extent determine the level of risk posed by the breach and, therefore, your actions in attempting to mitigate those risks
• What harm can come to those individuals? Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?
• Are there wider consequences to consider such as a risk to public health or loss of public confidence in an important service you provide?
• If individuals’ bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help you prevent fraudulent use.
Notification of breaches
• Are there any legal or contractual requirements? Some laws expressly require you to notify a breach, and sector specific rules may lead you towards issuing a notification
• Can notification help you meet your security obligations with regard to applicable laws?
• Can notification help the individual? Bearing in mind the potential effects of the breach, could individuals act on the information you provide to mitigate risks, for example by cancelling a credit card or changing a password?
• If a large number of people are affected, or there are very serious consequences, you should inform the appropriate regulator.
• Consider how notification can be made appropriate for particular groups of individuals, for example, if you are notifying children or vulnerable adults.
Notification of breaches
• Make sure you notify the appropriate regulatory body. A sector specific regulator may require you to notify them of any type of breach, but the DPA in the EU should only be notified when the breach involves personal data
• There are a number of different ways to notify those affected, so consider using the most appropriate one. Always bear in mind the security of the medium as well as the urgency of the situation
• Your notification should at the very least include a description of how and when the breach occurred and what data was involved. Include details of what you have already done to respond to the risks posed by the breach
• When notifying individuals, give specific and clear advice on the steps they can take to protect themselves and also what you are willing to do to help them
• Provide a way in which they can contact you for further information or to ask you questions about what has occurred – this could be a helpline number or a web page, for example.
Evaluation and response
• Identify weak points in your existing security measures such as the use of portable storage devices or access to public networks
• Monitor staff awareness of security issues and look to fill any gaps through training or tailored advice
• Consider whether you need to establish a group of technical and non-technical staff who discuss ‘what if’ scenarios – this would highlight risks and weaknesses as well as giving staff at different levels the opportunity to suggest solutions
• If your organisation already has a Business Continuity Plan for dealing with serious incidents, consider implementing a similar plan for data security breaches
• It is recommended that at the very least you identify a group of people responsible for reacting to reported breaches of security
The cost of a data breach
Sony: share prices dropped 9% in Tokyo (on 13 May 2011) following the Playstation hacks, where the personal information of around 100 million users was stolen. Sony has spent $170 million rectifying the breach to date.
Heartland Payment’s data breach in 2009 impacted 175,000 merchants and millions of payment card transactions each month. Heartland saw its share price drop 33%.
Epsilon: total cost of the breach including forensic audits and monitoring, fines, litigation and lost business for provider and customers could eventually run as high as $3 to $4billion.
In reporting its fourth-quarter and year-end earnings, Global Payments said that the March 2012 breach had cost it $84.4m before tax.
It is estimated that the average data breach costs a company £2 million, or £71 per record violated.
Remember: Cyber incidents WILL happen
“Only a person who risks is free.
The pessimist complains about the wind;
The optimist expects it to change;
And the realist adjusts the sails.”
“To Risk” by William Arthur Ward
What to tell ICO
When notifying the ICO you should also include details of the security measures in place such as encryption and, where appropriate, details of the security procedures you had in place at the time the breach occurred.
You should also inform them if the media are aware of the breach so that they can manage any increase in enquiries from the public.
When informing the media, it is useful to inform them whether you have contacted the ICO and what action is being taken.
The ICO will not normally tell the media or other third parties about a breach notified to them, but they may advise you to do so.
The ICO has produced guidance for organisations on the information they expect to receive as part of a breach notification and on what organisations can expect from them on receipt of their notification. This guidance is available at:
http://www.ico.gov.uk/Home/what_we_cover/data_protection/guidance/good_practice_notes.aspx
Ensuring a crisis does not become a disaster
In addition to the ICO advice consider
Who is the data controller?
Who is at fault?
What is the data that is lost?
Who are the data subjects?
Is this an insured risk?
When you put your head above the parapet, what next?
Assume the worst
Treat a data breach like a manufacturer treats a product recall – except you can’t recall the data!!
The Proposed EU Data Protection Regulation
Data breaches
• There are enhanced requirements for data security and specifically in Article 31 there is a
mandatory breach notification procedure for all but small enterprises
• Data subjects need to be notified after the controller has notified the breach to the DPA, which must be done “where feasible” within (24) 72 hours of the breach.
• Softer position than leaked draft
• No de-minimis limit for reports to DPA
• DPA must keep a public register of types of breach notified
• Communication of breach to data subjects only where likely to adversely affect, e.g. identity
theft, fraud, physical harm, significant humiliation or damage to reputation.
• Responsibility of DPO
The Proposed EU Data Protection Regulation
Remedies and sanctions
• Data subjects can complain to a Supervisory Authority in any Member State
• Remedies will be available against Supervisory Authorities where they fail to act in a proper
or timely manner on complaints
• Data subjects may take action against controllers or processors for breach of legislation and
may seek damages
• Supervisory Authorities will have power to fine controllers or processors for contravention of
the Regulation
• Fines for more serious breaches can be up to EUR 1,000,000 or 2% of the annual worldwide turnover of the business, with regular updating of the absolute amounts of fines, since the Regulation is expected to remain in force for a considerable time.
FURTHER INFORMATION
For more information on our services, please contact:
Robert Bond, BA, CCEP, FSALS, CompBCS, HonMIEx
Solicitor & Notary Public
+44 (0)20 7427 6660
Tweet me @iinonline