Managing a Data Breach - SCCE Official Site

19/03/2013

1

Managing a data breach

8 April 2013

Robert Bond

Partner and Notary Public

Our team

• Speechly Bircham is an ambitious, full-service law firm with over 250 lawyers, headquartered in London. We work with business and private clients across the UK and internationally and focus on the financial services, private wealth, technology, real estate and construction sectors

• We have offices in Luxembourg and Zurich

• Our Data Protection & Information Law team provide a range of expertise on data privacy audit, compliance, risk management, information security and data breaches

• We are listed in Chambers 2013 as a leading law firm for Data Protection and have advised on this area of law since 1983

• “Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally has been instrumental in establishing our privacy policies and procedures.”


Robert Bond

A Certified Compliance & Ethics Professional, Robert has specialised in data protection since 1983 and is listed in the top 20 Best Privacy Advisers in a recent survey published in Computer World.

He was recently appointed an Ambassador for Privacy by Design by Commissioner Ann Cavoukian of Ontario.

He has advised many multinationals on trans-border data flows and global data protection compliance since 1997, and co-authored the ICC BCR Report in 2006, the ICC Guidelines on Basel II and Data Protection in 2007 and the ICC UK Cookies Guide in 2011. Robert is the author of many books, including most recently for Sweet & Maxwell, who publish his book Negotiating International Software Licenses and Data Transfer Agreements. Robert is a Companion of the British Computer Society, a Fellow of the Society of Advanced Legal Study and in 1994 was a researcher in Information Security and Data Protection at the University of Leicester. Robert is listed in Legal Experts 2012 and The Who’s Who of International Internet & E-Commerce Lawyers and is also recognised as a Legal Expert by Euromoney’s Guide to the World’s Leading Technology Telecommunications Lawyers.

He is also a frequent speaker at industry events and conferences. Robert is listed as Tier 1 for Data Protection in Chambers UK 2010 to 2013, which describes him as “an esteemed figure in the field. He has an impressive reputation for his work on cross-border data compliance and cutting-edge IT data privacy issues within the digital, online and social media spheres.” He is listed as a data protection expert in Chambers (2009) and in Chambers (2008), where clients describe him as “a brilliant lecturer, a meticulous lawyer”, “responsive – if you contact him, you know he’ll get back to you within the hour” and “authoritative – he really knows his stuff, and he has so many contacts within the EC he can predict trends and what’s coming further down the line, which is very useful for forward planning.”


A data security breach can happen for a number of reasons:

• Loss or theft of data or equipment on which data is stored

• Inappropriate access controls allowing unauthorised use

• Equipment failure

• Human error

• Unforeseen circumstances such as a fire or flood

• Hacking attack

• ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it


Data at the tipping point

Finding 1: There is a notable difference between organizations’ intentions regarding data privacy and how they actually protect it, creating an uneven trust landscape.

Finding 2: A majority of organizations have lost sensitive personal information, and among these organizations the biggest causes are internal and therefore something they potentially could control.

Finding 3: Compliance complacency is prevalent throughout the world.

Finding 4: Understanding the perspective on and approach to data privacy and protection of business partners is crucial.

Finding 5: Organizations that exhibit a “culture of caring” with respect to data privacy and protection are far less likely to experience security breaches.

Source: Accenture 2012

The numbers according to Chartis

• Nine billion connected devices worldwide, predicted to rise to 24 billion by 2020

• More than 50% of the world’s population is aged under 30

• If Facebook was a country it would be the third largest in the world

• 77 million customers were threatened by the Sony data breach

• Global cyber security spending was expected to reach $60bn in 2011

• It is forecast to grow 10% every year during the next three to five years

• Up to 600,000 Facebook accounts are blocked every day after hacking attempts

• More than 6.7 million distinct bot-infected computers were detected in 2009


Memorable security breaches

Heartland

TJX

Sony

HMRC

T-Mobile

Bank of New York

The starting point!

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”

Art. 17, EU Data Protection Directive 95/46/EC

According to PIPEDA, personal information must be protected by security safeguards appropriate to the sensitivity of the information. The security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.


Controller or Processor?

• A “data controller” is a person or organization that (alone or with others) determines the purposes for which and the manner in which personal data will be processed

• A “data processor” is any person or organization (other than an employee of the data controller) who processes personal data on behalf of the data controller

Corporate governance

• Responsibilities of publicly traded or listed companies

• Industry specific rules

• Risk management approach

• Best practice

Standards

• ISO 27001:2005 Information Security

• BS 10012:2009 Data Protection (BSI)

• FSA SYSC

• PCI DSS


The end point?

Preparation for policy and procedure

Security policy content

• scope and explanation

• IT security procedures

• organisational procedures

• back-up

• measuring compliance

• incident procedures

• personnel issues

Related Data Privacy Issues

Registration

Notification

Vendor management

International data transfer

Subject Access Requests


Threats: The Cloud

Determination:

• data controller?

• data processor?

Agreed terms: Seventh Data Principle (DPA 1998: security of processing, including the written contract required with a processor)

Off-shoring: Eighth Data Principle (DPA 1998: no transfer outside the EEA without adequate protection)

• adequacy solutions

• Safe Harbor

• model clauses – sub-processor/contractor

Threats: Social Media

In the workplace

Blurring the distinction

• work into home life

• home life into workplace

Is there a risk?

• corporate message

• corporate information

• IT estate

Policies

• people risk

• information risk


Threats: Monitoring

It is regulated

Privacy impact

Means justify the goal?

Privacy Impact Assessment

Cross border investigations

Threats: Internal Threats

Employee

Rogue

BYOD

Dropbox and Sharepoint

Lack of controls

Liability

• employee?

• employer?

Question: did the controls match risks?


Threats: External Threats

Risk assessment

Information security expertise

Core legal requirements

Controller or processor?

Question: did the controls match risks?

When it goes wrong!

Surviving a data breach: four phases

• Containment and recovery

• Assessment of risk

• Notification

• Evaluation and remedy


Breach coach service: Incident response plan

Stage 1 Initial response and risk assessment

Stage 2 Containment and response management

Stage 3 Notification of affected parties and regulators

Stage 4 Legal advice, report and lessons learned

Stage 1 - the Risk assessment meeting / call

Small crisis team:

• 4 or 5 members

• One representative from each of SB (Speechly Bircham), the insurer, the insured, forensics and the PR agency (if needed for PR reasons)

Informing employees / data protection authorities

Assigning a risk level: HIGH / MEDIUM / LOW


Stage 2 – Containment and response management

Containment

• Blocking devices / patches / sniffers / access controls

• Physical searches and questioning (HR / police involvement?)

• Identifying any network / server infestation

• Reboot and restoration

Response management

• Resourcing (data recoverability effort / internal expertise and availability / tools and equipment)

• Public relations

• Practical issues (incident response team / war room / safeguarding evidence)

• Evidence gathering and investigation (forensic teams / witness interviews / criminal investigation?)
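The “safeguarding evidence” and “evidence gathering” items above are where containment most often goes wrong in practice: a log is rotated or an administrator “tidies up” before forensics arrive, and nothing can later prove what was collected. The block below is an added example for this deck, not Speechly Bircham’s, the ICO’s or any forensics vendor’s code. It assumes (the slides say nothing about this) that artefacts are copied as plain files into one evidence directory, that SHA-256 is the fingerprint, and that the manifest is stored away from the evidence it describes; the two artefacts in `demo()` are constructed.

```python
"""Chain-of-custody manifest for artefacts gathered during containment.

Added example for this deck; it is not Speechly Bircham's, the ICO's or any
forensics vendor's code. Assumptions not found in the slides: artefacts are
plain files copied into one evidence directory, SHA-256 is the fingerprint,
and the manifest is written somewhere other than the evidence directory.
The sample artefacts in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a disk image never sits in RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, case_id):
    """Fingerprint every file under evidence_dir; record who collected it and when."""
    entries = []
    for root, dirs, files in os.walk(evidence_dir):
        dirs.sort()  # deterministic order, so two runs give the same manifest
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir).replace(os.sep, "/")
            entries.append({"path": rel, "size": os.path.getsize(path),
                            "sha256": sha256_file(path)})
    return {"case_id": case_id, "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "entries": entries}


def write_manifest(manifest, manifest_path):
    """Write the manifest and return its own SHA-256 for the case file."""
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(manifest_path)


def verify_manifest(evidence_dir, manifest):
    """Return the relative paths that no longer match the manifest.

    A missing file is a mismatch, and so is a file that was never logged:
    anything in the evidence store must be accounted for.
    """
    problems = []
    logged = {e["path"]: e["sha256"] for e in manifest["entries"]}
    for rel, digest in logged.items():
        path = os.path.join(evidence_dir, *rel.split("/"))
        if not os.path.isfile(path) or sha256_file(path) != digest:
            problems.append(rel)
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            rel = rel.replace(os.sep, "/")
            if rel not in logged:
                problems.append(rel)
    return sorted(problems)


def demo():
    """Constructed scenario: collect two artefacts, then someone edits one.

    Returns (clean_before, problems_after, manifest_digest).
    """
    evidence = tempfile.mkdtemp(prefix="evidence-")
    os.makedirs(os.path.join(evidence, "srv01"))
    log = os.path.join(evidence, "srv01", "access.log")
    with open(log, "w", encoding="utf-8") as f:  # constructed log line
        f.write('10.0.0.5 - - [08/Apr/2013:09:14:02 +0100] '
                '"GET /export.csv HTTP/1.1" 200 48213\n')
    with open(os.path.join(evidence, "srv01", "mailbox.copy"), "wb") as f:
        f.write(b"\x21\x42\x44\x4e" + b"\x00" * 64)  # constructed bytes
    manifest = build_manifest(evidence, "forensics@example", "DEMO-1")
    digest = write_manifest(manifest, os.path.join(tempfile.mkdtemp(), "manifest.json"))
    clean_before = verify_manifest(evidence, manifest) == []
    with open(log, "a", encoding="utf-8") as f:  # "tidying up" after collection
        f.write("edited\n")
    return clean_before, verify_manifest(evidence, manifest), digest


if __name__ == "__main__":
    print(demo())
```

The manifest’s own hash is the value to record in the case file (or have notarised) at collection time; a manifest that can be rewritten alongside the evidence proves nothing. Unlogged files are reported as well as altered ones, because in a later criminal or regulatory process the investigator has to explain everything in the store, not only what was expected.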


Stage 3 – Notification of parties concerned

• Whether / when? (issues of containment / tipping off / PR / “putting hand up”)

• Who? (data subjects / controllers / DPAs / sector regulators / ISP or software vendor)

• How? (as prescribed by law / by phone / email / physical notice etc)

• Policy coverage (includes cost of notifying data subjects and relevant regulators)

Stage 4 – Legal advice, report and lessons learned

• Investigation report

• Legal risk exposure (data protection, litigation, employment law, “multimedia” liability)

• Compliance (FSA SYSC, other regulatory regimes)

• “Lessons learned” meeting and/or paper


Containment and recovery

• Decide on who should take the lead on investigating the breach and ensure they have the appropriate resources

• Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. This could be isolating or closing a compromised section of the network, finding a lost piece of equipment or simply changing the access codes at the front door.

• Establish whether there is anything you can do to recover any losses and limit the damage the breach can cause. As well as the physical recovery of equipment, this could involve the use of back up tapes to restore lost or damaged data or ensuring that staff recognise when someone tries to use stolen data to access accounts

• Where appropriate, inform the police

Assessing the risks

• What type of data is involved?

• How sensitive is it? Remember that some data is sensitive because of its very personal nature (health records) while other data types are sensitive because of what might happen if it is misused (bank account details)

• If data has been lost or stolen, are there any protections in place such as encryption?

• What has happened to the data? If data has been stolen, it could be used for purposes which are harmful to the individuals to whom the data relate; if it has been damaged, this poses a different type and level of risk

• Regardless of what has happened to the data, what could the data tell a third party about the individual? Sensitive data could mean very little to an opportunistic laptop thief while the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people


Assessing the risks (continued)

• How many individuals’ personal data are affected by the breach? It is not necessarily the case that the bigger risks will accrue from the loss of large amounts of data, but it is certainly an important determining factor in the overall risk assessment

• Who are the individuals whose data has been breached? Whether they are staff, customers, clients or suppliers, for example, will to some extent determine the level of risk posed by the breach and, therefore, your actions in attempting to mitigate those risks

• What harm can come to those individuals? Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?

• Are there wider consequences to consider such as a risk to public health or loss of public confidence in an important service you provide?

• If individuals’ bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help you prevent fraudulent use.

Notification of breaches

• Are there any legal or contractual requirements? Some laws expressly require you to notify a breach and sector specific rules may lead you towards issuing a notification

• Can notification help you meet your security obligations with regard to applicable laws?

• Can notification help the individual? Bearing in mind the potential effects of the breach, could individuals act on the information you provide to mitigate risks, for example by cancelling a credit card or changing a password?

• If a large number of people are affected, or there are very serious consequences, you should inform the appropriate regulator.

• Consider how notification can be made appropriate for particular groups of individuals, for example, if you are notifying children or vulnerable adults.
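Stage 1 of the incident response plan ends with “Assigning a risk level: HIGH / MEDIUM / LOW”, and the risk-assessment and notification questions above are the inputs to that call. The following is an added example for this deck, not Speechly Bircham’s or the ICO’s code, that turns those questions into a repeatable triage routine so that two people on the crisis team reach the same level from the same facts. The slides list the factors but do not weight them; the points, thresholds and notification rules here are assumptions made for illustration, the 72-hour DPA window is the one the proposed EU Regulation slide later in this deck describes, and the two incidents (`LAPTOP`, `CARD_DB`) are constructed.

```python
"""Breach triage: the deck's risk-assessment questions as a decision routine.

Added example for this deck; not Speechly Bircham's or the ICO's code. The
slides list the factors (type and sensitivity of data, encryption, number and
kind of individuals, what happened to the data, possible harm, wider impact)
but do not weight them; the points, thresholds and notification rules below
are assumptions made for illustration. The sample incidents are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Sensitive by nature (health) or because of what misuse enables (bank details).
WEIGHT = {"health": 3, "financial": 3, "credentials": 2, "contact": 1}
VULNERABLE = {"children", "vulnerable adults"}


@dataclass
class Incident:
    data_types: list          # e.g. ["financial", "contact"]
    records: int              # how many individuals' data is involved
    encrypted: bool           # lost/stolen copy encrypted, key not also lost
    stolen: bool              # taken by a third party, rather than damaged/destroyed
    subjects: str             # "customers", "staff", "children", ...
    harms: set = field(default_factory=set)   # {"financial", "physical", "reputation"}
    public_impact: bool = False               # public health / confidence in a service
    became_aware: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def score(inc):
    """Return (points, reasons); higher means more likely to harm individuals."""
    pts, why = 0, []

    def add(n, reason):
        nonlocal pts
        pts += n
        why.append(f"{reason} (+{n})")

    for t in inc.data_types:
        add(WEIGHT.get(t, 1), f"data type {t!r}")
    if inc.records >= 10_000:
        add(3, "10,000 or more individuals")
    elif inc.records >= 100:
        add(1, "100 or more individuals")
    if inc.stolen:
        add(2, "data stolen rather than damaged")
    if "physical" in inc.harms:
        add(3, "risk to physical safety")
    if inc.public_impact:
        add(2, "wider public consequences")
    if inc.subjects in VULNERABLE:
        add(1, "vulnerable data subjects")
    if inc.encrypted:
        pts //= 3  # encryption mitigates, but does not remove, the risk
        why.append("lost copy was encrypted (score divided by 3)")
    return pts, why


def risk_level(pts):
    return "HIGH" if pts >= 8 else "MEDIUM" if pts >= 4 else "LOW"


def advice(inc):
    """Concrete self-protection steps for the letter to data subjects."""
    steps = []
    if "financial" in inc.data_types:
        steps.append("contact your bank and consider cancelling the affected card")
    if "credentials" in inc.data_types:
        steps.append("change the password, and anywhere it was reused")
    steps.append("helpline number and web page for questions")
    return steps


def triage(inc):
    pts, why = score(inc)
    level = risk_level(pts)
    # Deck: inform the regulator if many people are affected or the consequences
    # are very serious; tell individuals where they can act on it. The 72-hour
    # DPA window is the proposed Regulation's, counted from becoming aware.
    notify_dpa = level == "HIGH" or inc.records >= 10_000 or inc.public_impact
    notify_subjects = level != "LOW" and inc.stolen and not inc.encrypted
    deadline = inc.became_aware + timedelta(hours=72) if notify_dpa else None
    return {"risk": level, "score": pts, "reasons": why,
            "notify_dpa": notify_dpa,
            "dpa_deadline": deadline.isoformat() if deadline else None,
            "notify_subjects": notify_subjects,
            "subject_advice": advice(inc) if notify_subjects else []}


AWARE = datetime(2013, 4, 8, 9, 0, tzinfo=timezone.utc)
# Constructed incidents: an encrypted laptop left on a train, and a card
# database pulled out through a web application.
LAPTOP = Incident(["financial", "contact"], 5_000, True, True, "customers",
                  {"financial"}, became_aware=AWARE)
CARD_DB = Incident(["financial", "credentials"], 250_000, False, True,
                   "customers", {"financial"}, became_aware=AWARE)

if __name__ == "__main__":
    for name, inc in (("laptop", LAPTOP), ("card_db", CARD_DB)):
        print(name, triage(inc))
```

The `reasons` list is as important as the level: it is what goes into the Stage 1 minutes and, later, into the Stage 4 report when the regulator asks why individuals were or were not told. Encryption is applied as a divisor rather than a veto on purpose; a lost encrypted laptop whose key was also lost, or whose passphrase is on a sticky note, should be entered with `encrypted=False`.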


Notification of breaches (continued)

• Make sure you notify the appropriate regulatory body. A sector specific regulator may require you to notify them of any type of breach, but the DPA in the EU should only be notified when the breach involves personal data

• There are a number of different ways to notify those affected so consider using the most appropriate one. Always bear in mind the security of the medium as well as the urgency of the situation

• Your notification should at the very least include a description of how and when the breach occurred and what data was involved. Include details of what you have already done to respond to the risks posed by the breach

• When notifying individuals give specific and clear advice on the steps they can take to protect themselves and also what you are willing to do to help them

• Provide a way in which they can contact you for further information or to ask you questions about what has occurred – this could be a helpline number or a web page, for example.

Evaluation and response

• Identify weak points in your existing security measures such as the use of portable storage devices or access to public networks

• Monitor staff awareness of security issues and look to fill any gaps through training or tailored advice

• Consider whether you need to establish a group of technical and non-technical staff who discuss ‘what if’ scenarios – this would highlight risks and weaknesses as well as giving staff at different levels the opportunity to suggest solutions

• If your organisation already has a Business Continuity Plan for dealing with serious incidents, consider implementing a similar plan for data security breaches

• It is recommended that at the very least you identify a group of people responsible for reacting to reported breaches of security


The cost of a data breach

Sony: share prices dropped 9% in Tokyo (on 13 May 2011) following the PlayStation hacks, where the personal information of around 100 million users was stolen. Sony has spent $170 million rectifying the breach to date.

Heartland Payment’s data breach in 2009 impacted 175,000 merchants and millions of payment card transactions each month. Heartland saw its share price drop 33%.

Epsilon: total cost of the breach including forensic audits and monitoring, fines, litigation and lost business for provider and customers could eventually run as high as $3 to $4 billion.

In reporting its fourth-quarter and year-end earnings, Global Payments said that the March 2012 breach had cost it $84.4m before tax.

It is estimated that the average data breach costs a company £2 million, or £71 per record violated.

Remember: Cyber incidents WILL happen

“Only a person who risks is free.
The pessimist complains about the wind;
The optimist expects it to change;
And the realist adjusts the sails.”

“To Risk” by William Arthur Ward


What to tell ICO

When notifying the ICO you should also include details of the security measures in place such as encryption and, where appropriate, details of the security procedures you had in place at the time the breach occurred.

You should also inform them if the media are aware of the breach so that they can manage any increase in enquiries from the public.

When informing the media, it is useful to inform them whether you have contacted the ICO and what action is being taken.

ICO will not normally tell the media or other third parties about a breach notified to them, but they may advise you to do so.

The ICO has produced guidance for organisations on the information they expect to receive as part of a breach notification and on what organisations can expect from them on receipt of their notification. This guidance is available at:

http://www.ico.gov.uk/Home/what_we_cover/data_protection/guidance/good_practice_notes.aspx

Ensuring a crisis does not become a disaster

In addition to the ICO advice consider:

• Who is the data controller?

• Who is at fault?

• What is the data that is lost?

• Who are the data subjects?

• Is this an insured risk?

• When you put your head above the parapet, what next?

Assume the worst

Treat a data breach like a manufacturer treats a product recall – except you can’t recall the data!!


The Proposed EU Data Protection Regulation

Data breaches

• There are enhanced requirements for data security and specifically in Article 31 there is a mandatory breach notification procedure for all but small enterprises

• The controller must notify the DPA without undue delay and, “where feasible”, within (24) 72 hours of becoming aware of a breach; data subjects are notified after the DPA has been notified

• Softer position than leaked draft

• No de-minimis limit for reports to DPA

• DPA must keep a public register of types of breach notified

• Communication of breach to data subjects only where likely to adversely affect, e.g. identity theft, fraud, physical harm, significant humiliation or damage to reputation.

• Responsibility of DPO


The Proposed EU Data Protection Regulation

Remedies and sanctions

• Data subjects can complain to a Supervisory Authority in any Member State

• Remedies will be available against Supervisory Authorities where they fail to act in a proper or timely manner on complaints

• Data subjects may take action against controllers or processors for breach of legislation and may seek damages

• Supervisory Authorities will have power to fine controllers or processors for contravention of the Regulation

• Fines for more serious breaches can be up to EUR 1,000,000 or 2% of the annual worldwide turnover of the business, with the absolute amount to be updated regularly over the life of a regulation expected to remain in force for some time



FURTHER INFORMATION

For more information on our services, please contact:

Robert Bond, BA, CCEP, FSALS, CompBCS, HonMIEx

Solicitor & Notary Public

+44 (0)20 7427 6660

[email protected]

Tweet me @iinonline
