
May 12 9 am cybersecurity regulations panel


Federal Trade Commission Policies

Cybersecurity Regulations: What You Need to Know

Julie S. Brill, Commissioner, Federal Trade Commission

Patrick W. Manzo, Executive Vice President, Global Customer Service and Chief Privacy Officer, Monster Worldwide, Inc.

Alice Geene, SVP, Corporate Affairs, General Counsel & Secretary, Rewards Network

James Grady, Deputy Chief Privacy Officer, AON

James Arnold, Managing Director, Forensic Services, KPMG LLP


FTC Litigation and Enforcement

Federal Trade Commission Act, Section 5 (15 USC 45):

“unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”

• The Fair Credit Reporting Act
• Gramm-Leach-Bliley Act (GLBA)
• Children’s Online Privacy Act (COPA)

FTC’s Most Significant Cases


Source: Symantec Corporation, 2014

Trends & Statistics: Global Intelligence Network (GIN)

Solving the Cybersecurity Puzzle


Trends & Statistics: ISTR


U.S. businesses paid $5.4 million per data breach on average or $188 per record

Each of the Top 10 breaches exposed more than 10 million identities

Federal enforcement actions, Consumer Lawsuits, and Shareholder Derivative Actions

50% of employees keep confidential info at termination…40% plan to use it at their new job

Alabama, New Mexico, and South Dakota are the only states without breach notification statutes

Increase in trade secret theft, white collar crime, and patent litigation

Legal Consequences


Trends & Stats


• Ransomware
• Internet of Things
• Drones
• Mobile


What Organizations Should Know About the FTC & Data Breaches:

Government Investigations

The FTC has taken the position that an actual injury or breach is not required prior to launching an investigation if the Bureau detects risky behavior or a problem that is deceptive or risky. The FTC has the authority to take action if an ongoing practice causes or is likely to cause consumer injury. For example, companies found to have weak or flawed security practices may be ordered to redesign product security, pay fines and undergo years of mandatory audits. The Bureau may also investigate businesses merely for failing to disclose how data is stored and shared, especially if company practices are contrary to “terms of use” agreements published on websites.

Organizations maintaining consumer data must become familiar with the types of enforcement actions the Bureau is pursuing and understand the consequences of non-compliance. Please visit the link below to review pending cases.

https://www.ftc.gov/enforcement/cases-proceedings


NIST Cybersecurity Framework

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. It directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure.

The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost‐effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity‐related risk.

To view the roadmap for the framework, please visit: http://www.nist.gov/cyberframework/upload/roadmap-021214.pdf

To download the framework, please visit: http://www.nist.gov/itl/upload/alternative-view-framework-core-021214.pdf


How To Secure Your Personal Data In The Internet Of Things:

The FTC recently released a report on the Internet of Things that warns devices could be used to harvest huge amounts of personal information. The report focuses on data privacy and best practices for businesses storing and collecting Internet of Things data. It also outlines a variety of potential security issues that can be exploited, such as enabling unauthorized access and misuse of personal information.

1. Security
• Companies should build security into their devices at the outset, rather than as an afterthought. As part of the security by design process, companies should consider: (1) conducting a privacy or security risk assessment; (2) minimizing the data they collect and retain; and (3) testing their security measures before launching their products.

2. Data Minimization
• Data minimization refers to the concept that companies should limit the data they collect and retain, and dispose of it once they no longer need it. Companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data.


3. Notice and Choice
• The Commission has recognized that providing choices for every instance of data collection is not necessary to protect privacy, but whatever privacy choices a company offers should be clear and prominent, and not buried within lengthy documents.

4. Data Minimization
• Data minimization refers to the concept that companies should limit the data they collect and retain, and dispose of it once they no longer need it. Companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data.


5. Legislation
• There is great potential for innovation in this area. General data security legislation should protect against unauthorized access to both personal information and device functionality itself. Although the Commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections, such as privacy disclosures or consumer choice, absent a specific showing of deception or unfairness. Commission staff thus again recommends that Congress enact broad-based (as opposed to IoT-specific) privacy legislation. Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as how to provide choices to consumers about data collection and use practices.


Mobile Protection / Web Security

Mobilize Business Process and Workforce

Streamline business processes, enhance employee productivity, and improve customer service and satisfaction by providing your workforce with relevant and secure mobile apps, either custom-developed or commercial off-the-shelf, and the mechanism to manage the apps and policies by user or device.

Protect Clouds

Consume services directly, build your own cloud for internal operations or external reach, or extend into third-party clouds safely and efficiently.

Web Security

Enable every website visitor to experience the strongest SSL encryption available to them and always protect the transfer of sensitive data on websites, intranets, and extranets.


Data Encryption / Data Loss Prevention / Email Security

Data Encryption

Encrypt sensitive data being moved onto removable media devices or residing in emails and files.

Data Loss Prevention

Monitor, protect and manage your confidential data wherever it’s stored and used, across endpoints, mobile devices, network and storage systems.

Email Security

Get security, privacy and control over your email. Protection is needed from malware, phishing, spam and targeted attacks. Combine with BYOD, secure email for smartphones and tablets, archiving, data loss prevention and encryption to complement your cloud-hosted or on-premise mailboxes.


Tips

People / Process / Technology

• Identify Key Stakeholders
• Define Roles & Responsibilities
• Leverage Outside Counsel & Consultants if Necessary
• Identify Gaps
• Invest in Technology to Protect, Manage and Discover Information Efficiently & Defensibly
• Review Current Process
• Identify Gaps
• Prioritize Risks/Costs
• Create/Revise Policies
• Train Employees
• Enforce Compliance


Resources: www.FTC.Gov


Resources

What Organizations Should Know About the FTC & Data Breaches: https://www.linkedin.com/pulse/20141107183128-12588369-what-organizations-should-know-about-the-ftc-and-data-breaches

Commissioner Brill: https://www.ftc.gov/public-statements/2015/03/one-year-later-privacy-data-security-world-big-data-internet-things-global

NIST Cybersecurity Framework: http://www.nist.gov/cyberframework/

How To Secure Your Personal Data In The Internet Of Things: http://www.forbes.com/sites/symantec/2015/01/30/how-to-secure-your-personal-data-in-the-internet-of-things/?linkId=12837744

FTC IoT Report: https://www.ftc.gov/tips-advice/business-center/guidance/careful-connections-building-security-internet-things

FAA Proposes Commercial Drone Rules: http://www.wsj.com/articles/obama-issues-privacy-rules-for-government-drones-in-u-s-1424015402


QUESTIONS