Privacy, Risk and Regulations - Scope, Rights, Penalties and Process across the Ohio DPA, CCPA, and GDPR
The growing need for privacy and legal risk professionals serving multi-jurisdictional or international organizations has been heightened by the November 2, 2018 effective date of the Ohio Data Protection Act (“DPA”). This workshop will provide intensive, hands-on instruction integrating the frameworks of the Ohio DPA, the California Consumer Privacy Act (CCPA), and the General Data Protection Regulation (GDPR), which became effective May 25, 2018. The workshop will focus on understanding the business, legal and technology processes, with the ultimate goal of preparing for current or future client representation and for formal professional certification.
The workshop will provide an explicit path to follow in order to lessen exposure for clients and organizations, including discussing:
• State, Federal and International breach notification regulations;
• Breach response evaluation procedures, including safe harbor defenses;
• Confidentiality, liability and privilege protections (specific focus on professional ethics, responsibilities and technical competency);
• Risk matrix and assessment tools;
• Process and decision flow charts (risk, security, privacy, information, marketing, customer, data processors);
• Contract provisions (Consumer, Vendor, Technology and 3rd Party);
• New Technology Opportunities (Blockchain, identity and AI) and the associated technology risks.
3.5 CLE approved in OH and IN (pending in KY).
Privacy, Risk and Regulations - Scope, Rights, Penalties and Process
across the Ohio DPA, CCPA, and GDPR
Presented by Thomas Doty, JD, LLM, NuStrategies, LLC – October 11, 2018
#nkucyber11
About Me - Thomas Doty, Esq., LLM
Presenter:
As General Counsel for TaxToken, he advises on cryptocurrency compliance/regulatory issues of Blockchain/AI technology transactions.
A recent panelist at the NEXT Conference presenting non-fungible tokenization concepts supporting “Artists, Creatives and Intermediaries in the 21st Century Blockchain World”.
In his role as Intellectual Asset Protection Director for NuStrategies, he develops strategy on human capital supply chain risks of Blockchain ERP, VMS, HRIS legacy systems and AI advanced technologies. He also advises the federal bench on technical competence and cybersecurity awareness associated with the 21st century practice of law.
Past 10 years on legal and technology strategies advising law entities and Fortune 100 companies on issues concerning cyber security, data privacy, information management and cyber governance matters.
Internationally certified in IP mediation and commercial arbitration.
A military veteran, DARPA-trained technologist and startup advisor holding several technical credentials.
He has held strategic and C-level public, private and government positions within technology, software and human capital industries.
He will be delivering the keynote at the Fourth Annual IP Mosaic Conference - IP Unbundled: Theory, Policy, and Practice.
He also presented essential information and planning guidelines for corporate counsel, HR professionals and compliance managers exploring 21st century legal challenges, the promise of Blockchain, HR data
security, and workforce disruptions at the 2018 Littler Executive Employer Conference session - "The Future Workplace: From Gig Workers to Virtual Workers: How the AI and Robotics Revolution Will Shape the
Employment and Labor Law Landscape".
As a 21st century practice-of-law techno/legal evangelist, he frequently speaks on international legal entity/trusted third party vendor risk exposure of talent sourcing technologies, focusing on Blockchain and on the effects of technical competency upon client representation. Over the past year he has also presented:
• “Security, Regulations and Artificial Intelligence Have Transformed Governance, Risk and Compliance to Integrated Risk Management”;
• “AI/Blockchain Opportunities in Law: From Lex Mercatoria to Lex Cryptographica”;
• “AI/Blockchain Opportunities in Law: Creative Economy Assets & The First Sale Doctrine”;
• “A Strategic Briefing on the Human Capital Industry: AI / Blockchain Opportunities in HC Supply Chain VMS”;
• “Tech Competence, Confidentiality, and Cyber Ethics for Lawyers and Law Firms”;
• “The Issues of Professionalism and the Use of Technology in the 21st Century Practice of Law”;
• “The Lawyers Ethics Deployment, Use and Protection of Social Media Brands”;
• “Information Security, Confidentiality, and Cyber Ethics for Law Entities”;
• “The Rapidly Changing Need of Cyber Insurance: Why doesn’t my policy cover that?”
As past chairman and board member of the Arts, Communications, Entertainment and Sports Section, he directs the board’s current focus on creative rights management and the use of AI, ML and Blockchain technologies for democratization and tokenization. He also serves on the boards of the Information Technology Section, the Privacy Committee and the State Bar of Michigan Awards Committee.
Licensed in California, Michigan and Virginia, Mr. Doty is admitted to the U.S. Court of Appeals for the Federal Circuit, U.S. Court of Appeals for the Sixth and Ninth Circuits, U.S. Court of International Trade, U.S.
District Court for the Eastern District of Michigan and the Northern District of California. He holds a B.S.I.T. from Southern Illinois University and received his Master of Laws in Intellectual Property from Franklin Pierce
Law Center (UNH).
Thomas Doty, JD, LLM, Director, Intellectual Asset Protection
NuStrategies, LLC
Privacy, Risk and Regulations - Scope, Rights, Penalties and Process across the Ohio DPA, CCPA, and GDPR
Thursday, October 11, 2018
1:00 PM - 4:30 PM
Northern Kentucky University
Griffin Hall 201 (Digitorium)
Goals and Objectives
Understanding the business, legal and technology risk assessment
processes associated with current or future client representation
– Local / State (Ohio DPA – November 2, 2018)
– Interstate / Nationally (CCPA – effective January 1, 2020; its 12-month look-back reaches data collected from January 2019)
– Internationally / Cross Border (GDPR – May 25, 2018)
Breach assessment, evaluation, response and notification
Integrate Risk Management Process and Tools
New Technology Opportunity and Associated Risks
Ethical and Legal Considerations (competence, contracts & bias)
Glossary
• GDPR
• Ohio DPA
• CaCPA / CCPA
• NIST SP 800-171
• NIST SP 800-53
• ISO 27001
• SOX
• GLBA
• FTC
• SEC
• FCRA
• HITECH
• HIPAA
• CIRP
• DoDI 8582.01
• FinTech
• KYC
• AML
• VMS
• COPPA
• PIPEDA
• FOIPA
• CFPB
• Dodd-Frank
• Anonymization
• Pseudonymization
• DPO
• IRM
• KRI
• USA PATRIOT Act
• TSR
• CAN-SPAM
• DRM
• VRM
• BCM
• AM
• CCO
• ELM
• NAI
• OWASP
• OECD
• CIPA
• CALEA
• FACTA
• FTCA
• DPPA
• FERPA
• PPA
• CISA
• TCPA
Getting to Know You…
Rank   Company     Market Cap (Billions, as of May 11, 2017)   Primary Revenue Driver
#1     Apple       $804                                        Hardware
#2     Alphabet    $651                                        Advertising
#3     Microsoft   $536                                        Software
#4     Amazon      $455                                        Online Retail
#5     Facebook    $434                                        Advertising
TOTAL              $2,880
Money + Media = Advertising
Chart: “Here’s How 5 Tech Giants Make Their Billions”, Jeff Desjardins, May 12, 2017.
Money + Media = Advertising
During a search for “laundry detergent” on Amazon’s site, an ad for Tide and Gain popped up. During a search for “dog food” on Amazon, a Purina Pro Plan ad appeared.
Amazon has long sold sponsored listings and other ads tied to search keywords on its site. Because of the vast amount of data Amazon collects from its customers, it can target ads well beyond basic demographics.
Climbing the Chart with a Bullet
GDPR as Business Opportunity
34.5% maintain GDPR practices
32.7% hope to be compliant within 2018
11.7% plan to take a “wait and see” approach
56% haven’t performed an audit
Many organizations are still scrambling to demonstrate a defensible position on GDPR compliance.
Source: “Poll Shows GDPR Compliance Lacking”, September 10, 2018.
[Charts: “State of third-party data access” and “Extent artificial intelligence is applied to data”]
Deloitte, “EU General Data Protection Regulation: Practical steps for compliance”, June 22, 2018, 490+ respondents.
GDPR Compliance Components
2017 Deloitte Seminar – “General Data Protection Regulation: A New Era for Privacy”
GDPR Compliance Workshop
Does your organization have a physical or virtual operation serving EU consumers/customers?
Potential Question – Who could be asked?
Who is accountable for your GDPR compliance efforts? – Privacy, Legal, and IT
How are you planning for the requirements of the GDPR? – Privacy, Legal, Compliance, and IT
How has the C-suite responded regarding potential fines to be imposed by the GDPR? – Privacy
Do you have an inventory of where your personal data is? What about within your “shadow IT” environment? Transfers? – Privacy, Business teams, and IT
Do you know which of your third-party vendors have your data? What about past vendors? Do you conduct pre-contract assessments? Do you audit as a routine? – Privacy, Business teams, and IT
Where are you embedding the PIA process within your operations? Who is leading the associated remediation? – Privacy and IT
How are you preparing to respond to requests from a consumer to delete their records? What about access and provision in an electronic format? – Privacy and IT
How confident are you that the organization can meet the 72-hour breach notification requirement? – Privacy and IT
Do your data mining activities comply with the GDPR’s requirements? Do you use automated methods to make decisions without human intervention? – Privacy, Legal, Business teams, and IT
DPIA – Data Protection Impact Assessment (GDPR Art. 35)
DPIAs are an essential part of your accountability obligations.
Conducting a DPIA is a legal requirement for any type of processing, including certain specified types of processing, that is likely to result in a high risk to the rights and freedoms of individuals.
Failing to carry out a DPIA in these cases may leave you open to enforcement action, including a fine of up to €10 million or 2% of global annual turnover, whichever is higher (Art. 83(4)).
Planning – Pre and Post Breach
Preliminary Asset Evaluation
Legal Assets (Crown Jewels): Intellectual Property – People Information (PHI / PII) – Financial Information – Business Information (strategy, performance, transactions, experts, witnesses)
Do you know what you have, or what others may want?
Do you know how your business processes make these assets more vulnerable?
Do you understand how these assets could be accessed or disrupted?
Would you know if you were being attacked, or if the assets were compromised?
Do you have a plan to react and minimize loss caused by any disruption?
Privacy vs. Security – Is there a difference?
Privacy is all about the use of information, the policies and
practices that dictate what data is collected, and how that data
is used.
Security is all about how you control and protect that data.
Here’s another way to think about it
Privacy & Security – It Crosses All Borders
Privacy & Security – Regulatory Issues
Privacy & Security – GDPR Specifics
Which is the Greater Risk?
Trusted Insider – Unknown Outsider – Trusted 3rd Party Vendor
The Risk Documented – Insider Threat 51%
Data Records Compromised in 2017
Human error as a major risk management and security issue: accidental loss, consisting of improper disposal of records, misconfigured databases and other unintended security issues, caused 1.9 billion records to be exposed, a dramatic 580% increase in the number of compromised records from 2016.
Internal threats are increasing: the number of records stolen increased to 30 million, a 117% increase from 2016.
Identity theft is still the number one type of data breach: identity theft was 69% of all data breach incidents. Over 600 million records were impacted, a 73% increase from 2016.
Breach Level Index
According to the Breach Level Index (BLI), in 2017 the number of data records compromised in publicly disclosed data breaches surpassed 2.5 billion, up 88% from 2016.
The only year in BLI’s history to surpass this total was 2013, and the world didn’t learn that until 2017, when Verizon Communications confirmed that all three billion Yahoo user accounts had been exposed in a 2013 breach.
Trusted 3rd Party Vendors
Cybersecurity Expectations of Law Entities
• Vendor Risk Assessments (VRA) are a standard compliance requirement for all vendors on the “approved vendors” list.
• Onsite inspection and policy review by the corporate client (not just the insurer), insisting on verified evaluations of a law firm’s security protocols, technical competence and data protection standards.
Client-Lawyer Relationship – Waiving Confidentiality
Attorneys have an ethical duty to preserve confidentiality unless the client waives the protection.
Courts consider whether the entity took reasonable steps to keep the communication confidential.
Unintentional waivers frequently involve situations in which the disclosure is inadvertent (such as an overheard conversation, a misdirected email, a lost device, or a document mistakenly distributed or produced).
The analysis as to whether the unintentional disclosure will be deemed a waiver rests largely on whether the entity took reasonable and appropriate steps to keep the communication confidential. See FED. R. EVID. 502(b); United States v. de la Jara, 973 F.2d 746, 750 (9th Cir. 1992).
Your Ethical Duties
ABA Model Rule 1.1 – Competence
– A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
Comment [8]
– To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Client-Lawyer Relationship – Confidentiality of Information
Duty of Confidentiality – Rule 1.6 – Confidentiality of Information
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…
The attorney-client privilege will protect confidential communications between the attorney and client in cases of inadvertent disclosure ONLY if the attorney and client act reasonably to protect that privilege.
A lack of reasonable care to protect against disclosing privileged and protected information when handling ESI (electronically stored information) can be deemed a waiver of the attorney-client privilege.
Client-Lawyer Relationship – Confidentiality of Information
Rule 1.6 – Confidentiality of Information
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. See Rule 1.0(h) (definition of “reasonable”).
Comment [18]: Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision*… The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.
* Breach or disclosure of a client’s information invokes Rule 1.4 (Communication).
Client-Lawyer Relationship – Confidentiality of Information
Rule 1.6 – Confidentiality of Information (Comments)
Acting Competently to Preserve Confidentiality
[18] … Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules.
For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments [3]-[4].
Vendor Due Diligence Checklist
Auditing
Financial records audit.
A review of data transactions and data processing.
Regulatory compliance with any government (HIPAA, GLBA) or industry (PCI-DSS) regulations that may apply to your business.
Ongoing security monitoring.
Ongoing security due diligence.
CIRP tabletop simulations with client IT staff present.
Basic and advanced security policies and compliance.
Computer acceptable use policies.
Computer incident response plan (CIRP).
Interviews with key personnel.
Network vulnerability assessment or penetration test.
If you are in the DoD supply chain, you have been required to comply with NIST SP 800-171 (the DFARS 252.204-7012 implementation deadline was December 31, 2017) and DoDI 8582.01.
Vendor Due Diligence Checklist
Secure Access
Two-factor authentication.
Permission-based network segmentation and access.
Use of secure connections such as VPNs.
The presence of security devices on your network, such as firewalls, intrusion detection and prevention devices (IDS or IPS), and unified threat management platforms such as AlienVault.
Training
Ongoing monthly, quarterly, or annual cybersecurity awareness training program.
Phishing simulation.
On-site live, online, or video training.
CIRP tabletop simulations with your internal staff only.
If you are in the DoD supply chain, you have been required to comply with NIST SP 800-171 and DoDI 8582.01.
Vendor Due Diligence Checklist
Governmental and third-party requests: Immediate notification of all requests for disclosure of data by any party, with a provision to control the response.
Service level agreements: Uptime guarantees and monetary credits for failure to comply.
Suspension of services: The vendor should provide sufficient notification, with time to cure, before suspending services for any breach of contract.
Indemnity and cyber insurance: The entity must require indemnity for harm caused to third parties by the vendor’s breach of confidentiality obligations, data security or privacy requirements, or noncompliance with laws. Entities also should require vendors to have adequate cyber insurance covering both data loss and data breach response.
Business continuity/disaster recovery: Vet the vendor’s business, including all information, business continuity and disaster recovery plans, incorporated into and attached to the contract.
Dispute resolution: Arbitration clauses should be considered as an efficient and cost-effective means to resolve disputes arising under the vendor agreement.
Vendor Due Diligence Checklist
Integrate Cyber Risk Management into Vendor Management
Identify all systems that you utilize which any external vendor provides, including:
• Vendors used to help manage the IT systems at your main headquarters and each location;
• IT systems dedicated to processing payment cards;
• Systems utilized for employee payroll processing;
• Cloud sourcing of corporate data, including sensitive and confidential information;
• Security vendors or systems utilized for cameras, access control and security monitoring;
• Mechanical vendors utilized for water or cooling control systems;
• Physical and electronic access system vendors (locksmiths and keycard vendors).
TRUST BUT VERIFY – ALL VENDOR RELATIONSHIPS
Review the business dependencies of the vendor and the current vendor agreement, including the vendor’s agreements with external parties. These agreements should outline business roles, responsibilities, liabilities, and determinations for breach notification.
Conduct a site visit to key vendors to review and ensure compliance.
Review the current signed non-disclosure agreement (NDA) with necessary vendors.
Guide For Trusted Third Party Vendors
Preemptive Guide
1. Cybersecurity Policies and Procedures.
A. Incident response plan
B. Business continuity plans in case of a cyber-attack
C. Personnel continuity. Competition for talent in the information security space is intense
D. PCI compliance plan
E. A/C protection & control (including cyber vendor oversight during litigation or investigation)
F. Employee awareness training programs
G. Cybersecurity threat information sharing processes (CISA) – FBI, DHS, US Secret Service, State AG, regulatory agencies
Preemptive Guide
2. A digital forensics/data breach response firm on call. A breach will require immediate assistance, and there will not be time for the usual due diligence and contractual review of the engagement of an incident response firm, so having an agreement, such as a master service agreement, in place makes sense.
3. When negotiating cyber insurance policies, some insurers will seek “panel” and “prior consent” provisions that purport to mandate that an insured hire a specific digital forensic/data breach response firm (even if the victim firm already has a prior existing relationship with a particular vendor). Insureds should consider such a provision carefully; much like choosing one’s own surgeon for a heart procedure, an insured might want the same freedom of choice when it comes to selecting a digital forensics/data breach response firm.
Guide For Trusted Third Party Vendors
Is the House On Fire? - Cyber Risk Profile
A cyber risk profile is a measure of an organization's security posture. It is a
picture of your risk related to technical aspects such as network and system
security liability and network interruption, as well as more organizational
aspects such as cyber defense maturity.
1. Create a profile - Performing a baseline audit of hardware and software
and then performing a business impact analysis (BIA) to understand
which applications contribute the greatest financial or reputational
exposure.
2. Review defenses and the strength of technical controls
3. Review security policies and user training, and assess how those align
with compliance and operational goals.
4. Develop quantitative results; insurers do not need qualitative analysis.
Cyber Liability Risks
1st & 3rd Party Liability
You may be liable for costs incurred by customers and other third parties as a result of a cyber
attack or other IT-related incident.
System Recovery
Repairing or replacing computer systems or lost data can result in significant costs. In
addition, your company may not be able to remain operational while your system is down,
resulting in further losses.
Notification Expenses
In all 50 states (Alabama and South Dakota enacted the last two statutes in 2018), if your business stores personal data of residents, you are required to notify affected individuals when a data breach has occurred or, under many statutes, is reasonably believed to have occurred. This can be quite costly, especially if you have a large number of customers.
Regulatory Fines
Several federal and state regulations require businesses and organizations to protect
consumer data. If a data breach results from your business’s failure to meet compliance
requirements, you may incur substantial fines.
Class Action Lawsuits
Large-scale data breaches have led to class action lawsuits filed on behalf of customers
whose data and privacy were compromised
Cost vs. Risk Assessment
Threat × Vulnerability = Risk
Cost of Implementing Controls – Cost of not Implementing Controls = Cost
One risk that law firms must anticipate involves security breaches.
There are three major categories of reported data loss breaches involving
lawyers and law firms: (1) disposal of client records, (2) mobile device theft
or loss, and (3) misuse of firm systems and security protocols.
Other Risks – physical security, password management, lack of encryption,
lax policies, inadequate training, or the inattention of system users.
Tort of Negligence – Reasonable Care: The Hand Test
United States v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947)
Judge Learned Hand described the “calculus of negligence”, or the Hand Test (the classic example of a balancing test).
Judge Hand’s formula: B < P × L, where B is the burden of adequate precautions, P the probability of the injury, and L the gravity (cost) of the resulting loss.
If (Burden < Cost of Injury × Probability of occurrence) then the accused will not have met the standard of care required.
If (Burden ≥ Cost of Injury × Probability of occurrence) then the accused may have met the standard of care.
Risk = Threat × Vulnerability × Impact
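The two formulas above, Risk = Threat × Vulnerability × Impact and Hand’s B < P × L, can be combined into a small quantitative screen of candidate controls, which is the kind of result step 4 of the cyber risk profile asks for. The following is an added example written for this edit, not material from the workshop or from NuStrategies. The risk register (a lost or stolen laptop holding client files, the page’s breach category 2), the dollar figures, the control names and the reduction percentages are all constructed for illustration, and expressing risk as events per year × probability of success × loss per event is the standard annualized loss expectancy form, an assumption this example makes rather than something the slide states.

```python
"""Quantitative cyber risk profile with a Hand-test screen of controls.

Added example (not from the workshop slides). It expresses the page's
Risk = Threat x Vulnerability x Impact as an annualized expected loss and
applies Judge Hand's B < P x L to each candidate control. Every number
below is constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_per_year: float   # Threat: expected attempts or events per year
    vulnerability: float     # Vulnerability: probability an event succeeds, 0..1
    impact: float            # Impact: loss per successful event, in dollars

    def annual_expected_loss(self) -> float:
        """Risk = Threat x Vulnerability x Impact, in dollars per year (P x L)."""
        return self.threat_per_year * self.vulnerability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float              # B: the burden of taking the precaution
    vulnerability_reduction: float  # fraction of the vulnerability it removes, 0..1


def risk_avoided(scenario: Scenario, control: Control) -> float:
    """Expected loss per year the control avoids (P x L before minus P x L after)."""
    residual = replace(
        scenario,
        vulnerability=scenario.vulnerability * (1.0 - control.vulnerability_reduction),
    )
    return scenario.annual_expected_loss() - residual.annual_expected_loss()


def hand_test(scenario: Scenario, control: Control) -> bool:
    """True when B < P x L: omitting this control falls below the standard of care."""
    return control.annual_cost < risk_avoided(scenario, control)


def rank_controls(scenario: Scenario, controls: list) -> list:
    """Net benefit (loss avoided minus burden) for each control, best first."""
    rows = []
    for control in controls:
        avoided = risk_avoided(scenario, control)
        rows.append({
            "control": control.name,
            "burden": control.annual_cost,
            "avoided": avoided,
            "net": avoided - control.annual_cost,
            "required_by_hand_test": hand_test(scenario, control),
        })
    return sorted(rows, key=lambda r: r["net"], reverse=True)


# Constructed register: the page's breach category 2, mobile device theft or loss.
LAPTOP_LOSS = Scenario(
    name="lost or stolen laptop holding client files",
    threat_per_year=2.0,     # two devices go missing per year (assumed)
    vulnerability=0.5,       # half are unencrypted, so the data is exposed (assumed)
    impact=150_000.0,        # notification, forensics and response per incident (assumed)
)

# Constructed candidate controls; costs and reductions are assumptions.
CANDIDATE_CONTROLS = [
    Control("full-disk encryption on all laptops", annual_cost=5_000.0, vulnerability_reduction=0.95),
    Control("quarterly awareness training", annual_cost=8_000.0, vulnerability_reduction=0.30),
    Control("dedicated 24x7 security operations centre", annual_cost=400_000.0, vulnerability_reduction=0.60),
]


if __name__ == "__main__":
    print(f"Annual expected loss: ${LAPTOP_LOSS.annual_expected_loss():,.0f}")
    for row in rank_controls(LAPTOP_LOSS, CANDIDATE_CONTROLS):
        verdict = "B < PL, required" if row["required_by_hand_test"] else "B >= PL, not required"
        print(f"{row['control']:<45} burden ${row['burden']:>9,.0f} "
              f"avoids ${row['avoided']:>9,.0f} net ${row['net']:>10,.0f}  {verdict}")
```

Run stand-alone, it prints the ranked table. The point the constructed numbers make is the one the Hand test makes on the slide: the security operations centre is a legitimate control, but for this scenario its burden exceeds the loss it avoids, so declining it is not by itself a failure of reasonable care, whereas omitting $5,000 of disk encryption against roughly $142,500 of avoidable expected loss plainly is. The model is only as good as its threat, vulnerability and impact estimates, and an insurer or a court will ask where each of them came from.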
Privacy & Security – Common Requirements
Category: Requirement Commonalities
• Organization: Includes requirements to establish management accountability and responsibility for privacy and the specific organizational roles and responsibilities for legal entities and/or individuals. The category also includes obligations to train employees; to define, document and communicate privacy policies and procedures; and to notify, register, and/or file processing activities with local DPAs.
• Notice: Includes requirements to notify and disclose to data subjects details of the organization’s data privacy practices, including how data subjects’ information is protected and the purposes for which their personal information is collected, used and disclosed. Such requirements include the presentation of a privacy notice prior to the collection of personal information as well as those surrounding the form and content of such notice.
• Choice: Includes requirements to obtain consent from data subjects, or to otherwise provide choice, for the use of personal information for primary or secondary purposes. Such requirements include those surrounding the form and content of the consent provided by the data subject, consent revocation procedures, and opt-out and opt-in process management.
• Access: Includes requirements to permit data subjects’ access to personal information that the organization may have about them. Closely tied to these requirements are the data subject’s right to amend incorrect details and to reasonably request the deletion of unauthorized, unnecessary or inaccurate information, subject to certain exceptions. Such requirements include the rights of data subjects to request, obtain, rectify, update and, when applicable, suppress or keep confidential their information.
• Security for Privacy: Includes requirements to provide administrative, technical and/or physical security controls to prevent unauthorized or accidental loss, corruption or disclosure of personal information related to data subjects. Such requirements include those surrounding the development and implementation of written information security policies and procedures as well as implementation of physical and electronic access controls, transmission controls, monitoring controls, availability controls and third-party controls.
• Transfer: Includes data protection requirements for the transfer of personal information to third parties or to other countries. Such requirements include the identification of current data transfers, the security of the transfer, compliance with local registration requirements, and a documented business need for the transfer of personal data.
• Data Integrity: Includes requirements that relate to the quality of information the organization has about its data subjects. Such requirements include those related to the organization’s efforts to confirm that personal information collected, used or disclosed by or on behalf of an organization is relevant, accurate, complete, and up-to-date.
• Information Management: Includes data protection requirements on the collection, use, storage and destruction of personal information. Such requirements include those surrounding the manner in and purpose for which data is obtained, the retention period of such data, the use of such data as it relates to the purpose for which it was obtained, and the manner in which such data is deleted, made anonymous or returned.
• Breach Notification: Includes requirements which provide specific notification procedures in the event of a privacy/security breach, including those surrounding breach assessment and the need for notification as well as the timing, form, content and distribution of the notification.
Cyber Insurance and Risk
1. Determine what costs, expenses and incidents need coverage.
2. Identify your organizational ‘first-party’ costs and the costs that others may claim against you following an incident.
3. Identifying ‘third-party costs’ is crucial to ensuring that your coverage tower is suitable. Develop and deploy a “holistic cybersecurity program incorporating cyber risk management, technology, cybersecurity practices and incident response plans, awareness and training, self-assessment and vendor testing.”
4. Create a Business Impact Assessment to compare the anticipated data breach costs with the limits of liability available and the associated costs. The costs of responding to a data breach can be substantial and often prohibitive.
5. The Incident Response Plan must include key requirements, including notification requirements and other stipulations.
6. Establish an Insider Threat Program. Insider threats are critical because the perpetrators are authorized to access systems and sensitive data. Some insider threats are malicious; others are caused by misuse of equipment or failure to comply with established security protocols.
7. Establish Policies and Procedures outlining best practices for security internally while demonstrating to your vendors and clients that your entity takes security seriously. Identified industry-standard policies and procedures include roadmaps (sector-specific or NIST 800-53 rev 4) or best practices (e.g., SANS Critical Controls, ISO 27000 series).
8. Establish, develop and deploy an Awareness Program: train your entity on the types of cyber threats that are targeting the organization and develop a security-minded culture. Less ‘shock and awe’ and more reinforcement of the best practices and guidelines outlined in the policies and procedures.
9. Asset Management: asset management often gets left behind. A simple spreadsheet inventory of individuals and their assigned corporate devices and software licenses is both a security and a human-resources resource: the IT department updates software as needed, and the HR department expedites the termination or resignation process by rapidly identifying what needs to be collected from the employee.
10. Drills, “table top” exercises, phishing assessment and training. Phishing exercises help users to spot suspicious emails and train users to inform IT through the appropriate mechanisms when they receive a phishing email.
11. Risk Management: each business unit should identify the key business, legal, and brand risks to their systems or operations.
12. Identify external resources and talent: dedicate security personnel to handle onsite incidents and coordinate all parties internal and external to the organization.
13. Annual Penetration Testing: pentests reveal weaknesses and attack vectors, but pen testing alone should not be the main method of security testing.
14. Auditing: monitor systems, servers and workstations throughout the security lifecycle to understand the security risk, the types of threats targeting the organization, the types of applications and software operating, and the connections internally and externally on your network.
Risk Profile
Source: NIST Impact areas
Risk Appetite – Costs of a Data Breach
What Do Underwriters Value in Assessing Cyber Risk?
What Do Insurers Ask About in Their Applications?
Sourced from: Travelers CyberRisk Coverage Application
• Does the Applicant have a formal program in place to test or audit network security controls?
• How often are internal audits performed?
• How often are outside/third party audits performed?
• Does the Applicant use firewall technology?
• Does the Applicant use anti-virus software?
• Is anti-virus software installed on all of the Applicant’s computer systems, including laptops, personal computers, and networks?
• Does the Applicant use intrusion detection software to detect unauthorized access to internal networks and computer systems?
• Is it the Applicant’s policy to upgrade all security software as new releases or improvements become available?
• Is a multi-factor authentication process (multiple security measures used to reliably authenticate/verify the identity of a customer or other authorized user) or a layered security approach required to access secure areas of the Applicant’s website? Please describe authentication/verification methods used.
• Is all valuable/sensitive data backed up by the Applicant on a daily basis?
  o If No, please describe exceptions:
• Does the Applicant conduct training regarding security issues and procedures for employees that utilize computer systems?
• Does the Applicant publish and distribute written computer and information systems policies and procedures to its employees?
• Does the Applicant terminate all associated computer access and user accounts as part of the regular exit process when an employee leaves the company?
• Does the Applicant have a formal documented procedure in place regarding the creation and periodic updating of passwords used by employees or customers?
American Tooling Center Inc. v. Travelers Casualty and Surety Company of America
• The vice president received emails purportedly from the vendor instructing ATC to send payment for several legitimate outstanding invoices to a new bank account, according to the ruling.
• Without verifying the new banking instructions, ATC wire-transferred about $800,000 to a bank account that was not, in fact, controlled by the vendor.
• The Judge granted Summary Judgment for Travelers since:
  • There was no infiltration or ‘hacking’ of ATC’s computer system;
  • “The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.”
Cyber Insurance Claim Denial
A Rhode Island law firm has filed a lawsuit against its insurer over coverage for a ransomware attack that locked down the firm’s computer files for three months. Moses Afonso Ryan, a 10-lawyer law firm in Providence, says it paid $25,000 in ransom, but the amount is far less than its lost billings. A review of records for the same three months last year shows the firm had more than $700,000 in billings during the time period. It claims that Sentinel Insurance Co. is responsible for the loss under policy coverage for lost income.
Moses Afonso Ryan’s computers became infected with the ransomware virus last year as a result of a lawyer clicking on an email attachment. The virus disabled the firm’s computer network, along with all of the documents and information on the network. As a result, lawyers and staffers “were rendered essentially unproductive,” according to the suit.
Sentinel denies an unjustified refusal to provide coverage under the law firm’s business owner’s policy. Sentinel says it has paid the law firm the policy maximum of $20,000 for losses caused by computer viruses, which are covered under a computers and media endorsement. The insurer says it has no legal obligation to cover other ransomware losses. The policy coverage for lost business income applies only when there is physical loss or damage to property at the business premises.
Moses Afonso Ryan LTD v. Sentinel Insurance Company (1:17-cv-00157), Rhode Island District Court, Filed: 04/21/2017
SONY Revisited
• A general property insurance policy for cyber-attack coverage is risky.
• Directors should not rely on a Commercial General Liability policy to cover a data breach.
• Sony breach: Zurich American stated in court papers that, as a result, Sony was the defendant in over 50 class action lawsuits.
• The Sony policy required the policyholder (Sony) to perpetrate or commit the act of publication of the personal information; the judge stated, “Paragraph E (oral or written publication in any manner of the material that violates a person’s right to privacy) requires some kind of act or conduct by the policyholder in order for coverage to present.”
• This decision highlights the hazards of relying on traditional CGL coverage policies for potential data breach coverage. See Zurich American Insurance Co. v. Sony Corp. of America, et al. (Supreme Court, State of New York, 651982/2011).
Supervision & Associations – The New Legal Model
Duty to Supervise - Rule 5.1
This duty can be met through association with an outside attorney, outside vendor, subordinate attorney or even the client.
• The attorney must maintain overall responsibility for and remain engaged in the work of the expert;
• The attorney must educate everyone involved about:
  • The legal issues in the case;
  • The factual matters impacting discovery, witnesses and key evidentiary issues;
  • The obligations around discovery imposed by law or the court;
  • Any risks associated with the case tasks at hand.
Supervision & Associations – Sharing Confidential Information
Rule 5.3: Responsibilities Regarding Nonlawyer Assistance
A lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm.
With respect to a nonlawyer employed or retained by or associated with a lawyer:
(a) a partner, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person's conduct is compatible with the professional obligations of the lawyer;
see Rule 5.3, Comments [3]-[4].
Law Firms and Associations – Responsibilities Regarding Nonlawyer Assistance
Rule 5.3: Responsibilities Regarding Nonlawyer Assistance
A lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm (Comments [3]-[4])
Nonlawyers Outside the Firm
[3] A lawyer may use nonlawyers outside the firm to assist the lawyer in rendering legal services to the client. Examples include the retention of an investigative or paraprofessional service, hiring a document management company to create and maintain a database for complex litigation, sending client documents to a third party for printing or scanning, and using an Internet-based service to store client information. When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations. The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality. See also Rules 1.1 (competence), 1.2 (allocation of authority), 1.4 (communication with client), 1.6 (confidentiality), 5.4(a) (professional independence of the lawyer), and 5.5(a) (unauthorized practice of law). When retaining or directing a nonlawyer outside the firm, a lawyer should communicate directions appropriate under the circumstances to give reasonable assurance that the nonlawyer's conduct is compatible with the professional obligations of the lawyer.
[4] Where the client directs the selection of a particular nonlawyer service provider outside the firm, the lawyer ordinarily should agree with the client concerning the allocation of responsibility for monitoring as between the client and the lawyer.
Technical Competence – Protection of Confidentiality of Information
Competence and the Technological Issues Associated With Hiring Service Providers
Many lawyers and clients partner with service providers to assist with legal support and litigation. An attorney is responsible for the conduct of a service provider or non-lawyer working under their supervision.[7] Accordingly, an attorney should ensure that a service provider they retain to assist with the discovery of ESI is competent to undertake the tasks assigned, and should ensure compliance with the attorney's other ethical obligations, such as protection of confidential client data[8] and adversaries' data.[9] The tools used by service providers vary significantly in their functionality, sophistication, and cost.
[7] See MRPC 5.3.
[8] See MRPC 1.6.
[9] See MRPC 3.4.
Technical Competence: Co-Counsel, Consultants & Experts
To be competent in working with co-counsel and consultants:
• Understand the responsibility of co-counsel and consultants/experts;
• Understand the technological experience of co-counsel and experts;
• Confirm that client data is being stored and transmitted securely;
• Confirm that confidentiality protections are being maintained;
• Ensure that confidentiality agreements and protective orders are
implemented and followed;
• Keep well-informed of the discovery process and supervise decisions;
• Understand, at least generally, any technology that is the focus of an
expert's opinion or advice.
Regulatory – ABA opinions fail to discuss regulatory requirements
The Alphabet Soup of Regulations & Regulatory Entities
• FTC – Federal Trade Commission
• SEC – Securities and Exchange Commission
• FCRA – Fair Credit Reporting Act
• Myriad of State Online Privacy Acts (COPPA)
• International Regulation
  • Canada – PIPEDA (Personal Information Protection and Electronic Documents Act)
  • British Columbia – FOIPA (Freedom of Information and Privacy Act)
  • European Union – Data Protection Directive
  • European Union – GDPR
• Consumer Financial Protection Bureau – CFPB Bulletin 2012-03
  • As codified under the Dodd-Frank Wall Street Reform Act – requires thorough due diligence to verify compliance with Federal consumer financial law;
Regulations Affecting Legal Entities
HIPAA (applies to covered entities and business associates)
• Administrative Safeguards (164.308)
• Security Management Process
• Assigned Responsibility
• Workforce Security
• Information Access Management
• Physical Safeguards (164.310)
• Facility Access
• Workstation Use
• Workstation Security
• Device & Media Controls
• Technical Safeguards (164.308)
• Access Controls
• Audit Controls
• Integrity
• Personal Authentication
• Transmission Security
Avoiding FTC Actions - 2015
FTC published data security guidance titled Start With Security: A Guide for Business.
1. Use firewalls between networks;
2. Encrypt stored credit card information;
3. Use industry standard password complexity;
4. Employ reasonable measures to detect and prevent unauthorized access;
5. Implement security updates on a timely basis;
6. Follow incident response procedures;
7. Adequately restrict vendor access; and
8. Fix existing security issues.
Avoiding FTC Actions - 2015
FTC enforcement actions include the failure to:
1. Perform risk assessments;
2. Conduct regular testing and monitoring of privacy controls;
3. Conduct regular reviews of privacy statements/notices for correlation to actual practices and disclosures;
4. Obtain user consent with respect to new data or products;
5. Require strong user credentials and password policies and procedures;
6. Segment servers and limit employee access to PII;
7. Implement reasonable data storage policies and procedures;
8. Encrypt data in transit and at rest;
9. Implement policies and procedures for data retention, destruction and disposal;
10. Implement controls and security reviews for new software and products;
11. Require and implement contractual requirements for service providers;
12. Reasonably oversee service providers;
13. Perform cybersecurity audits;
14. Assess network vulnerabilities;
15. Evaluate the risk of third party access;
16. Implement reasonable measures to assess and enforce compliance with policies and procedures; and
17. Implement policies and procedures for the prevention and detection of unauthorized access.
Minimal Standard of Care Government Resources
Industry-Specific Rules and Guidance
KY Bar ethics resource - https://www.kybar.org/?page=EthicsHotline
Ruth Baxter Lawyers Mutual - http://www.lmick.com/component/contact/contact/16-general/2-ruth-h-baxter
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf
https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf
https://www.sec.gov/rules/final/2013/34-69359.pdf
http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf
https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf
http://www.sec.gov/investment/im-guidance-2015-02.pdf
http://transition.fcc.gov/pshs/advisory/csric4/CSRIC_WG4_Report_Final_March_18_2015.pdf
http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db0520/DA-15-603A1.pdf
EU General Data Protection Regulations
The GDPR
What About the 800lb Gorilla - GDPR
General Data Protection Regulations (EU GDPR)
Requires private or government entities to notify individuals of security breaches of information involving PII:
• Definitions of PII (e.g., name combined with SSN, driver's license or state ID, account numbers, etc.);
• What constitutes a breach (e.g., unauthorized acquisition of data);
• Requirements for notice (e.g., timing or method of notice, who must be notified);
• Exemptions (e.g., for encrypted information).
Security breach notification laws also typically have provisions regarding who must comply with the law:
• Businesses, data/information brokers, government entities & vendors.
GDPR, DPA, CaCPA & Beyond
“Consumers deserve clear answers and standards on data privacy protection.” - John Thune
• Federal privacy law - preemption rather than a patchwork of different state privacy laws;
• FTC as regulator for a federal privacy law;
• Protecting consumer privacy;
• Establish clear regarding the responsible use of data; and
• Key principles that should be included in any federal privacy law.
Witnesses:
Global Public Policy, AT&T Inc.
Associate General Counsel, Amazon.com, Inc.
Chief Privacy Officer, Google LLC
Global Data Protection Officer and Associate Legal Director, Twitter, Inc.
Software Technology, Apple Inc.
Policy & External Affairs, Charter Communications, Inc.
54 Breach Notification Laws – April 2018
With last month’s passage of the Alabama Data Breach Notification Act of 2018 (SB 318), all 50 states will have laws requiring companies to notify individuals when their personal information is exposed as a result of a data breach.
It took 15 years from the first data breach notification law, passed in California (2003).
The Ohio Data Protection Act did not remove or modify any of the existing statutory notice obligations upon discovery of a breach event (Ohio Rev. Code § 1349.19).
Ohio businesses are entitled to a “legal safe harbor” to be pled as an affirmative defense to tort claims related to a data breach.
“Internet” Bill of Rights - Rep. Ro Khanna (D-Calif.)
You should have the right:
1. to have access to and knowledge of all collection and uses of personal data by companies;
2. to opt-in consent to the collection of personal data by any party and to the sharing of personal data with a third party;
3. where context is appropriate and with a fair process, to obtain, correct or delete personal data controlled by any company and to have those requests honored by third parties;
4. to have personal data secured and to be notified in a timely manner when a security breach or unauthorized access of personal data is discovered;
5. to move all personal data from one network to the next;
6. to access and use the Internet without Internet service providers blocking, throttling, engaging in paid prioritization or otherwise unfairly favoring content, applications, services or devices;
7. to Internet service without the collection of data that is unnecessary for providing the requested service absent opt-in consent;
8. to have access to multiple viable, affordable Internet platforms, services and providers with clear and transparent pricing;
9. not to be unfairly discriminated against or exploited based on your personal data; and
10. to have an entity that collects your personal data have reasonable business practices and accountability to protect your privacy.
The GDPR, CaCPA & Ohio DPA
GDPR: General Data Protection Regulation, Regulation (EU) 2016/679
CaCPA: California Consumer Privacy Act of 2018, SB 1121 / AB 375; Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the California Civil Code, Section 1798.198
GDPR:
• A ‘Regulation’ is directly applicable and has consistent effect in all Member States.
• 50+ areas covered by GDPR allow Member States to legislate differently in their own domestic data protection laws.
• Reinforcing and expanding individual citizens’ privacy rights.
• GDPR has extra-territorial effect. An organization not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.
WHO IS PROTECTED?
GDPR: Any data subject that is an EU resident. A data subject is any person whose personal data is being collected, held or processed. The regulation protects the rights and interests of individuals.
CaCPA: Uses the term “Consumer” rather than “data subject.” A consumer is a natural person who is a California resident. This includes every individual who is in the State for any reason other than a temporary or transitory purpose, and every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.
The GDPR, CaCPA & Ohio DPA
DEFINITION OF PERSONAL INFORMATION
GDPR: Any information that identifies a natural person directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive information: Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
CaCPA: Contains a broader definition of “personal data” and also covers information pertaining to households and devices and any information that relates to a particular consumer or household.
Includes: consumer’s name (first and last); postal address; e-mail address; social security number; identification card number; biometric data; internet activity; and geolocation.
Unique identifiers or unique personal identifier: information that can be used to recognize a consumer, family, or device, such as an IP address, cookies, beacons, pixel tags, mobile ad identifiers, customer number, or phone numbers.
“Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. “Publicly available” does not include consumer information that is deidentified or aggregate consumer information.
“Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
The GDPR, CaCPA & Ohio DPA
WHO NEEDS TO COMPLY?
GDPR: Controllers and processors established in the EU, and controllers and processors outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Art. 3).
CaCPA: For-profit businesses doing business in California that meet any one of three thresholds: more than $25 million in annual gross revenue; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50% or more of annual revenue from selling consumers’ personal information (§ 1798.140).
PROCESSING THE DATA OF MINORS
GDPR: Where consent is the lawful basis for offering information society services directly to a child, the processing is lawful only if the child is at least 16 years old or, below that age, only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law a lower age of consent, provided that such lower age is not below 13 years (Art. 8).
CaCPA: Businesses are prohibited from selling the personal information of consumers they know are under 16 years old without opt-in consent: from the consumer for ages 13 to 16, and from a parent or guardian for consumers under 13 (§ 1798.120).
INDIVIDUAL RIGHTS
GDPR: Right to be informed; right of access; right to rectification; right to withdraw consent; right to erasure (“right to be forgotten”); right to restrict processing; right to object; right to data portability; rights related to automated decision-making and profiling.
CaCPA: Right to know what data a business collects on you; right to say no to the sale of your information; right to delete your data; right to be informed, prior to collection, of the categories of data that will be collected about you, and of any changes to that collection; right to know the categories of third parties with whom your data is shared; right to know the categories of sources from which your data was acquired; right to know the business or commercial purpose for collecting your information; right not to be discriminated against for exercising these rights.
The GDPR, CaCPA & Ohio DPA
DATA SUBJECT REQUESTS
GDPR: Organizations must respond without undue delay and in any event within one month of receipt, either by providing the data requested, asking for further information needed to confirm the requester’s identity, or explaining why the request will not be acted on. The period may be extended by two further months for complex or numerous requests, provided the data subject is told within the first month (Art. 12).
CaCPA: Responses to requests for data access, deletion and portability must be made within 45 days (extendable once by a further 45 days, with notice to the consumer). Organizations must verify the identity and authorization of persons who make requests for data access, deletion, or portability. Organizations must provide at least two methods for consumers to submit requests: 1.) a toll-free telephone number and 2.) if the business maintains a website, a website address or form. After a California resident opts out of the sale of personal information, the business must wait at least 12 months before asking that consumer to opt back in.
PENALTIES
GDPR: Enforced by the supervisory authority (DPA) of each EU Member State. Administrative fines reach up to €10 million or 2% of worldwide annual turnover for the lower tier of infringements, and up to €20 million or 4% for the higher tier, whichever amount is greater (Art. 83).
CaCPA: Private right of action (§ 1798.150): any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information may institute a civil action, for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Public enforcement: the Attorney General may seek civil penalties of up to $2,500 per violation or $7,500 per intentional violation, after a 30-day notice-and-cure period.
EFFECTIVE DATE
GDPR: 25 May 2018.
CaCPA: January 1, 2020. Amendments passed as SB 1121 on Aug. 31 and signed into law by Gov. Brown on Sept. 23, 2018 extend the time for the California Attorney General (CaAG) to promulgate regulations to July 1, 2020; the Attorney General may not bring enforcement actions until six months after publication of the final regulations or July 1, 2020, whichever is sooner.
Because consumer requests look back 12 months from the law’s effective date, businesses will need to start data mapping and record keeping of personal information as of Jan. 1, 2019.
Data Protection Act 2018 - UK
The UK's third generation of data protection law has received Royal Assent and its main provisions commenced on 25 May 2018. The new Act aims to modernize data protection law so that it remains effective in the years to come.
What is the difference between the DPA 2018 and the GDPR?
The GDPR has direct effect across all EU member states and has already been passed. Organizations will therefore still have to comply with the GDPR directly and will still look to it for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country; one element of the DPA 2018 is the detail of those UK provisions. It is therefore important that the GDPR and the DPA 2018 are read side by side.
Data Protection Act 2018 - UK
What else does the DPA 2018 cover?
• The DPA 2018 has a part dealing with processing that does not fall within EU law, for example where it is related to immigration. It applies GDPR standards but amends those that would not work in the national context.
• It also has a part that transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive complements the GDPR, and Part 3 of the DPA 2018 sets out the requirements for the processing of personal data for criminal “law enforcement purposes”. The ICO has produced a detailed Guide to Law Enforcement Processing in addition to a 12 step guide for quick reference.
• National security is also outside the scope of EU law. The Government has decided that it is important that the intelligence services are required to comply with internationally recognised data protection standards, so there are provisions based on Council of Europe Data Protection Convention 108 that apply to them.
• There are also separate parts covering the ICO’s duties, functions and powers, plus the enforcement provisions. The Data Protection Act 1998 is repealed, and the Act makes the changes necessary to deal with the interaction between FOIA/EIR and the DPA.
The Ohio DPA – A “Legal Safe Harbor”
Effective November 2, 2018, Ohio SB 220 provides a “legal safe harbor” from tort claims related to a data breach to entities that have implemented and comply with specified cybersecurity frameworks. Ohio Rev. Code §§ 1354.01-.05.
The program must be designed to “proactively” protect the security and confidentiality of information, protect against any anticipated threats or hazards to the security or integrity of information, and protect against unauthorized access to or acquisition of information that is likely to result in a material risk of identity theft or other fraud.
Showing that the covered entity obtained a certification from a third-party auditor of compliance with a framework/standard at some point in time may not be sufficient to meet a defendant’s burden of proof: the statute requires that the program be created, maintained and complied with, not merely adopted once.
Thank you to Carol Furnish - NKU Chase College of Law Library
The Ohio DPA – A “Legal Safe Harbor”
SB 220 provides covered entities with an affirmative defense to any tort action (e.g., negligence, invasion of privacy, etc.) brought under Ohio law or in an Ohio court that alleges a breached entity failed to implement reasonable information security controls. Ohio Rev. Code § 1354.02(D)(1).
Eligibility for the safe harbor under § 1354.02(B) requires an Ohio entity to establish that it designed, implemented, and maintained its cybersecurity program to:
• protect the security and confidentiality of the information;
• protect against any anticipated threats or hazards to the security or integrity of the information; and
• protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
The Ohio DPA – A “Legal Safe Harbor”
§ 1354.03(A)(1) - Non-regulated entities (those whose security is not regulated by the state or federal government) are required to implement a security program that conforms “reasonably” to one of the following:
• one of the National Institute of Standards and Technology frameworks/publications (the Framework for Improving Critical Infrastructure Cybersecurity, SP 800-171, or SP 800-53/53a);
• the Federal Risk and Authorization Management Program (FedRAMP) security assessment framework;
• the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or
• the ISO 27000 family – information security management systems.
§ 1354.03(B)(1) - Regulated entities (those whose security is regulated by the state or federal government) are required to implement a security program that conforms “reasonably” to, as applicable, the:
• Health Insurance Portability and Accountability Act’s security requirements;
• Gramm-Leach-Bliley Act of 1999;
• Federal Information Security Modernization Act of 2014; or
• Health Information Technology for Economic and Clinical Health Act.
§ 1354.03(C) - An entity that must also meet the Payment Card Industry Data Security Standard (PCI DSS) may rely on conformance to the current PCI DSS in combination with one of the frameworks listed in (A).
The Ohio DPA – A “Legal Safe Harbor”
An entity that wishes to take advantage of the Safe Harbor should consider the following steps:
• Gain an understanding of the information in its possession (what is collected; how it is collected,
stored, and shared) in order to ascertain the necessary scope of its security program;
• Determine if the entity is subject to any statutory and/or regulatory information security control
requirements, and its current compliance status with respect to those requirements;
• If the entity is not adhering to one of the articulated standards, identify an appropriate standard to
adopt in developing the program, and then identify any gaps the entity has;
• Design a cybersecurity program that adheres to the applicable standard, and to the extent that such
a program necessarily involves a risk-based approach, document the entity's risk assessment and
decision-making process in order to help prove at a later date that its program is within SB 220's
Safe Harbor; and
• Implement the program and maintain it over time, including conducting ongoing risk assessments
and updating security measures to the extent mandated by applicable security standards.
Data Breach Reporting Requirements
Statutes covered:
• GDPR: Regulation (EU) 2016/679, Arts. 33-34. Effective May 25, 2018
• Ohio: Ohio Rev. Code § 1349.19; H.B. 104, amended by S.B. 126. Effective February 17, 2006
• California: Cal. Civ. Code § 1798.29; § 1798.80 et seq.; S.B. 1386. Effective July 1, 2003
• Indiana: Ind. Code § 4-1-11 et seq.; § 24-4.9-1 et seq.; S.B. 503. Effective July 1, 2006
• Kentucky: KY Rev. Stat. § 365.732; H.B. 232. Effective July 15, 2014
Time after discovery of breach – Action required
• 72 hours: GDPR notification to the supervisory authority (Art. 33); affected data subjects must be told without undue delay where the breach is likely to result in a high risk to them (Art. 34)
• 10 calendar days: Puerto Rico Department of Consumer Affairs
• 14 business days: Vermont AG preliminary notification
• 15 business days: California residents, California AG, and California Department of Public Health (“CDPH”) must be notified of the disclosure of PHI by a clinic, health facility, home health agency, or hospice licensed by the CDPH
• 30 calendar days: Florida residents, AG (500+ residents) (can request 15 day extension) (60 days for PHI/HIPAA incidents); Indiana AG will open an investigation if not notified within 30 days
• 45 calendar days: Ohio residents; Tennessee residents (60 days for PHI/HIPAA incidents); Vermont residents, AG; Washington residents, AG (500+ residents) (60 days for PHI/HIPAA incidents); Wisconsin residents (60 days for PHI/HIPAA incidents); New Mexico residents, AG (500+ residents); Maryland residents (60 days for PHI/HIPAA incidents)
• 60 calendar days: Delaware (effective 4/14/18), AG (500+ residents); individuals and HHS OCR for PHI disclosure
• 90 calendar days: Connecticut residents (60 days for PHI/HIPAA incidents)
• Most expedient time and without unreasonable delay: AK, AZ, AR, CA (other than as noted above), CO, DE (until 4/14/18), DC, GA, HI, ID, IL, IA, KS, KY, ME, MA, MI, MN, MS, MO, MT, NV, NJ, NY, NC, ND, OK, OR, PA, PR, SC, UT, VA, WV, WY
• As soon as possible: NE, NH, TX
Days after confirmation of breach – Action required
• 45 calendar days: Rhode Island residents, AG (500+ residents) (60 days for PHI/HIPAA incidents)
GDPR Compliance Workshop – Compliance demonstration is required
Privacy by design:
• Consider privacy at the start of the process
• Account for the end-to-end data lifecycle
• Consider context
• Define and implement privacy enhancing controls
• Right to be forgotten
PIA process:
• Prior to processing
• High-risk / sensitive data / systematic / large-scale processing
• Description of PI
• Assessment of PI
• Document measures
Privacy by default:
• Adopt privacy friendly settings
• No pre-checked box
• Minimum storage time
• Minimum volume
• Necessary purpose only
• Strictly necessary purposes only
GDPR Compliance Workshop Lawful Basis – Article 6
At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a
specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or
because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including
contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for
your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the
legitimate interests of a third party unless there is a good reason to protect the individual’s
personal data which overrides those legitimate interests. (This cannot apply if you are a public
authority processing data to perform your official tasks.)
GDPR Compliance Workshop Lawful Basis – Consent
• The lawful basis for your processing can also affect which rights are available to individuals.
• An individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies.
• Your lawful basis may affect how provisions relating to automated decisions and profiling apply.
• If you are relying on legitimate interests you need more detail in your privacy notice to comply with the right to be informed.
GDPR Compliance Workshop – 9 Lawful Basis Scenarios
CONTRACT – processing is necessary for the fulfillment of a contract:
• NEW CONTRACT: In order to complete a new contract or fulfill an existing contract, processing is necessary.
• SALES PROCESS: A potential customer’s information is needed as part of the pre-contractual process.
LEGITIMATE INTEREST – processing is necessary for the legitimate interests of an organization or third-party affiliate:
• MARKET RESEARCH: The situation calls for the transfer of personal data to a third party for analysis as part of market research.
• FRAUD PREVENTION: Processing is necessary for direct marketing or fraud prevention purposes.
• INTERNAL OPERATIONS: Personal data must be processed within the organization for internal operations like payroll.
LEGAL OBLIGATION – processing is necessary to comply with EU or Member State law:
• HEALTH AND SAFETY: Information reports require processing for health and safety records.
• CRIMINAL INVESTIGATION: A criminal investigation requires the processing of personal data.
• COURT ORDERS: Court orders or subpoenas require the processing of personal data.
• EMPLOYEE INFORMATION: Employee information (salary, etc.) is needed by a regulatory or government body.
GDPR - Anonymization vs. Pseudonymization
Two distinct techniques that permit data controllers and processors to use de-identified data. The difference between the two rests on whether the data can be re-identified.
Ultimately, the hallmark of both anonymization and pseudonymization is that the data should be nearly impossible to re-identify. This theory, however, has its practical and mathematical limits.
As a well known study shows (Sweeney, 2000), it is possible to uniquely identify 87 percent of the U.S. population from just three data points: five-digit ZIP code, gender, and date of birth. So, even though each of these data points on its own would not identify anyone, storing them together makes it possible to single out an individual. This is a major concern for data controllers that seek to anonymize or pseudonymize data.
The effectiveness (and legality) of both anonymization and pseudonymization hinge on their ability to protect data subjects from re-identification. Recital 26 directs that, in deciding whether a person is identifiable, account be taken of all the means “reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly”; pseudonymized data that can still be attributed to a person by such means remains personal data.
The Health Insurance Portability and Accountability Act provides clear guidance for de-identifying data: under the HIPAA Safe Harbor method, data is treated as de-identified if 18 specific identifiers are removed. Removal of those same 18 elements, however, may not be enough to achieve anonymization, or even pseudonymization, under the GDPR.
Anonymization - Recital 26 of the GDPR describes anonymized data as personal data “rendered anonymous in such a manner that the data subject is not or no longer identifiable.”
- Anonymized data must be stripped of any identifying information, making it impossible to derive insights about a discrete individual, even for the party responsible for the anonymization.
- When done properly, anonymization places the processing and storage of the resulting data outside the scope of the GDPR.
The Article 29 Working Party (Opinion 05/2014 on Anonymisation Techniques) has made it clear, though, that true anonymization is an extremely high bar, and data controllers often fall short of actually anonymizing data.
GDPR - Anonymization v. Pseudonymization
Pseudonymization - Article 4(5) of the GDPR defines pseudonymization as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” By holding the de-identified data separately from the “additional information,” data handlers can use personal data more liberally with less risk of infringing the rights of data subjects, because the data only becomes identifiable when both elements are held together. Pseudonymized data nevertheless remains personal data within the scope of the GDPR (Recital 26).
By rendering data pseudonymous, controllers can benefit from relaxed standards under the GDPR. For instance, Article 6(4)(e) lists pseudonymization among the safeguards that weigh in favour of further processing being compatible with the purpose for which the data was originally collected. Additionally, the GDPR envisions pseudonymization taking on an important role in demonstrating compliance: both Recital 78 and Article 25 list it as a measure for meeting requirements such as data protection by design. These benefits make the pseudonymization of personal data an attractive opportunity to simultaneously support GDPR compliance and expand the uses of collected data.
GDPR - Anonymization v. Pseudonymization
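Added example (not from the slides or the presenter) illustrating both the pseudonymization definitions above (CCPA § 1798.140 and GDPR Art. 4(5)) and the ZIP/gender/date-of-birth singling-out problem: direct identifiers are replaced by keyed HMAC-SHA256 tokens whose key and lookup table are the separately held “additional information”, and the remaining quasi-identifiers are then checked for equivalence classes of size one. The records, the key, and the choice of HMAC-SHA256 and of 3-digit ZIP / birth-year generalization are assumptions made for illustration, not anything the statutes prescribe.

```python
"""Pseudonymize direct identifiers with a separately held key, then check whether
the remaining quasi-identifiers still single out individuals (k-anonymity)."""
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records (fictional people, not real data).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "zip5": "45202", "gender": "F", "dob": "1984-03-12", "diagnosis": "A"},
    {"name": "Bob Example",   "email": "bob@example.test",   "zip5": "45202", "gender": "M", "dob": "1979-11-30", "diagnosis": "B"},
    {"name": "Cara Example",  "email": "cara@example.test",  "zip5": "45202", "gender": "F", "dob": "1984-03-12", "diagnosis": "C"},
    {"name": "Dan Example",   "email": "dan@example.test",   "zip5": "41011", "gender": "M", "dob": "1990-07-04", "diagnosis": "A"},
]
DIRECT_IDS = ("name", "email")          # removed from the released dataset
QUASI_IDS = ("zip5", "gender", "dob")   # the three fields from the Sweeney study


def pseudonym(key: bytes, value: str) -> str:
    """Keyed token (HMAC-SHA256, a design choice for this example). A plain hash
    would let anyone rebuild the mapping by hashing guessed names or e-mail
    addresses; the key prevents that dictionary attack."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Return (released dataset, lookup table). The lookup table plus the key are
    the 'additional information' of GDPR Art. 4(5) / CCPA: store them apart
    from the released data, under separate access control."""
    released, lookup = [], {}
    for rec in records:
        token = pseudonym(key, rec["email"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDS}
        released.append({"id": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDS}})
    return released, lookup


def reidentify(row: dict, lookup: Dict[str, dict]):
    """Only the holder of the separately stored lookup table can do this."""
    return lookup.get(row["id"])


def equivalence_classes(released: List[dict], quasi_ids=QUASI_IDS) -> Dict[tuple, int]:
    """Size of each group of records sharing the same quasi-identifier values."""
    return Counter(tuple(row[q] for q in quasi_ids) for row in released)


def singled_out(released: List[dict], quasi_ids=QUASI_IDS) -> List[tuple]:
    """Quasi-identifier combinations held by exactly one record (k = 1): such a
    record is 'singled out' in the sense of Recital 26 even with no name present."""
    return sorted(cls for cls, n in equivalence_classes(released, quasi_ids).items() if n == 1)


def generalize(released: List[dict]) -> List[dict]:
    """Coarsen ZIP to 3 digits and date of birth to year, a common way to raise k.
    The result must be re-checked: generalization does not guarantee k >= 2."""
    out = []
    for row in released:
        g = dict(row)
        g["zip5"] = row["zip5"][:3] + "**"
        g["dob"] = row["dob"][:4]
        out.append(g)
    return out


if __name__ == "__main__":
    key = b"demo-key-held-by-a-separate-team"   # assumption: a real key lives in a KMS/HSM
    released, lookup = pseudonymize(RECORDS, key)
    print("singled out after pseudonymization:", singled_out(released))
    print("singled out after generalization:", singled_out(generalize(released)))
```

On the sample data the two male records remain singled out by (ZIP, gender, DOB) even though no name or e-mail is present, and coarsening ZIP and DOB still leaves them unique; the released table is therefore pseudonymized, not anonymized, and stays within the GDPR's scope. The HMAC key is what makes the tokens pseudonyms rather than trivially reversible hashes, so rotating or destroying it is a governance decision, not an implementation detail.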
Recital 40 of the GDPR states that in order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis. That legitimate basis should be laid down by law, the law being the General Data Protection Regulation itself or other laws of the EU or its member states.
Although consent (which is not strictly the same as explicit consent, even if in practice the line can be very thin) is the best known of the legal grounds summed up in Article 6 of the GDPR on lawfulness of processing, it is not always the best path to take.
Lawfulness of Processing – Recital 40
• The GDPR sets out seven key principles:
  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability
• These principles should lie at the heart of your approach to processing personal data.
7 Key Principles of Processing
Member State derogations by GDPR article (chart; the per-country colour coding of “In accordance with GDPR” versus “Has proposed derogations” is not reproduced here)
Countries compared: Austria*, Czech Republic, France, Germany*, Netherlands, United Kingdom
Articles compared:
• Right of access (Art. 15)
• Right to erasure (Art. 17)
• Age of consent (Art. 8; 16 unless lowered by Member State law)
• Appointment of a DPO (Art. 37)
• Fines and penalties (Art. 83; up to €20m or 4% of worldwide annual turnover)
• Processing of data^
* Germany and Austria enacted laws supplementing the GDPR
An organization must keep track of EU Member States’ privacy bill drafts:
(1) Determine the EU Member State jurisdictions applicable to your organization’s processing activities;
(2) Identify country-specific requirements;
(3) Perform a gap analysis; and
(4) Maintain a flexible approach to compliance.
Article 30 data-mapping initiatives – Understanding Your Data:
• What types of personal data are collected
• Where the data is located
• Where data subjects reside
7 Key Principles of Processing
Art. 5 GDPR – Principles relating to processing of personal data
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Suitable Recitals: (39) Principles of data processing
Article 5 – Processing of Personal Data
Process Planning - ADTOC
Assess
Design
Transform
Operate
Conform
Assess
Privacy requirements for the Assess phase
• Review existing privacy policies and statements and document how they compare with GDPR requirements
• Assess data subject rights to consent, use, access, correct, delete and transfer personal data
• Discover and classify personal data assets and affected systems
• Identify potential access risks
Security requirements for the Assess phase
• Assess the current state of your security policies, identifying gaps, benchmarking maturity and establishing conformance roadmaps
• Identify potential vulnerabilities, supporting security and privacy by design
• Discover and classify personal data assets and affected systems in preparation for designing security controls
Design
Privacy requirements for the Design phase
• Create a roadmap that details your GDPR remediation and implementation plan
• Design the policies, business processes and supporting technologies you’ll need to implement your plans
• Create a GDPR reference architecture
• Evaluate controller or processor governance
Security requirements for the Design phase
• Create a security remediation and implementation plan
• Create a security reference architecture
• Design technical and organizational measures (TOMs) to reduce risk, including, for example, encryption, pseudonymization, access control and monitoring
Privacy, Risk and Regulations - Scope, Rights, Penalties and Process
across the Ohio DPA, CCPA, and GDPR
Presented by Thomas Doty, JD, LLMNuStrategies, LLC – October 11, 2018
#nkucyber11
Transform
Privacy requirements for the Transform phase
• Implement and execute policies, processes and technologies
• Automate data subject access requests
Security requirements for the Transform phase
• Implement privacy-enhancing controls, including encryption, tokenization and dynamic masking, for example
• Boost protection by implementing security controls; mitigate access risks and security vulnerabilities
Operate
Privacy requirements for the Operate phase
• Manage GDPR data governance practices, including information lifecycle governance
• Manage GDPR enterprise conformance programs, including those for data use, consent activities and data subject requests
• Monitor personal data access
• Govern roles and identities
• Develop GDPR metrics and reporting schemas
Security requirements for the Operate phase
• Manage and implement security program practices, including those for risk assessment, roles and responsibilities, and program effectiveness
• Monitor security operations and intelligence to help detect, respond to and mitigate threats
• Govern incident response and forensics practices
Conform
Privacy requirements for the Conform phase
• Record personal data access audit trails, including individuals’ rights to access, modify, delete and transfer data
• Perform data processor and controller governance, including providing processor guidance, tracking data processing activities, providing audit trails and preparing for data subject access requests
• Document and manage your compliance program, including ongoing monitoring, assessment, evaluation and reporting of GDPR activities
• Respond to and manage breaches
Security requirements for the Conform phase
• Demonstrate technical and organizational measures to ensure security appropriate to processing risk
• Document your security program, including ongoing monitoring, assessment, evaluation and reporting of security controls and activities
• Respond to and manage breaches
Breach Management – First 4 steps
Containing the breach and recovering from the impact
Assessing the risk
Deciding who you need to inform
Learning from the incident
Contain the Breach
Containing the breach:
Establish a lead – this will often be the data protection officer or team, or it might be an external consultant. The main thing is that there is a point of contact for staff and customers and for the ICO if necessary.
Assess the Risk
Risk Assessment:
Are there any safeguards in place that could lower the risk? For example, is the data encrypted? Has it gone to a trusted body?
Are there more safeguards you can put in place now?
Who Needs to Be Informed
Containing the breach:
The lead should also be thinking about who will need to be informed, including the ICO, the data subjects, industry regulators and the police.
C.I.A. (Not the Deep State Type)
Confidentiality Breach
Integrity Breach
Availability Breach
Breach Assessment
What happened?
When did it happen?
How did it happen?
How many people could be affected?
What sort of data has been breached?
What did you have in place that could have stopped it?
What have you done to help the people this affects?
What have you learned?
How can you stop similar breaches in the future?
Personal Data Breach Defined
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data (or a combination of these).
What is a personal data breach?
The GDPR defines a personal data breach as:
“…a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
This includes breaches that are the result of accidental or deliberate causes. It also means that a breach is more than just about losing personal data.
Personal Data Breach Defined
In short, there will be a personal data breach whenever:
- someone accesses the data or passes it on without proper authorization;
- the data is (maliciously or accidentally) corrupted, lost, or destroyed;
- or if the data is made unavailable (e.g. encrypted by ransomware, or lost).
Breach Awareness
The Article 29 Working Party considers that a controller has become aware of a breach when it has a “reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”.
If you (the controller) use a processor and it experiences a breach, then under Article 33(2) it must inform you without undue delay as soon as it becomes aware.
72 Hours – The Clock is ticking
You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it, where feasible.
If you take longer than this, you must give reasons for the delay.
When telling individuals about a breach you need to
describe, in clear and plain language, the nature of the personal data breach
and, at least:
• the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach; and
• a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.
• You should tell individuals what you’re doing to mitigate the breach, and how they can protect themselves from the impact of the breach.
If you fail to report…
Failing to notify a breach when required to do so can result in a significant fine of up to 10 million euros or 2% of your global turnover. The fine can be combined with the ICO’s other corrective powers under Article 58.
So it’s important to make sure you have a robust breach-reporting process in place to ensure you can detect and notify a breach on time, and to provide the necessary details.
Reporting a breach
• a description of the nature of the personal data breach including, where possible: the categories and approximate number of individuals concerned; and the categories and approximate number of personal data records concerned
• the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained
• a description of the likely consequences of the personal data breach; and
• a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Processor Contract
If you use a processor, the requirements about breach reporting should be detailed in the contract between you and your processor, as required under Article 28.
Risk assessment
Not every breach needs to be reported…
…but you will need to notify unless it’s unlikely to result in a risk to individuals’ rights and freedoms (and you can demonstrate this).
When assessing risk, you should be considering…
A combination of the severity and likelihood of the potential negative consequences of a breach.
Do you have a process in place to assess the likelihood and severity of the risk to individuals’ rights and freedoms?
Think of the consequences… what are the potential effects of a breach on individuals; how severe are these, and how likely are they to happen?
High Risk
…the potential or actual consequences for individuals are more severe.
This is part of the reason for telling individuals about a breach involving their personal data – to help them take steps to protect themselves from its effects.
Some factors to consider include:
• the type of breach
• the nature, sensitivity and volume of personal data
• the ease of identification of individuals
• the severity of the consequences
• any special characteristics of the individual / controller
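The breach risk assessment described on the preceding slides (severity combined with likelihood; safeguards such as encryption or a trusted recipient lowering the risk; the 72-hour clock running from the moment of awareness; reasons required for a late notification; individuals told when the risk is high), carried through as an added Python example. This is illustrative code written for this page, not the presenter's or the ICO's; the scoring weights, the thresholds, the list of sensitive categories and the three sample incidents are all constructed assumptions. The point it shows is that the decision is a function of recorded facts about the incident, so it can be documented and repeated, which is what "and you can demonstrate this" on the risk-assessment slide requires.

```python
"""Breach notification triage: added example, not from the slides.

Decision logic taken from the deck:
  * notify the supervisory authority unless the breach is unlikely to result in
    a risk to individuals' rights and freedoms;
  * also tell the affected individuals when the risk is high;
  * the authority deadline is 72 hours after the controller became aware;
  * a notification after the deadline must carry reasons for the delay.
Weights, thresholds and sample incidents are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

AUTHORITY_DEADLINE = timedelta(hours=72)  # "not later than 72 hours after becoming aware"

# Assumed set of categories scored as sensitive (illustrative, not a statutory list).
SENSITIVE_CATEGORIES = {"health", "biometric", "genetic", "political_opinion",
                        "religion", "sexual_orientation", "criminal_record"}


class Action(Enum):
    DOCUMENT_ONLY = "record internally; notification not required"
    NOTIFY_AUTHORITY = "notify the supervisory authority within 72 hours"
    NOTIFY_AUTHORITY_AND_INDIVIDUALS = "notify the authority and tell affected individuals"


@dataclass
class Breach:
    breach_type: str            # "confidentiality", "integrity" or "availability"
    data_categories: set        # kinds of personal data involved
    record_count: int           # approximate number of records concerned
    easily_identifiable: bool   # ease of identification of individuals
    encrypted: bool             # safeguard: strong encryption, key not exposed
    recipient_trusted: bool     # safeguard: data went to a trusted body
    vulnerable_subjects: bool   # special characteristics: children, patients, ...
    became_aware: datetime      # the "reasonable degree of certainty" moment


def severity(b):
    """Score 1-4 for how bad the consequences for individuals could be."""
    score = 1
    if b.data_categories & SENSITIVE_CATEGORIES:
        score += 2      # nature and sensitivity of the data
    if b.record_count >= 1000:
        score += 1      # volume
    if b.vulnerable_subjects:
        score += 1      # special characteristics of the individuals
    if b.breach_type == "confidentiality" and b.easily_identifiable:
        score += 1      # type of breach combined with ease of identification
    return min(score, 4)


def likelihood(b):
    """Score 0-3 for how likely the harm is to materialise; safeguards lower it."""
    score = 3
    if b.encrypted:
        score -= 2
    if b.recipient_trusted:
        score -= 1
    if not b.easily_identifiable:
        score -= 1
    return max(score, 0)


def risk_score(b):
    """Severity combined with likelihood, as the slides describe (0-12 here)."""
    return severity(b) * likelihood(b)


def decide(b):
    """Map the combined score to the notification action (thresholds are assumed)."""
    risk = risk_score(b)
    if risk <= 2:
        return Action.DOCUMENT_ONLY
    if risk >= 9:
        return Action.NOTIFY_AUTHORITY_AND_INDIVIDUALS
    return Action.NOTIFY_AUTHORITY


def authority_deadline(b):
    return b.became_aware + AUTHORITY_DEADLINE


def hours_after(b, hours):
    return b.became_aware + timedelta(hours=hours)


def notification_status(b, sent_at, delay_reasons=""):
    """'on time' or 'late'; a late notification without documented reasons is rejected."""
    if sent_at <= authority_deadline(b):
        return "on time"
    if not delay_reasons.strip():
        raise ValueError("notification after 72 hours requires reasons for the delay")
    return "late"


# Constructed sample incidents (hypothetical, not real cases).
AWARE = datetime(2018, 10, 11, 9, 0, tzinfo=timezone.utc)
LOST_ENCRYPTED_LAPTOP = Breach("confidentiality", {"name", "email"}, 200, True, True, False, False, AWARE)
MISDIRECTED_EMAIL = Breach("confidentiality", {"name", "email"}, 20, True, False, True, False, AWARE)
PATIENT_DB_EXFILTRATED = Breach("confidentiality", {"name", "health"}, 50_000, True, False, False, True, AWARE)

if __name__ == "__main__":
    for name, b in [("lost encrypted laptop", LOST_ENCRYPTED_LAPTOP),
                    ("misdirected email", MISDIRECTED_EMAIL),
                    ("patient database exfiltrated", PATIENT_DB_EXFILTRATED)]:
        print(f"{name}: risk={risk_score(b)} -> {decide(b).value}; "
              f"authority deadline {authority_deadline(b):%Y-%m-%d %H:%M} UTC")
```

The encrypted laptop scores low only because the key was not exposed; if that assumption fails, `encrypted` becomes `False` and the same incident moves to "notify the authority", which is why the facts behind each flag belong in the incident record alongside the decision.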
Breach Management – From 4 to 5 key steps
What is RISK?
What compels most of us to avoid risk? What compels others to run straight into the fire?
Insurance industry - risk is all about math.
War – military leaders rely on statistical analysis to assess risk vs. forecasts of casualties vs. costs (munitions, transportation, food)
Law - (marriage & divorce) financial devastation vs. locked in purgatory that drags on (months or years)
Is risk a necessary component of progress?
Can risk ever be eliminated?
Will predictive analytics reduce or remove risk?
Integrated Risk Management
Integrated risk management enables an organization to advance more sustainable strategic decision making.
IRM is a set of practices and processes supported by a risk-aware culture and enabling technologies that improves decision-making and performance through an integrated view of risk.
For most organizations, building an IRM program means blowing up traditionally siloed risk areas and replacing them with a single, holistic view of enterprise risk. By integrating siloed risk under one centralized risk management framework, an organization can view and analyze every risk metric simultaneously.
It links the overall corporate risk reduction strategy to distinct, quantifiable business objectives, which can be met by deploying specific risk mitigation actions across the organization with support of the IT infrastructure.
An organization must apply this “integrated” view across a variety of risk management activities that take on distinct perspectives of risk.
A legal department has its own definition of risk and its own series of mitigation plans, but that legal definition of risk varies drastically from the way IT-related risk is being addressed.
Risk Management Components
Corporate Compliance and Oversight (CCO)
Business Continuity Management (BCM)
Third-party Risk Management / Vendor Risk Management (VRM)
Digital / IT Risk Management (DRM)
Identity Risk Management
Audit Management (AM)
Enterprise Legal Management (ELM)
Risk Management Components
Corporate Compliance and Oversight (CCO)
The job of compliance managers only becomes more complicated as new regulations, like GDPR, come into effect, and organizational compliance requirements (social and environmental responsibility, for example) begin to accumulate. As compliance management scope increases, regulatory compliance and change management become more complicated. There is also an increasing focus on commercial compliance (increasingly required by business partners) and organizational compliance requirements (such as ethics and corporate social responsibility). CCO provides policy development and management, compliance risk assessment, control rationalization, assessment and attestation, regulatory change management and investigative case management.
Strategic question: What is the impact of incidents on my compliance obligations?
Risk Management Components
Business Continuity Management (BCM)
Business continuity management is the practice of coordinating, facilitating and executing activities to identify risks of business disruptions, implement disaster recovery solutions and recovery plans, respond to disruptive events and recover mission-critical business operations. The ability to identify, respond to, and recover from business disruptions is critical to the success of the modern digital business. BCM includes processes such as risk assessment, business impact analysis (BIA), and recovery plan development, exercising and invocation. Critical and enhanced capabilities that address BCM help organizations to initiate BCM programs and improve overall continuity capability.
Strategic question: Does the business impact analysis align with the overall risk
Risk Management Components
Third-party Risk Management / Vendor Risk Management (VRM)
Managing complex vendor supply chains is one of the biggest challenges facing security and risk management leaders today. Recent third-party breaches and new compliance mandates make the issue even more pressing. Vendor risk management programs help organizations manage the risks of third parties with adequate controls for business continuity management, performance, viability, security and data protection. Failure to comply with these mandates can have significant customer- and service-related, audit-related, and, for some industries, regulatory repercussions that can undermine shareholder value and corporate viability. The VRM use case addresses risks to regulatory compliance, information security and vendor performance arising from enterprises' increased use of, and reliance on, service providers and IT vendors. Solutions geared toward this use case have capabilities such as risk assessment, risk monitoring and/or risk rating.
Strategic question: What is the impact on business continuity management or identity access management if the third-party risk for a particular vendor is high?
Risk Management Components
Digital / IT Risk Management (DRM)
The risk associated with new and growing technologies continues to evolve. The Internet of Things (IoT), machine learning, social media, big data, and mobile devices (among many others) disrupt traditional risk management models and present new challenges for enterprise decision makers. DRM technology integrates the management of risks of digital business components, such as cloud, mobile, social and big data, and third-party technologies like artificial intelligence and machine learning, operational technology (OT), and the Internet of Things (IoT).
Strategic question: What is the impact of vulnerability management on IT risk?
Identity Risk Management
IdRM is the set of processes to mitigate the access risk in an organization through the Identity Access Management process (infrastructure for creating, maintaining, and using digital identities). When integrated within the broader technology risk posture of the organization, it will provide substantial improvements in an organization’s ability to measure and mitigate overall enterprise risk.
Risk Management Components
Audit Management (AM)
Auditors independently and objectively evaluate, analyze and assess the effectiveness of an organization's system of internal control, governance processes and risk management capability. The auditors provide assurance, insight and recommendations on operational improvements to the board of directors, senior management and business process owners. Auditors do this through both auditing and consulting activities. The audit management solution market automates internal audit operations, such as audit planning, scheduling, work paper management, time and expense management, reporting, and issue management.
Enterprise Legal Management (ELM)
Enterprise legal management is focused on supporting legal, contracting and compliance departments, corporate secretaries, boards of directors and senior management. ELM provides better documentation, spend management, information availability and collaboration via an integrated set of applications. These applications include matter management, e-billing, financial/spend management, legal document management and business process management.
Trend No. 1: The Spotlight is On
Security breaches threaten C-level jobs and cost organizations millions of dollars, as proven by Equifax and Maersk.
As a result, business leaders and senior stakeholders now focus much more on what is going on in the security department.
Strategic Risk Management (SRM) leaders should capitalize on this increased attention and work closely with business stakeholders to link security strategy with business initiatives.
This is also a perfect opportunity to address skill shortages and increase professional development of the internal security workforce.
“Speak the language of the business and don’t lose yourself in technical terms when you deal with the C-suite.”
Trend No. 2: Regulations Enforce Change
The rise of data breaches forces enterprises to comply with an increasingly complex legal and regulatory environment, including Europe’s General Data Protection Regulation.
Data is both an asset and a potential liability.
Digital business plans must weigh both and seek innovative solutions to lower costs and liabilities.
The message Strategic Risk Management leaders must communicate to CEOs is that data protection has both costs and risk but can also be used as a business differentiator.
Leading organizations are focused on how compliance programs can act as a business enabler.
Trend No. 3: Machine learning becomes the watchdog
By 2025, machine learning (ML) will be a normal part of security practice and will offset some skills and staffing shortfalls.
ML is better at addressing narrow and well-defined problem sets, such as classifying executable files.
We can’t escape the fact that humans and machines complement each other, and together they can outperform each alone.
Machine learning reaches out to humans for assistance to address uncertainty and aids them by presenting relevant information.
Keep in mind that ML requires human assistance; the key question is where that assistance comes from.
Trend No. 4: Concentrations of Digital Power
Digital trust has been consolidated and rests with a few big players — in the form of certificates, domains and email providers — which raises security concerns.
As centralization gives way to monopolies and monocultures, the risk of disruptions and undesirable outcomes increases.
Consequently, we see a rise in efforts to create decentralized alternatives such as blockchain and edge computing, which moves computing resources away from centralized servers. The ultimate goal of these decentralization approaches is to increase availability, security and privacy for users. Security and risk management leaders envisioning constraints on digital business plans as a result of a concentration of resources should:
• Evaluate the security implications of centralization on availability, confidentiality and resiliency on digital business plans.
• Explore an alternative decentralized architecture in digital business planning initiatives where centralization increases the risks to the business goals.
Infonomics
The theory, study and discipline of asserting economic significance to information.
Applies both economic and asset management principles and practice to the valuation, handling and deployment of information assets.
Seven questions legal teams should ask to understand their privacy risk exposure
1) How heavily does our business model depend on the use of high-risk data?
2) Does our business strategy document and subsequently manage potential privacy risks created by that strategy?
3) Are we being as transparent as possible with our customers in communicating how we use their data?
4) How effective are the controls we’ve put in place to manage our privacy risks, especially those in our highest-risk areas?
5) Are we using all possible information sources to understand risk at our organization?
6) How effectively are we monitoring ongoing third-party compliance with our standards?
7) What’s our third-party strategy?
Six Areas of Privacy Risk Response
Processes Organizations Should Implement to Minimize their Risk exposure
• Establish governance and organization — understand key business drivers and obtain senior management support for a robust cybersecurity program; establish roles and responsibilities; agree strategy, develop policies and standards; enable reporting.
• Identify what matters most — map business objectives/products/services to supporting people, processes, technology and data infrastructure, and rank by criticality to your business. This includes the ecosystem/supply chain in which you operate: both third parties who supply you and those that you supply.
• Understand the threats — understand who might want to attack you, why, and how they might carry out an attack; focus your efforts on how to respond to the most likely threats.
• Define your risk appetite — understand what the most likely cyber attacks could cost your business through simplified cyber risk quantification coupled with a cyber risk management framework, which forms part of your overall operational risk management processes; set your risk appetite and reporting mechanisms to ensure you operate within it.
• Focus on education and awareness — establish an education and awareness program, ensuring all employees, contractors and third parties can identify a cyber attack and are aware of the role they play in defending your business.
• Implement basic protections — secure your business at the technology level by deploying basic protections including secure configuration, patch management, firewalls, anti-malware, removable media controls, remote access controls, and encryption; establish a Vulnerability Management (VM) program which manages vulnerabilities from identification through to remediation; establish an effective Identity and Access Management (IAM) program to control access to your information; focus on data protection and privacy (technical and compliance) as well as managing third parties who have access to/control of your data.
Good basic cybersecurity.
Processes Organizations Should Implement to Minimize their Risk exposure
• Be able to detect an attack — establish a security monitoring capability that can detect an attack through monitoring activity at various levels within your business; this could be a basic system whereby an alert is generated and emailed when suspicious activity is detected on a firewall, through to a 24x7x365 Security Operations Center (SOC) monitoring networks, operating systems, applications and end users.
• Be prepared to react — establish a formal cyber incident management team who have been trained in and are following a documented plan, which is tested at least annually.
• Adopt a risk-based approach to resilience — establish recovery plans (including comprehensive backups) for all processes and supporting technologies in line with their criticality to the survival of the business.
• Implement additional automated protections — mature existing capabilities (for example, automate VM and IAM processes using specific technology), in addition to implementing complementary capabilities/technologies such as Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), Web Application Firewalls (WAF) and Data Loss Prevention (DLP) systems.
• Challenge and test regularly — carry out a cyber incident simulation exercise to test your executive management’s ability to manage the response to a significant cyberattack; carry out an initial red team exercise (a planned attack, carried out by professional ethical hackers) to test your technical ability to detect and respond to sophisticated attacks.
• Create a cyber risk management life cycle — reflect on all areas of your cyber risk management program and identify areas for ongoing improvement; repeat risk assessments on a regular basis; consider compliance with relevant regulations.
Good basic cybersecurity.
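The simplest form of the "be able to detect an attack" capability in the first bullet above (an alert generated when suspicious activity is detected on a firewall), as an added Python example that is not part of the slides. It parses constructed firewall log lines, skips lines it cannot parse, and raises one alert per source address that is denied repeatedly across several destination ports within a short window, which is the kind of rule a basic alerting setup would e-mail to an on-call contact before an organization grows into a full SOC. The log format, the addresses (RFC 5737 documentation ranges), the thresholds and the window are all assumptions.

```python
"""Burst-of-denies detector over firewall log lines (added example, not from the slides).

Rule: alert when one source has at least `min_denies` DENY events spanning at
least `min_ports` distinct destination ports inside any `window`. The log
format and thresholds are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log (RFC 5737 test addresses); one line is deliberately malformed.
SAMPLE_LOG = """\
2018-10-11T09:00:01Z ALLOW src=192.0.2.44 dst=10.0.0.5 dport=443 proto=tcp
2018-10-11T09:00:03Z DENY src=203.0.113.7 dst=10.0.0.5 dport=21 proto=tcp
2018-10-11T09:00:04Z DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2018-10-11T09:00:05Z DENY src=198.51.100.9 dst=10.0.0.8 dport=22 proto=tcp
2018-10-11T09:00:06Z DENY src=203.0.113.7 dst=10.0.0.5 dport=23 proto=tcp
2018-10-11T09:00:08Z DENY src=203.0.113.7 dst=10.0.0.5 dport=25 proto=tcp
this line is not in the expected format and is skipped
2018-10-11T09:00:11Z DENY src=203.0.113.7 dst=10.0.0.5 dport=80 proto=tcp
2018-10-11T09:00:12Z ALLOW src=192.0.2.44 dst=10.0.0.5 dport=443 proto=tcp
2018-10-11T09:00:30Z DENY src=203.0.113.7 dst=10.0.0.6 dport=445 proto=tcp
2018-10-11T09:05:00Z DENY src=198.51.100.9 dst=10.0.0.8 dport=22 proto=tcp
""".splitlines()


def parse_events(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def detect_denied_bursts(lines, window=timedelta(seconds=60), min_denies=5, min_ports=3):
    """Return one alert dict per source whose DENY events meet the rule inside a window."""
    by_src = defaultdict(list)
    for ev in parse_events(lines):
        if ev["action"] == "DENY":
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        recent = deque()  # DENY events from this source inside the sliding window
        for ev in sorted(events, key=lambda e: e["ts"]):
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            ports = sorted({e["dport"] for e in recent})
            if len(recent) >= min_denies and len(ports) >= min_ports:
                alerts.append({"src": src, "first_seen": recent[0]["ts"],
                               "triggered_at": ev["ts"], "count": len(recent), "ports": ports})
                break  # one alert per source is enough for a basic e-mailed notification
    return alerts


def format_alert(alert):
    """Render an alert as the one-line message a basic setup would e-mail to the on-call contact."""
    return (f"[FW DENY BURST] src={alert['src']} denies={alert['count']} "
            f"ports={','.join(map(str, alert['ports']))} "
            f"between {alert['first_seen']:%H:%M:%S} and {alert['triggered_at']:%H:%M:%S} UTC")


if __name__ == "__main__":
    for alert in detect_denied_bursts(SAMPLE_LOG):
        print(format_alert(alert))
```

Two sources are denied in the sample, but only 203.0.113.7 trips the rule: 198.51.100.9 is denied twice on one port, minutes apart, so it stays below both thresholds. Tuning those thresholds against normal traffic is the real work; the parse-and-skip step matters because a single unexpected log line should degrade detection, not crash it.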
Processes Capability and Maturity
A clear understanding of process maturity levels and your organization’s current process capabilities and practices will help frame the work
effort and change management required to improve information economics and achieve defensible disposal. The twenty-two information
maturity processes incorporate the way an organization defines demand (what information is needed, why and for how long) and how it
manages supply (what is provisioned, managed, decommissioned, and disposed).
At the highest level of maturity and capability, there is a closed loop between supply and demand, information cost is aligned with its value
over time and risk is limited or removed. More precise and rigorous legal holds and retention as well as consistent, defensible disposal are
designed into processes at maturity level 4.
Level 1 is an ad hoc, manual and unstructured process performed differently by each practitioner. Only the individual practitioner has
access to the process facts or results. These processes are highly unreliable and difficult to audit.
Level 2 is a manual process with some consistency in how it is performed across practitioners within a particular function or department.
Only the department has access to the process facts and results, and often these are embedded in multiple spreadsheets and seldom
accessed. These processes can be more reliable, but still very difficult to audit.
Level 3 is a semi-automated process performed consistently within a department with process facts and results readily accessible to
departmental stakeholders. Stakeholders beyond the department who participate in or are dependent upon the process are not integrated.
These interdepartmental processes are more consistent and can readily be audited. However, audit results may reflect their lack of
intradepartmental collaboration.
Level 4 is an automated and cross-functional process that is performed consistently with inclusion of dependent stakeholders across
multiple departments. Process facts and results are readily available across organizations. These processes have the lowest risk, highest
reliability and are readily and successfully audited.
Third Party Risk Intelligence - Supplier risk review
Third-Party Risk Management Must Go Beyond Assessments
1) Understand where your supplier data is being kept (all the certifications and verifications, licenses, etc.) and identify duplication;
2) Determine which suppliers are your most critical, making sure to involve all the relevant stakeholders. As mentioned above, supplier
management has many more departments involved, so this is highly likely to include multiple business owners with competing goals/needs;
3) Concentrate on the specific risks that are applicable to the products or services provided by those suppliers.
You're only as strong as your weakest third party. Most risk professionals can't easily find their weakest links -
IRM Critical Capabilities
Provides business leaders with effective means of assessing risk and control effectiveness, identifying risk
events, managing remediation efforts, and quantifying the associated risk exposure across the organization.
Risk and Control Documentation/Assessment
Risk statements and the related controls required to mitigate them to an acceptable level must be documented
sufficiently to satisfy a number of key internal and external stakeholders — including regulators, external auditors,
business partners/associates, suppliers, senior executives and board members. Statements and controls must also
provide the basis for performing a comprehensive risk assessment at a strategic, operational and technological level.
Features within this capability include:
• Risk-related content, including a risk framework, taxonomy/library, key risk indicator (KRI) catalog, and legal,
regulatory and organizational compliance requirements
• Risk assessment methodology and calculation capabilities (for example, bow tie risk assessment)
• Policy documentation and control mapping
• Documentation workflow including authoring, versioning and approval
• Business impact analysis/recovery plan documentation
• Audit work paper and testing management
• Third-party control evaluation
• Contract management
Incident Management
Proactive management of risk incidents can lead to a reduction in business impact and inform future risk
mitigation efforts. A record of incidents can be used to inform the risk assessment process and facilitate the
identification of event causes. In addition, IRM solutions can integrate with external systems to identify
potential risk events related to third-party risk profiles and known incidents. Features within this capability
include:
• Incident data capture
• Incident management workflow and reporting
• Root cause analysis
• Crisis management
• Emergency mass notification
• Investigative case management
• Legal matter management
Risk Mitigation Action Planning
When risks are assessed to be beyond defined risk tolerance levels, action plans must be developed to ensure that the
appropriate mitigation steps are taken to meet the risk appetite set by the board of directors or other governance body.
IRM solutions can provide support to risk professionals and business leaders in managing and testing the associated
risk mitigation efforts. Features within this capability include:
• Project management capabilities to track progress on risk-related initiatives, audits or investigations
• Risk control testing capabilities, such as continuous control monitoring
• Control mapping to risks, business processes and technology assets
• Control mapping to legal requirements and compliance mandates
KRI Monitoring/Reporting
To effectively monitor risks across the organization, companies can utilize IRM solutions to aggregate and report a wide
array of risk levels using key risk indicators (KRIs). Features within this capability include:
• Risk scorecard/dashboard capabilities
• External data integration (for example, information security vulnerability assessment data)
• The ability to link KRIs to performance metrics
Risk Quantification and Analytics
Beyond the exercise of assessing risk from a qualitative perspective, companies in many industries (including banking,
insurance and securities) seek to measure risk on a quantitative basis. Some of the quantitative analysis is used to
support capital calculation requirements driven by regulatory mandates, such as Basel III and Solvency II. Other
quantitative analysis methods are used to develop more precise predictive models to determine the potential for
certain operational risk events, such as fraud or theft. As such, the features within this capability include:
• "What if" risk scenario analysis capabilities
• Statistical modeling capabilities (for example, Monte Carlo simulation, value at risk, and Bayesian statistical
inference)
• Predictive analytics
• Capital allocation/calculation
• Fraud detection capabilities
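Two of the listed features, Monte Carlo simulation and value at risk, are easier to reason about with a concrete run. The following is an added example, not code from the presentation or from any IRM product, of the simplest form of a cyber loss-exposure simulation: event frequency per year is modelled as a Poisson count and the loss per event as a lognormal amount (both modelling choices are assumptions, as are the constructed parameter values), and the simulated annual losses yield an annualized loss expectancy, 95th and 99th percentile losses (a value-at-risk style figure), and the probability of exceeding a stated loss tolerance, which is the quantity to compare against the risk appetite set by the board.

```python
"""Monte Carlo annual cyber loss exposure. Added example; frequency and
magnitude distributions and all parameter values are constructed assumptions."""
import math
import random


def poisson_sample(lam, rng):
    """Number of loss events in one year, drawn from Poisson(lam) with Knuth's
    multiplication method (adequate for the small rates used in risk work)."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k = 0
    p = 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(freq_per_year, magnitude_median, magnitude_sigma,
                           years=20000, seed=1):
    """Simulate `years` independent years. Each year has a Poisson number of
    events; each event costs a lognormal amount with the given median and
    log-scale sigma. Returns the list of simulated annual losses."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu = math.log(magnitude_median)  # lognormal median == exp(mu)
    losses = []
    for _ in range(years):
        n = poisson_sample(freq_per_year, rng)
        losses.append(sum(rng.lognormvariate(mu, magnitude_sigma) for _ in range(n)))
    return losses


def percentile(sorted_values, q):
    """Nearest-rank percentile (q in [0, 1]) over an already sorted list."""
    idx = math.ceil(q * len(sorted_values)) - 1
    idx = min(len(sorted_values) - 1, max(0, idx))
    return sorted_values[idx]


def summarize(losses, tolerance):
    """Reduce the simulated annual losses to the figures a risk committee asks for."""
    s = sorted(losses)
    return {
        "ale": sum(s) / len(s),                    # annualized loss expectancy
        "var_95": percentile(s, 0.95),             # loss not exceeded in 95% of years
        "var_99": percentile(s, 0.99),             # loss not exceeded in 99% of years
        "p_exceed_tolerance": sum(1 for x in s if x > tolerance) / len(s),
    }


if __name__ == "__main__":
    # Constructed scenario: ~1.5 incidents a year, median incident cost 80,000,
    # heavy right tail (sigma 1.2), board tolerance of 1,000,000 per year.
    losses = simulate_annual_losses(1.5, 80_000.0, 1.2, seed=2018)
    result = summarize(losses, tolerance=1_000_000.0)
    for key, value in result.items():
        print(f"{key:>20}: {value:,.2f}")
```

The 99th-percentile figure is usually far above the expectancy because of the lognormal tail; that gap, not the average, is what drives capital allocation and insurance decisions, and the exceedance probability is the number to set against the appetite the board has actually stated.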
Driving Compliance
Data & Behavioral Science: A New Approach to Risk Management
The research identifies several trends:
61% said clear guidance regarding laws and regulations is one of their top considerations when
helping employees understand compliance.
57% cited the culture of a country or region as a major obstacle to the implementation of an effective
compliance framework.
66% said requests from government officials are the biggest challenge in asset management.
83% use informal background checks conducted internally to carry out third-party diligence.
Threat Matrix
Sector columns: Financial Services, Retail, Legal, Energy, Healthcare, Tech/Entertainment, Telecom, Gov't/Military, NGOs/Civil Society.

Threat actor                           Sectors targeted (one X per sector)   Capability   Potential impact
China                                  X X X X X X X X                       Tier 6       Catastrophic
Five Eyes*                             X X X X                               Tier 6       Catastrophic
Iran                                   X X X X X                             Tier 4       Moderate/Severe
North Korea                            X X X X X X                           Tier 4**     Severe
Russia                                 X X X X X X X                         Tier 6       Catastrophic
Disruptive/attention-seeking actors    X X                                   Tier 3       Moderate
Cybercriminals                         X X X X X X                           Tier 4       Severe
Hacktivists                            X X X X X X X                         Tier 3       Moderate
Jihadi hackers                         X X X X                               Tier 2       Negligible
FLASHPOINT CAPABILITY SCALE
TIER 1 – The cyber actor(s) possess extremely limited technical capabilities and largely make use of publicly available attack tools and
malware. Sensitive data supposedly leaked by the attackers are often linked back to previous breaches and publicly available data.
TIER 2 – Attackers can develop rudimentary tools and scripts to achieve desired ends in combination with the use of publicly available
resources. They may make use of known vulnerabilities and exploits.
TIER 3 – Actors maintain a moderate degree of technical sophistication and can carry out moderately damaging attacks on target systems
using a combination of custom and publicly available resources. They may be capable of authoring rudimentary custom malware.
TIER 4 – Attackers are part of a larger and well-resourced syndicate with a moderate-to-high level of technical sophistication. The actors
are capable of writing custom tools and malware and can conduct targeted reconnaissance and staging prior to conducting attack
campaigns. Tier 4 attackers and above will attempt to make use of publicly available tools prior to deploying more sophisticated and
valuable toolkits.
TIER 5 – Actors are part of a larger and well-resourced organization with high levels of technical capabilities such as those exhibited by
Tier 4 actor sets. In addition, Tier 5 actors have the capability of introducing vulnerabilities in target products and systems, or the supply
chain, to facilitate subsequent exploitation.
TIER 6 – Nation-state supported actors possessing the highest levels of technical sophistication, reserved for only a select set of countries.
The actors can engage in full-spectrum operations, utilizing the breadth of capabilities available in cyber operations in concert with other
elements of state power, including conventional military force and foreign intelligence services with global reach.

FLASHPOINT POTENTIAL IMPACT SCALE
NEGLIGIBLE – Damage from these attacks is highly unlikely or is unable to adversely affect the targeted systems and infrastructure. Such
incidents may result in minor reputational damage. Sensitive systems and data remain intact, confidential, and available.
LOW – Attacks have the capacity to disrupt some non-critical business functions, and the impact is likely intermittent and non-uniform
across the user base. User data and sensitive information remain protected.
MODERATE – Attacks have the potential to disrupt some core business functions, although the impact may be intermittent and non-uniform
across the user base. Critical assets and infrastructure remain functional, even if they suffer from moderate disruption. Some non-sensitive
data may be exposed. Actors at this level might also expose sensitive data.
SEVERE – Cyber-attacks at this level have the capacity to disrupt regular business operations and governmental functions severely. Such
incidents may result in the temporary outage of critical services and the compromise of sensitive data.
CATASTROPHIC – Kinetic and cyber-attacks conducted by the threat actor(s) have the potential to cause complete paralysis and/or
destruction of critical systems and infrastructure. Such attacks have the capacity to result in significant destruction of property and/or loss
of life. Under such circumstances, regular business operations and/or government functions cease and data confidentiality, integrity, and
availability are completely compromised for extended periods.
Discussion – Future Technology Opportunities
Thank you!
Thomas Doty, JD, LLM
Director, Intellectual Asset Protection
NuStrategies, LLC