Global security personal devices and corporate data


From Snowden to Snapchat, data privacy is a hot topic. Partner Todd Daubert explores the global data landscape, keys to protecting company data, privacy laws around the globe among other of-the-moment issues. He also looks at the EU Data Protection Directive and UK Data Protection Act, international data transfers, employment issues and security in the cloud.


Transcript

  • 1. Global Security: Personal Devices and Corporate Data CLE Seminar for In-House Counsel June 24, 2014 St. Louis, MO Todd Daubert Partner, Washington, DC Dentons +1 202 408 6458 todd.daubert@dentons.com
  • 2. Prologue • http://www.youtube.com/watch?v=F7pYHN9iC9I 2
  • 3. In the news… 3
  • 4. Brands in the Headlines FTC hits Google with $22.5 million fine for Safari tracking 4
  • 5. Global Data Landscape - Data Creation • More data from more places • Integration of digital into everyday life leaves interaction data residue • Better, cheaper, smaller sensors integrated into more things • Internet of things combines continuous data collection and communication with machine-driven decision making • Metadata (data about data) provides additional information and context 5
  • 6. Global Data Landscape - Data Use 6 • Mobile devices becoming increasingly relied upon • Increasing Pressure for Bring Your Own Device (“BYOD”) Policies • Data and services increasingly moving to the “Cloud” • Access to the cloud is increasingly available through mobile devices • Demand for data and services everywhere all the time • Increased use of vendors and third parties for digital services • Sourced from around the world • Pressure growing to limit locations of vendors.
  • 7. Global Data Landscape - Threats 7 • Static defenses – like anti-virus and firewalls – seem to be losing ground • "Antivirus is dead" - Brian Dye, Symantec SVP for Information Security • http://online.wsj.com/news/article_email/SB10001424052702303417104579542140235850578-lMyQjAxMTA0MDAwNTEwNDUyWj • Advanced persistent threats are unique, targeted and sophisticated • Threats are varied in motivation, technique, targets and geography • Manipulation of employees – social engineering – and errors (or crimes) by employees are still the most common means of obtaining unauthorized access to data
  • 8. Global Data Landscape – Motivations Behind Attacks 8 Source: Hackmageddon.com
  • 9. Global Data Landscape – Attack Techniques 9 Source: Hackmageddon.com
  • 10. Global Data Landscape – Targets 10 Source: Hackmageddon.com
  • 11. Global Data Landscape – Location of Threats 11 Source: Hackmageddon.com
  • 12. Keys to Protecting Company Data 12 • Identify the relevant risks • Risk Assessments (technical and legal) • Data Classification • Accept that security is not a destination, but rather a never-ending process of adapting to changing risks • Appreciate that security is not just IT's job • All stakeholders must commit to securing critical data and be accountable • Understand that good governance is key to success • Vendor management • Incident response • Continuous monitoring
  • 13. What is the Relevance of Data Privacy? • Personal data is all about people and underpins most business processes. It can directly impact the value of a business • Data privacy compliance goes directly to: • Brand reputation • Commercial differentiation • Share price and profit (e.g. Sony) • Security is essential for privacy • Difficult to talk about one without talking about the other • Regulators are paying more attention to privacy and security • EU and other supervisory authorities (such as Information Commissioner’s Office) • US regulators at the federal and state level 13
  • 14. Enforcement of Privacy Laws Is a Global Priority 14 • Global enforcement is high priority • Blackshades bust involved 19 countries and more than 90 arrests globally. • http://www.fbi.gov/news/stories/2014/may/international-blackshades-malware-takedown/international-blackshades-malware-takedown • But still difficult to enforce laws across borders • Justice Department just indicted 5 members of the Chinese military on hacking charges. • Same individuals from Unit 61398 identified in Mandiant APT-1 report • China blasted charges. No extradition treaty with China so unlikely to get traction. • http://www.washingtonpost.com/world/national-security/us-to-announce-first-criminal-charges-against-foreign-country-for-cyberspying/2014/05/19/586c9992-df45-11e3-810f-764fe508b82d_story.html
  • 15. But Global Perspectives on Privacy Vary Greatly 15 • US generally holds free speech above privacy and only specifically protects privacy in particular situations • Results in patchwork solutions and no general privacy right • Privacy based largely on reasonable expectations • EU protects privacy as independent and fundamental human right equal to or greater than that of free speech • Moral view of privacy • Supports general, broad rights • General privacy right that, from a US perspective, sometimes trumps common sense and practicality • Highly regulatory approach to Privacy • Data privacy regulation in Asia, Central America and South America generally is less mature, and the approaches to privacy are mixed
  • 16. Society in the US, as Reflected in the Law, Has Traditionally Focused on Expectations of Privacy 16
  • 17. US Traditions Have Heavily Influenced Our Views of the Appropriate Use of Technologies 17
  • 18. The US Approach to Privacy • The right to privacy was judicially created under other Constitutional rights • No explicit right to privacy in Constitution • “Zones of Privacy” under penumbra of 1st, 3rd, 4th, 5th and 9th Amendments • Regulation reflects a selective sector-based approach • Healthcare • Finance • Children • Free speech almost always trumps privacy • Emerging regulatory measures include the White House Consumer Bill of Rights, the FTC Multi-Stakeholder Process, and potential cyber security legislation 18
  • 19. The European Approach to Privacy • In the European Union, privacy is a fundamental human right • Embodied in Article 8 of European Convention on Human Rights • Comprehensive Approach • Privacy Right Equal to Free Speech • Considered a Moral Issue 19
  • 20. The Canadian Approach to Privacy • Privacy is not part of Constitution, but broad statutory approach is taken • National Law (PIPEDA) governs collection, use, and disclosure of personal information. • Similar provincial laws also apply • Individuals have rights similar to those in Europe • Accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; challenging compliance • Sector-specific legislation such as the federal Bank Act further covers certain sensitive information 20
  • 21. The Asia-Pacific Approach to Privacy • Multiple International Frameworks • APEC: Asia-Pacific Economic Cooperation • ASEAN: Association of Southeast Asian Nations • APPA: Asia Pacific Privacy Authorities • National Legislation: Mix of broad EU-style and US-style approaches • New Chinese regulations – somewhere between US and EU • Hong Kong, New Zealand, Japan and Australia have comprehensive privacy laws • Korea’s laws regulate only certain industries • Taiwan’s law regulates computer-processed data 21
  • 22. EU Data Protection Regulation The UK Example 22
  • 23. UK Legal Background EU Data Protection Directive 1995 UK ICO: Christopher Graham www.ico.gov.uk Similar arrangements apply in each of the 28 member states in the EU. UK Data Protection Act 1998 23
  • 24. When does the UK Data Protection Act Apply? • The Data Protection Act (DPA) applies when there is: • processing • of personal data • by a data controller • established in the UK (in the context of that establishment) or (where the data controller is established outside of the EEA) using equipment in the UK. 24
  • 25. Personal Data • Personal data means data which relate to an identifiable living individual • Personal data includes records stored electronically and in a physical filing system • Examples: name, address, date of birth 25
  • 26. Sensitive Personal Data • Stricter rules apply for sensitive personal data • Sensitive personal data includes health data, criminal charges and convictions, racial or ethnic origin, sexual life, trade union records, religious and political beliefs • Possible sources: • HR Data • Background checks • Casting questionnaires • Contest entries (“Tell us about yourself”) • Requirements: • Explicit consent 26
  • 27. Data Controllers and Data Processors • Data Controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are to be processed • Data Processor: Any person (other than an employee of the data controller) who processes data on behalf of the data controller • [Diagram: Data Subject, Data Controller, Data Processor] 27
  • 28. What Happens if the UK Data Protection Act Applies? • Compliance with the 8 Data Protection Principles is mandatory • The Rights of Data Subjects must be respected • Take the consequences if you fail to comply 28
  • 29. Data Protection Principles 1. Personal data must be processed transparently and lawfully 2. Personal data must only be used for specified purposes 3. Ensure that personal data is adequate, relevant and not excessive 4. Ensure that personal data is accurate and, where necessary, kept up to date 5. Personal data must not be retained for longer than necessary 6. Personal data must be processed in accordance with the data subject’s rights 7. Personal data must be kept securely 8. Personal data must not be transferred to any other country without adequate protection 29
  • 30. The Eighth Data Protection Principle • The Law: Principle 8 of the Data Protection Act 1998 says: • Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of data protection • Solutions include model contracts, Binding Corporate Rules and consent of users 30
  • 31. What happens if you get it wrong? • Privacy and consumer watchdogs can fine you • The Information Commissioner can: • issue fines of up to £500,000 • issue an information notice • issue an enforcement notice • seek to bring criminal proceedings • Compensation • Bad publicity and reputational harm • Personal liability for individuals who violate the rules 31
  • 32. Headline Changes Proposed for EU Data Regulation • "One Stop Shop" for DP regulatory supervision (?) • New extra-territorial scope: for non EU-based organisations • Narrower gateway conditions: e.g. "legitimate interests" • Privacy compliance program: policies, procedures, privacy impact assessments and audits • Privacy by design, e.g. designing a new business process or procuring a new IT system with "privacy baked in". • Breach Notification to be legal duty (24 hours?) • Appointing a DPO • New risk for data processors • Fines (2%-5% of worldwide turnover) • Deadline: Now end 2014 with 2 year transition period 32
  • 33. Data Privacy and Security for Businesses • Key points for businesses • Protecting reputation and business interests • Securing data transfers • Managing personnel and employment issues • Securing industrial systems • Pragmatism and preparation are crucial • The best plans are useless if business is unable or unwilling to implement or follow them • Not a question of whether an attack or accident will happen, but rather a question of when 33
  • 34. Business Risks Are as Important as Compliance • The risk to reputation and business interests often outweighs the risk of regulatory fines • This may change with proposed EU regulations • A simplified global compliance plan can reduce costs, improve adoption of innovations • Requires focused and strategic consideration of multinational compliance issues • Development of flexible framework can address today’s requirements and adapt to future changes 34
  • 35. Business Risks – Issue Spotting • Make sure your privacy policies and disclosures to consumers and employees match actual practice • Regulations are becoming more stringent • Build new systems with forward-looking approach to privacy • Avoid collection of unnecessary data • Take data security seriously, including independent audits and continuous risk management • Data security is not just a check-box • Data privacy officers with independence and authority are critical to ensuring compliance obligations are met 35
  • 36. Challenges to Harmonization of Approaches • “One size fits all” approach may not be possible or desirable • Example: • UK requires detailed notice of how employees can be monitored that is not required in the US • US locations formally adopting “global” policy but informally ignoring it could result in liability exposure • Single framework adaptable to local circumstances • Typically a simpler and more manageable strategy than piecemeal approaches 36
  • 37. Business Risks – Watch for PII • Despite the fragmented regulatory approaches, most regulatory regimes focus on PII or “personally identifiable information” (but may use a different term) • The Federal OMB has defined PII as “Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” • California has defined “personal information” as an “individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.” 37
  • 38. Business Risks – Data Transfers • Many jurisdictions impose specific requirements before data from their jurisdiction can be transferred to another jurisdiction • Check applicable restrictions before implementing cloud solutions or permitting data to be transferred from one country to a server in another country • Take caution when transferring data to vendors or other third parties to ensure that you are not violating any restrictions imposed by law or contract, and that the transfer is consistent with your privacy policy • Transferees must be bound by appropriate protections so that they do not cause you to violate any obligations by their actions 38
  • 39. International Data Transfers Asia Pacific Europe USA 39
  • 40. EU to US Data Sharing Choices • EU/US safe harbors • Self-certification that privacy protections are in place and adhered to • Model clauses for data protection • Contractual provisions that ensure processors and sub-processors maintain privacy protections • Binding corporate rules • Allow multinational companies to make intra-organizational transfers in compliance with EU law 40
  • 41. EU-US Data Transfer Frameworks: Safe Harbor Certification 41 • Safe Harbor Certification • Company attestation that it follows certain privacy principles • Requires internal or external assessment of governance and independent recourse mechanism (e.g., DPAs, TRUSTe) • Requires annual re-certification • Covers only receipt and processing of personal data; entities disclosed to must be independently permitted under EU framework • Broader coverage of personal data - do not have to specifically designate what data is included
  • 42. EU-US Data Transfer Frameworks: Model Contracts 42 • Model Contracts • Agreement between two defined parties • Covers specific data designated at execution, additional types of data requires amendment • Two types: Controller-controller and controller-processor. • Can include disclosures and receipt as described in contract. • No specific internal governance requirements, though compliance with contract terms implies certain governance
  • 43. EU-US Data Transfer Frameworks: Binding Corporate Rules 43 • Binding Corporate Rules • Bigger process, more involved, more expensive • Provides broader flexibility to use EU personal data
  • 44. Data Privacy and Security – Data Breaches in the US • Notification requirements in at least 46 states • Triggered when “Personal Information” compromised • Personal information is generally a name combined with financial, health, or other nonpublic information • Different definitions and triggers for each state • Most states allow reasonable time to notify customers • Some require prompt notification of state officials • Critical takeaways • Breach notification is complex • Understand your data, what could trigger notification, and create a breach response plan 44
  • 45. Managing Personnel and Employment Issues • Employee Data • Personal Information • Health-Related Information • Employee Monitoring • Mixing of business/personal communications • Policies/terms of employment • Mobile Devices • “BYOD” - Bring your own device • Location tracking 45
  • 46. Employee Vulnerability • YOU ARE THE WEAKEST LINK • Studies consistently show that majority of data breaches can be traced back to employees • Lost or stolen laptop • Credentials disclosed through phishing or social engineering attacks 46
  • 47. What is “phishing”? • A computing scam where the perpetrators try to get sensitive personal information by sending users to fake, but legitimate looking websites. • Often starts with a legitimate looking email asking the recipient to re-enter his or her login credentials, banking information, home address and phone number, credit card numbers, or other information that can be used to access accounts or computer systems. 47
  • 48. Employee Vulnerability - Phishing Target breach likely started with a phishing email to one of Target’s contractors. 48
  • 49. Phishing – Email 49 No name or eBay username Is not clearly taking you to ebay.com
  • 50. Phishing - Online 50
  • 51. What is “Social Engineering”? • Using human interaction (social skills) to manipulate individuals into performing actions or divulging confidential information • Exploits human nature 51
  • 52. Social Engineering Notorious hacker Kevin Mitnick Comments from his book The Art of Deception: • “people inherently want to be helpful and therefore are easily duped” • “They assume a level of trust in order to avoid conflict” • In more than half of his successful network exploits he gained information through social engineering. 52
  • 53. Employee Vulnerabilities – Lost and Stolen Laptops • One laptop is stolen every 53 seconds (Gartner) • 97% of stolen laptops and computers are never recovered (FBI) • Nearly 12,000 laptops are lost or go missing at U.S. airports every week (Dell, Ponemon Institute) • 65-70% of lost laptops are never reclaimed (Dell, Ponemon Institute) • 53% of business travelers carry sensitive corporate information in their laptops (Dell, Ponemon Institute) 53
  • 54. Laptop Encryption 54 • Under UK regulatory guidance and in many states in the US, a company that has encrypted all content on laptops and mobile devices would not be required to notify regulators or individuals whose data was stored on a stolen laptop or mobile device. • HOWEVER, management and employees must take responsibility for ensuring the security of laptops and mobile devices, as well as the data residing on them.
  • 55. Any Questions? 55
  • 56. © 2014 Dentons Dentons is an international legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices. Thank you! Todd Daubert Dentons US LLP 1301 K Street, N.W. Suite 600, East Tower Washington, DC 20005
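Slides 47 to 49 describe the two tells of the eBay-style phishing email: no name or account username in the greeting, and a link that is not clearly taking you to ebay.com. The script below is an added example, not part of the seminar deck; it runs those two checks (plus a sender-domain check) over a constructed sample message, and the sample text, the generic-greeting list and the function names are assumptions of this example, not anything from the slides.

```python
"""Checks for the phishing tells the slides point out: no name or account
username in the greeting, and a link that is not clearly taking you to
ebay.com. Detection logic only; the sample message below is constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
From: "eBay Security" <security@ebay-account-verify.example>
To: customer@example.org
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<p>Dear valued customer,</p>
<p>Please <a href="http://ebay.com.signin-verify.example/update">sign in
to ebay.com</a> to restore access.</p>
"""

GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")


def host_belongs_to(url_or_host: str, domain: str) -> bool:
    """True only if the host is `domain` or a subdomain of it. A host that merely
    starts with the brand, like ebay.com.signin-verify.example, does not count."""
    host = urlparse(url_or_host).hostname if "://" in url_or_host else url_or_host
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


class _BodyCollector(HTMLParser):
    """Gather the visible text and the (href, link text) pairs of an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._buf).split())))
            self._href = None


def phishing_indicators(raw_email: str, brand_domain: str = "ebay.com") -> list:
    """Return the tells found in the message; an empty list means none found."""
    msg = message_from_string(raw_email)
    found = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not host_belongs_to(sender.rpartition("@")[2], brand_domain):
        found.append(f"sender {sender} is not under {brand_domain}")
    parser = _BodyCollector()
    for part in msg.walk():  # walk() yields a single-part message itself
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    text = " ".join("".join(parser.text).split()).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic greeting: no name or account username")
    for href, label in parser.links:
        if href and not host_belongs_to(href, brand_domain):
            found.append(f"link '{label}' goes to {urlparse(href).hostname}, not {brand_domain}")
    return found
```

Calling `phishing_indicators(SAMPLE_EMAIL)` reports three tells for the sample: an off-brand sender, the generic greeting, and a link whose host only looks like ebay.com.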