Data Security Regulatory Landscape - Presentation Transcript
Before we begin: if you learn what's in this presentation you will ...
- ... spend LESS time preparing for tests (IAPP, CISA, CGEIT, etc.)
- ... have interesting material to impress your friends
- Learn the difference between real risk and just plain fun
- Get a keener perspective of Operational Risk, which is Risk without Reward
Let's get started!
Sources
- Achieving Data Privacy in the Enterprise, Safenet, Derek Tumulak, April 8, 2010
- Regulatory Information Architecture, Steven Alder, IBM, 2010
- The source of much of my research, Sue Hammer, IBM, 2010
- California Data Privacy Laws: Is Compliance Good Enough?, Lumension, Chris Merritt, May 2010
- Privacy Law & Financial Advisors, Proskauer, Brendon M. Tavelli, Nov 20, 2009
- Medical Records on the Run: Protecting Patient Data with Device Control and Encryption, Sept 2009
- 2010 Data Breach Report, Verizon
- Five Countries: Cost of Data Breach, sponsored by PGP Corporation, Dr. Larry Ponemon, April 19, 2010
- How secure is your confidential data?, by Alastair MacWillson, Accenture
- The Leaking Vault, Five Years of Data Breaches, Suzanne Widup, Digital Forensics, July 2010
- Top 10 Big Brother Companies: Ranking the Worst Consumer Privacy Infringers, Focus Editors
- First Annual Cost of Cyber Crime Study, Ponemon, July 2010
- States failing to secure personal data, by Kavan Peterson, Stateline.org
- National Archives & Records Administration in Washington
- 2010 Annual Identity Protection Services Scorecard, Javelin Strategy & Research
- A New Era of Compliance - Raising the Bar for Organizations Worldwide, RSA, Oct 12, 2010
- Evolve or Die, Bunger & Robertson, 2010
- Compliance With Clouds: Caveat Emptor, by Chenxi Wang, Ph.D., August 26, 2010
- Obscured by Clouds, Ross Cooney, 2010
- Digital Trust in the Cloud, Liquid Security in Cloudy Places, CSC, 2010
- Making Data Governance as simple as possible, but not simpler, Dalton Servo
DISCLAIMER: Let me be crystal clear, Brian is NOT a lawyer.
DISCLAIMER: My FOCUS is on the globe but US centric. (You are here.)
What's Inside? Erosion in Trust: Industry, Customer, Regulator, Futures
Business is concerned with RISK. Risk from Regulation, Organized Crime, Reduced Staffing, Sloppy Performance, Lack of Training, New Technologies, and even ... Clients/Customers ... is creating an EROSION in TRUST!
Top Business Concern (Financial Times)
New Motivations (E&Y 2010)
Geography Implications (The Economist Intelligence Unit)
Loss of data is one of the biggest regulator concerns. Loss, theft, mistakes, under-protected, ... a Breach of Trust – over 500,000,000 U.S. records since 2005.
- 90% from external sources
- 48% insider help
- 85% from organized criminals
- 94% targeted financial data or sector
- 98% of records stolen produced by hack
- 96% of Trojans found were "Crimeware-as-a-Service"
We can do better
- 96% avoidable by simple controls
- 86% had evidence in log files
- 66% on devices NOT aware contain SPI
- 5% loss to shareholders after breach
- 43% higher breach cost in U.S.
Financial Service providers have a 39% confidence factor for their ability to protect your data from Insider Threats vs. 71% for External Threats. (Deloitte – 2010 Financial Services Global Security Study – the faceless threat)
A reputation is easy to lose, not so easy to recover
- 60% of companies that lose their data will shut down within 6 months of the disaster.
- 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster.
- 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately.
What can business do?
- Restrict and monitor privileged users
- Watch for Minor Policy Violations
- Implement Measures to Thwart Stolen Credentials
- Monitor and Filter Outbound Traffic
- Change Your Approach to Event Monitoring and Log Analysis
- Share Incident Information
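The measures above are the slide's list; as an added example that is not part of the presentation, the following Python script shows what three of them (monitoring privileged users, catching minor policy violations, spotting stolen-credential use and large outbound transfers) look like as concrete checks over a handful of log lines. The log format, the account and host names, the business-hours policy and the thresholds are all constructed assumptions for illustration, not values from any of the cited studies.

```python
"""Added example (not from the presentation): turn three of the slide's
recommended controls into checks run over constructed log lines.
Format, names, policy hours and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp user host action detail..."
SAMPLE_LOG = """\
2010-11-02T09:12:00 alice ws-101 login ok
2010-11-02T02:14:00 dba_admin ws-233 login ok
2010-11-02T10:01:00 bob ws-104 login fail
2010-11-02T10:01:20 bob ws-104 login fail
2010-11-02T10:01:40 bob ws-104 login fail
2010-11-02T10:02:10 bob ws-104 login ok
2010-11-02T11:30:00 alice ws-101 upload 120000 files.example.net
2010-11-02T23:45:00 bob ws-104 upload 950000000 drop.example.org
""".splitlines()

PRIVILEGED = {"dba_admin", "root_ops"}   # assumed list of privileged accounts
ADMIN_HOSTS = {"jump-01"}                 # assumed hosts privileged logins may come from
BUSINESS_HOURS = range(7, 20)             # assumed policy: 07:00 to 19:59
FAIL_THRESHOLD = 3                        # failures before a success is suspicious
OUTBOUND_BYTES_THRESHOLD = 500_000_000    # assumed per-transfer review limit

LINE = re.compile(r"(\S+) (\S+) (\S+) (\S+)(?: (.*))?")


def parse(line):
    """Split one constructed log line into its fields."""
    ts, user, host, action, rest = LINE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action, "rest": (rest or "").split()}


def review(lines):
    """Return (finding, user, detail) tuples in log order.

    privileged-policy   : privileged login off an admin host or out of hours
    credential-guessing : a run of failures followed by a success
    large-outbound      : an upload at or above the byte threshold
    """
    findings = []
    fails = defaultdict(int)  # (user, host) -> consecutive failed logins
    for ev in map(parse, lines):
        key = (ev["user"], ev["host"])
        if ev["action"] == "login":
            if ev["user"] in PRIVILEGED and (
                    ev["host"] not in ADMIN_HOSTS
                    or ev["ts"].hour not in BUSINESS_HOURS):
                findings.append(("privileged-policy", ev["user"],
                                 ev["ts"].isoformat()))
            if ev["rest"] == ["fail"]:
                fails[key] += 1
            else:
                if fails[key] >= FAIL_THRESHOLD:
                    findings.append(("credential-guessing", ev["user"],
                                     ev["ts"].isoformat()))
                fails[key] = 0
        elif ev["action"] == "upload":
            size, dest = int(ev["rest"][0]), ev["rest"][1]
            if size >= OUTBOUND_BYTES_THRESHOLD:
                findings.append(("large-outbound", ev["user"], dest))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Each check is deliberately simple and tied to a written policy (who may use a privileged account, from where, when; how much may leave the network per transfer), which is the point of the "evidence in log files" statistic: the signal is usually already present, and what is missing is a stated rule to compare it against and someone who reads the result.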
What is the Customer's view? ... what is causing this Erosion of Trust?
Identity Theft: #1 Consumer Complaint - FTC
- 10M victims in the U.S.
- $5K loss per business, $50B total
- $500 loss per victim, $5B total
- 30 hours to recovery, 297M hours
(all numbers are approximate or rounded up)
What's on your mind?
Riskiest places for SSN#
- Universities and colleges
- Banking and financial institutions
- Hospitals
- State governments
- Local government
- Federal government
- Medical (supply) businesses
- Non-profit organizations
- Technology companies
- Health insurers and medical offices
(Symantec – Nov, 2010)
- 45% of businesses disagree to customer data control
- 47% of businesses disagree the customer has a right to control
- 50% of businesses did not see need to limit distribution of PII
- >50% of customers believe they have a right to control their data
Trust Me – I'm lying?
1. There is a notable difference between organizations' intentions regarding data privacy and how they actually protect it.
North Carolina attempting to get 50M records from Amazon on citizens
(Slide axis: Diverse <-> Deliberate)
Accountability – who is looking out for me?
2. A majority (58%) of companies have lost sensitive personal information... Insider involved in over 48% of data breaches
3. Regulatory compliance – no confidence they can keep pace. Many organizations believe complying with existing regulations is sufficient to protect their data.
What do these companies have in common?
[1] Top 10 Big Brother Companies: Ranking the Worst Consumer Privacy Infringers, Focus Editors
- 48% of breaches caused by insiders
- 48% involved privileged misuse
- 61% were discovered by a 3rd party
Third parties – you sent my data to who?
4. Companies should be careful about the company they keep. It is crucial they understand the perspective on and approach to data protection and privacy taken by their third-party partners.
5. Culture: Companies that exhibit a “culture of caring” with respect to data protection and privacy are far less likely to experience security breaches.
How to reverse the spin?
- Build a Data Protection and Privacy Strategy
- Assign ownership
- Develop comprehensive governance program
- Evaluate data protection and privacy technologies
- Build a culture
- Reexamine investments
- Choose business partners with care
You own some of this – Giving away your PRIVACY: Google, Social networking, RFID tags/loyalty cards, The Patriot Act, GPS, The Kindle
Privacy: Which comes 1st? Breach Notification or Data Protection?
Protect the consumer. Punish the breach. Promote compliance. If the Carrot isn't working, it's time to ....
U.S. Breach Notification Laws: 46 States, the District of Columbia, Puerto Rico and the Virgin Islands. States with no security breach law: Alabama, Kentucky, New Mexico, and South Dakota. http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx
Data Breach Laws go Global
The carrot is now... avoid the paddle! (NERC - North American Electric Reliability Corporation)
Current Regulator Take – Focus: Reasonable Measures, Risk Based, Breach Prevention; Approach: Data Centric
Do the Regulators have to follow Regulations?
The “Rules” of Rulemaking – Kings have rules. Regulatory agencies create regulations according to rules and processes defined by another law known as the Administrative Procedure Act (APA). The APA defines a "rule" or "regulation" as “[T]he whole or a part of an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy or describing the organization, procedure, or practice requirements of an agency.” The APA defines “rulemaking” as “[A]gency action which regulates the future conduct of either groups of persons or a single person; it is essentially legislative in nature, not only because it operates in the future but because it is primarily concerned with policy considerations.” Under the APA, the agencies must publish all proposed new regulations in the Federal Register at least 30 days before they take effect, and they must provide a way for interested parties to comment, offer amendments, or object to the regulation. Once a regulation takes effect, it becomes a "final rule" and is printed in the Federal Register and the Code of Federal Regulations (CFR), and is usually posted on the Web site of the regulatory agency. (Photo: (c) Tomo.Yun, www.yunphoto.net/en/)
What should be our Focus?
- Establish an enterprise controls framework
- Set/adjust threshold for controls for "reasonable and appropriate" security
- Streamline and automate compliance processes (GRC)
- Fortify third-party risk management
- Unify the compliance and business agendas
- Educate and influence regulators and standards bodies
So ... Regulators: Where are they headed? What's their next target?
Current ... and foreseeable future Regulator Take (Redux) – Focus: Reasonable Measures, Risk Based, Breach Prevention; Approach: Data Centric
Privacy or data protection concerns make Clouds risky for Regulated data
- Lack of Visibility
- Who do you trust?
- Security & Compliance Risk
- Requires Risk Based Analysis
(FedRAMP - Proposed Security Assessment and Authorization for U.S. Government Cloud Computing, Nov 2, 2010)
More Regulator Activity & more to Come
- 45 states have enacted anti-bullying laws - http://www.bullypolice.org/ Without: Hawaii, South Dakota, Michigan, New York, Montana, North Dakota and Missouri
- Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) issued guidance on use of social media sites
- UK Advertising Standards Authority (ASA) issued guidance on social media marketing
- Federal Trade Commission (FTC), Final Guides governing social media endorsements
- Maryland leads the way in social media campaign regulations
- CA – Fair Political Practices Commission (FPPC), “regulate the same as traditional media”
Future Regulatory Focus
- Amateur Data Controllers
- Right to not be over-regulated
- Right to demand co-operation
- Privacy Policies
- Right to be better informed
- Right to be forgotten
- Right to have policies monitored
- Right to Data Portability
- End of online anonymity
- Processing of data by 3rd parties
- Duties for data controllers
- Behavioral advertising
- Right to opt-in vs. have to opt-out
- The rights of minors
Where is this all headed? For us? For our clients?
Manage (Govern) the Data
What is Data Governance?
- An operating discipline for managing data and information as a key enterprise asset
- Organization, processes and tools for establishing and exercising decision rights regarding valuation and management of data
Elements of data governance:
- Decision making authority
- Compliance
- Policies and standards
- Data inventories
- Full life-cycle management
- Content management
- Records management, preservation and disposal
- Data quality
- Data classification
- Data security and access
- Data risk management
- Data valuation
Where does (Data Governance) fit?
Data Governance is the weakest link
Why is Data Governance important?
- Regulator shift: OLD – Rule Based; NEW – Principles Based
- UK Financial Services Authority (FSA) has proposed a “Data Accuracy Scorecard”
- Regulators will punish inadequate Data Governance
- Breach Notification laws create demand to govern data
Ensure that the Right People have the Right Access to the Right Data, Doing the Right Things Efficiently and Productively – Restore Trust
Future Bottom Line: Regulations will be MORE Prescriptive, Prohibitive & Penalizing
BACKUP – this is backup
Laws & Regulations
• Data Protection Act
• Gambling Act 2005
• Protection from Harassment Act 1997
• Racial, sexual and age discrimination legislation
• Obscenity Publications Act 1959 – “…obscene if it is intended to corrupt or deprave persons exposed to it”
Laws & Regulations
• The Terrorism Acts 2000 & 2006
• Money Laundering Regulations
• CAP Codes & the ASA
• Transparency and Honesty
• Careful with trans-national campaigns
• Consumer Protection from Unfair Commercial Practices Regulations 2008 (CPRs)
• Contempt of Court
High-level International Overview
• New Basel Capital Accord (Basel-II)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Society for Worldwide Interbank Funds Transfer (SWIFT)
• Personal Information Protection Act (PIPA) – Canada
• Personal Information and Electronic Documents Act (PIPEDA) – Canada
• Personal Information Privacy Act (JPIPA) – Japan
• SafeSecure ISP – Japan
• Federal Consumer Protection Code, E-Commerce Act – Mexico
• Privacy and Electronic Communications (EC Directive) Regulations 2003
• Directive 95/46/EC, Directive on Privacy and Electronic Communications – European Union
• Central Information System Security Division (DCSSI) Encryption – France
• Federal Data Protection Act (FDPA - Bundesdatenschutzgesetz - BDSG) of 2001 – Germany
• Privacy Protection Act (PPA) of Schleswig-Holstein of 2000 – Germany
• US Department of Commerce “Safe Harbor”
Relevant Laws and Regulations
• Sarbanes-Oxley Act
• PCAOB Rel. 2004-001 Audit Section
• SAS94
• Fair Credit Reporting Act (FCRA)
• AICPA Suitability Trust Services Criteria
• SEC CFR 17: 240.15d-15 Controls and Procedures
• NASD/NYSE 240.17Ad-7 Transfer Agent Record Retention
• GLBA (15 USC Sec 6801-6809) 16 CFR 314
• Appendix: 12 CFR 30, 208, 225, 364 & 570
• Federal Financial Institutions Examination Council (FFIEC) Information Security
• FFIEC Business Continuity Planning
• FFIEC Audit
• FFIEC Operations
• Health Insurance Portability and Accountability Act (HIPAA) § 164
• 21 CFR Part 11 – FDA Regulation of Electronic Records and Electronic Signatures
• Payment Card Industry Data Security Standard (PCI-DSS)
• Federal Trade Commission (FTC)
• CC1798 (SB1386)
• Federal Information Security Management Act (FISMA)
• USA PATRIOT
• Community Choice Aggregation (CCA)
• Federal Information System Controls Audit Manual (FISCAM)
• General Accounting Office (GAO)
• FDA 510(k)
• Federal Energy Regulatory Commission (FERC)
• Nuclear Regulatory Commission (NRC) 10CFR Part 95
• Critical Energy Infrastructure Information (CEII)
• Communications Assistance for Law Enforcement Act (CALEA)
• Digital Millennium Copyright Act (DMCA)
• Business Software Alliance (BSA)
• New Basel Capital Accord (Basel-II)
• Customs-Trade Partnership Against Terrorism (C-TPAT)
• Video Privacy Protection Act of 1988 (codified at 18 U.S.C. § 2710 (2002))
US Federal Privacy Laws and US Federal Breach Laws (USA is a member of the OECD and a member of CPEA. The US has also ratified CE ETS 185)
1. Children's Online Privacy Protection Act (COPPA)
   1. Federal Trade Commission's Final COPPA Rule (PDF)
2. Communications Assistance for Law Enforcement Act (CALEA)
3. Department of Defense Directive 5400.11-R - Privacy Program (May 14, 2007 edition) (PDF)
   1. Defense Privacy Office
4. Electronic Communications Privacy Act (ECPA)
5. Fair Credit Reporting Act (FCRA, PDF)
   1. As Amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT)
   2. Federal Trade Commission's Red Flag Rule (PDF) (DELAYED UNTIL NOVEMBER 1st 2009)
6. Family Educational Rights and Privacy Act (FERPA, The Buckley Amendment)
   1. US Department of Education Final Rule (PDF)
   2. Protection of Pupil Rights Amendment (PPRA)
   3. No Child Left Behind Act (PDF)
7. Genetic Information Nondiscrimination Act 2008 (GINA, PDF)
   1. Proposed rule making genetic information covered under PII, HIPAA, and HITECH (PDF)
8. Gramm-Leach-Bliley Act (GLBA)
   1. Federal Trade Commission's Final Financial Privacy Rule (PDF)
   2. Federal Trade Commission's Final Safeguards Rule (PDF)
9. Health Insurance Portability and Accountability Act (HIPAA, PDF)
10. HITECH Act (Notice: I could not find it consolidated and called out anywhere, so had to create it myself, PDF)
   1. HITECH Breach Notification Guidance and Request for Public Comment (From the US Department of Health and Human Services, PDF)
11. Federal Trade Commission's Health Breach Notification FINAL Rule (PDF)
12. Safe Harbor Guidelines from the US Department of Commerce