International Perspectives on Data Breach

International perspectives and lessons learned, as Canada now starts to deal with breach notification laws. Part of a panel presentation at the IAPP Canadian Privacy Summit, May 26-28, in Toronto, Canada (pre-conference seminar).


  1. International Perspective: Lessons Learned
     IAPP Canada Privacy Summit Pre-conference
     Constantine Karbaliotis
     Data Protection & Privacy Lead

  2. US Experiences: Legislative Overview
     Data or security breach legislation has been a fact of life in the US since 2002:
     • California first in 2002
     • Subsequently 44 more US states have passed mandatory breach notification legislation
     • Key requirement in HITECH/HIPAA legislation
     • Massachusetts Data Protection Law
     Lessons Learned: Data Breach

  3. Common Elements
     Triggered if:
     • there is a breach of data security; and
     • a consumer's personal information is implicated
     Not all breaches trigger notification.
     Consider the definition of personal information:
     • Typically meant to address name plus data such as social insurance/security number, credit card or banking data – what facilitates identity theft or fraud
     • Also includes medical information, as well as health insurance information under certain states' laws
     • Some state laws apply even if there is simply a reasonable belief that there was an acquisition of data
     • Direct notice is typically required, though substitute notice is permitted in certain instances

  4. Issues to Consider
     • Encryption – is it effective to avoid the notice requirement?
     • Electronic v. non-electronic data
       Alaska, Hawaii, Indiana, Massachusetts, North Carolina, and Wisconsin include non-electronic records loss
     • Who else must notice be given to?
       Typically the Attorney-General of each state
     • What is the form of notice?
     • Is notice required if there is no likelihood of identity theft?
     • Thresholds – size of breach

  5. Logistical Issues
     Managing notification is often beyond the capability of most organizations.
     First challenge: mailing the notice
     • It may be possible to handle internally if the breach is small
     • The mass mailing requirement is difficult to address if the numbers affected are significant
     Even if organizations operate call centres, these are rarely equipped to address the kinds of questions arising from a data breach
     • Scripting responses takes time
     • Must consider the experience and nature of inquiries typically handled by your call centre

  6. Law Enforcement
     • Must consider whether law enforcement is to be notified – may not be required for a 'loss' situation, but definitely will be for theft/hack
     • Typically law enforcement is not yet experienced enough to understand the gravity (and consequences) of data breach scenarios, so it will be important to explain both to investigators
     • Typically law enforcement will not want notification prior to investigation, so in a difficult case it is best to involve law enforcement and the regulator directly and together
     • Sometimes you need to chase the investigation down – thefts are a common occurrence and they tend to all blur together
     • Must consider who needs to involve law enforcement – this can get delicate if the breach arises with a vendor in a different country who may be the only one who can file a complaint

  7. Notification to Regulator/Attorney General
     • Notification must follow the standards set out in regulation
     • Important to be accurate about notification, and timely
     • In the US, it always leads to public notification even if the breach is small
     • Nonetheless, do not overlook jurisdictions merely because only a few individuals from them are involved

  8. Response to a Breach
     • It is becoming a truism that it is not that you've had a breach – everyone eventually will – it's how you respond to it
     • Vitally important that you not cut too fine a line in 'distinguishing' treatment of customers simply because of jurisdiction
     • Be careful to ensure accuracy in reporting on the details of what has happened, especially if still investigating
     • Requirement under most laws to describe the steps you are taking to remediate/prevent recurrence
     • Consider what steps you will take to help prevent harm to your customers – credit monitoring or credit protection services, for example – as this will tend to colour how people respond to your breach more than the breach itself

  9. Organizational Capability
     Breach experience in the US highlights the need to have an organized response ahead of a breach.
     Must involve a multi-disciplinary group:
     • Privacy
     • Information Security
     • Legal Department
     • Public Relations/Communications
     • Human Resources
     • Government Relations
     Having a documented breach response plan and capability will be one of the critical elements in how regulators assess you in terms of your response.

  10. Constantine Karbaliotis, J.D., CIPP/C/IT
      416.402.9873