International Perspectives on Data Breach
International perspectives and lessons learned, as Canada now starts to deal with breach notification laws. Part of a panel presentation at the IAPP Canadian Privacy Summit, May 26-28, in Toronto, Canada (pre-conference seminar).
International Perspectives on Data Breach Presentation Transcript

  • 1. International Perspective: Lessons Learned
    IAPP Canada Privacy Summit Pre-conference
    Constantine Karbaliotis
    Data Protection & Privacy Lead
  • 2. US Experiences: Legislative Overview
    Data or security breach legislation has been a fact of life in the US since 2002:
    California first in 2002
    Subsequently 44 more US states have passed mandatory breach notification legislation
    Key requirement in HITECH/HIPAA legislation
    Massachusetts Data Protection Law
    Lessons Learned: Data Breach
  • 3. Common Elements
    Triggered if
    there is a breach of data security; and
    a consumer’s personal information is implicated
    Not all breaches trigger notification
    Consider definition of personal information:
    Typically is meant to address name plus data such as social insurance/security number, credit card or banking data – what facilitates identity theft or fraud
    Also includes medical information, as well as health insurance information, under certain states’ laws
    Some state laws apply even if there is simply a reasonable belief that there was an acquisition of data
    Direct notice is typically required, though substitute notice is permitted in certain instances
  • 4. Issues to Consider
    Encryption – is it effective in avoiding the notice requirement?
    Electronic v. non-electronic data
    Alaska, Hawaii, Indiana, Massachusetts, North Carolina, and Wisconsin include non-electronic records loss
    Who else must notice be given to?
    Typically the Attorney-General of each state
    What is form of notice?
    Is notice required if there is no likelihood of identity theft?
    Thresholds – size of breach
  • 5. Logistical Issues
    Managing notification is often beyond the capability of most organizations
    First challenge: Mailing the notice
    It may be possible to handle internally if breach is small
    Mass mailing requirement is difficult to address if numbers affected are significant
    Even if organizations operate call centres, these are rarely equipped to address the kinds of questions arising from a data breach
    Scripting responses takes time
    Must consider experience and nature of inquiries typically handled by your call centre
  • 6. Law Enforcement
    Must consider whether law enforcement is to be notified – may not be required for a ‘loss’ situation, but definitely will be for a theft/hack
    Typically law enforcement is not yet experienced enough to understand the gravity (and consequences) of data breach scenarios, so it will be important to explain both to investigators
    Typically law enforcement will not want notification prior to investigation, so in a difficult case it is best to involve law enforcement and the regulator directly and together
    Sometimes need to chase the investigation down – thefts are a common occurrence and they tend to all blur together
    Must consider who needs to involve law enforcement – can get delicate if the breach arises with a vendor in a different country who may be the only one who can file a complaint
  • 7. Notification to Regulator/Attorney General
    Notification must follow standards set out in regulation
    Important to be accurate about notification, and timely
    In the US, always leads to public notification even if the breach is small
    Nonetheless, do not overlook jurisdictions merely because only a few individuals from them are involved
  • 8. Response to a Breach
    It is becoming a truism that it is not that you’ve had a breach – everyone eventually will – it’s how you respond to it
    Vitally important that you not draw too fine a line in ‘distinguishing’ the treatment of customers simply because of jurisdiction
    Be careful to ensure accuracy in reporting on the details of what has happened, especially if still investigating
    Requirement under most laws to describe how you are taking steps to remediate/prevent recurrence
    Consider what steps you will take to help prevent harm to your customers – credit monitoring or credit protection services for example – as this will tend to colour how people respond to your breach more than the breach itself
  • 9. Organizational Capability
    Breach experience in the US highlights the need to have an organized response in place ahead of a breach
    Must involve multi-disciplinary group:
    Information Security
    Legal Department
    Public Relations/Communications
    Human Resources
    Government Relations
    Having a documented breach response plan and capability will be one of the critical elements in how regulators assess you in terms of your response
  • 10. Lessons Learned: Data Breach
    Constantine Karbaliotis, J.D., CIPP/C/IT