International Perspectives on Data Breach

International perspectives and lessons learned, as Canada now starts to deal with breach notification laws. Part of a panel presentation at the IAPP Canadian Privacy Summit, May 26-28, in Toronto, Canada (pre-conference seminar).

Transcript

  • 1. International Perspective: Lessons Learned
    IAPP Canada Privacy Summit Pre-conference
    Constantine Karbaliotis
    Data Protection & Privacy Lead

  • 2. US Experiences: Legislative Overview
    Data or security breach legislation has been a fact of life in the US since 2002:
    - California first in 2002
    - Subsequently 44 more US states have passed mandatory breach notification legislation
    - Key requirement in HITECH/HIPAA legislation
    - Massachusetts Data Protection Law
    Lessons Learned: Data Breach

  • 3. Common Elements
    Triggered if:
    - there is a breach of data security; and
    - a consumer's personal information is implicated
    Not all breaches trigger notification.
    Consider the definition of personal information:
    - Typically meant to address name plus data such as social insurance/security number, credit card or banking data: what facilitates identity theft or fraud
    - Also includes medical information, as well as health insurance information under certain states' laws
    Some state laws apply even if there is simply a reasonable belief that there was an acquisition of data.
    Direct notice is typically required, though substitute notice is permitted in certain instances.

  • 4. Issues to Consider
    - Encryption: is it effective to avoid the notice requirement?
    - Electronic v. non-electronic data
      - Alaska, Hawaii, Indiana, Massachusetts, North Carolina, and Wisconsin include non-electronic records loss
    - Who else must notice be given to?
      - Typically the Attorney-General of each state
    - What is the form of notice?
    - Is notice required if there is no likelihood of identity theft?
    - Thresholds: size of breach

  • 5. Logistical Issues
    - Managing notification is often beyond the capability of most organizations
    - First challenge: mailing the notice
      - It may be possible to handle internally if the breach is small
      - A mass mailing requirement is difficult to address if the numbers affected are significant
    - Even if organizations operate call centres, these are rarely equipped to address the kinds of questions arising from a data breach
      - Scripting responses takes time
      - Must consider the experience and nature of inquiries typically handled by your call centre

  • 6. Law Enforcement
    - Must consider whether law enforcement is to be notified: may not be required for a 'loss' situation, but definitely will be for theft/hack
    - Typically law enforcement is not yet experienced enough to understand the gravity (and consequences) of data breach scenarios, so it will be important to explain both to investigators
    - Law enforcement typically will not want notification to go out prior to its investigation, so in a difficult case it is best to involve law enforcement and the regulator directly and together
    - Sometimes you need to chase the investigation down: thefts are a common occurrence and they tend to all blur together
    - Must consider who needs to involve law enforcement: this can get delicate if the breach arises with a vendor in a different country who may be the only one able to file a complaint

  • 7. Notification to Regulator/Attorney General
    - Notification must follow the standards set out in regulation
    - Important to be accurate about notification, and timely
    - In the US, always leads to public notification even if the breach is small
    - Nonetheless, do not overlook jurisdictions merely because only a few individuals from them are involved

  • 8. Response to a Breach
    - It is becoming a truism that it is not that you've had a breach (everyone eventually will), it's how you respond to it
    - Vitally important that you not cut too fine a line in 'distinguishing' the treatment of customers simply because of jurisdiction
    - Be careful to ensure accuracy in reporting on the details of what has happened, especially if still investigating
    - Requirement under most laws to describe the steps you are taking to remediate/prevent recurrence
    - Consider what steps you will take to help prevent harm to your customers (credit monitoring or credit protection services, for example), as this will tend to colour how people respond to your breach more than the breach itself

  • 9. Organizational Capability
    - Breach experience in the US highlights the need to have an organized response in place ahead of a breach
    - Must involve a multi-disciplinary group:
      - Privacy
      - Information Security
      - Legal Department
      - Public Relations/Communications
      - Human Resources
      - Government Relations
    - Having a documented breach response plan and capability will be one of the critical elements in how regulators assess you in terms of your response

  • 10. Lessons Learned: Data Breach
    Constantine Karbaliotis, J.D., CIPP/C/IT
    constantine_karbaliotis@symantec.com
    416.402.9873
