Understanding Global Data Protection Laws: Webinar


Webinar discusses:
Key takeaways on global security requirements for countries with strong restrictions.
Understanding restrictions on transferring data across country boundaries.
Best practices to prepare your company to understand the diverse data protection laws.

Understanding Global Data Protection Laws: Webinar

  1. © 2015 CipherCloud | All rights reserved. Understanding Global Data Protection Laws. Willy Leichter, Global Director, Cloud Security
  2. Agenda
     • Cloud benefits and inhibitors
     • Changing IT landscape
     • Compliance basics
     • Overview of global protection laws
     • Microsoft/Ireland legal challenge
     • Best practices to meet compliance
     • Recommendations
  3. Balancing Cloud Benefits with Compliance Requirements (customer examples)
     • Top 3 US Bank’s Consumer Self-Service Loan Origination Portal
     • UK Education Organization Deploys Global Cloud-Based Portal
     • Non-Technology Leader Trusts Sensitive Data in Cloud Email
     • German Cosmetics Giant Meets International Security Regulations
     • Major European Telco Consolidates Call Centers for 25 Countries
     • Largest Hospital Chain Meets HIPAA & HITECH in the Cloud
     • Top Canadian Bank Safeguards Proprietary Information in the Cloud
     • Major Wall Street Firm Adopts Cloud Applications with Confidence
     • Global Leader in Customer Loyalty Moves Email to the Cloud
     • Genomics Testing Leader Protects Patient Data while Using the Cloud
     • New Zealand Bank Collaborates in the Cloud and Meets Compliance
     • Medical Audit Leader Launches Cloud-Based Customer Portal
     • Large Pharmaceutical Company Uses Encrypted Email
     • Credit Reporting Giant Deploys Cloud Collaboration with DLP Controls
     • Government-Owned Mortgage Backer Protects PII Data in the Cloud
  4. Changing IT Challenges
     • Managing the proliferation of cloud services
     • Protecting data instead of just infrastructure
     • Complying with data protection and residency laws
     • Using legacy tools against emerging cloud threats
     • Disappearing network perimeter
     • Surveillance and forced disclosure risks
  5. Where Cloud Data Resides and What Laws Might Apply (world map)
     • USA (Federal): CALEA, CCRA, CIPA, COPPA, EFTA, FACTA, ECPA, FCRA, FISMA, FERPA, GLBA, HIPAA, HITECH, PPA, RFPA, Safe Harbor, US PATRIOT Act
     • US States: Breach notification in 48 states
     • Canada: PIPEDA, FOIPPA, PIPA
     • Mexico: Personal Data Protection Law
     • Colombia: Data Privacy Law 1266
     • Brazil: Article 5 of Constitution
     • Chile: Law for the Protection of Private Life
     • Argentina: Personal Data Protection Law, Information Confidentiality Law
     • European Union: EU Data Protection Directive, State Data Protection Laws
     • Europe: Privacy laws in 28 countries
     • United Kingdom: ICO Privacy and Electronic Communications Regulations
     • Morocco: Data Protection Act
     • South Africa: Electronic Communications and Transactions Act
     • India: Pending laws under discussion
     • Thailand: Official Information Act B.E. 2540
     • Singapore: Personal & Financial Data Protection Acts
     • Hong Kong: Personal Data Privacy Ordinance
     • Taiwan: Computer-Processed Personal Data Protection
     • Philippines: Proposed Data Privacy Law
     • South Korea: Network Utilization and Data Protection Act
     • Japan: Personal Information Protection Act
     • Australia: National Privacy Principles, State Privacy Bills, Email Spam and Privacy Bills
     • New Zealand: Privacy Act
  6. Customer Example: GlobalTelco
     Challenge
     • Moving legacy CRM systems in 25 countries to Salesforce
     • Complying with dozens of privacy and data residency laws
  7. Legacy Compliance Models Don’t Work in the Cloud
     Legacy Protection Model
     • Location of data determines what laws apply
     • Legal sovereignty over physical media or files
     • Data owners control infrastructure security
     • Transfer and processing of data is controlled (in theory…)
     • Regulators focus on location, certification, perimeter security
     Reality in the Cloud
     • Data won’t and shouldn’t stay in one location: distributed computing, cross-region backups, third-party processing
     • Many people can access the data: remote command-and-control, support & services
     • Customers ask the wrong questions: datacenter location, infrastructure security
  8. Global Compliance Basics
     • Data Owner/Controller – Always responsible, regardless of location
     • Data Processors & Sub-Processors – Cloud providers with access to private data; extensive contractual requirements for the data owner
     • Data Residency/Sovereignty – Must assure data doesn’t go to regions with weaker privacy protections
     • Data Transfer – Strict requirements if data goes to a specific region with weaker controls
  9. Global Compliance Resource Center (ciphercloud.com/global-compliance-resource-center)
     • Details on data protection laws in 83 countries: summaries of laws; national authorities and links; security requirements; definitions of personal and sensitive data; data transfer restrictions; breach notification requirements
     • Content on industry-specific regulations: financial services; payment card industry (PCI); healthcare
     • Dynamic interactive map
     • Downloadable book (PDF)
  10. Overall Levels of Restrictions (world map; legend: Strong Restrictions / Moderate Restrictions / Limited Restrictions)
  11. EEA and Safe Harbor
     EEA Countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom
     Adequate Protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay
     US Safe Harbor
  12. Breach Notification Requirements (world map; legend: Strong Requirements / Limited Requirements)
     • Mandatory in 47 US states and Alberta, Canada
     • Limited or not required in most other countries
  13. Does Data Residency = Data Sovereignty?
     Cloud providers control data across borders
     • Regional datacenters are rarely autonomous
     • Redundant backup data centers only in US
     • Central “command and control” can usually access data residing in any country
     SLAs are usually not binding on location
     • Data often spread across multiple datacenters
     • Best practices call for backups in other regions
     US court rulings challenge data residency
     • Data “controlled” by US cloud providers can still be subject to US subpoenas
     • Microsoft ruled to release data stored in Ireland to US law enforcement
     (map: primary Microsoft datacenter locations)
  14. The Microsoft / Ireland Case
     • “They have total control of those records, can produce them here, and that’s all that matters.” - Federal prosecutor Serrin Turner
     • “Warrant requires the company to provide documents it controls, regardless of location” - U.S. Justice Department
     • “It is a question of control, not a question of the location of that information” - Judge Loretta Preska, chief of the US District Court in Manhattan
  15. Weak SLAs Don’t Help: Microsoft standard SLAs for South American cloud customers
     • SharePoint Online, Exchange Online and Lync Online datacenter locations for South American customers
     • SharePoint Online, Exchange Online and Lync Online datacenter locations for Brazilian customers
     • Active Directory and Global Address Book datacenter locations for all South American customers including Brazil
  16. Weak SLAs Don’t Help
     “The requirements of providing the services may mean that some data is moved to or accessed by Microsoft personnel or subcontractors outside the primary storage region. For instance, to address latency, routing data may need to be copied to different data centers in different regions. In addition, personnel who have the most technical expertise to troubleshoot specific service issues may be located in locations other than the primary location, and they may require access to systems or data for purposes of resolving an issue.” - Microsoft standard cloud SLAs
  17. What Are Your Practical Options?
     1. Just say ‘NO’ to the Cloud
        • Not viable or recommended
        • Makes you less competitive
        • Limits access to latest technology
     2. Ignore the problem
        • Your users will use cloud anyway
        • Hope (and pray) you’re not the next data breach time bomb
     3. Focus on protecting data - not just infrastructure
        • Technology solutions exist
        • It’s possible to control sensitive data and benefit from the cloud
  18. Cloud Use is Inevitable
     • “The average global enterprise utilizes over 1,100 cloud applications” (chart: NA, EU)
     • “86% of cloud applications used by enterprises are unsanctioned” (Shadow IT)
  19. Cloud Discovery Dashboard (screenshot)
  20. Where Should You Protect Your Data? Data in Transit / Data at Rest / Data in Use
     Vulnerabilities (* = Top Threats): Account hijacking*, Forced disclosure, Data breaches*, Malicious insiders*, Insecure APIs*, Shared technology*
  21. CipherCloud Encryption Model
     • Encryption keys never leave the enterprise
     • Encrypted data is indecipherable to unauthorized users
     • Transparent to users
     • Preserves application functionality
     • Encryption or tokenization at the enterprise gateway
     • Minimal latency
     • Integrated malware detection
  22. CipherCloud Encryption: Authorized User vs. Unauthorized User (diagram)
  23. Granular Field-Level Control: Authorized User vs. Unauthorized User (diagram)
  24. Customer Example: GlobalTelco
     Challenge
     • Moving legacy CRM systems in 25 countries to Salesforce
     • Complying with dozens of privacy and data residency laws
     Solution
     • CipherCloud encryption for all personal information fields
     • Consistent global policy enforcement and compliance
     (diagram: customer PII data -> encrypted PII -> cloud traffic)
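Slides 21 to 24 describe the gateway model: personal-information fields are encrypted or tokenized at an enterprise gateway before they reach the cloud application, the keys (or token mapping) stay with the data owner, and only authorized users get clear text back while everyone else, including whoever holds the cloud-side copy, sees only protected values. The Python below is an added illustration of that model written for this page; it is not CipherCloud's code and says nothing about how its product is built. It uses vault-based tokenization (random tokens with an on-premises mapping) rather than encryption, and the field names, user names and the sample CRM record are all constructed.

```python
import secrets
from dataclasses import dataclass, field

# Constructed policy: the contact-record fields that hold personal information
# and must never reach the cloud application in clear text. The field names are
# hypothetical; the slides only say "all personal information fields".
PROTECTED_FIELDS = ("name", "email", "phone", "national_id")
TOKEN_PREFIX = "tok_"


@dataclass
class TokenVault:
    """On-premises token store. It holds the only mapping between tokens and
    clear values, so a copy of the cloud-side record yields tokens that cannot
    be reversed without this vault (the 'keys never leave the enterprise' idea)."""
    _forward: dict = field(default_factory=dict)   # clear value -> token
    _reverse: dict = field(default_factory=dict)   # token -> clear value

    def tokenize(self, value: str) -> str:
        # Reuse the token for a value already seen so that equality-based
        # lookups in the cloud application keep working (slide 21:
        # "preserves application functionality").
        if value in self._forward:
            return self._forward[value]
        token = TOKEN_PREFIX + secrets.token_hex(16)   # random, not derived from value
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._reverse[token]

    def holds(self, token: str) -> bool:
        return token in self._reverse


class EnterpriseGateway:
    """Inline gateway between users and the cloud application: protects
    outbound records and restores inbound records for authorized users only."""

    def __init__(self, vault: TokenVault, authorized_users: set):
        self.vault = vault
        self.authorized = set(authorized_users)

    def outbound(self, record: dict) -> dict:
        """The record as the cloud provider stores it: protected fields replaced
        by tokens, everything else passed through unchanged."""
        return {k: (self.vault.tokenize(v) if k in PROTECTED_FIELDS else v)
                for k, v in record.items()}

    def inbound(self, stored: dict, user: str) -> dict:
        """The record as a given user sees it. Unauthorized users (or anyone
        reading the cloud copy directly) get the tokens, never the clear values."""
        if user not in self.authorized:
            return dict(stored)
        return {k: (self.vault.detokenize(v)
                    if k in PROTECTED_FIELDS and self.vault.holds(v) else v)
                for k, v in stored.items()}


def clear_text_leaked(original: dict, stored: dict) -> set:
    """Compliance check: protected fields whose clear value is present in the
    cloud-side copy. Expected to be empty after the gateway has run."""
    return {k for k in PROTECTED_FIELDS
            if k in original and stored.get(k) == original[k]}


def demo():
    """Runs one CRM contact through the gateway and returns the four views."""
    vault = TokenVault()
    gateway = EnterpriseGateway(vault, authorized_users={"alice@example.com"})
    # Constructed sample record; all values are fictitious.
    contact = {"id": 42, "name": "Jane Doe", "email": "jane@example.net",
               "phone": "+44 20 7946 0000", "national_id": "AB123456C",
               "country": "UK", "plan": "gold"}
    cloud_copy = gateway.outbound(contact)
    authorized_view = gateway.inbound(cloud_copy, "alice@example.com")
    unauthorized_view = gateway.inbound(cloud_copy, "bob@example.com")
    return contact, cloud_copy, authorized_view, unauthorized_view


if __name__ == "__main__":
    contact, cloud_copy, auth, unauth = demo()
    print("cloud copy:", cloud_copy)
    print("authorized view matches original:", auth == contact)
    print("leaked protected fields:", clear_text_leaked(contact, cloud_copy))
```

Running the file prints the cloud-side record (tokens in the four protected fields, the rest untouched), confirms that the authorized view equals the original, and reports an empty set from the leak check. The one design choice worth noting is that a value always maps to the same token: that is what lets the cloud application still match and filter on protected fields, at the cost that equal values are recognisable as equal in the cloud copy.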
  25. Compliance Arguments for Cloud Encryption
     Prevents cloud providers from being data processors
     – Widely accepted for US and many global data protection laws
     – Still debated in Europe – especially Germany: some believe any encryption to be “pseudo-anonymization”
     Improves controller compliance even if cloud provider is not exempt
     – Important added layer of security
     – Widely accepted for US data protection laws
     Aligns with upcoming data privacy laws
     – Significantly stiffer penalties and legal enforcement
     – Important added layer of security
     – Widely accepted for US data protection laws
  26. Upcoming EU Data Protection Requirements
     Core principles all supported by advanced data protection
     – Data Minimization
     – Data Portability
     – Privacy by Design & Default
     – Privacy Impact Analysis
     (flags: Canada, United Kingdom, Ireland, France)
  27. Growing Consensus on Encryption (check marks rendered as “Yes”)
     Regulation / Region    | Breach Notification | Safe Harbor Exemptions | Recommendations on Encryption
     PCI DSS                | Yes                 | Yes                    | Encryption a “critical component”
     GLBA                   | Yes                 | Yes                    | Safe harbor “if encryption has been applied adequately”
     HIPAA, HITECH          | Yes                 | Yes                    | Safe harbor “if encryption has been applied adequately”
     EU Directives          | Proposed            | Proposed               | Encryption likely to be recommended
     ICO Privacy Amendment  | Yes                 | Yes                    | Notification not required if there are “measures in place which render the data unintelligible.”
     Privacy Amendment      | Yes                 | Not specified          | Not specified, but you should “take adequate measures to prevent the unlawful disclosure”
     US State Privacy Laws  | Yes                 | Generally Yes          | Typical breach definitions: Personal Information: “data that is not encrypted”; Breach: “access to unencrypted data”
  28. The CipherCloud Platform
     • Multi-Cloud, Any Location, Any Device
     • Enterprise Requirements: Visibility & Monitoring, Threat Prevention, Data Security, Privacy & Compliance
     • Platform: Advanced Data Protection, User & Data Monitoring, Cloud Risk Intelligence, Integrated Policy Controls, Cloud Integrations, Enterprise Integration
     • Deployment: On-Premises, Hybrid, Cloud
  29. Recommendations
     • Avoiding the cloud is no longer viable, or desirable
     • IT must move beyond the perimeter model to stay relevant – Focus needs to be on protecting data, not infrastructure
     • Compliance requires more than cloud provider assurances – You’re responsible for the data; you must be proactive
     • Security and privacy challenges are solvable – Strong encryption can assure exclusive access to data located anywhere, but keys must be retained by the data owner
     • Encryption is becoming an established best practice – Not applying encryption is increasingly hard to justify
     • Work with companies that understand data protection and have deep integration with cloud applications
  30. About CipherCloud
     Solutions: Cloud Discovery, Cloud DLP, Strong Encryption, Tokenization, Activity Monitoring, Anomaly Detection
     Company: 525+ employees, 3.8+ million active users, 13 industries, 25 countries, 7 languages, 13 patents
     Customers: 5 out of 10 top US banks; 3 out of 5 top health providers; top 2 global telecom companies; 40% of global mail delivery; largest US media company; 3 out of 5 top pharmaceuticals
  31. Visit our new Global Compliance Resource Center. Online map, guide, whitepapers & more: www.ciphercloud.com/resources/global-compliance-resource-center
  32. Questions? Click to watch the on-demand webinar: Understanding Global Data Protection Laws
     For additional information:
     • Website: www.ciphercloud.com
     • Email: info@ciphercloud.com
     • Phone: +1 855-5CIPHER
     Willy Leichter, Global Director, Cloud Security, wleichter@ciphercloud.com, Twitter: @WillyLeichter
     Connect with us: Twitter.com/ciphercloud, Youtube.com/user/CipherCloudVideo, Linkedin.com/company/ciphercloud, Facebook.com/ciphercloud