Global security


  1. Global Privacy and Security: Personal Devices and Corporate Data
     CLE Seminar for In-House Counsel, June 5, 2014, Chicago, Illinois
     Todd Daubert, Partner, Dentons, Washington, DC, T +1 202-408-6458
     © 2014 Dentons. All rights reserved.
  2. Prologue
  3. In the news…
  4. Brands in the Headlines
     • FTC hits Google with $22.5 million fine for Safari tracking
  5. Global Data Landscape – Data Creation
     • More data from more places
     • Integration of digital into everyday life leaves interaction data residue
     • Better, cheaper, smaller sensors integrated into more things
     • Internet of things combines continuous data collection and communication with machine-driven decision making
     • Metadata (data about data) provides additional information and context
  6. Global Data Landscape – Data Use
     • Mobile devices becoming increasingly relied upon
     • Increasing pressure for Bring Your Own Device (“BYOD”) policies
     • Data and services increasingly moving to the “Cloud”
     • Access to the cloud is increasingly available through mobile devices
     • Demand for data and services everywhere, all the time
     • Increased use of vendors and third parties for digital services
     • Sourced from around the world
     • Pressure growing to limit locations of vendors
  7. Global Data Landscape – Threats
     • Static defenses – like anti-virus and firewalls – seem to be losing ground
     • "Antivirus is dead" – Brian Dye, Symantec SVP for Information Security
     • Advanced persistent threats are unique, targeted and sophisticated
     • Threats are varied in motivation, technique, targets and geography
     • Manipulation of employees – social engineering – and errors (or crimes) by employees is still the most common means for obtaining unauthorized access to data
  8. Global Data Landscape – Motivations Behind Attacks
     [chart] Source:
  9. Global Data Landscape – Attack Techniques
     [chart] Source:
  10. Global Data Landscape – Targets
     [chart] Source:
  11. Global Data Landscape – Location of Threats
     [chart] Source:
  12. Keys to Protecting Company Data
     • Identify the relevant risks
     • Risk assessments (technical and legal)
     • Data classification
     • Accept that security is not a destination, but rather a never-ending process of adapting to changing risks
     • Appreciate that security is not just IT's job
     • All stakeholders must commit to securing critical data and be accountable
     • Understand that good governance is key to success
     • Vendor management
     • Incident response
     • Continuous monitoring
  13. What is the Relevance of Data Privacy?
     • Personal data is all about people and underpins most business processes. It can directly impact the value of a business
     • Data privacy compliance goes directly to:
     • Brand reputation
     • Commercial differentiation
     • Share price and profit (e.g. Sony)
     • Security is essential for privacy
     • Difficult to talk about one without talking about the other
     • Regulators are paying more attention to privacy and security
     • EU and other supervisory authorities (such as the Information Commissioner’s Office)
     • US regulators at the federal and state level
  14. Enforcement of Privacy Laws Is a Global Priority
     • Global enforcement is high priority
     • Blackshades bust involved 19 countries and more than 90 arrests globally.
     • takedown/international-blackshades-malware-takedown
     • But still difficult to enforce laws across borders
     • Justice Department just indicted 5 members of the Chinese military on hacking charges.
     • Same individuals from Unit 61398 identified in Mandiant APT-1 report
     • China blasted charges. No extradition treaty with China, so unlikely to get traction.
     • criminal-charges-against-foreign-country-for-cyberspying/2014/05/19/586c9992-df45-11e3-810f-764fe508b82d_story.html
  15. But Global Perspectives on Privacy Vary Greatly
     • US generally holds free speech above privacy and only specifically protects privacy in particular situations
     • Results in patchwork solutions and no general privacy right
     • Privacy based largely on reasonable expectations
     • EU protects privacy as an independent and fundamental human right equal to or greater than that of free speech
     • Moral view of privacy
     • Supports general, broad rights
     • General privacy right that, from a US perspective, sometimes trumps common sense and practicality
     • Highly regulatory approach to privacy
     • Data privacy regulation in Asia, Central America and South America generally is less mature, and the approaches to privacy are mixed
  16. Global Privacy Laws Reflect Different Social Mores
     • United States: sector-specific laws
     • Europe: EU Data Protection Directive 1995 + 28 local privacy laws
     • Asia Pacific: APEC Privacy Framework + local privacy laws
     • Latin America: local privacy laws
     • New privacy laws: Brazil, Singapore, Malaysia, South Africa, Kazakhstan…
  17. Society in the US, as Reflected in the Law, Has Traditionally Focused on Expectations of Privacy
  18. US Traditions Have Heavily Influenced Our Views of the Appropriate Use of Technologies
  19. The US Approach to Privacy
     • The right to privacy was judicially created under other Constitutional rights
     • No explicit right to privacy in the Constitution
     • “Zones of Privacy” under the penumbra of the 1st, 3rd, 4th, 5th and 9th Amendments
     • Regulation reflects a selective sector-based approach
     • Healthcare
     • Finance
     • Children
     • Free speech almost always trumps privacy
     • Emerging regulatory measures include the White House Consumer Bill of Rights, the FTC Multi-Stakeholder Process, and potential cyber security legislation
  20. The European Approach to Privacy
     • In the European Union, privacy is a fundamental human right
     • Embodied in Article 8 of the European Convention on Human Rights
     • Comprehensive approach
     • Privacy right equal to free speech
     • Considered a moral issue
  21. The Canadian Approach to Privacy
     • Privacy is not part of the Constitution, but a broad statutory approach is taken
     • National law (PIPEDA) governs collection, use, and disclosure of personal information.
     • Similar provincial laws also apply
     • Individuals have rights similar to those in Europe
     • Accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; challenging compliance
     • Sector-specific legislation such as the federal Bank Act further covers certain sensitive information
  22. The Asia-Pacific Approach to Privacy
     • Multiple international frameworks
     • APEC: Asia-Pacific Economic Cooperation
     • ASEAN: Association of Southeast Asian Nations
     • APPA: Asia Pacific Privacy Authorities
     • National legislation: mix of broad EU-style and US-style approaches
     • New Chinese regulations – somewhere between US and EU
     • Hong Kong, New Zealand, Japan and Australia have comprehensive privacy laws
     • Korea’s laws regulate only certain industries
     • Taiwan’s law regulates computer-processed data
  23. EU Data Protection Regulation: The UK Example
  24. UK Legal Background
     • EU Data Protection Directive 1995
     • UK Data Protection Act 1998
     • UK ICO: Christopher Graham
     • Similar arrangements apply in each of the 28 member states in the EU.
  25. When does the UK Data Protection Act Apply?
     • The Data Protection Act (DPA) applies when there is:
     • processing
     • of personal data
     • by a data controller
     • established in the UK (in the context of that establishment) or (where the data controller is established outside of the EEA) using equipment in the UK.
  26. Personal Data
     • Personal data means data which relate to an identifiable living individual
     • Personal data includes records stored electronically and in a physical filing system
     • Examples: name, address, date of birth
  27. Sensitive Personal Data
     • Stricter rules apply for sensitive personal data
     • Sensitive personal data includes health data, criminal charges and convictions, racial or ethnic origin, sexual life, trade union records, religious and political beliefs
     • Possible sources:
     • HR data
     • Background checks
     • Casting questionnaires
     • Contest entries (“Tell us about yourself”)
     • Requirements:
     • Explicit consent
  28. Data Controllers and Data Processors
     • Data Controller: a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are to be processed
     • Data Processor: any person (other than an employee of the data controller) who processes data on behalf of the data controller
     [diagram: Data Subject, Data Controller, Data Processor]
  29. What Happens if the UK Data Protection Act Applies?
     • Compliance with the 8 Data Protection Principles is mandatory
     • The rights of data subjects must be respected
     • Take the consequences if you fail to comply
  30. The Eight Data Protection Principles
  31. Data Protection Principles
     1. Personal data must be processed transparently and lawfully
     2. Personal data must only be used for specified purposes
     3. Ensure that personal data is adequate, relevant and not excessive
     4. Ensure that personal data is accurate and, where necessary, kept up to date
     5. Personal data must not be retained for longer than necessary
     6. Personal data must be processed in accordance with the data subject’s rights
     7. Personal data must be kept securely
     8. Personal data must not be transferred to any other country without adequate protection
  32. The Eighth Data Protection Principle
     • The law: Principle 8 of the Data Protection Act 1998 says:
     • Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of data protection
     • Solutions include model contracts, Binding Corporate Rules and consent of users
  33. What happens if you get it wrong?
     • Privacy and consumer watchdogs can fine you
     • The Information Commissioner can:
     • issue fines of up to £500,000
     • issue an information notice
     • issue an enforcement notice
     • seek to bring criminal proceedings
     • Compensation
     • Bad publicity and reputational harm
     • Personal liability for individuals who violate the rules
  34. Headline Changes Proposed for EU Data Regulation
     • "One Stop Shop" for DP regulatory supervision (?)
     • New extra-territorial scope: for non-EU-based organisations
     • Narrower gateway conditions: e.g. "legitimate interests"
     • Privacy compliance program: policies, procedures, privacy impact assessments and audits
     • Privacy by design, e.g. designing a new business process or procuring a new IT system with "privacy baked in"
     • Breach notification to be a legal duty (24 hours?)
     • Appointing a DPO
     • New risk for data processors
     • Fines (2%-5% of worldwide turnover)
     • Deadline: now end 2014 with 2 year transition period
  35. Data Privacy and Security for Businesses
     • Key points for businesses
     • Protecting reputation and business interests
     • Securing data transfers
     • Managing personnel and employment issues
     • Securing industrial systems
     • Pragmatism and preparation are crucial
     • The best plans are useless if the business is unable or unwilling to implement or follow them
     • Not a question of whether an attack or accident will happen, but rather a question of when
  36. Business Risks Are as Important as Compliance
     • The risk to reputation and business interests often outweighs the risk of regulatory fines
     • This may change with proposed EU regulations
     • A simplified global compliance plan can reduce costs and improve adoption of innovations
     • Requires focused and strategic consideration of multinational compliance issues
     • Development of a flexible framework can address today’s requirements and adapt to future changes
  37. Business Risks – Issue Spotting
     • Make sure your privacy policies and disclosures to consumers and employees match actual practice
     • Regulations are becoming more stringent
     • Build new systems with a forward-looking approach to privacy
     • Avoid collection of unnecessary data
     • Take data security seriously, including independent audits and continuous risk management
     • Data security is not just a check-box
     • Data privacy officers with independence and authority are critical to ensuring compliance obligations are met
  38. Challenges to Harmonization of Approaches
     • “One size fits all” approach may not be possible or desirable
     • Example:
     • UK requires detailed notice of how employees can be monitored that is not required in the US
     • US locations formally adopting a “global” policy but informally ignoring it could result in liability exposure
     • Single framework adaptable to local circumstances
     • Typically a simpler and more manageable strategy than piecemeal approaches
  39. Business Risks – Watch for PII
     • Despite the fragmented regulatory approaches, most regulatory regimes focus on PII or “personally identifiable information” (but may use a different term)
     • The Federal OMB has defined PII as “Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
     • California has defined “personal information” as an “individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.”
  40. Business Risks – Data Transfers
     • Many jurisdictions impose specific requirements before data from their jurisdiction can be transferred to another jurisdiction
     • Check applicable restrictions before implementing cloud solutions or permitting data to be transferred from one country to a server in another country
     • Take caution when transferring data to vendors or other third parties to ensure that you are not violating any restrictions imposed by law or contract, and that the transfer is consistent with your privacy policy
     • Transferees must be bound by appropriate protections so that they do not cause you to violate any obligations by their actions
  41. International Data Transfers
     [map: Asia Pacific, Europe, USA]
  42. EU to US Data Sharing Choices
     • EU/US safe harbors
     • Self-certification that privacy protections are in place and adhered to
     • Model clauses for data protection
     • Contractual provisions that ensure processors and sub-processors maintain privacy protections
     • Binding corporate rules
     • Allow multinational companies to make intra-organizational transfers in compliance with EU law
  43. EU-US Data Transfer Frameworks: Safe Harbor Certification
     • Safe Harbor Certification
     • Company attestation that it follows certain privacy principles
     • Requires internal or external assessment of governance and an independent recourse mechanism (e.g., DPAs, TRUSTe)
     • Requires annual re-certification
     • Covers only receipt and processing of personal data; entities disclosed to must be independently permitted under the EU framework
     • Broader coverage of personal data – do not have to specifically designate what data is included
  44. EU-US Data Transfer Frameworks: Model Contracts
     • Model Contracts
     • Agreement between two defined parties
     • Covers specific data designated at execution; additional types of data require amendment
     • Two types: controller-controller and controller-processor
     • Can include disclosures and receipt as described in the contract
     • No specific internal governance requirements, though compliance with contract terms implies certain governance
  45. EU-US Data Transfer Frameworks: Binding Corporate Rules
     • Binding Corporate Rules
     • Bigger process, more involved, more expensive
     • Provides broader flexibility to use EU personal data
  46. Data Privacy and Security – Data Breaches in the US
     • Notification requirements in at least 46 states
     • Triggered when “Personal Information” is compromised
     • Personal information is generally a name combined with financial, health, or other nonpublic information
     • Different definitions and triggers for each state
     • Most states allow reasonable time to notify customers
     • Some require prompt notification of state officials
     • Critical takeaways
     • Breach notification is complex
     • Understand your data, what could trigger notification, and create a breach response plan
  47. Managing Personnel and Employment Issues
     • Employee data
     • Personal information
     • Health-related information
     • Employee monitoring
     • Mixing of business/personal communications
     • Policies/terms of employment
     • Mobile devices
     • “BYOD” – Bring your own device
     • Location tracking
  48. HR Data – Monitoring at Work
     • Requirements
     • Openness
     • Identify a clear and justifiable reason for the monitoring
     • Limit monitoring to absolute necessity
     • Practical solutions
     • Ensure workers are aware that they are being monitored
     • Only use information obtained for the purpose of monitoring
     • Securely store the information and don’t keep it for longer than is necessary
     • Avoid opening private/personal emails; monitor message headings only
     • Do not attempt a blanket approach; only monitor a targeted area
  49. HR Data – Monitoring at Work
     • Covert monitoring
     • Can rarely be justified
     • Requires high-level authorization
     • There should be grounds for suspecting criminal activity or equivalent malpractice, and telling people would make it difficult to prevent or detect the wrongdoing
     • May only be used in a specific investigation and stopped when the investigation is completed
  50. Employee Vulnerability
     • YOU ARE THE WEAKEST LINK
     • Studies consistently show that the majority of data breaches can be traced back to employees
     • Lost or stolen laptop
     • Credentials disclosed through phishing or social engineering attacks
  51. What is “phishing”?
     • A computing scam where the perpetrators try to get sensitive personal information by sending users to fake, but legitimate-looking, websites.
     • Often starts with a legitimate-looking email asking the recipient to re-enter his or her login credentials, banking information, home address and phone number, credit card numbers, or other information that can be used to access accounts or computer systems.
  52. Employee Vulnerability – Phishing
     • Target breach likely started with a phishing email to one of Target’s contractors.
  53. Phishing – Email
     [screenshot]
  54. Phishing – Email
     [screenshot]
  55. Phishing – Email
     [annotated screenshot] Callouts: “No name or eBay username”; “Is not clearly taking you to”
  56. Phishing – Online
     [screenshot]
  57. Phishing – Online
     [screenshot]
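The callouts on the annotated email slide (no name or username in the greeting; a link that does not clearly go where it claims) can be checked mechanically. The script below is an added illustration written for this page, not material from the slides or from Dentons: it parses a constructed HTML email, flags a generic greeting, and compares the domain shown in each link's visible text with the domain the link actually points to. It goes slightly beyond the slide by also flagging links to a bare IP address and plain-HTTP links to a sign-in page. The sample message, the hostnames and the IP address are all made up.

```python
"""Flag the phishing indicators called out on the slides: a generic greeting
(no name or username) and a link whose visible text does not match its
actual destination.  Added example; all sample data is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure, modelled on the eBay-style email on the slide.
# The sender host, link target and IP address are not real.
SAMPLE_EMAIL_HTML = (
    "<p>Dear valued customer,</p>"
    "<p>Please confirm your details at "
    '<a href="http://198.51.100.23/signin">https://www.ebay.com/signin</a>'
    " within 24 hours.</p>"
)

# Greetings that address nobody in particular (assumption: a short list is enough
# to illustrate the check; a production filter would use a larger one).
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user", "dear member")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an open anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Hostname of a URL, or of a bare 'www.example.com/path' string."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _is_ipv4(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def phishing_indicators(html):
    """Return a list of human-readable indicators found in an HTML email body."""
    findings = []
    if any(g in html.lower() for g in GENERIC_GREETINGS):
        findings.append("generic greeting: no name or username")
    collector = _LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        target = _host(href)
        # Only compare when the visible text itself looks like a URL or domain.
        shown = _host(visible) if "." in visible else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but goes to {target}")
        if _is_ipv4(target):
            findings.append(f"link goes to a bare IP address: {target}")
        if href.lower().startswith("http://"):
            findings.append(f"link to credential page is not HTTPS: {href}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL_HTML):
        print(" -", finding)
```

On the constructed sample the script reports all four indicators; an email that greets the recipient by name and links only to the domain it displays over HTTPS produces an empty list. The domain comparison is the check worth keeping in a mail-gateway rule: display text and `href` disagreeing is the single most reliable sign that a link is not taking you where it says.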
  58. What is “Social Engineering”?
     • Using human interaction (social skills) to manipulate individuals into performing actions or divulging confidential information
     • Exploits human nature
  59. Social Engineering
     Notorious hacker Kevin Mitnick, comments from his book The Art of Deception:
     • “people inherently want to be helpful and therefore are easily duped”
     • “They assume a level of trust in order to avoid conflict”
     • In more than half of his successful network exploits he gained information through social engineering.
  60. Employee Vulnerabilities – Lost and Stolen Laptops
     • One laptop is stolen every 53 seconds (Gartner)
     • 97% of stolen laptops and computers are never recovered (FBI)
     • Nearly 12,000 laptops are lost or go missing at U.S. airports every week (Dell, Ponemon Institute)
     • 65-70% of lost laptops are never reclaimed (Dell, Ponemon Institute)
     • 53% of business travelers carry sensitive corporate information in their laptops (Dell, Ponemon Institute)
  61. Laptop Encryption
     • Under UK regulatory guidance and in many states in the US, a company that has encrypted all content on laptops and mobile devices would not be required to notify regulators or individuals whose data was stored on a stolen laptop or mobile device.
     • HOWEVER, management and employees must take responsibility for ensuring the security of laptops and mobile devices, as well as the data residing on them.
  62. Cloud Computing
     • Clear advantages and clear risks
     • Do not sign up for cloud services with click-accept online terms and conditions – legal contracts need to be vetted through Legal.
     • – file storage and sharing
     • Can now access using SNI network ID and password via
  63. Security in the Cloud
     • If in the cloud, assume the NSA and other intelligence agencies will see it and read it
     • Requires trusting a third party to protect your data
     • Contracts, pre-agreement diligence and assessments
     • Indemnification or other remedies in case of breach
     • Security assurances should scale to match the sensitivity of the data
  64. Thank You!
     We are very interested in your feedback – please take a moment to leave a note about this class and presenter on the back side of your evaluation form.
     © 2014 Dentons. Dentons is an international legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see for Legal Notices.
     Todd Daubert, Partner, Dentons, Washington, DC, T +1 202-408-6458