A security awareness presentation aimed at management, concerning privacy and the looming GDPR implementation deadline.
The slides will make more sense (hopefully) if you download the presentation and read the speaker notes. Some of them use animations: they are not as jumbled as LinkedIn makes them appear.
6. GDPR – an EU privacy law with global implications
Concerns personal data on people in the EU, wherever in the world it is processed
Privacy by design and by default
Consent must be freely given
People can request copies of their own personal data
Right to be forgotten
Data Protection Officers required (in specified circumstances)
Breaches to be notified within 72 hours (3 days) of becoming aware of them
Penalties up to €20m or 4% of annual global turnover
13. Governance aspects
Privacy strategy & policy
• What are our strategic and policy objectives for privacy?
• How do those relate to information risk & security, compliance and the business in general?
• How to implement the strategy? When?
Rôles & responsibilities
• Who is responsible for privacy, and who is accountable for the organization’s overall approach to privacy?
• What is the scope and purpose of the privacy function?
• What about the organizational structure, reporting lines etc.?
Improvement opportunities
• Are we doing enough on privacy? Do we have sufficient assurance?
• Can we align privacy, security, compliance and risk to take advantage of synergies and minimize conflicts, overlaps and gaps?
• What metrics will help us monitor and enhance privacy?
15. Conclusion
Privacy involves …
• Compliance with a complex and dynamic mesh of privacy laws and regulations e.g. GDPR (25th May 2018 is the implementation deadline)
• Strong leadership and management direction e.g.
• Governance arrangements, roles and responsibilities, and metrics
• Privacy is a compliance, business and ethical issue
• Fostering a security and privacy culture
• Suitable policies and procedures, plus awareness and training
• Active motivation and encouragement (e.g. the GDPR deadline)
• Compliance enforcement where appropriate (being firm but fair)
16. More info
Privacy Officer
Corporate intranet Security Zone
Policies, procedures & other security awareness materials
CISO/Information Security, Legal/Compliance, HR …
Discuss with colleagues & staff
Call the Help Desk to report issues … or seek help
17. Professional bias
[Chart: “Perceived significant threat” compared with “Actual cause of disruption”, with a “Reality check” annotation, from the BCI survey]
www.thebci.org/asset/9889734F-2AD5-49A5-B1C4D149A333E871/
Editor's Notes
This presentation forms part of the management stream of the information security awareness program. Although the seminar is designed to last about 30 minutes, we hope it will catch your imagination and spark an ongoing dialogue.
These speaker notes provide additional information and prompts for the presenter and audience, explaining and expanding on what is on the slides. To use them as handouts, select “Notes Pages” on PowerPoint’s print settings rather than “Full page slides”.
Privacy substantially overlaps with information risk and security and compliance. While it concerns all employees and much of the organization, those two areas are core because:
Privacy risks are information risks, hence information security controls are needed;
Legal and regulatory compliance obligations are unforgiving in this area, and if anything they are gradually being strengthened.
As usual, this is a generic probability-impact graph (PIG) comparing some of the risks relating to privacy, from the corporate perspective*.
<CLICK>
Most of the information risks in this area concern breaches – different types and sizes of breach, plus the consequences such as penalties imposed on the organization.
It’s hard to determine exactly where each of them should be on the graph, but arguably it doesn’t matter: clearly, we need to identify, assess and treat the risks relating to privacy breaches, ideally to avoid them, if not to minimize them and the adverse consequences.
* We have also developed an equivalent PIG taking the individual person’s perspective. The differences are quite interesting. Ask Information Security for more on that, if you like.
Despite the risks being “obvious” from the PIG, the figures on this slide are shocking: reportedly, personal information concerning more than 5 billion people had been compromised in the 3 years to the end of 2016.
<CLICK>
The figures today are even more depressing.
Privacy breaches are headline news. Major incidents (those involving large numbers of records concerning millions of people, or those involving highly sensitive personal information – see next slide) are reported globally.
At one level, this is “what’s going on in privacy”. Despite all the laws, regulations and focus on prevention, privacy incidents/breaches are still happening at an alarming rate.
With such an abysmal record, and almost inestimable global costs, you can understand the EU’s concerns that organizations are not taking privacy obligations seriously.
In case you missed it, here’s a recent example.
Equifax was all over the news in the US in September due to this breach “between May and July” involving “sensitive personal data of 145.5 million Americans, including social security numbers, names, home addresses, and driver's license numbers.”
Subsequent to the incident, the CEO resigned while the company, and those 145½ million people, and their banks and so on, are left picking up the pieces.
Articles such as the one in Motherboard claim that the security issues within Equifax were widespread – cultural you could say. Evidently management knew there were serious cybersecurity issues but, for whatever reason, failed to resolve them in time to avoid the devastating hack.
The EU General Data Protection Regulation (GDPR) applies from 25 May 2018. In summary, GDPR:
Is global in scope in respect of anyone anywhere handling personal data on people in the EU, not just organizations based in Europe (and other countries, e.g. Canada, Australia and New Zealand, have or are developing privacy laws of their own);
Requires privacy to be an integral part of the design of IT systems and business processes, and the default option: it is no longer sufficient to bolt-on privacy as an afterthought;
Where processing relies on consent (one of several lawful bases under GDPR), consent to use their personal data must be clearly requested from people and is freely given: they are free to refuse, but they will probably have to forgo the benefits of the processing;
People can check whether their personal data is held by an organization, and may request copies (normally free of charge, and normally to be provided within a month) to check the details. This may be handled manually or systematically depending on the volume of requests;
People have the “Right to be forgotten” (the right to erasure), in other words they can withdraw their consent after the fact, as easily as they gave it, and their personal data must then be erased unless another legal ground for retaining it applies;
Data Protection or Privacy Officers must be formally nominated by management, at least where GDPR requires one (e.g. public authorities, and organizations whose core activities involve large-scale monitoring of people or large-scale processing of sensitive personal data);
Privacy breaches should be notified to the authorities without undue delay and, where feasible, within 72 hours (3 days) of the organization becoming aware of them, unless the breach is unlikely to put individuals at risk. This leaves precious little time to investigate suspected breaches and prepare the notification;
Fines for noncompliance can reach the greater of €20m or 4% of annual global turnover (gulp!). GDPR has sharp teeth! The authorities will be looking to make examples of noncompliant organizations, especially around May 2018.
Given the legal and regulatory compliance obligations relating to privacy, and the likelihood of publicity as a result, it is important that ‘privacy breaches’ (whether confirmed incidents or close-shaves) are handled in a structured, pre-planned manner. This is a fairly simple but important process, given:
The involvement of internal and external people/functions
Information flowing between them in various forms, online and offline
Their responsibilities/obligations, competencies and interests
Management oversight and clear direction is necessary, implying the need to document and practice/rehearse the process.
<CLICK>
GDPR Article 33 requires a breach to be notified to the supervisory authority without undue delay and, where feasible, not later than 72 hours after the organization becomes aware of it; if the notification is later than that, the reasons for the delay must be given. (Article 34 separately requires affected individuals to be told without undue delay where the breach is likely to put them at high risk.) The lawyers are already sharpening their pencils! It probably makes sense to develop a fast-track process for an initial, suitably-worded notification (GDPR allows the details to be provided in phases as they become available), with escalation to Legal/Compliance and release authority from senior management.
Back to the Equifax breach. According to the journalist, “a security researcher” warned them about their privacy issues months before the big breach occurred, but allegedly they failed to act. There are several possible explanations for this apparent failure:
The “security researcher” didn’t alert anyone but is now claiming bragging rights, or appeared inept and untrustworthy and was basically ignored, or was mistaken (perhaps he had fallen for a honeypot trap designed to mislead hackers probing the network), or exploited the vulnerabilities himself or disclosed the information to someone else who took advantage
The informed person did not take it further e.g. they simply forgot, perhaps too busy with other priorities, were incompetent, or had malicious intent, perhaps exploiting it themselves
Management, at some level, misjudged the risks and chose not to act on the information, at least not well enough to mitigate the risks, or investigated ineptly and found no issues, or the issues were in the process of being addressed (eventually, slowly!)
The reported issues were confirmed but were ignored for some other reason (e.g. infighting, incompetence, contention for resources), or were supposed to have been resolved but were not in fact (perhaps due to the scale and complexities involved), or were fully resolved … but the controls later failed, or were partially resolved but the controls were weak or incomplete or insiders broke or disabled the controls, whether intentionally or by accident (e.g. some other change reverted the fix)
Something else led to the breach, unrelated to the “security researcher’s” claims
….. (there are other equally credible scenarios – enough for a privacy workshop maybe?)
Returning to the incident management process, especially the time-critical notification of the authorities, do you think Equifax would have been able to notify the regulator within 72 hours, even if they wanted to?
What about us: could we realistically do what is necessary to receive, escalate, investigate and evaluate breaches, including suspected breaches, false alarms and perhaps deliberate false reports, all within 72 hours?
Here we’ve laid out (some of) the privacy risks in sequence, and identified (some of) the security controls that would mitigate the risks.
Clearly, there’s quite a lot to think about here, most of which is down to the specialists … but what about the governance and management aspects?
Hopefully earlier you spotted the red-zone risk that we didn’t include as part of the reportable security breach group: we feel this is an important issue in its own right. The risk relates to the business value of personal information: it is used for various business activities, such as:
Linking people to activities, for accountability and security purposes
Communicating with and paying our people (including us!)
Invoicing and paying our suppliers
Paying the correct taxes
Taking care of workers’ health and wellbeing
Contacting suppliers, partners, customers and others, including prospects
Conducting credit and background checks on people
Deciding how to handle or deal with people, and dealing appropriately with them
Investigating incidents, frauds etc.
Imagine the business consequences if the information was lost, stolen, corrupted, outdated, incomplete, inaccurate, fraudulently manipulated, unsound, untrustworthy etc. For example, if we couldn’t pay people correctly due to losing their personal details, bank account numbers etc., would they continue working for us? If a competitor stole details of our customers and prospective customers, could they lure them away? Fortunately, the controls against privacy breaches also work against this risk, with a few wrinkles of their own.
Given that privacy largely falls within information security, “ISO27k” information security management systems and similar structured and systematic approaches to information risk and security management can fulfil most if not all of the requirements of GDPR and other privacy laws and regulations, plus the remaining business requirements for information security.
[There’s a professionals’ awareness briefing on this subject if you’d like more details on the alignment between GDPR and ISO27k.]
By the way, there are several other ISO and non-ISO standards concerning privacy. We’re not short of advice in this area!
We have a little time if you want to discuss these points now …or we can leave you to think about them, perhaps in a workshop later?
The appointment of someone competent, willing and able to take the lead on privacy matters is a baseline control.
Some privacy laws and regulations require this under specified circumstances (e.g. it typically applies to medium-to-large organizations and government/public service departments).
The job titles, rôles and responsibilities vary. “Data Protection Officers” may be preferred in Europe, reflecting the term used in EU privacy laws, while “Privacy Officer” is arguably the better term.
Large organizations may have enough privacy work to justify departments or teams of specialists, while small organizations typically make do with a part-timer.
[This model job description is included in the NoticeBored awareness materials, for consideration by organizations that don’t already have one.]
In a nutshell, compliance is necessary but not sufficient, and not easy to achieve either.
Further awareness presentations, briefings, glossaries etc. are available on Information Security’s intranet Security Zone.
The Data Protection or Privacy Officer, or experts from information risk and security, IT, compliance and other functions, would be pleased to provide further information or discuss the points we have discussed today. Just ask.
Please find opportunities to discuss this topic with colleagues. The security awareness program depends on widespread involvement to establish a corporate security culture. Please help us set employees thinking and talking about information security in a positive frame of mind.
This BCI survey revealed that although nearly half of business continuity professionals thought “Data breach (i.e. loss or theft of confidential information)” was a significant concern, only 15% had actually experienced significant business disruption due to such incidents.
In other words, the perceived threat outstrips the experienced impact: BC professionals can relax a bit, at least about how often a breach actually disrupts the business!