Data Protection Rules are Changing: What Can You Do to Prepare?

The European Union’s proposed new data protection regulation aims to update Europe’s data protection laws and to provide a more consistent data protection framework across the Continent.

But the new regulation, which replaces the EU’s existing data protection directive and member states’ data protection laws, will put some new demands on organisations holding personal data. Breach disclosure and “the right to be forgotten” will force businesses to update their data protection and retention policies.

This presentation will:

- Review the current EU laws, and contrast them with laws in other parts of the world;
- Examine the arguments for strengthening data protection in Europe, and the likely outcomes;
- Look at what security teams should already be doing to put themselves ahead of legislative changes;
- Outline strategies and technologies organisations need to meet current and future data protection requirements;
- Help infosecurity teams to explain the changes, and their consequences, to their boards.

Speaker notes:
  • “Disclosure isn't yet found in our legislation, but it is still part of the law nonetheless. This point is generally misunderstood. Disclosure for the purpose of PCI DSS is a contractual matter.”
  • Nationwide example: in February 2007 a well-known UK financial institution, the Nationwide Building Society, had a laptop stolen from an employee's home. The incident led to a fine of £980K, which may seem excessive until you look at the underlying judgement. This focused more on poor practice around data security at Nationwide and the delays in doing anything about the theft of the PC and the 11 million customer records stored on it. The theft was almost certainly opportunistic and there is no evidence that data was ever compromised, but for Nationwide the damage was done: the direct cost of the fine and the indirect cost of reputational damage.
  • Talk about: lost business; hacktivism; sovereign state.

    1. Data Protection Rules are Changing: What Can You Do to Prepare? Moderator: Stephen Pritchard, Infosecurity magazine. Sponsored by: Lumension.
    2. Webinar overview: the description given at the top of this page (the proposed EU regulation, breach disclosure and the “right to be forgotten”, and the five topics the webinar covers).
    3. Speakers: Bob Tarzey, Analyst and Director, Quocirca; Dr. Alea Fairchild, Director, The Constantia Institute; Sibylle Gierschmann, Partner, Taylor Wessing; Chris Merritt, Director, Solution Marketing, Lumension.
    4. Poll: Is your organisation compliant with the following regulations, or do you plan to be compliant within the next 24 months? (1) UK Data Protection Act; (2) Financial Services Authority (FSA); (3) EU Privacy Directives; (4) PCI DSS; (5) Data Privacy Laws.
    5. Bob Tarzey, Analyst and Director, Quocirca
    6. EU Data Protection: Don't wait for the Eurocrats. Bob Tarzey, Analyst and Director, Quocirca Ltd, August 8th 2013. © Quocirca 2012. (Also named on the slide: Clive Longbottom, Service Director, Quocirca Ltd.)
    7. EU Data Protection Regulation
       • The Jan 2012 proposed regulation will eventually replace the 1995 directive
       • When? 2014 to 2016, depending on when the EU gets its act together
       • In the meantime other rules still apply and will do so in the future
       • These include local in-country law such as the UK DPA
    8. NEW EU Data Protection Regulation versus OLD EU Data Protection Directive: under the new Regulation, the EU DPR trumps the UK DPA (a regulation applies directly in every member state); under the old Directive, the UK DPA, as the national transposition, is what applies and trumps the EU DPD.
    9. Example: breach disclosure. UK DPA guidance says: “[Although] there is no legal obligation in the DPA for data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of his Office. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA.”
    10. Draft “European General Data Protection Regulation”, Jan 2012, Article 31: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority”
    11. Beyond DP law
       • Other laws may require disclosure indirectly
       • E.g. the European Convention on Human Rights, Article 8 (provides a right to respect for one's “private and family life”)
       • Some businesses are governed by specific disclosure requirements
       • E.g. the Financial Services Authority (FSA) arguably obliges firms it regulates to notify data breaches as part of their general reporting duties
       • Other regulations and standards already require it; one area affecting many is PCI DSS
    12. PCI DSS: is disclosure required?
       • Disclosure for the purpose of PCI DSS is a contractual matter
       • Actions following compromise (Visa): contact law enforcement; contact your bank; contact Visa fraud control; preserve logs; make a note of all these actions
       • Visa: “Make sure you have a written policy with an incident response plan and make sure all employees are aware of it” Taken from:
    13. Why SHOULD we disclose?
       • The Visa advice makes sense
       • Early disclosure will mean you have control of issues faster
       • It may be needed to satisfy insurers
       • Should we inform the police? A crime may need investigating; insurers may require it
       • Should we tell the media? Perhaps better to be proactive than on the back foot; the media may be the best way to quickly inform “data subjects”; keep the media on side
    14. If in doubt, here is what consumers think… (chart; source: LogRhythm, 2011 survey of 2,000 UK consumers)
    15. So, why wait for the EU?
       • Many of the rules make sense or are required for other reasons
       • Most businesses recognise many of the dangers, through hearing of the travails of others or through bitter experience
       • Only with good DP in place can businesses be confident to benefit from cloud-based services, mobility, consumerisation and social media
    16. We should be protecting data regardless of what the EU says and does! (chart: concern about the impacts of cyber-attacks; source: Quocirca 2013, “The trouble heading for your business”, http://www.quocirca.com/reports/797/the-trouble-heading-for-your-business)
    17. Actual impacts on your business as a result of the attacks? (chart, of the 30% who reported a “significant impact”; source: Quocirca 2013, “The trouble heading for your business”, http://www.quocirca.com/reports/797/the-trouble-heading-for-your-business)
    18. Top five barriers to cloud adoption (chart; source: Quocirca 2013, “The adoption of cloud-based services”, https://www.ca.com/us/register/forms/collateral/the-adoption-of-cloud-based-services-increasing-confidence-through-effective-security.aspx)
    19. Biggest barriers to adoption? By industry (chart; source: Quocirca 2013, “The adoption of cloud-based services”, https://www.ca.com/us/register/forms/collateral/the-adoption-of-cloud-based-services-increasing-confidence-through-effective-security.aspx)
    20. How important are the following security technologies for providing secure access to cloud-based services? Europe overall, enthusiasts versus avoiders (chart; source: Quocirca 2013, “The adoption of cloud-based services”, https://www.ca.com/us/register/forms/collateral/the-adoption-of-cloud-based-services-increasing-confidence-through-effective-security.aspx)
    21. Conclusion
       • Make sure you have in place a compliance-oriented architecture today
       • It is the only way to ensure your organisation is well positioned to meet all the relevant regulatory requirements and to mitigate real business risk
       • Make sure the architecture adapts to changing patterns of IT use, the changing threat landscape, and the new EU regulations whenever they become a reality
    22. Thank you. bobtarzey@quocirca.com. This presentation will be available on www.quocirca.com
    23. Dr. Alea Fairchild, Director, The Constantia Institute
    24. Roll the dice: Risk and EU Data Protection. Dr. Alea Fairchild, The Constantia Institute bvba
    25. EU Data Protection, 2013
       • The EU has designed its proposal to generate growth by harmonising the EU's “patchwork” of national rules, to generate trust through up-to-date legislation and to address the data privacy concerns of citizens.
       • A number of issues (such as hiring a data protection officer (DPO)) have a financial impact.
    26. DP Policy: What is this going to cost you?
    27. Three sides of the same situation: the “security” angle; the “customer is king” angle; the “what marketing wants” angle
    28. Customer is King
       • Transparency and notification
       • Right to be forgotten
       • Rights and obligations
       • Trust and relationship management
    29. What Marketing Wants
       • Access and analysis, big data and mining
       • Granular data for prolonged periods of time
       • Control of communication to prospects
    30. Security: Acting as a Responsible Business
       • Consolidate your role in the value chain: you are the first face to the customer; they do not care who did it, you did it
       • Compliance and notification of breaches: to consumers, partners and suppliers
       • Consumer protection and corporate liability
    31. DP Recommendations for the CISO and the Security team
       1. Define your DP privacy policies and document them.
       2. Structure your DP governance group; appoint a DPO.
       3. Design and develop your data breach notification process.
    32. DP Recommendations for the CISO and the Security team (2)
       4. Prepare your organisation to fulfil the “rights” of the consumer.
       5. Understand how you communicate these “rights” to the customers.
       6. Focus on privacy by design, and on what is appropriate for your organisation and industry.
    33. Thank you. Dr. Alea Fairchild. Twitter: @AFairch. Skype: alea.fairchild. Website: www.constantiainstitute.org
    34. Sibylle Gierschmann, Partner, Taylor Wessing
    35. EU General Data Protection Regulation (GDPR). Sibylle Gierschmann, August 8, 2013. Data Protection Rules are Changing: What can you do to prepare?
    36. Agenda: 01 Why should it interest me? 02 What's new? (“Highlights”) 03 What can I do to prepare?
    37. Why should it interest me?
       > Regulation: directly enforceable (vs. Data Protection Directive 95/46/EC, which had to be transposed into national law)
       > Applies to processing of “personal data” of data subjects residing in the EU, i.e. the company seat is NOT relevant
       > Does NOT apply to: electronic communications (Directive 2002/58/EC, e.g. cookies); employee data (as mostly national rules are relevant)
       > Timeline: may enter into force in 2014 and be applied from the beginning of 2016. Draft of January 25th, 2012; still debated in parliament (over 3,000 change requests). “Trilogue”, i.e. negotiations between EU parliament, council and commission, may start in autumn 2013
    38. What's new? “Highlights”
       > For your company in general: data breach notification; sanctions of up to 2% of annual world-wide turnover; binding corporate rules facilitated; written processor agreements
       > For your organization: data protection officer/representative; documentation of all processing operations
       > For your IT processing: right to be forgotten; right to data portability; privacy by design and default; data protection impact assessment
    39. Changes for the company in general
       > Data breach notification, Arts. 31, 32 (under discussion): any personal data breach; notice to the DPA (data protection authority, i.e. the supervisory authority) within 24 hrs; communication to data subjects “without undue delay” (responsible disclosure?)
       > Transfer of personal data to third countries, Arts. 40 et al.: stays as is (EU Commission adequacy decision / standard data protection clauses / ad hoc agreements, which require approval); binding corporate rules get quicker approval because of the rules on co-operation and consistency
       > Written processor agreements, Art. 26.2 (under discussion): e.g. document instructions / approval of sub-processors / technical and organizational requirements
    40. Changes for your organization
       > Data protection officer (DPO), Art. 35 (under discussion): mandatory if more than 250 employees, or if the core activity concerns regular monitoring of data subjects; group DPO possible; external or internal person; must have expert knowledge; appointed for at least 2 years; acts independently and reports directly to management
       > If no establishment in the EU exists: designate a representative, Art. 25; duty to co-operate with the DPA (enforceability?)
       > Documentation of all processing operations, Art. 28 (under discussion): no notification of the DPA necessary; content similar to the existing Art. 19 of EU Directive 95/46/EC
    41. Changes for your IT processing (1/2)
       > Right to be forgotten, Art. 17 (under discussion): data needs to be deleted if it is no longer necessary in relation to the purpose; consent is withdrawn; the data subject legitimately objects to the processing; or the processing does not comply with the regulation. Data made public: take all reasonable steps to inform third parties of the erasure. Unless retention periods apply, so work on data retention policies!
       > Right to data portability, Art. 18 (under discussion): right to obtain a copy of the data in a commonly used format
       > Privacy by design and default, Art. 23
    42. Changes for your IT processing (2/2)
       > Data protection impact assessment, Art. 33 (under discussion): required where there are specific risks to the rights and freedoms of data subjects, in particular analyzing or predicting behaviour; sensitive data; video surveillance; data on children, genetic data or biometric data; or where the DPA deems it necessary to carry out a prior consultation because of specific risks of the processing operation (list of processing operations)
       > In this case: prior consultation of the DPA if there is a “high degree” of specific risk; authorization required; might require the consistency procedure if more than one member state is involved (involvement of the European Data Protection Board and the Commission)
    43. What can I do to prepare?
       > Ensure reporting mechanisms for data breaches: internally, and externally, e.g. in your service/processor agreements
       > Consider binding corporate rules now (if you are a large organization)
       > Is your data protection organization up to speed? Do you have internal data protection know-how? Are your processing operations documented (IT landscape; access rights; per application: what kind of data / for what purposes / legal grounds)? Do you have a data retention policy? Keep in mind when setting up new processing operations: privacy by design/default
    44. Presenter: Dr. Sibylle Gierschmann, Partner, Munich. Technology, Media & Telecoms; Litigation & Dispute Resolution. Sibylle is a German and U.S. qualified lawyer and partner at the Taylor Wessing law firm. She is a trusted advisor in the fields of IT, media and data protection law and heads Taylor Wessing's industry group “Technology, Communication & Media”. Her clients are often IT, telco and media companies, but also companies from other industries who seek her advice on technology-related issues. Part of her technology focus is a long-standing data protection expertise. The German lawyers' guide “JUVE” lists Sibylle as a “leading name” in data protection law. Sibylle is a member of the data protection works council at the German Association for Information Technology, Telecommunications and New Media (Bitkom e.V.), which is an important stakeholder and standard setter in Germany. She is also an accredited data protection auditor (TÜV). Sibylle studied law at the University of Hamburg, where she earned a Doctor of Jurisprudence (Dr. jur.). She also studied in the U.S., where she earned a Master of Laws (LL.M.) degree at Duke University, North Carolina. In 2001 Sibylle passed the New York State bar exam. In Germany she has practised since 1999 and is an accredited specialist lawyer in the field of copyright and media law (“Fachanwalt für Urheber- und Medienrecht”). Sibylle is a frequent writer, speaker and commentator on legal issues from her practice. She teaches media law at Ludwig-Maximilian University in Munich and regularly trains data protection officers. She was the founding president of the Duke Club of Germany e.V. and now acts as vice president of this non-profit organization. She is fluent in German (native speaker) and English. Contact details: T: +49 (0)89 21038-138; E: s.gierschmann@taylorwessing.com
    45. Chris Merritt, Director, Solution Marketing, Lumension
    46. Data Protection: Getting Ahead of Regulations (slide footer: PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION)
    47. Data Breach Causes (chart; source: 2013 Cost of Data Breach Study: Global Analysis (May 2013), conducted by Ponemon Institute)
    48. Data Breach Costs (chart; source: 2013 Cost of Data Breach Study: Global Analysis (May 2013), conducted by Ponemon Institute)
    49. Data Loss / Theft (chart): hacking attacks; malicious insider; negligent insider
    50. Endpoint Attack Vectors: The Endpoint is the New Attack Vector
       • Browser, apps and OS all have known vulnerabilities: 2/3 of all apps have known vulnerabilities; time-to-patch with change control is long, resulting in a lack of security and visibility
       • Rogue USB: a transport method for injecting malware (e.g., Conficker, Stuxnet); the easiest and most common means of data loss / theft
       • Virus / malware: the best capture rate on day one with AV is 33%; after 30 days it is 93%; 70,000 pieces of malware a month remain undetected
    51. Defense-in-Depth Strategy. Successful risk mitigation requires a layered defensive strategy which includes: patch management; configuration control; application whitelisting; memory protection; data encryption; port / device control; antivirus. (Diagram layers: patch and configuration management; application control; memory protection; device control; AV; hard drive and media encryption)
    52. A Model for Data Protection Maturity (diagram)
    53. Rising to the Challenge
       • Creating policies. Ad hoc: minimal or no security policies. Optimal: comprehensive and exhaustive
       • Educating staff. Ad hoc: one-time or no training. Optimal: on-going, formal training
       • Enforcing policies. Ad hoc: limited technical controls. Optimal: robust technical controls
    54. More Resources
       • Free security scanner tools (http://www.lumension.com/Resources/Security-Tools.aspx): Vulnerability Scanner, discover all OS and application vulnerabilities on your network; Application Scanner, discover all the apps being used in your network; Device Scanner, discover all the devices being used in your network
       • Java Resource Center: http://www.lumension.com/Resources/Resource-Center/Java-Resource-Center.aspx
    55. Global Headquarters: 8660 East Hartford Drive, Suite 300, Scottsdale, AZ 85255. 1.888.725.7828. info@lumension.com. http://blog.lumension.com
    56. Poll: Which of these proposed changes is the biggest issue for your organisation? The right to be forgotten; compulsory breach notification; mandatory appointment of a DPO; the right to data portability
    57. Panel discussion
    58. Audience Questions
    59. Thank you for attending