The path to navigating data protection risks is often filled with uncertainty. Overestimating the risks stifles growth, and underestimating them can derail the business. To measure data protection risks, security teams need to view them through both a technical and a legal lens. This talk is about enabling security teams to right-size their risk profile and to identify the controls most correlated with reducing data protection risks and the organization's liability exposure.
BSidesSF talk: Silver lining for security teams in data protection clouds
1. Rafae Bhatti
Director of Security and Compliance, Mode
LinkedIn: rafaebhatti
Twitter: @privacyphd
When GDPR and CCPA strike: Silver lining for security teams in data protection clouds
2. Who Am I?
I build security programs at startups
I am also a recently licensed CA attorney
14. Scenario 1
A company's vendor launches an email campaign using the personal data of the company's users.
The data belongs to consumers in CA.
Can a CA consumer sue the company for a CCPA violation?
16. Vendor Data Use Takeaway
● Audit data use for vendors with PII, including a cookie scan
● In addition to legal commitments, use tools (such as plug-ins) to protect personal data
● Tie vendor security to business consequences
17. Scenario 2
A company accidentally shares a report belonging to organization A with organization B.
The data belongs to consumers in the EU.
Is the company required to notify the consumers of a data breach?
19. Clarity in Uncertainty
Flight 1549 had a unique risk profile:
1. Speed was too high to avoid hitting the birds
2. Altitude was too low to be able to land on any ground
3. The decision had to be made quickly
Find your unique profile to calibrate risks:
1. Exposed data included personal data
2. Exposed data was not encrypted
3. The source of the breach has not been addressed
Under CCPA -> Enough to decide
Under GDPR -> Consider high risk
21. Data Processing Risk Takeaway
● Degree of risk is a matter of data subject expectation
● Mandatory code review when there is a high level of risk in processing data
● Tie risk of disclosure to business consequences
Different analysis for CA and EU
22. Scenario 3
A company's vendor leaks personal data about the company's customers.
The data belongs to consumers in CA.
Can a CA consumer sue the company for a data breach?
23. Clarity in Uncertainty
Find your unique profile to calibrate risks:
1. Exposed data included personal data
2. Exposed data was not encrypted
3. The breach has not been cured
Under CCPA -> If NOT reasonable
Under GDPR -> No private right
26. Takeaways
● Audit vendor use of PII when doing vendor security reviews
● Focus on data processing risk to guide breach mitigation and response
● Invest in the operational effectiveness of the cybersecurity program