Data Privacy Micc Presentation

  1. DATA PRIVACY
     Ashish S. Joshi, Esq., Lorandos & Associates, Trial Lawyers, Michigan – New York – Washington, D.C. – India
  2. (untitled)
     • Businesses collect and store sensitive information: social security numbers, credit card and bank account information, medical and personal data.
     • Businesses have a legal obligation to protect this information.
     • Failure to exercise due diligence in protecting sensitive data could lead to fraud and identity theft – and expose a business to serious legal liability.
  3. Exposure to Legal Liability
     • Federal Law: The Federal Trade Commission (FTC) enforces several laws that have information security requirements: the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act.
     • State Law: Michigan law requires immediate notification of a security breach, together with ancillary measures. Failure to provide a required notice may subject a person to a civil fine of up to $750,000 and/or prosecution by the State Attorney General. A majority of states have similar laws.
     • Private Lawsuits: Lawsuits filed by victims of identity theft and/or fraud can involve a business in long and expensive litigation.
  4. Peer-To-Peer File Sharing
     • P2P technology is a way to share music, video and documents, play games, and facilitate online telephone conversations.
     • Popular P2P programs: BearShare, LimeWire, KaZaa, eMule, Vuze, uTorrent and BitTorrent.
  5. P2P Security Risk
     • If P2P software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network.
     • Employees using P2P programs may inadvertently share files.
     • Instead of just sharing music on a lunch break, an employee may end up “sharing” his or her company’s highly sensitive information.
     • Once a user on a P2P network downloads someone else’s files, the files cannot be retrieved or deleted.
  6. Create a Policy and Enforce It.
     • The decision to ban or allow P2P file sharing programs on your company’s network involves a number of factors.
     • Whether you decide to ban P2P file sharing programs or allow them, it’s important to (a) create a policy, (b) implement it, and (c) enforce it.
     • Prepare a plan that you can implement – effectively and efficiently – in case of a security breach.
  7. If You Decide to Ban P2P Programs…
     • Block access from your network to sites used to download P2P programs – especially the sites that offer free software.
     • Use scanning tools to find P2P file sharing programs and remove them.
     • Install tools that create records of file transfers to detect P2P traffic.
     • Review activity logs on your network to identify traffic volume spikes that may indicate big files (or a large number of small files) are being shared.
     • Install data loss prevention tools that inspect outgoing files for sensitive information.
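The log review step on slide 7, as an added example that is not part of the presentation: a small Python detector that reads constructed per-host hourly transfer summaries (the log format, host names, dates and the 5x threshold are all assumptions) and flags an hour in which a host's outbound byte volume or file count jumps far above that host's own baseline, the two patterns the slide names.

```python
"""Flag hosts whose outbound transfer volume or file count spikes against their own baseline."""
from collections import defaultdict
from statistics import mean

# Constructed sample log (assumed format): "<hour> <host> bytes_out=<n> files_out=<n>".
# ws-17 pushes one very large transfer at 12:00 and a burst of small files at 13:00;
# ws-04 is steady and should produce no alert.
SAMPLE_LOG = """\
2024-03-04T09:00 ws-17 bytes_out=12000000 files_out=40
2024-03-04T10:00 ws-17 bytes_out=15000000 files_out=35
2024-03-04T11:00 ws-17 bytes_out=13000000 files_out=42
2024-03-04T12:00 ws-17 bytes_out=900000000 files_out=3
2024-03-04T13:00 ws-17 bytes_out=14000000 files_out=2400
2024-03-04T09:00 ws-04 bytes_out=20000000 files_out=30
2024-03-04T10:00 ws-04 bytes_out=21000000 files_out=28
2024-03-04T11:00 ws-04 bytes_out=19000000 files_out=33
2024-03-04T12:00 ws-04 bytes_out=22000000 files_out=31
"""


def parse(log_text):
    """Group lines as {host: [(hour, bytes_out, files_out), ...]} in log order."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hour, host, b, f = line.split()
        per_host[host].append((hour, int(b.split("=")[1]), int(f.split("=")[1])))
    return per_host


def find_spikes(log_text, ratio=5.0, min_points=3):
    """Return (host, hour, kind) for every hour whose bytes_out or files_out exceeds
    `ratio` times the mean of the host's other hours (leave-one-out baseline, so a
    single huge hour does not inflate its own baseline)."""
    alerts = []
    for host, rows in parse(log_text).items():
        if len(rows) < min_points:  # too little history to call anything a spike
            continue
        for i, (hour, b, f) in enumerate(rows):
            others = [r for j, r in enumerate(rows) if j != i]
            base_bytes = mean(r[1] for r in others) or 1
            base_files = mean(r[2] for r in others) or 1
            if b > ratio * base_bytes:
                alerts.append((host, hour, "volume_spike"))      # one or more big files
            if f > ratio * base_files:
                alerts.append((host, hour, "many_small_files"))  # burst of small files
    return alerts
```

Hosts flagged this way still need to be checked against the file-transfer records and DLP results the other bullets describe; a volume spike alone may be a legitimate backup or software update.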
  8. If You Decide to Allow P2P Programs…
     • Review various P2P programs, and select one that is appropriate for your company.
     • Permit only the approved program.
     • Provide the approved program directly to authorized users from an internal server, not from a public download site.
     • Update the approved P2P program from an authorized source to incorporate the latest security patches.
  9. If You Allow Remote Access…
     • Provide dedicated company computers to employees who work remotely.
     • These computers should have the same security measures that you use at work.
     • Remote access should be allowed only through secure connections like VPN or SSL.
     • Exercise due diligence in deciding who you allow to access your network remotely.
  10. Train Your Employees
     • Keeping sensitive information secure is the responsibility of every employee.
     • Every employee who has access to sensitive information should be trained about the security risks.
     • If you allow P2P programs, train your employees on how to limit what other P2P users can view on your network.
     • Consider what disciplinary measures are appropriate for violation of your company’s policies about data security.
     • And, most important: make sure that policies have teeth – discipline the rogue employees.
  11. In Case of a Security Breach
     • Immediately consult an attorney who is an expert in the area of data privacy laws.
     • Get together a team: attorneys, computer forensic experts, in-house I.T. staff, and the Chief of Human Resources.
     • Take swift action to comply with the state notification laws.
     • Evaluate potential civil and/or criminal remedies.
     • Evaluate the possibility of obtaining preliminary relief / an injunction.
     • Media / Public Relations
  12. Sources: The Federal Trade Commission
     Ashish S. Joshi, Esq., Lorandos & Associates