The European Union’s proposed new data protection regulation aims to update Europe’s data protection laws and to provide a more consistent data protection framework across the Continent. But the new regulation, which replaces the EU’s existing data protection directive and member states’ data protection laws, will put some new demands on organisations holding personal data. Breach disclosure and “the right to be forgotten” will force businesses to update their data protection and retention policies. This presentation will: - Review the current EU laws, and contrast them with laws in other parts of the world; - Examine the arguments for strengthening data protection in Europe, and the likely outcomes; - Look at what security teams should already be doing to put themselves ahead of legislative changes; - Outline strategies and technologies organisations need to meet current and future data protection requirements - Help infosecurity teams to explain the changes – and their consequences – to their boards

1. Data Protection Rules are Changing: What Can You Do
to Prepare?
Moderator:
Stephen Pritchard, Infosecurity magazine
Sponsored by: Lumension

2. The European Union’s proposed new data protection regulation aims to update Europe’s
data protection laws and to provide a more consistent data protection framework across
the Continent.
But the new regulation, which replaces the EU’s existing data protection directive and
member states’ data protection laws, will put some new demands on organisations holding
personal data. Breach disclosure and “the right to be forgotten” will force businesses to
update their data protection and retention policies.
This webinar will:
- Review the current EU laws, and contrast them with laws in other parts of the world;
- Examine the arguments for strengthening data protection in Europe, and the likely
outcomes;
- Look at what security teams should already be doing to put themselves ahead of
legislative changes;
- Outline strategies and technologies organisations need to meet current and future data
protection requirements
Help infosecurity teams to explain the changes – and their consequences – to their boards

3. Speakers:
Bob Tarzey
Analyst and Director, Quocirca
Dr. Alea Fairchild
Director, The Constantia Institute
Sibylle Gierschmann
Partner, Taylor Wessing
Chris Merritt
Director, Solution Marketing, Lumension

4. Poll: Is your organisation compliant with the following
regulations, or do you plan to be compliant within the next
24 months?
1. UK Data Protection Act
2. Financial Services Authority (FSA)
3. EU Privacy Directives
4. PCI DSS
5. Data Privacy Laws

5. Bob Tarzey
Analyst and Director,
Quocirca

6. Clive Longbottom,
Service Director, Quocirca Ltd
EU Data Protection
Don’t wait for the Eurocrats
Bob Tarzey,
Analyst and Director, Quocirca Ltd
August 8th 2013
© Quocirca 2012

7. EU Data Protection Regulation
• Jan 2012 proposed regulation will
eventually replace 1995 directive
• When? 2014 to 2016 – depending
on when EU gets its act together
• In the mean time other rules still
apply and will do so in the future
• This include local in country law
such as UK DPA

8. NEW EU Data Protection Regulation
EU DPR will trump UK DPA
versus
OLD EU Data Protection Directive
UK DPA trumps EU DPD

9. Example – breach disclosure
UK DPA guidance says:
“There is no legal obligation in the DPA for data
controllers to report breaches of security which
result in loss, release or corruption of personal data,
the information Commissioner believes serious
breaches should be brought to the attention of his
Office. The nature of the breach or loss can then be
considered together with whether the data controller
is properly meeting his responsibilities under the
DPA.”

10. Draft “European General Data
Protection Regulation” - Jan 2012
Article 31: “In the case of a personal data
breach, the controller shall without undue
delay and, where feasible, not later than 24
hours after having become aware of it, notify
the personal data breach to the supervisory
authority”

11. Beyond DP law
• Other laws may require disclosure indirectly
• E.g. European Human Rights Act, article 8 (provides a
right to respect for one's "private and family life”
• Some businesses are governed by specific disclosure
requirements
• E.g. Financial Services Authority (FSA) arguably obliges
firms it regulates to notify data breaches as part of their
general reporting duties
• Other regulations and standards already require it; one
area effecting many is PCI-DSS

12. PCI-DSS - is disclosure required?
• Disclosure for the purpose of PCI DSS is a
contractual matter
• Actions following compromise (VISA)
– Contact law enforcement
– Contact bank
– Contact VISA fraud control
– Preserve logs
– Make note of all these actions
VISA “Make sure you have a written
policy with an incident response plan and
make sure all employees are aware of it”
Taken from:

13. Why SHOULD we disclose?
• The VISA advice makes sense
• Early disclosure will mean you have control of issues
faster
• It may be needed to satisfy insurers
• Should we inform the police?
– A crime may need investigating
– Insurers may require it
• Should we tell the media?
– Perhaps better to be pro-active than on the back-
foot
– Media may be the best way to quickly inform
“data subjects”
– Keep media on side

14. Source: LogRhythm, survey 2011 of 2,000 UK consumers
If in doubt here is what consumers think…..

15. So, why wait for the EU?
• Many of the rules make sense or are
required for other reasons
• Most business recognise many of the
dangers
– Through hearing of the travails of others
– Through bitter experience
• Only with good DP in place can businesses
be confident to benefit from:
– Cloud based services
– Mobility, consumerisation and social media

16. 16
We should be protecting data regardless of what the
EU say and does!
Concern about the impacts of cyber-attacks
Source – Quocirca 2013 – The trouble heading for you business
http://www.quocirca.com/reports/797/the-trouble-heading-for-your-business

17. Actual impacts your as a results of the attacks?
(of the 30% who reported a “significant impact”)
17
Source – Quocirca 2013 – The trouble heading for you business
http://www.quocirca.com/reports/797/the-trouble-heading-for-your-business

18. Top five barriers to cloud adoption
Source – Quocirca 2013 – The adoption of cloud-based services
https://www.ca.com/us/register/forms/collateral/the-adoption-of-cloud-based-services-increasing-
confidence-through-effective-security.aspx

19. Biggest barriers to adoption?
By industry
Source – Quocirca 2013 – The adoption of cloud-based services
https://www.ca.com/us/register/forms/collateral/the-adoption-of-cloud-based-services-increasing-
confidence-through-effective-security.aspx

20. How important are the following security technologies
for providing secure access to cloud-based services?
Europe Overall – enthusiasts versus avoiders
Source – Quocirca 2013 – The adoption of cloud-based services
https://www.ca.com/us/register/forms/collateral/the-adoption-of-cloud-based-services-increasing-
confidence-through-effective-security.aspx

21. Conclusion
• Make sure you have in place a compliance
oriented architecture today
• It is the only way to ensure your
organisation is well positioned to:
– Meet all the relevant regulatory requirements
– Mitigate real business risk
• Make sure the architecture adapts to:
– Changing patterns of IT use
– The changing threat landscape
– ….and the new EU regulations when ever they
become a reality

22. Thank you
bobtarzey@quocirca.com
This presentation will be available on
www.quocirca.com

23. Dr. Alea Fairchild
Director,
The Constantia Institute

24. Roll the dice: Risk and EU Data
Protection
Dr. Alea Fairchild
The Constantia Institute bvba

25. EU Data Protection - 2013
• EU has designed their proposal to generate
growth by harmonising the EU’s “patchwork”
of national rules, generate trust through up-
to-date legislation and address the data
privacy concerns of citizens.
• Number of issues (such as hiring a data
protection officer (DPO) have financial impact.

26. DP Policy: What is this going to cost
you?

27. Three sides of the same situation
The “security” angle
The “Customer is king” angle
The “What Marketing
wants” angle

28. Customer is King
• Transparency and notification
• Right to be forgotten
• Rights and obligations
• Trust and relationship management

29. What Marketing Wants
• Access and analysis, big data and mining
• Granular data for prolonged periods of time
• Control of communication to prospects

30. Security -
Acting as a Responsible Business
• Consolidate your role in the value chain
– First face to customer, they do not care who did it, you did it
• Compliance and notification of breaches
– To consumers, partners and suppliers
• Consumer protection and corporate liability

31. DP Recommendations for the CISO and
the Security team
1. Define your DP privacy policies and
document them.
2. Structure your DP governance group, appoint
a DPO.
3. Design and develop your data breach
notification process.

32. DP Recommendations for the CISO and
the Security team (2)
4. Prepare your organisation to fulfil the
"rights” of the consumer.
5. Understand how you communicate these
“rights” to the customers.
6. Focus on privacy by design, and what is
appropriate for your organisation and
industry.

33. 33
Thank you
Dr. Alea Fairchild
Twitter: @AFairch
Skype: alea.fairchild
Website: www.constantiainstitute.org

34. Sibylle Gierschmann
Partner,
Taylor Wessing

35. EU General Data Protection Regulation (GDPR)
Sibylle Gierschmann
August 8, 2013
Bild einfügen
(Cover Small)
zur Image Library
Data Protection Rules are Changing:
What can you do to prepare?

36. 36
Agenda
01 > Why should it interest me?
02 > What‘s new? - „Highlights“
03 > What can I do to prepare?
Bild einfügen
(Right Hand Banner Small)

37. Why should it interest me?
> Regulation -> directly enforceable (vs. Data Protection Directive
1995/56/EC)
> Applies
– to processing of „personal data“
– of data subjects residing in the EU, i.e. company seat NOT relevant;
> Applies NOT to
– Electronic communications (Directive 2002/58/EC – e.g. Cookies)
– Employee data -> As mostly national rules are relevant
> Timeline: May enter into force in 2014; applied beginning 2016
– Draft January 25th, 2012; still debated in parliament (over 3,000
change requests)
– „triologue“, i.e. negotiations between EU parliamant, council and
commission may start in autumn 2013
37

38. What‘s new? - „Highlights“
> For your company in general
– Data breach notification
– Sanctions of up to 2% of annual world-wide turnover
– Binding corporate rules facilitated
– Written processor agreements
> For your organization
– Data protection officer/representative
– Documention all processing operations
> For your IT processing
– Right to be forgotten
– Right to data portability
– Privacy by design and default
– Data protection impact assessment
38

39. Changes for the company in general
> Data breach notification, Artt. 31, 32 – under discussion
– Any personal data breach
– Notice to DPA within 24hrs
– Communication to data subjects „without undue delay“ (responsible
disclosure?)
> Transfer of personal data to third countries, Artt. 40 et. al.
– Stays as is: EU Commission adequacy decision/Standard data
protection clauses/Ad hoc agreements (require approval)
– Binding corporate rules – quicker approval b/c of rules on co-operation
and consistency
> Written processor agreements, Art. 26.2 – under discussion
– E.g. Document instructions/approval of sub-processors/technical and
organizational requirements
39

40. Changes for your organization
> Data protection officer (DPO), Art. 35 – under discussion
– Mandatory if more than 250 employees; or if core activity concerns
regular monitoring of data subjects
– Group DPO possible; external or internal person; must have expert
knowledge; appointed for at least 2 years
– Acts independantly and reports directly to management
> If no establishment in the EU exists: Designate representative, Art.
25
– Duty to co-operate with DPA -> enforceability?
> Documentation of all processing operations, Art. 28 – under
discussion
– No notification of DPA necessary
– Content similar to exisiting Art. 19 EU Directive 1995/46/EC
40

41. Changes for your IT processing (1/2)
> Right to be forgotten, Art. 17 – under discussion
– Data needs to be deleted if
 No longer necessary in relation to the purpose
 Consent withdrawn
 Data subject legitimately objects to the processing
 Processing does not comply with regulation
– Data made public: take all reasonable steps to inform third parties of
erasure
– Unless: Retention periods apply -> Work on data retention policies!
> Right to data portability, Art. 18 – under discussion
– Right to obtain copy of data in a commonly used format
> Privacy by design and default, Art. 23
41

42. Changes for your IT processing (2/2)
> Data protection impact assessment, Art. 33 – under discussion
– Specific risks to the rights and freedoms of data subject, in particular
 Analyzing or predicting behaviour
 Sensitive data
 Video surveillance
 Data on children, genetic data or biometric data
 DPA deems it necessary to carry out a prior consultation b/c of specific risks
of processing operation (list of processing operations)
– In this case:
 Prior consultation of DPA if „high degree“ of specific risk
 Authorization required
 Might require consistency procedure if more than one member state is
involved (involvement of the European Data Protection Board and
Commission)
42

43. What can I do to prepare?
> Ensure reporting mechanisms for data breaches
– Internally
– Externally, e.g. in your service/processor agreements
> Consider binding corporate rules now (if you are a large organization)
> Is your data protection organization up to speed?
– Do you have internal data protection know how?
– Are your processing operations documented?
 IT landscape
 Access rights
 Per Application: What kind of data /for what purposes/legal grounds
– Do you have a data retention policy?
– Keep in mind when setting up new processing operations: Privacy by
design/default
43

44. 44
Foto einfügen
Presenter
Dr. Sibylle Gierschmann
Partner, Munich
> Technology, Media & Telecoms
> Litigation & Dispute Resolution
Sibylle is a German and U.S. qualified lawyer and partner at Taylor
Wessing law firm. She is a trusted advisor in the fields of IT, media and
data protection law and heads Taylor Wessing’s industry group
“Technology, Communication & Media”.
Her clients often are IT, Telco and media companies, but also
companies from other industries who seek her advice on technology-
related issues. Part of her technology focus is a long-standing data
protection expertise. The German Lawyer's Guide "JUVE" lists Sibylle
as a “leading name” in data protection law. Sibylle is member of the data
protection works council at the German Association for Information
Technology, Telecommunications and New Media (Bitkom e.V.) which is
an important stakeholder and standard setter in Germany. She also is
an accredited data protection auditor (TÜV).
Sibylle studied law at the University of Hamburg where she earned a
Doctor of Jurisprudence (Dr. jur.). She also studied in the U.S., where
she earned a Master of Law (LL.M.) degree at Duke University, North
Carolina (USA). In 2001 Sibylle passed the New York State bar exam. In
Germany, she practices since 1999 and is an accredited specialist
lawyer in the field of copyright and media law (“Fachanwalt für Urheber-
und Medienrecht”).
Sibylle is a frequent writer, speaker and commentator on legal issues
from her practice. She teaches “media law” at Ludwig-Maximilian
University in Munich and regularly trains data protection officers. She
was the founding president of the Duke Club of Germany e.V. and now
acts as vice president for this non-profit organization.
She is fluent in German (native speaker) and English.
.
Contact details
T: +49 (0)89 21038 - 138 E: s.gierschmann@taylorwessing.com

45. Chris Merritt
Director, Solution Marketing,
Lumension

46. PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Data Protection:
Getting Ahead of
Regulations

47. Data Breach Causes
47
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Source:
2013 Cost of Data Breach Study: Global Analysis (May 2013)
Conducted by Ponemon Institute

48. Data Breach Costs
48
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Source:
2013 Cost of Data Breach Study: Global Analysis (May 2013)
Conducted by Ponemon Institute

49. Data Loss / Theft
49
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Hacking Attacks Malicious Insider Negligent Insider

50. Endpoint Attack Vectors
The Endpoint is the
New Attack Vector
50
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Browser, Apps and OS all have
known vulnerabilities
• 2/3 of all apps have known
vulnerabilities
• Time-to-Patch with change control is
long, resulting in a lack of security
and visibility
Rogue USB
• Transport method for injecting
malware (e.g., Conficker, Stuxnet)
• Easiest and most common means
of data loss / theft
Virus / Malware
• Best capture rate for day one
with AV is 33%. After 30 days
it is 93%
• 70,000 pieces of malware a
month remain undetected

51. Defense-in-Depth Strategy
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Successful risk mitigation requires a layered
defensive strategy which includes:
» Patch Management
» Configuration Control
» Application Whitelisting
» Memory Protection
» Data Encryption
» Port / Device Control
» Antivirus
Patch and Configuration Management
Application Control
Memory Protection
Device
Control
AV
Hard Drive and
Media Encryption
51

52. A Model for Data Protection Maturity
52

53. Rising to the Challenge
53
Creating Policies
• Ad Hoc: Minimal or No Security Policies
• Optimal: Comprehensive & Exhaustive
Educating Staff
• Ad Hoc: One-Time or No Training
• Optimal: On-Going, Formal Training
Enforcing Policies
• Ad Hoc: Limited Technical Controls
• Optimal: Robust Technical Controls

54. More Resources
• Free Security Scanner Tools
» Vulnerability Scanner – discover all OS and
application vulnerabilities on your network
» Application Scanner – discover all the apps
being used in your network
» Device Scanner – discover all the devices
being used in your network
http://www.lumension.com/Resources/
Security-Tools.aspx
• Java Resource Center
http://www.lumension.com/Resources/
Resource-Center/Java-Resource-Center.aspx
54

55. Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
info@lumension.com
http://blog.lumension.com

56. Poll: Which of these proposed changes are the biggest
issue for your organisation ?
• The right to be forgotten
• Compulsory breach notification
• Mandatory appointment of a DPO
• The right to data portability

57. Panel discussion

58. Audience Questions

59. Thank you for attending