1. Regulatory agencies are required to follow a defined rulemaking process when creating new regulations. This includes publishing proposed regulations for public comment and allowing time for feedback before finalizing rules.
2. Many companies do not properly protect customer data, with over half admitting to data breaches. However, customers believe they have a right to control their personal information. This disconnect has eroded trust between organizations and consumers.
3. Regulators are increasingly focused on enforcing data breach notification laws and requiring organizations to take reasonable security measures to prevent breaches. Non-compliance can result in penalties, while implementing best practices helps build a "culture of caring" and regulatory confidence.
This document discusses the emerging risks of data security and cyber liability. It notes that virtually every business handles sensitive data and can face risks from data breaches or cyber attacks. The cost of a small data breach involving 1,000 records is estimated at $210,000 on average. It also notes that 40% of small businesses with fewer than 500 employees have experienced a data breach. Data security and cyber liability risks can result in both first-party losses for a company and third-party liabilities.
Data breach events result in significant losses each year. Our partners at Bonahoom & Bobilya, LLC, created a presentation about understanding the hidden regulatory risks of a data breach so you can keep your company from going out of business.
This presentation has been shared with permission.
The document discusses the growing importance of proactive log management in the insurance industry due to its increasing reliance on technology. It outlines several reasons why data breaches commonly occur in insurance, including carelessness, outsourced data, hacking for profit, and employee retribution. The industry should care because data breaches are very costly to fix, can damage a company's brand, expose intellectual property, and violate numerous regulations and laws. Vigilant log monitoring of servers and applications is crucial to detect and prevent breaches, but many insurance IT teams are inhibited from doing so by the tedious nature of the work and lack of time and resources.
Cyber risk represents both risk and opportunity for insurance companies. While cyberattacks can result in multi-billion dollar losses, there is growing demand from companies for cyber insurance coverage. Actuaries can help develop sustainable cyber insurance products by analyzing available breach data, determining appropriate policy terms, and encouraging policyholders to strengthen cybersecurity. Offering generous policy limits alongside strict security requirements and high deductibles allows insurers to expand in this area while properly managing risk. The increasing need for cyber coverage represents a chance for actuaries to add value and for insurers to generate new revenue streams.
This presentation examines to what extent cyber-insurance can be a useful tool to manage the risks and harms caused by massive cyber-attacks from the national, as opposed to the enterprise, standpoint.
The document discusses preparing for and responding to cybersecurity incidents and data breaches. It provides an overview of Breach Education Alliance, an integrated team approach for responding to breaches. It then discusses best practices for security investigations, including establishing goals and understanding common causes of incidents. Potential mistakes in investigations and security are outlined. The document emphasizes training employees, understanding your environment and business risks, and having the proper resources in place before, during and after a security incident.
This document summarizes a paper about increasing data breaches and the need for legislation to address the problem. It notes that over 233 million US records have been exposed due to breaches since 2005. The document discusses the costs of breaches to companies and common causes, such as lost or stolen devices. It argues that while some states have breach notification laws, federal legislation is needed to standardize security practices and privacy protections across industries. The paper aims to examine if legislation is needed to reduce breaches, when people should be notified of breaches, and if compensation should be required.
“Cyber Liability & Cyber Insurance” - A discussion on best practices around Prevention, Detection, and Response!
Sponsored by Datto and Webster Bank
Series brought to you by the Connecticut Technology Council.
____________
TOPIC FOCUS:
1. Evolution and acceptance of Cybersecurity insurance
a. Understanding risk & effect on businesses
i. Used to be major brands, now widespread.
ii. Risk recognized, business leaders looking to minimize risk
b. Describing changes in cybersecurity insurance
How coverages have evolved - not just for biggest companies
i. Insurers are working with (tech) companies to get it right
ii. Where is it going from here? Trends, specialty insurance
2. Describe insurance types/specifics and how they perform when needed
a. Not all policies are the same
b. What to look for
c. How they vary by type of business (Healthcare vs. Retail vs. Software Co.)
d. What gaps still remain (What can’t get covered?)
3. How to minimize cost, get most value for your company
a. Some protections on your current policies
b. Gating elements - What the insurance companies want to see - how that might help costs
4. Best practices generally
Responding to a Company-Wide PII Data Breach - CBIZ, Inc.
Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true; a growing number of companies with fewer than 100 employees are reporting data breaches every year.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2021/
Cyber insurance provides coverage for losses from cyber incidents and security breaches. It helps manage cyber risks through risk sharing. However, the cyber insurance market is still immature with global losses from cyber incidents exceeding the total cyber insurance market. Key challenges include asymmetric information between insurers and clients, interdependent and correlated cyber risks, and limited reinsurance capacity due to lack of claims data and potential for simultaneous global attacks.
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson... - Don Grauel
Steve Robinson of RPS Technology & Cyber presented "Discussing Cyber Risk Coverage With Your Commercial Clients" to the 68th Annual F. Addison Fowler Fall Seminar on October 17, 2014.
This document discusses the importance of protecting personally identifiable information (PII) and complying with relevant laws and regulations. It covers what constitutes PII, why protection is critical to avoid identity theft, financial penalties, and reputational damage. Key aspects of PII management discussed include the storage, sensitivity, encryption of data, multi-jurisdictional issues, data ownership, procedures, and system needs across the data lifecycle. Major US privacy laws like FCRA and GLBA that regulate how PII is collected and used are also summarized.
Leading Practices in Information Security & Privacy - Donny Shimamoto
Many not-for-profits are operating in an environment in which a tremendous amount of electronic documents, communications, and confidential data sits on computers and networks that are connected to the Internet. Privacy and security threats are also increasing, putting Internet communications and computer data at risk at an alarming rate. At the same time, laws and regulations with significant penalties have been passed or are being passed by states, the Federal government, and industry groups (e.g. PCI DSS), increasing the consequences of data breaches and privacy violations.
Whether you’re an executive director, program manager, or IT manager, this non-technical presentation will help you learn about the threats, requirements, and leading practices related to information security you need to help protect your donors and constituents.
Cyber crimes are growing rapidly, and cyber liability insurance is the safest way for companies to stay harmless. Customers expect information security, and loss of this information could cost a company loyal customers and cause a financial crisis.
Cyber liability insurance provides protection against the risks associated with data breaches and loss of personally identifiable information. As property owners and managers collect large amounts of private data on residents, employees, and applicants, the costs of a cyber attack or data breach can be substantial. Cyber liability policies cover expenses like notification of affected individuals, credit monitoring, lawsuits, investigations, and loss of business resulting from attacks. While prevention is important through security measures and policies, the growing threat of cyber crime means companies should evaluate cyber liability insurance as part of their risk management strategy.
The document discusses various topics related to cyber insurance and cyber risks. It reports on startling cybercrime numbers from Australia's cybercrime reporting network, and how Lloyd's is appealing to brokers to help standardize cyber risk data collection. It also discusses how the Australian and US governments will strengthen their partnership to combat cybercrime, and predictions that cyber insurance in Asia will significantly increase in the next few years.
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators - Elizabeth Dimit
Blog post discussing why CISOs need to collaborate with privacy, legal, and product teams to effectively identify and mitigate risk in their organization.
Managing Personally Identifiable Information (PII) - KP Naidu
This document discusses personally identifiable information (PII) and provides guidance on managing PII. It defines PII as information that can be used to identify an individual. The document notes that data breaches involving PII are common and outlines legal issues related to PII. It recommends assessing the confidentiality impact of PII and implementing appropriate controls based on the impact level. Specific steps are outlined to help organizations properly manage PII.
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ... - Shawn Tuma
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, at the January 27, 2017 meeting of (ISC)² Dallas Fort Worth Chapter.
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can help minimize the likelihood of such a breach becoming a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. It then turns, because of this crisis environment, to the need for leadership in helping keep the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Cybersecurity (and Privacy) Issues - Legal and Compliance Issues Everyone in ... - Shawn Tuma
This document provides information about Shawn Tuma, a cybersecurity partner at Scheef & Stone, L.L.P. It includes his contact information, areas of expertise, industry affiliations, and qualifications. The document highlights that Tuma serves on several boards and committees related to cybersecurity, data privacy, and technology law. It also lists some of the awards and recognitions he has received for his work in these fields.
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan... - SafeNet
This document discusses 4 steps that financial service organizations can take to achieve compliance with data security regulations:
1) Secure data in motion by encrypting network traffic over WANs using high-speed encryption.
2) Protect data at rest by encrypting data on devices using disk and file encryption.
3) Control access using strong authentication solutions.
4) Protect encryption keys using hardware security modules to ensure data integrity.
Implementing encryption technologies across these four areas provides comprehensive protection of data assets and facilitates secure access, helping organizations comply with various data security laws.
This document discusses protecting businesses from identity theft and fraud, which is described as the greatest threat of the 21st century. It notes that identity theft directly impacts businesses through their customers and employees. Businesses must comply with various federal and state regulations regarding privacy and security of personal and financial information. The document outlines how identity theft can occur and have devastating consequences for businesses through lost customers, damaged reputation, stolen money, and high costs of recovery. It recommends businesses take administrative, technical, and policy measures to protect against threats and comply with relevant laws.
This document discusses the importance of cybersecurity for law firms. It notes that law firms have traditionally lagged behind other industries in implementing cybersecurity measures, despite increasingly becoming targets. It provides several recommendations for best practices including implementing information security policies, employee training, testing systems for vulnerabilities, and utilizing IT professionals for guidance. The document emphasizes that cybersecurity is about managing risks, and that as technology continues to change, firms must remain vigilant and adapt their strategies to new threats. People within a firm are also noted as one of the biggest security risks if not properly trained on cybersecurity practices.
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss - Shawn Tuma
Shawn Tuma is a cybersecurity lawyer with expertise in data privacy law. He is a partner at Scheef & Stone LLP, a commercial law firm in Texas. Tuma has extensive experience advising businesses on cybersecurity issues and data breaches. He serves on several boards and committees related to cybersecurity law and policy. The document provides an overview of Tuma's background and experience in cybersecurity law.
This document lists several potential holiday destinations and activities including a new beach in Japan, visiting the Grand Canyon's new Skywalk, going to a theme park in Las Vegas, watching a tennis match in Dubai, doing mountain activities, or going cycling. It concludes by wishing the reader to have a nice holiday regardless of their choice.
Hotel Villaitana Wellness Golf & Business Sun**** - Bookaris
This document promotes the Hotel Villaitana Wellness Golf & Business Sun in Benidorm, Spain. The hotel offers facilities such as a spa, golf and business services. Customers can book rooms at the hotel through last-minute offers at the link provided.
Responding to a Company-Wide PII Data BreachCBIZ, Inc.
Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true; a growing number of companies with fewer than 100 employees are reporting data breaches every year.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2021/
Cyber insurance provides coverage for losses from cyber incidents and security breaches. It helps manage cyber risks through risk sharing. However, the cyber insurance market is still immature with global losses from cyber incidents exceeding the total cyber insurance market. Key challenges include asymmetric information between insurers and clients, interdependent and correlated cyber risks, and limited reinsurance capacity due to lack of claims data and potential for simultaneous global attacks.
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Don Grauel
Steve Robinson of RPS Technology & Cyber presented "Discussing Cyber Risk Coverage With Your Commercial Clients" to the 68th Annual F. Addison Fowler Fall Seminar on October 17, 2014.
This document discusses the importance of protecting personally identifiable information (PII) and complying with relevant laws and regulations. It covers what constitutes PII, why protection is critical to avoid identity theft, financial penalties, and reputational damage. Key aspects of PII management discussed include the storage, sensitivity, encryption of data, multi-jurisdictional issues, data ownership, procedures, and system needs across the data lifecycle. Major US privacy laws like FCRA and GLBA that regulate how PII is collected and used are also summarized.
Leading Practices in Information Security & PrivacyDonny Shimamoto
Many not-for-profits are operating in an environment in which there is a tremendous amount of electronic documents, communications, and confidential data sits on computers and networks that are connected to the Internet. Privacy and security threats are also increasing, putting Internet communications and computer data at risk at an alarming rate. At the same time, laws and regulations with significant penalties have been passed or are being passed by states, the Federal government, and industry groups (e.g. PCI DSS) increasing the consequences of data breaches and privacy violations.
Whether you’re an executive director, program manager, or IT manager, this non-technical presentation will help you learn about the threats, requirements, and leading practices related to information security you need to help protect your donors and constituents.
Cyber crimes are growing rapidly and cyber liability insurance is the safest way for companies to stay harmless. Information security is expected by all the customers and loss of these information could cost a company loyal customers and financial crisis.
Cyber liability insurance provides protection against the risks associated with data breaches and loss of personally identifiable information. As property owners and managers collect large amounts of private data on residents, employees, and applicants, the costs of a cyber attack or data breach can be substantial. Cyber liability policies cover expenses like notification of affected individuals, credit monitoring, lawsuits, investigations, and loss of business resulting from attacks. While prevention is important through security measures and policies, the growing threat of cyber crime means companies should evaluate cyber liability insurance as part of their risk management strategy.
The document discusses various topics related to cyber insurance and cyber risks. It reports on startling cybercrime numbers from Australia's cybercrime reporting network, and how Lloyd's is appealing to brokers to help standardize cyber risk data collection. It also discusses how the Australian and US governments will strengthen their partnership to combat cybercrime, and predictions that cyber insurance in Asia will significantly increase in the next few years.
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsElizabeth Dimit
Blog post discussing why CISOs need to collaborate with privacy, legal, and product teams to effectively identify and mitigate risk in their organization.
Managing Personally Identifiable Information (PII)KP Naidu
This document discusses personally identifiable information (PII) and provides guidance on managing PII. It defines PII as information that can be used to identify an individual. The document notes that data breaches involving PII are common and outlines legal issues related to PII. It recommends assessing the confidentiality impact of PII and implementing appropriate controls based on the impact level. Specific steps are outlined to help organizations properly manage PII.
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Shawn Tuma
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, at the January 27, 2017 meeting of (ISC)² Dallas Fort Worth Chapter.
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that all company will be breached, but preparation and diligence can help minimize the likelihood that such a breach from being a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk business have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. Then, because of this crisis environment, the need for leadership in helping keep the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Cybersecurity (and Privacy) Issues - Legal and Compliance Issues Everyone in ... (Shawn Tuma)
This document provides information about Shawn Tuma, a cybersecurity partner at Scheef & Stone, L.L.P. It includes his contact information, areas of expertise, industry affiliations, and qualifications. The document highlights that Tuma serves on several boards and committees related to cybersecurity, data privacy, and technology law. It also lists some of the awards and recognitions he has received for his work in these fields.
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan... (SafeNet)
This document discusses four steps that financial service organizations can take to comply with data security regulations:
1) Secure data in motion by encrypting network traffic over WANs with high-speed encryption.
2) Protect data at rest by encrypting data on devices with disk and file encryption.
3) Control access with strong authentication.
4) Protect the encryption keys themselves in hardware security modules, so that the keys (and therefore the data) cannot be silently copied or altered.
Applying encryption across these four areas gives comprehensive protection of data assets and supports secure access, helping organizations comply with the various data security laws.
This document discusses protecting businesses from identity theft and fraud, which is described as the greatest threat of the 21st century. It notes that identity theft directly impacts businesses through their customers and employees. Businesses must comply with various federal and state regulations regarding privacy and security of personal and financial information. The document outlines how identity theft can occur and have devastating consequences for businesses through lost customers, damaged reputation, stolen money, and high costs of recovery. It recommends businesses take administrative, technical, and policy measures to protect against threats and comply with relevant laws.
This document discusses the importance of cybersecurity for law firms. It notes that law firms have traditionally lagged behind other industries in implementing cybersecurity measures, despite increasingly becoming targets. It provides several recommendations for best practices including implementing information security policies, employee training, testing systems for vulnerabilities, and utilizing IT professionals for guidance. The document emphasizes that cybersecurity is about managing risks, and that as technology continues to change, firms must remain vigilant and adapt their strategies to new threats. People within a firm are also noted as one of the biggest security risks if not properly trained on cybersecurity practices.
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss (Shawn Tuma)
Shawn Tuma is a cybersecurity lawyer with expertise in data privacy law. He is a partner at Scheef & Stone LLP, a commercial law firm in Texas. Tuma has extensive experience advising businesses on cybersecurity issues and data breaches. He serves on several boards and committees related to cybersecurity law and policy. The document provides an overview of Tuma's background and experience in cybersecurity law.
This document analyzes data from the Privacy Rights Clearinghouse database on data breach incidents reported from 2005 to 2015. Some key findings include:
- Hacking or malware were behind 25% of breaches, while insider leaks accounted for 12% and unintended disclosures 17.4%.
- Payment card data breaches increased substantially after 2010 likely due to malware targeting point-of-sale systems.
- The healthcare sector experienced the most breaches followed by government and retail. Personally identifiable information and financial data were the most commonly stolen records.
- While credit card and bank account information is frequently dumped online, accounts for services like Uber, PayPal and poker saw increased dumping.
- Organizations must strengthen
Lost laptops, misplaced paper records, cyber theft - breaches are a fact of life. But they don't have to be a disaster. Breach veterans know that the impact of a data loss event is substantially determined by what happens in the 48 hours after you find out about it. Get things right, and even a substantial and public breach can be weathered gracefully. Mess things up, and a small breach can turn into a nightmare.
This webinar will review critical steps organizations can take in the wake of a breach. Our featured speaker will be privacy and compliance expert, Deb Hampson who is an AVP & Assistant General Counsel at The Hartford. Don't miss this opportunity to learn best practices from a proven professional.
The document discusses risk management in companies. It provides questions for senior executives and IT executives about risks to the business from data security, regulatory compliance, and technological issues. It also summarizes statistics about the high costs of data breaches for companies and discusses how outsourcing some risk management functions can help companies focus on compliance in today's complex regulatory environment.
The document analyzes data breach records from 2005-2015 to examine trends by industry. It finds that healthcare, education, government, retail, and finance were most commonly affected, accounting for over 80% of breaches. Personal information was the most frequently stolen record type, compromised through various methods like device loss, insider leaks, and hacking. The analysis also looks specifically at breach trends in the healthcare industry, where loss of portable devices like laptops was a primary source of compromises.
The pre-conference workshop entitled 'Trust is a Terrible Thing to Waste' from the 2010 International Association of Privacy Professionals conference in Washington, D.C. The session reviewed why trust is important, how to handle crisis communications, and how to build trust before a crisis hits.
This document summarizes a presentation on data breaches. It discusses the current breach landscape, with billions of records compromised annually worldwide. It provides tips for responding to breaches, including assembling a response team, conducting investigations, and effecting notices. It also covers developments in US and foreign data privacy laws, including the Massachusetts Data Security Requirements and new rules in India. Litigation and insurance issues related to data breaches are also summarized.
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le... (Casey Ellis)
This document summarizes key topics from a presentation on cybersecurity issues and legal considerations, including:
1) Cyberattacks pose a significant and growing threat, with annual global costs of cybercrime estimated to rise from $3 trillion currently to $6 trillion by 2021. Data breaches continue to mount in size and frequency.
2) Responding to cyber incidents involves substantial costs beyond direct remediation, including brand impact, lost revenue, legal claims, and government fines. Companies are often under-resourced to address cybersecurity issues fully.
3) Bug bounty programs and security researchers can help companies identify vulnerabilities, but legal risks remain around disclosure of vulnerabilities to regulators or the public. Careful management
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel (Casey Ellis)
This document summarizes a presentation on cybersecurity legal issues for companies. It discusses the growing costs and impacts of cyberattacks such as data breaches and ransomware. Bug bounty programs, which pay security researchers for reported vulnerabilities, are presented as a way for companies to find flaws, but a reported flaw may also trigger legal obligations to notify a breach. The role of legal counsel in addressing these issues is examined, including maintaining technical competence. Elements of effective cybersecurity programs and incident response planning are outlined to help mitigate risks and consequences.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to:
https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2020/
1) Many businesses are not properly leveraging IT controls and compliance, which could help mitigate financial risks from data loss or theft. Only 1 in 10 firms have strong IT controls in place.
2) Those with strong controls experience fewer disruptions to their business and data losses than companies with weak controls. Companies with weak controls can face declines in revenue, customers, and stock price due to data breaches.
3) Implementing proper IT controls is important for protecting a company's reputation and limiting liability. Controls can help prevent data theft and the high costs associated with it.
Crossing the streams: How security professionals can leverage the NZ Privacy ... (Chris Hails)
Security professionals often struggle with the 'double intangibility' of security: the intangibility of risk and the intangibility of protection.
Changing hearts and minds often requires legislation and new compliance frameworks to motivate investment.
New Zealand's new Privacy Act comes into force on 1 December 2020, and there are ways security professionals can use its new provisions, including mandatory breach notification, to focus effort on securing personal information and preventing privacy harms.
Mr. Keelan T. Stewart gave a presentation on cybersecurity law and risk management. He has extensive education and experience in information security. In his presentation, he discussed identifying applicable laws and regulations, creating an information security register, reviewing key cybersecurity laws including HIPAA and Dodd-Frank, as well as important state breach notification laws and industry regulations. He emphasized integrating cybersecurity requirements into a risk-based security program using the NIST Risk Management Framework to ensure cost-effective and compliant protection of information.
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov (Eric Vanderburg)
This document discusses cybersecurity threats facing accounting firms and their clients. It provides examples of major data breaches in recent years that impacted millions of customer accounts. While many firms believe they are protected, the document cites statistics showing that most have no formal cybersecurity or internet use policies. It also discusses new regulations and standards, like the HIPAA Omnibus Rules and a recent Executive Order, that require firms to improve their cybersecurity practices to safeguard sensitive data. The role of a Virtual Chief Security Officer is introduced to help firms address these growing risks and compliance requirements.
This document provides an overview of data privacy for governmental organizations. It discusses what data privacy is, the risks associated with it such as identity theft, and common laws around data privacy including California state laws. It recommends that organizations take an inventory of their data, develop privacy policies and training, and ensure proper system monitoring and controls. The document emphasizes being proactive on data privacy issues.
Breaches happen to the best of us. Occasionally they are large, headline-grabbing events with significant financial impact. For example, last week a payments processor revealed that it took an $84.4 million charge related to a breach it disclosed earlier this year; as a result of this charge, the firm's quarterly profit fell 90%. But even small breaches can be incredibly painful. Last year a local newsstand suffered a small breach, and the resulting $22,000 in expenses cut its profits in half.
Though we can't prevent breaches, we can certainly prepare for them to minimize the damage and stress. In fact, breach management pros are so good at this that a breach doesn't bring the organization to its knees; they take it in stride.
This webinar will reveal how you can do the same. Based on time in the trenches at a major retailer, our featured speaker will share a breach preparation process with specific tactics for implementing it. You'll learn which team members you'll need, how to recruit them, what data you'll need to collect, how to put together a communication plan, and more.
Our featured speaker for this timely Webinar is:
Bob Siegel, Privacy Strategist & Principal, Privacy Ref
formerly Sr. Mgr of WW Privacy & Compliance at Staples
CIPP/US, CIPP/IT
Blogs at: http://privacyref.com/
Consumers rely on businesses to keep their personal information safe. Too few of those businesses are actively protecting that data. Here’s what’s gone wrong, and how businesses should be responding. Full blog here: http://bit.ly/1Jtzym5
ZoomLens - Loveland, Subramanian - Tackling Info Risk (John Loveland)
Most companies do not adequately manage information risk until a crisis occurs. With vast amounts of data being created and stored in various locations, it is difficult for companies to understand all the data they hold and the associated risks. A framework is proposed to help companies better understand their data by categorizing it based on risk level and access needs. This would allow companies to prioritize higher risk data and focus security investments more effectively.
Privacy and Information Security: What Every New Business Needs to Know (The Capital Network)
Reports of data security breaches conjure up images of anonymous computer hackers sitting in a darkened room, fingers flying over a keyboard in an effort to hack into a computer system to find valuable information to exploit. Not long ago, most of us considered these breaches to be infrequent and likely targeted at information much more commercially unique than the average consumer data stored by most businesses.
8. Sources
Achieving Data Privacy in the Enterprise, Derek Tumulak, SafeNet, April 8, 2010
Regulatory Information Architecture, Steven Alder, IBM, 2010
The source of much of my research: Sue Hammer, IBM, 2010
California Data Privacy Laws: Is Compliance Good Enough?, Chris Merritt, Lumension, May 2010
Privacy Law & Financial Advisors, Brendon M. Tavelli, Proskauer, Nov 20, 2009
Medical Records on the Run: Protecting Patient Data with Device Control and Encryption, Sept 2009
2010 Data Breach Report, Verizon
Five Countries: Cost of Data Breach, Dr. Larry Ponemon, sponsored by PGP Corporation, April 19, 2010
How Secure Is Your Confidential Data?, Alastair MacWillson, Accenture
The Leaking Vault: Five Years of Data Breaches, Suzanne Widup, Digital Forensics, July 2010
Top 10 Big Brother Companies: Ranking the Worst Consumer Privacy Infringers, Focus Editors
First Annual Cost of Cyber Crime Study, Ponemon, July 2010
States Failing to Secure Personal Data, Kavan Peterson, Stateline.org
National Archives & Records Administration, Washington
2010 Annual Identity Protection Services Scorecard, Javelin Strategy & Research
A New Era of Compliance: Raising the Bar for Organizations Worldwide, RSA, Oct 12, 2010
Evolve or Die, Bunger & Robertson, 2010
Compliance With Clouds: Caveat Emptor, Chenxi Wang, Ph.D., August 26, 2010
Obscured by Clouds, Ross Cooney, 2010
Digital Trust in the Cloud: Liquid Security in Cloudy Places, CSC, 2010
Making Data Governance as Simple as Possible, but Not Simpler, Dalton Servo
9. Let me be crystal clear,
Brian is NOT a lawyer
DISCLAIMER
13. Business is concerned with RISK
Risk from Regulation, Organized Crime, Reduced Staffing, Sloppy Performance, Lack of Training, New Technologies, and even ... Clients/Customers
... is creating an EROSION in TRUST!
17. Loss of data is one of the biggest regulator concerns
Loss, theft, mistakes, under-protected data, ...
... a Breach of Trust – Over 500,000,000 U.S. records since 2005
18. 90% from external sources
48% involved insider help
85% from organized criminals
94% targeted financial data or the financial sector
98% of records stolen were taken by hacking
96% of Trojans found were "Crimeware-as-a-Service."
19. We can do better
96% were avoidable by simple controls
86% had evidence in log files
66% involved data on devices NOT known to contain SPI
5% loss to shareholders after a breach
43% higher breach cost in the U.S.
20. Financial Service providers have a 39% confidence factor for their ability to protect your data from Insider Threats vs. 71% for External Threats
Deloitte – 2010 Financial Services Global Security Study – the faceless threat
21. A reputation is easy to lose, not so easy to recover
- 60% of companies that lose their data will shut down within 6 months of the disaster.
- 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster.
- 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately.
22. What can business do?
Restrict and monitor privileged users
Watch for 'Minor' Policy Violations
Implement Measures to Thwart Stolen Credentials
Monitor and Filter Outbound Traffic
Change Your Approach to Event Monitoring and Log Analysis
Share Incident Information
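As an added illustration of the monitoring items on this slide (example code written for this page, not material from the presentation or from the Verizon report it draws on), the script below reviews a handful of constructed log records for three of the listed controls: privileged-user logins from outside the internal network, after-hours logins and unusually large outbound transfers as possible signs of stolen credentials or exfiltration, and repeated "minor" policy violations by the same user. The record format, the privileged-user set, the internal address range, the business-hours window and both thresholds are assumptions chosen for the example; the summary at the end is the kind of aggregate that can be shared with peers without disclosing the raw records.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not real logs). Assumed format:
#   <ISO-8601 time> <event> key=value ...
SAMPLE_LOG = """\
2010-11-03T09:02:11 login user=alice src=10.0.1.15
2010-11-03T09:05:40 login user=dbadmin src=10.0.1.20
2010-11-03T12:13:02 login user=dbadmin src=203.0.113.9
2010-11-03T13:00:00 upload user=alice src=10.0.1.15 dst=mail.example.invalid bytes=1200
2010-11-03T13:10:00 policy_violation user=carol src=10.0.3.4 rule=usb_storage
2010-11-03T13:20:00 policy_violation user=carol src=10.0.3.4 rule=usb_storage
2010-11-03T13:30:00 policy_violation user=carol src=10.0.3.4 rule=usb_storage
2010-11-03T22:41:09 login user=bob src=10.0.2.8
2010-11-03T22:42:30 upload user=bob src=10.0.2.8 dst=files.example.invalid bytes=734003200
"""

# Assumptions for this example: who is privileged, which addresses are
# internal, what business hours are, and the thresholds that turn events
# into findings. In practice these come from an access inventory and policy.
PRIVILEGED_USERS = {"dbadmin"}
INTERNAL_PREFIXES = ("10.",)
BUSINESS_HOURS = range(7, 20)                 # 07:00 to 19:59
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024      # 100 MiB
MINOR_VIOLATION_LIMIT = 3                     # third repeat of a minor rule

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")


def parse_line(line):
    """Parse one record into a dict; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, rest = m.groups()
    try:
        stamp = datetime.fromisoformat(ts)
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = stamp
    fields["event"] = event
    return fields


def review(log_text):
    """Return (kind, user, detail) findings in the order the records appear."""
    findings = []
    violations = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user, src = ev.get("user"), ev.get("src", "")
        internal = src.startswith(INTERNAL_PREFIXES)
        after_hours = ev["ts"].hour not in BUSINESS_HOURS
        if ev["event"] == "login":
            # Privileged accounts should only be used from inside; an external
            # source is a strong hint the credential has been stolen.
            if user in PRIVILEGED_USERS and not internal:
                findings.append(("privileged_external_login", user, src))
            if after_hours:
                findings.append(("after_hours_login", user, src))
        elif ev["event"] == "upload":
            # Outbound filtering: flag transfers above the size threshold.
            if int(ev.get("bytes", "0")) >= LARGE_TRANSFER_BYTES:
                findings.append(("large_outbound_transfer", user, ev.get("dst", "")))
        elif ev["event"] == "policy_violation":
            # "Minor" violations matter when the same user keeps repeating them.
            key = (user, ev.get("rule", ""))
            violations[key] += 1
            if violations[key] == MINOR_VIOLATION_LIMIT:
                findings.append(("repeated_minor_violation", user, key[1]))
    return findings


def summarize(findings):
    """Counts per finding kind: an aggregate suitable for sharing with peers."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for kind, user, detail in results:
        print(f"{kind:28} user={user:8} {detail}")
    print(summarize(results))
```

Running the block over the constructed records produces four findings: the external `dbadmin` login, the third `usb_storage` violation by `carol`, and `bob`'s after-hours login followed by a large upload.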
23. What is the Customer's view?
...what is causing this Erosion of Trust
24. Identity Theft #1 Consumer Complaint - FTC
10M Victims in the U.S.
$5K loss per business, $50B total
$500 loss per victim, $5B total
30 hours to recovery, 297M hours
all numbers are approximate or rounded up
26. Riskiest places for SSN#
Universities and colleges
Banking and financial institutions
Hospitals
State governments
Local government
Federal government
Medical (supply) businesses
Non-profit organizations
Technology companies
Health insurers and medical offices
Symantec – Nov, 2010
27. 45% of businesses disagree with customer control of their data
47% of businesses disagree that the customer has a right to control
50% of businesses did not see a need to limit distribution of PII
>50% of customers believe they have a right to control their data
Trust Me – I'm lying?
1 There is a notable difference between organizations' intentions regarding data privacy and how they actually protect it.
North Carolina is attempting to get 50M records from Amazon on its citizens
28. [Scale: Diverse <-> Deliberate]
Accountability – who is looking out for me?
2 A majority (58%) of companies have lost sensitive personal information...
Insider involved in over 48% of data breaches
29. 3 Regulatory compliance – No confidence they can keep pace
Many organizations believe complying with existing regulations is sufficient to protect their data.
31. 1 Top 10 Big Brother Companies: Ranking the Worst Consumer Privacy Infringers, Focus Editors
32. 48% of breaches caused by insiders
48% involved privileged misuse
61% were discovered by a 3rd party
Third parties – you sent my data to who?
4 Companies should be careful about the company they keep. It is crucial they understand the perspective on and approach to data protection and privacy taken by their third-party partners.
33. 5 Culture
Companies that exhibit a "culture of caring" with respect to data protection and privacy are far less likely to experience security breaches.
34. How to reverse the spin?
Build a Data Protection and Privacy Strategy
Assign ownership
Develop comprehensive governance program
Evaluate data protection and privacy technologies
Build a culture
Reexamine investments
Choose business partners with care
35. You own some of this – Giving away your PRIVACY
Google
Social networking
RFID tags/loyalty cards
The Patriot Act
GPS
The Kindle
37. Privacy: Which comes 1st? Breach Notification or Data Protection
38. Protect the consumer
Punish the breach
Promote compliance
If the Carrot isn't working, it's time to ....
39. U.S. Breach Notification Laws
46 States, the District of Columbia, Puerto Rico and the Virgin Islands
States with no security breach law: Alabama, Kentucky, New Mexico, and South Dakota
http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx
44. The "Rules" of Rulemaking – Kings have rules
Regulatory agencies create regulations according to rules and processes defined by another law, known as the Administrative Procedure Act (APA).
The APA defines a "rule" or "regulation" as...
"[T]he whole or a part of an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy or describing the organization, procedure, or practice requirements of an agency."
The APA defines "rulemaking" as...
"[A]gency action which regulates the future conduct of either groups of persons or a single person; it is essentially legislative in nature, not only because it operates in the future but because it is primarily concerned with policy considerations."
Under the APA, the agencies must publish all proposed new regulations in the Federal Register at least 30 days before they take effect, and they must provide a way for interested parties to comment, offer amendments, or to object to the regulation.
Once a regulation takes effect, it becomes a "final rule" and is printed in the Federal Register and the Code of Federal Regulations (CFR), and is usually posted on the Web site of the regulatory agency.
67. More Regulator Activity & more to Come
45 states have enacted anti-bullying laws - http://www.bullypolice.org/
Without: Hawaii, South Dakota, Michigan, New York, Montana, North Dakota and Missouri
The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) issued guidance on use of social media sites
The UK Advertising Standards Authority (ASA) issued guidance on social media marketing
The Federal Trade Commission (FTC) issued Final Guides governing social media endorsements
Maryland leads the way in social media campaign regulations
CA – Fair Political Practices Commission (FPPC): "regulate the same as traditional media"
68. Future Regulatory Focus
Amateur Data Controllers
Right to not be over-regulated
Right to demand co-operation
Privacy Policies
Right to be better informed
Right to be forgotten
Right to have policies monitored
Right to Data Portability
End of online anonymity
Processing of data by 3rd parties
Duties for data controllers
Behavioral advertising
Right to opt-in vs. have to opt-out
The rights of minors
71. What is Data Governance?
An operating discipline for managing data and information as key enterprise assets
Organization, processes and tools for establishing and exercising decision rights regarding valuation and management of data
Elements of data governance:
Decision making authority
Compliance
Policies and standards
Data inventories
Full life-cycle management
Content management
Records management
Preservation and disposal
Data quality
Data classification
Data security and access
Data risk management
Data valuation
74. Why is Data Governance important?
Regulator shift: OLD = Principles Based, NEW = Rule Based
The UK Financial Services Authority (FSA) has proposed a "Data Accuracy Scorecard"
Regulators will punish inadequate Data Governance
Breach Notification laws create demand to govern data
75. Restore Trust
Ensure that the Right People have the Right Access to the Right Data, doing the Right Things Efficiently and Productively
79. Laws & Regulations
• Data Protection Act
• Gambling Act 2005
• Protection from Harassment Act 1997
• Racial, sexual and age discrimination legislation
• Obscene Publications Act 1959
• "…obscene if it is intended to corrupt or deprave persons exposed to it"
Laws & Regulations
• The Terrorism Acts 2000 & 2006
• Money Laundering Regulations
• CAP Codes & the ASA
• Transparency and Honesty
• Careful with trans-national campaigns
• Consumer Protection from Unfair Commercial Practices Regulations 2008 (CPRs)
• Contempt of Court
80. High-level International Overview
• New Basel Capital Accord (Basel-II)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Society for Worldwide Interbank Funds Transfer (SWIFT)
• Personal Information Protection Act (PIPA) – Canada
• Personal Information and Electronic Documents Act (PIPEDA) – Canada
• Personal Information Privacy Act (JPIPA) – Japan
• SafeSecure ISP – Japan
• Federal Consumer Protection Code, E-Commerce Act – Mexico
• Privacy and Electronic Communications (EC Directive) Regulations 2003
• Directive 95/46/EC Directive on Privacy and Electronic Communications – European Union
• Central Information System Security Division (DCSSI) Encryption – France
• Federal Data Protection Act (FDPA - Bundesdatenschutzgesetz - BDSG) of 2001 – Germany
• Privacy Protection Act (PPA) of Schleswig-Holstein of 2000 – Germany
• US Department of Commerce "Safe Harbor"
81. Relevant Laws and Regulations
• Sarbanes-Oxley Act
• PCAOB Rel. 2004-001 Audit Section
• SAS94
• Fair Credit Reporting Act (FCRA)
• AICPA Suitability Trust Services Criteria
• SEC CFR 17: 240.15d-15 Controls and Procedures
• NASD/NYSE 240.17Ad-7 Transfer Agent Record Retention
• GLBA (15 USC Sec 6801-6809) 16 CFR 314
• Appendix: 12 CFR 30, 208, 225, 364 & 570
• Federal Financial Institutions Examination Council (FFIEC) Information Security
• FFIEC Business Continuity Planning
• FFIEC Audit
• FFIEC Operations
• Health Insurance Portability and Accountability Act (HIPAA) § 164
• 21 CFR Part 11 – FDA Regulation of Electronic Records and Electronic Signatures
• Payment Card Industry Data Security Standard (PCI-DSS)
• Federal Trade Commission (FTC)
• CC1798 (SB1386)
• Federal Information Security Management Act (FISMA)
• USA PATRIOT
• Community Choice Aggregation (CCA)
• Federal Information System Controls Audit Manual (FISCAM)
• General Accounting Office (GAO)
• FDA 510(k)
• Federal Energy Regulatory Commission (FERC)
• Nuclear Regulatory Commission (NRC) 10CFR Part 95
• Critical Energy Infrastructure Information (CEII)
• Communications Assistance for Law Enforcement Act (CALEA)
• Digital Millennium Copyright Act (DMCA)
• Business Software Alliance (BSA)
• New Basel Capital Accord (Basel-II)
• Customs-Trade Partnership Against Terrorism (C-TPAT)
• Video Privacy Protection Act of 1988 (codified at 18 U.S.C. § 2710 (2002))
82. US Federal Privacy Laws and US Federal Breach Laws (the USA is a member of the OECD and of the CPEA; the US has also ratified CE ETS 185)
1. Children's Online Privacy Protection Act (COPPA)
1. Federal Trade Commission's Final COPPA Rule (PDF)
2. Communications Assistance for Law Enforcement Act (CALEA)
3. Department of Defense Directive 5400.11.R - Privacy Program (May 14, 2007 edition) (PDF)
1. Defense Privacy Office
4. Electronic Communications Privacy Act (ECPA)
5. Fair Credit Reporting Act (FCRA, PDF)
1. As Amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT)
2. Federal Trade Commission's Red Flag Rule (PDF) (DELAYED UNTIL NOVEMBER 1st 2009)
6. Family Educational Rights and Privacy Act (FERPA, The Buckley Amendment)
1. US Department of Education Final Rule (PDF)
2. Protection of Pupil Rights Amendment (PPRA)
3. No Child Left Behind Act (PDF)
7. Genetic Information Nondiscrimination Act 2008 (GINA, PDF)
1. Proposed rule making genetic information covered under PII, HIPAA, and HITECH (PDF)
8. Gramm-Leach-Bliley Act (GLBA)
1. Federal Trade Commission's Final Financial Privacy Rule (PDF)
2. Federal Trade Commission's Final Safeguards Rule (PDF)
9. Health Insurance Portability and Accountability Act (HIPAA, PDF)
10. HITECH Act (Notice: I could not find it consolidated and called out anywhere, so had to create it myself, PDF)
1. HITECH Breach Notification Guidance and Request for Public Comment (From the US Department of Health and Human Services, PDF)
11. Federal Trade Commission's Health Breach Notification FINAL Rule (PDF)
12. Safe Harbor Guidelines from the US Department of Commerce