The document discusses data breaches and relevant laws. It notes an increasing number of data breaches and introduces key laws around data security - the GDPR and NISD. The GDPR requires organizations to implement appropriate security measures to protect personal data and report breaches. It applies broadly to any group processing EU citizens' data or offering goods/services to them. The NISD focuses on essential services and digital service providers, requiring security and reporting of significant incidents. Non-compliance can result in large fines and litigation. Proper precautions such as response planning and legal advice are recommended.
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi... (Black Duck by Synopsys)
At Flight Amsterdam, Fenna Douwenga, Associate, Bird & Bird, provided practical tips on open source licenses, intellectual property rights, and trade secrets. During the presentation Fenna reviewed the everlasting conflict between patents, copyright and open source and how it can be overcome. Additionally, the new European Trade Secrets Directive was discussed, and how some of the requirements therein may, for instance, conflict with the GNU General Public License. Furthermore, a quick outline of the influence of Brexit on licenses closed under UK law was given, and how potential problems can be prevented.
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal (Black Duck by Synopsys)
Flight Amsterdam presentation by Anthony Decicco, Shareholder, GTC Law Group
Open source software is increasingly central to transactions, whether licensing, mergers, acquisitions, financing, insurance, offerings or loans, and the deal landscape is changing with the prevalence of representation and warranty insurance, heightened focus on security vulnerabilities and increasing litigation. As such, it is important to understand and revisit key open source software-related issues and deal points to accelerate your deal, avoid unnecessary due diligence and realize the most value from your open source software-related compliance efforts.
Georgie Collins and Dan Hedley, Irwin Mitchell LLP presented, "Data breaches and the law, a practical guide" at Flight East 2018. For more information on Black Duck by Synopsys, please visit our website at www.blackducksoftware.com.
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut... (Black Duck by Synopsys)
We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, an in-depth look at the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI; and a webinar on the 2018 Open Source Rookies of the Year.
Open Source Insight is your weekly news resource for open source security and cybersecurity news!
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured (Precisely)
The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, mandating that data about consumers be protected against a breach. If your IBM i system contains data for consumers from the state of California, the time to prepare is now.
In this webinar featuring well-known IBM i encryption expert Patrick Townsend, we share information that will help you prepare for CCPA compliance, including:
• Consumer rights granted by CCPA
• Hardening systems to prevent a breach
• Obscuring data to prevent exposure
• How Syncsort can help
CCPA is almost here. View this webinar on-demand and get started down the path to compliance!
Dickstein Shapiro LLP and the Government Technology & Services Coalition (GTSC) held a webcast, “Key Cybersecurity Issues for Government Contractors” on Thursday, October 3, 2013. This interactive program, of particular interest to government contractor compliance officers, CIOs, CISOs, General Counsel, and any other C-suite members, discussed how the federal government is planning on fundamentally altering its acquisition policies to make the cybersecurity of its contractors a top priority. The discussion included:
- Proposed Federal Acquisitions Regulation (FAR) changes relating to President Obama’s Cybersecurity Executive Order;
- Planned changes to procurement requirements based on independent agency actions;
- Congressionally mandated cybersecurity requirements; and
- Ways contractors can prepare for these changes.
To view the webinar, visit:
How your nonprofit can avoid data breaches and ensure privacy (TechSoup Canada)
Increasingly, nonprofits hold large quantities of digital assets (such as donor information, grant application details, financial records, etc.). Organizations of all sizes and industries are being targeted by cyber criminals. Cyber-attacks will often devastate an organization’s operations and have significant financial, legal and reputational consequences.
In this webinar, Imran Ahmad of Miller Thomson, LLP will explain how implementing best practices from a pre-breach standpoint can go a long way to mitigate the negative consequences of a cyber-attack.
What you will learn:
- what the cyber threat landscape looks like
- how to ensure privacy of your digital assets
- steps to take in the aftermath of a cyber-attack
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices (Kroll)
The SEC Office of Compliance Inspections and Examinations (OCIE) issues risk alerts on cybersecurity to keep registered broker-dealers, investment advisers, and investment companies up to date regarding SEC focus areas for cyber.
OCIE examinations have focused on firms’ written policies and procedures regarding cybersecurity, including validating and testing that such policies and procedures were implemented and followed.
This presentation was prepared by Greg Michaels and Terry Mason for the Duff & Phelps Alternative Investments conference.
Protecting Your Business from Unauthorized IBM i Access (Precisely)
Understanding and controlling all the points of access to IBM i systems
IBM i is securable BUT not secured by default. To comply with increasingly strict IT security regulations, you must take control of all access points to your IBM i server. You can limit IBM i security threats by routinely assessing risks and taking control of logon security, powerful authorities, and system access.
With the right tools and processes, you can ensure comprehensive control of unauthorized access and can trace any activity, suspicious or otherwise, on your IBM i systems.
View this webcast on-demand to learn:
• How to secure network access and communication ports
• How to implement different authentication options and tradeoffs
• How to limit the number of privileged user accounts
• How Syncsort’s security solutions can help
Blockchains: Opportunities & Risks for Law Firms [RelativityFest 2018] (Kroll)
With a dramatic increase in high-profile receiverships, regulatory fact finding, and class action lawsuits, it’s clear that cases involving blockchain technology are on the rise—and so is the risk these engagements bring to your firm. Learn what you can do to recognize when digital assets (such as Bitcoin and Ethereum) are involved in an engagement, how to reduce your exposure to risk with proper collection and review processes, and how to uncover and understand all the relevant information.
Presented by Josh McDougall, Director, Cyber Risk at Kroll during RelativityFest 2018
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: Cybersecurity for Government Contractors
Presenter: Robert Nichols, Partner, Covington & Burling LLP
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2 (TechSoup Canada)
Part 1 of this webinar series provided an overview of cybersecurity and explained the cyber risks and legislation affecting nonprofits. In part 2 of the series, Imran Ahmad of Miller Thomson, LLP returns to answer your questions on cybersecurity and to delve deeper into cybersecurity maintenance and best practices to avoid data breaches. This ranges from the implementation of measures to prevent data breaches in the pre-attack phase to the implementation of security best practices in the event of a cyber attack or breach.
What you will learn:
· How to develop key cybersecurity-related documents;
· How to maintain an internal matrix of when to notify affected individuals;
· How to review contracts from a cybersecurity compliance perspective.
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee... (PECB)
95% of cybersecurity breaches are due to human error. That’s what Cybint’s facts and stats article shows.
Given this high percentage of risk, which can lead to greater loss, organizations should be well aware of the processes and procedures they have in place. Decisive for avoiding breaches is that everyone in the organization is able to understand and detect potential threats beforehand and react in a quick and effective way.
The webinar will cover:
• The most recent attacks such as the supply chain attacks
• Trends and statistics
• The impacts of the pandemic on cybersecurity landscapes, and closing the gaps in remote workforce security
• How to improve your organization’s cybersecurity posture by asking the right questions and implementing a tiered approach
Recorded Webinar: https://youtu.be/Q5_2rYjAE8E
Digital Forensics 101 – How is it used to protect an Organization’s Data? (PECB)
Digital forensics is the use of analytical and investigative techniques to identify, collect, examine and report on digital evidence or information. Digital evidence can provide valuable insights during investigations of theft of intellectual property involving multi-party collusion and the misappropriation of organizational assets and resources.
During this session participants will learn various methods of mitigating the “insider threats” to an organization’s digital data and methods of investigating digital evidence contained on computer and mobile systems during internal investigations.
Main points covered:
• Learn how to mitigate and investigate the theft of Intellectual Property from your company by adding digital forensic components into your Risk Management and Compliance programs.
• Learn and understand how Digital Forensics can augment your internal investigations.
• Learn where you and your organization fit into the Digital Forensic workflow, and when to call for help.
Presenter:
Our presenter for this webinar, Ryan Duquette, is a seasoned digital forensic examiner with many years of experience in law enforcement and the private sector. He took his zest for “focusing on the facts” from his days in Law Enforcement and founded Hexigent Consulting, a firm focusing on digital investigations, cyber security consulting services and litigation support.
Ryan works closely with clients involved in workplace investigations and civil litigation matters including intellectual property theft, HR investigation and data breaches. During his days in Law Enforcement, he conducted digital investigations on a variety of criminal cases including homicide, child pornography, fraud, missing persons, and sexual assault cases.
He is a Sessional Lecturer at the University of Toronto teaching digital forensics, holds a Master of Science degree in Digital Forensics Management, and several digital forensics and fraud certifications.
Ryan is a Director for the Toronto chapter of the Association of Certified Fraud Examiners, has been qualified as an “expert witness” on numerous occasions, and is a frequent presenter at fraud, digital forensics, cybersecurity and investigative conferences worldwide.
Link of recorded webinar:
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment
Presenter: David Knox, Vice President of National Security Solutions, Oracle
Description: With all the constant innovation in cyber, what is “cutting edge”? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply with standards, and meet other mandates? What areas still need resources, ideas and innovation? Join us to hear about advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.
Cyber Risk in e-Discovery: What You Need to Know (kCura_Relativity)
From an April 2018 webinar, check out these insights on cybersecurity and its influence on e-discovery from John DeCraen of Alvarez & Marsal LLC and Nik Balepur of Relativity.
- Why law firms are vulnerable to cyber attack
- What are lawyers' ethical duties
- The value of privilege & how to obtain it
- The value of the security assessment
- The value of continuous security monitoring
Presentation about how insider threats operate, their impact on organizations, and how technical and human indicators can be monitored to detect and neutralize them. Professionals working in security operations should monitor these indicators to build a profile of a possible insider going rogue.
New Security Legislation & Its Implications for OSS Management (Jerika Phelps)
As legislators continue to expand the scope of the laws governing information security, we will take a look at some of the new European-level laws in this area from an open source perspective, and consider their impact on OSS management practices. The session will focus on the General Data Protection Regulation, not only because it applies to everyone, but also because its requirements are in many ways the most detailed and prescriptive. During the session we will also touch on some industry-specific developments like the Network and Information Services Directive and the Electronic Identification Regulation. Dan will cover what the new laws say (and perhaps more importantly what they don’t say), how to go about applying them to your OSS management regime, and what you might need to think about changing as a result.
The data protection law reform is coming, with the General Data Protection Regulation (GDPR) taking effect from 25 May 2018. You should start preparing now for the changes that GDPR will require to your current policies and procedures. This presentation is an overview of what it is about.
GDPR challenges for the healthcare sector and the practical steps to compliance (IT Governance Ltd)
This webinar covers:
- An overview of the General Data Protection Regulation (GDPR) and the Data Security and Protection (DSP) Toolkit and their impact on the healthcare sector.
- Accountability frameworks that support GDPR compliance, and the role of senior management in ensuring compliance and cyber resilience are a strategic focus.
- Embedding data protection by design and by default, and a holistic approach to achieving a cyber resilient posture.
- The practical steps that healthcare organisations need to take when looking at GDPR compliance.
- The role of a robust staff awareness programme in supporting a culture of cyber resilience and compliance.
A recording of the webinar can be found here: https://www.youtube.com/watch?v=xFEkkkwAdl4
The Countdown is on: Key Things to Know About the GDPR (Case IQ)
The EU’s General Data Protection Regulation (GDPR) comes into effect on May 25th. This powerful legislation strengthens data privacy laws in Europe and has implications for companies all over the world that store, process or transfer the information of the EU’s citizens.
Failure to comply with the regulation can expose a company to fines based on global revenue and reputation damage, yet many companies are struggling to comply in time.
Join information security expert and CEO/Founder of AsTech Consulting, Greg Reber, as he walks participants through a plan for GDPR compliance.
A practical data privacy and security approach to FFIEC, GDPR and CCPA (Ulf Mattsson)
With sensitive data residing everywhere, organizations becoming more mobile, and the breach epidemic growing, the need for advanced data privacy and security solutions has become even more critical. French regulators cited GDPR in fining Google $57 million and the U.K.'s Information Commissioner's Office is seeking a $230 million fine against British Airways and seeking $124 million from Marriott. Facebook is setting aside $3 billion to cover the costs of a privacy investigation launched by US regulators.
This session will take a practical approach to addressing guidance and standards from the Federal Financial Institutions Examination Council (FFIEC), EU GDPR, California CCPA, NIST Risk Management Framework, COBIT and the ISO 31000 Risk Management Principles and Guidelines.
Learn how new data privacy and security techniques can help with compliance and data breaches, on-premises, and in public and private clouds.
Presentation to the Texas Bar CLE program on Contract Drafting, Review and Negotiation on December 5, 2017 in Austin, Texas, by Cybersecurity & Data Privacy Attorney Shawn Tuma, on October 19, 2017. For more information visit www.businesscyberrisk.com
Rick Borden, Chief Privacy Officer, White & Williams LLP - #InfoGov17 - Cyber... (ARMA International)
While information governance has been a best practice in cybersecurity, outside of the Federal government and Sarbanes-Oxley financial reporting requirements, for the most part, regulations have not required information governance. That is rapidly changing. The New York Department of Financial Services’ new cybersecurity regulation has intensive information governance requirements that go beyond personal information. The European Global Data Protection Regulation also has significant information governance requirements. This session will discuss some of these regulatory requirements and where regulation is going in these areas.
EU cybersecurity requirements under current and future medical devices regula...Erik Vollebregt
Presentation delivered at Q1 MEDICAL DEVICE CYBERSECURITY RISK MITIGATION conference in Washington on 25 July 2016 concerning EU cybersecurity requirements under current and future medical devices regulation
Legal Issues Associated with Third-Party Cyber RiskShawn Tuma
Cybersecurity & Data Privacy Attorney Shawn Tuma delivered the presentation Legal Issues Associated with Third-Party Risk at the ISACA CSX 2017 North America conference in Washington, DC.
Complying with Cybersecurity Regulations for IBM i Servers and DataPrecisely
Multiple security regulations became effective across the globe in 2018, most notably the European Union’s General Data Protection Regulation (GDPR), and additional regulations are on their heels. The California Consumer Privacy Act, with its GDPR-like requirements, is just one of the regulations that requires planning and preparation today.
If you need to implement security policies for IBM i systems and data that will meet today’s compliance requirements and prepare you for those that are on the way, this webinar will help you get on the right track.
Dovetail Software (hr.dovetailsoftware.com) sponsors this informative and important webinar hosting experts Grant D. Petersen (ogletree.com/) and Estella Cohen (trustarc.com/) who shared information with HR practitioners and Organizations that need to be GDPR compliant by May 25, 2018.
Here's the link to view the recording: http://hr.dovetailsoftware.com/dsadmin/2018/01/31/hr-gdpr-preparing-2018-compliance/
Patching software is a constant challenge. The Equifax hack and subsequent FTC investigation has shown us that required patches aren’t limited to those published by commercial vendors. Open source updates are just as critical; tracing new vulnerabilities and updates to applications in which those components are used isn’t just a good practice, it’s a regulatory requirement.
A focused approach to managing open source risk is essential as the legal landscape quickly evolves, including requirements under the FTC Act, HIPAA, and the European Union’s General Data Protection Regulation (GDPR). Coupled with heightened regulatory enforcement, these requirements increase the pressures on companies to maintain data privacy and security. This session will cover common misconceptions about these requirements, and explain why open source management is essential to your overall security strategy.
When GDPR becomes law in a few months, it will be the most wide-ranging and stringent data protection initiative in history. To prepare for this sea change, most organizations have streamlined and detailed their information security policies; however, many are unaware that immature application security programs arguably pose the biggest threat of a data breach. This oft-forgotten piece of data protection puts organizations at risk of GDPR fines.
Attend this joint webinar with Security Innovation and Smarttech247 to learn practical tips on incorporating application security best practices into an InfoSec program to achieve GDPR compliance.
Topics include:
* Summary of GDPR key concepts
* Security of data processing in software and the CIA triad
* The people and process problem of GDPR: Governance
* Using Data Protection by Design for secure design and business logic
* Assessments to verify the security of processing
Presenters:
Roman Garber, Security Innovation
Edward Skraba, Smarttech247
GDPR is bringing the biggest change to Data Protection Law in Europe, ClicQA as an Independent Software Testing company with is security testing services wants to help organizations in journey of data protection and be compliant with GDPR.
Similar to FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide (20)
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys
Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included:
A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises.
For more information, please visit us at www.blackducksoftware.com
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen...Black Duck by Synopsys
Basma Shahadat, Lead Research Engineer presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session will demonstrate how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an...Black Duck by Synopsys
Utsav Sanghani, Product Manager, Integrations and Alliance at Synopsys presented on how to "Black Duck your Code Faster with Black Duck Integrations." For more information, please visit www.blackducksoftware.com
Black Duck On-Demand-Audits von über 1.100
kommerziellen Anwendungen im Jahr 2017
verdeutlichen die ständigen Herausforderungen, vor
denen Unternehmen stehen, um Open Source effektiv
zu erkennen und zu sichern.
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Black Duck by Synopsys
The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
Open Source Insight:GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So...Black Duck by Synopsys
A big news week for Synopsys and Black Duck as Gartner releases the 2018 Gartner Magic Quadrant for Application Security Testing and the 2018 Open Source Rookies of the Year are announced. More on these stories and the hottest open source security and cybersecurity news in this week’s Open Source Insight!
2018 is the Open Source Rookies report’s 10th anniversary, brought to you by Black Duck by Synopsys. This infographic shows the impressive number of projects started in 2017 and the distribution across the world and a wide range of categories. Narrowing them down was hard! The open source community continues to produce innovative and influential open source projects.
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys
It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans.
Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Black Duck by Synopsys
Welcome to the March 2nd edition of Open Source Insight from Black Duck by Synopsys! We look at places you’d never expect to find GDPR data, as well as answers to your most-frequently-asked GDPR questions. Synopsys Principal Scientist Sammy Migues explores why enterprises must have a software security program while Black Duck Technology Evangelist, Tim Mackey, takes a look at building application security into the heart of DevOps. Plus, a report that may give you nightmares on the malicious possibilities of AI. All the cybersecurity and open source security news fit to print lies ahead for your reading pleasure…
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f...Black Duck by Synopsys
This week’s Open Source Insight features a powerful visualization tool displaying the world’s biggest data breaches at name brands such as Ebay, Equifax, Anthem, and Target. The White House and British Foreign Office have condemned a cyber-attack launched by the Russian military on Ukraine and hint at reprisals. Black Duck brings open source vulnerability detection to Kubernetes, and Synopsys will host Elevate, an evening thought leadership event at Embedded World 2018 featuring an elite group of international cyber security experts leading a discussion about IoT and embedded systems security threats and solutions.
Read on for all the open source security and cybersecurity news you need to know this week.
Open Source Insight: Happy Birthday Open Source and Application Security for ...Black Duck by Synopsys
Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk.
Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsBlack Duck by Synopsys
This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.
Principal engineer at MITRE, Bob Martin, examines the potential security issues introduced by the Internet of Things and proactive measures you can take to address those issues.
Open Source Insight:IoT Security, Tech Due Diligence, and Software Security ...Black Duck by Synopsys
A grab-bag of open source security and cybersecurity news is in this week’s edition of Open Source Insight. Is “many eyeballs” not enough? Some security researchers think Linus’ Law doesn’t work anymore. Black Duck by Synopsys kicks off a new video series with MITRE IoT expert, Bob Martin. Learn how open source tech due diligence helped one company close a deal securely. Should “Privacy Day” be renamed to “Lack of Privacy” day? Plus, an eye-catching infographic on how too little software security training is putting many companies at risk.
Open Source Insight:Banking and Open Source, 2018 CISO Report, GDPR LoomingBlack Duck by Synopsys
Cybercriminals are expected to extend their threat deeper into ransomware and IoT. In a just-released report, Synopsys examines the four “tribes” of CISOs, and the characteristics of each. A link to the complimentary report is below. And with the GDPR going into force in just four months, businesses are scrambling for compliance.
All these cybersecurity stories and more in the January 19th edition of Open Source Insight.
Open Source Insight: Balancing Agility and Open Source Security for DevOpsBlack Duck by Synopsys
Lots of DevOps news this week, including why automation is critical for securing code, as well as balancing agility with security needs. Learn how to manage security in GitHub projects with CoPilot from Black Duck Software. Pre-GDPR, Carphone Warehouse gets hit with £400k fine over a 2015 hack. And why you should think like your attackers when developing your cybersecurity portfolio.
Read on for this week’s cybersecurity and open source security news in Open Source Insight!
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
1. Data breaches and the law
A practical guide
Georgie Collins and Dan Hedley, Irwin Mitchell LLP
2. Background
• Incidence of data breaches appears to be increasing
• UK ICO reported a 19% increase between Q2 and Q3 (Q4 stats coming)
• The British government’s annual “Cyber Security Breaches Survey” 2018 shows up to 4 in 10 businesses suffering some kind of breach or attack in the 12 months leading up to April 2018
• Roughly 20 million personal records leaked in March 2018 alone
  • Including the employees of the Dutch Data Protection Authority!
• Troy Hunt’s “Have I Been Pwned” has a database of 1.7 billion compromised usernames across hundreds of sites
• OSS vulnerabilities often play a significant role
  • Apache Struts (Equifax), OpenSSL (Heartbleed), Exim (CVE-2018-6789)
3. Why this matters – the law
Preventing and reporting security breaches has been mandatory for a while in some sectors, but two new laws apply much more widely.
GDPR
• Who it applies to: anyone with an establishment in the EU; anyone offering goods or services to people in the EU; anyone monitoring the behaviour of people in the EU
• What it applies to: “personal data”, i.e. information relating in some way to identifiable living people
NISD
• Who it applies to: “Operators of essential services”; “Digital Service Providers”
• What it applies to: all network and information systems
4. GDPR, security and breach reporting
• “Personal data” must be kept secure
• Breaches of security must be reported
• Extra-territorial effect
• Applies directly to data processors too
• Pushed through the supply chain contractually
5. GDPR – what we mean by “personal data”
“personal data” = “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
• NOT the same thing as “PII” – PII is a subset of personal data
• Includes pseudonymised data like info associated with retargeting cookies
• Includes e.g. Windows 10 telemetry, the IMEI number of a mobile phone, IP addresses (sometimes)
6. GDPR – who it applies to
• Applies if processing takes place in the context of the activities of an establishment in a member state (regardless of data or data subject location)
• ALSO applies if NO establishment in a member state BUT:
  • Offering goods or services to data subjects located in member states (no payment required)
  • Monitoring behaviour of data subjects in member states
• Applies directly to processors too
  • Subset of controller obligations, incl. security and breach reporting
7. GDPR – security obligation
The principle (article 5(1)(f)):
• “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”
The detail is in article 32 (next slides)
8. GDPR – security obligation
Article 32:
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
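Article 32(1)(a) names pseudonymisation without saying how to do it, and slide 5 makes the point that pseudonymised data is still personal data because whoever holds the key can re-identify it. The example below is added here and is not code from the slides: it contrasts an unkeyed hash of an identifier, which an attacker reverses by hashing every candidate when the identifier space is small (account numbers, IMEIs, phone numbers), with a keyed pseudonym (HMAC-SHA256) that can only be rebuilt by someone holding the key. The five-digit account-number space, the sample rows and the column name are constructed for the example; the choice of HMAC as the keyed derivation is the author's assumption, not something the slides specify.

```python
"""Keyed pseudonymisation versus unkeyed hashing.  Added example for the
Article 32(1)(a) discussion; not code from the original slides."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.  For identifiers drawn from an
    enumerable space (account numbers, IMEIs, phone numbers) this is NOT
    pseudonymisation: anyone can rebuild the table by hashing every candidate."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256).  Same identifier + same key -> same
    token, so records can still be joined; without the key the mapping
    cannot be rebuilt, which is why the key must be held apart from the data."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str],
                      derive: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: derive a token for every candidate identifier and look
    for a match.  `derive` is whatever the attacker can compute; without the
    HMAC key that is only the unkeyed hash."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), token):
            return candidate
    return None


def account_numbers(width: int = 5) -> Iterable[str]:
    """Constructed identifier space: every zero-padded account number of
    `width` digits (10**width values, trivially enumerable)."""
    return (str(i).zfill(width) for i in range(10 ** width))


def pseudonymise_records(records: list, key: bytes, column: str = "account") -> list:
    """Swap the identifier column for its pseudonym and leave the rest alone,
    so analytics on the pseudonymised table still work per data subject."""
    return [{**row, column: pseudonymise(row[column], key)} for row in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # store this apart from the data
    rows = [{"account": "00042", "spend": 120.0},   # constructed sample rows
            {"account": "00042", "spend": 35.5},
            {"account": "31337", "spend": 9.99}]
    safe = pseudonymise_records(rows, key)
    print("pseudonymised:", safe)
    # Unkeyed hash of the same identifier falls to a dictionary attack ...
    print("naive hash reversed to:",
          dictionary_attack(naive_hash("00042"), account_numbers(), naive_hash))
    # ... the keyed token does not, unless the attacker also has the key.
    print("keyed token reversed to:",
          dictionary_attack(safe[0]["account"], account_numbers(), naive_hash))
```

The key is the re-identification secret: keep it in a separate store with its own access control, because a copy of the pseudonymised table together with the key is just the original personal data again. A salt stored alongside the data does not help against an insider or anyone who takes both.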
9. GDPR – security obligation
ICO “Checklist” for article 32:
• We undertake an analysis of the risks presented by our processing, and use this to assess the appropriate level of security we need to put in place.
• When deciding what measures to implement, we take account of the state of the art and costs of implementation.
• We have an information security policy (or equivalent) and take steps to make sure the policy is implemented.
• Where necessary, we have additional policies and ensure that controls are in place to enforce them.
• We make sure that we regularly review our information security policies and measures and, where necessary, improve them.
• We have put in place basic technical controls such as those specified by established frameworks like Cyber Essentials.
• We understand that we may also need to put other technical measures in place depending on our circumstances and the type of personal data we process.
• We use encryption and/or pseudonymisation where it is appropriate to do so.
• We understand the requirements of confidentiality, integrity and availability for the personal data we process.
• We make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
• We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.
• Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism.
• We ensure that any data processor we use also implements appropriate technical and organisational measures.
10. GDPR – security and patch management
• From 2014 guidance published by the ICO, the UK data privacy regulator (emphasis added):
“It is ... important that any software you use to process personal data is subject to an appropriate security updates policy ... you must also ensure that no relevant components are ignored. This is a common risk where responsibility for updates is split between multiple people, or where third-party libraries or frameworks are used.”
• The UK ICO at least has fined organisations specifically for failure to do this.
  • E.g. Gloucester City Council, Equifax (ongoing)
• & under GDPR, fines potentially get much, much bigger …
• Reminder: 67% of applications scanned by Black Duck in 2016 contained unpatched OSS vulnerabilities.
11. GDPR – breach response
• Controller – to regulator (article 33) UNLESS unlikely to result in a risk to rights and freedoms
  • 72 hours unless not “feasible” (basically, have a very good reason)
  • Time runs from “awareness” that a breach has occurred “with a reasonable degree of certainty”
  • WP29 guidance – controller’s time runs from when the processor tells it
• Processor – to controller
  • Without undue delay – means “as soon as possible”
• Controller – to data subjects (article 34) IF high risk to rights and freedoms
  • Without undue delay
  • This is “going public” – not always required but requires careful planning
• Information to be provided to the regulator includes
  • Nature of the breach (i.e. how it happened, who is affected etc.)
  • Likely consequences of the breach
  • Mitigation and remediation measures
12. NISD – what does it add to GDPR?
• From a security perspective, covers a lot of the same ground
• BUT it applies based on activities and characteristics of the ENTITY, not characteristics of the affected DATA
  • “Operators of Essential Services”
  • “Digital Service Providers”
• If GDPR-compliant, probably most of the way there BUT the devil is in the detail, esp. notification requirements
• Micro and small business exception for digital service providers
• Additional regulators – to be determined by member states
  • OES – by sector
  • DSPs – ICO (in the UK)
13. Operators of essential services
• By sector and threshold
  • Sectors and entity types specified in the directive – energy, transport, banking and finance, healthcare, water, digital infrastructure (TLD registries, DNS providers, IXPs)
  • Importance thresholds left to individual member states
  • If you’re not designated, it doesn’t apply
  • But not limited to your own systems: DSP services relied on by OESs are also caught, & guidance is that OESs should push requirements through their supply chain more generally
• Security – outcome-based, similar to GDPR language
  • “appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”
  • “appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services”
  • Govts issuing guidance e.g. the “14 principles” in the UK – draft published as annex to the NIS implementation consultation response.
• Reporting of incidents – “without undue delay” for incidents “having a significant impact on the continuity of essential services”
  • Expectation is that sector regulators will issue guidance on reporting thresholds
14. Digital service providers – definitions
• Not brilliantly defined in the directive!
• “Online marketplace”
  • “a digital service that allows consumers and/or traders … to conclude online sales or service contracts … that uses computing services provided by the online marketplace”
• “Online search engine”
  • “a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject … and returns links in which … related … content can be found”
• “Cloud computing service”
  • “a digital service that enables access to a scalable and elastic pool of shareable computing resources”
15. Digital service providers – security and incident notification
• Security again similar to GDPR
  • “identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering [digital services as defined previously]”
  • Must take into account security of systems and facilities, incident handling, BCDR, monitoring, auditing and testing, and “compliance with international standards” (ISO 27001?)
  • “measures to prevent and minimise the impact of incidents affecting the security of their network and information systems on the [digital services as defined previously] offered within the Union, with a view to ensuring continuity of those services”
• Must notify the competent authority “without undue delay” of “any incident having a substantial impact on the provision of [their service]”
• There is a draft implementing act kicking around the Commission giving more detail
16. Relevance to OSS management
• Legislation is technology neutral
  • OSS is not a special case and is not treated differently
  • Regulators don’t care whether you got pwned because of a vuln in your £multi-million SAP application, or in some random free MIT-licensed library.
• Compliance is self-assessed at the time, retrospectively re-assessed by regulators post breach
  • They will ask: Was the vuln known? Was a patch available? Should you have patched it? Why didn’t you?
• It is for the breached party to show that its security was compliant
  • “My vendor screwed up!” / “But it was free!” will not fly
  • Unlikely that 3P vendors will take much if any liability for OSS
17. Relevance to OSS management
How does it get into the org:
• From a vendor: due diligence and ongoing dialogue as to patch and security management
  • Contractual? Sometimes. Starting to see it in regulated industries e.g. finance
  • Clarity as to who is responsible for what is key
  • Patching reporting and SLA?
  • COOPERATION ON BREACH
• From your own code base: check-in processes and scanning tools
  • Other sessions covering this in some detail!
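The questions a regulator asks after a breach (was the vulnerability known, was a patch available, which version fixes it) are exactly what a software composition check over a pinned manifest answers, and slide 17 points at check-in scanning as the way to get that answer before the breach rather than after. The block below is an added example and is not the presenters' or Black Duck's tooling: the manifest format (one "name version" per line) and its rows are constructed, and the advisory records are the three vulnerabilities slide 2 names, with their published affected ranges hard-coded here where a real scan would pull them from NVD, vendor advisories or an SCA product. The version comparison is a small one that understands dotted numbers and OpenSSL-style letter suffixes, not every ecosystem's scheme.

```python
"""Minimal software-composition check: which pinned components carry a known,
patchable vulnerability?  Added example; not the slides' own tooling."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    component: str
    cve: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None = no patch yet


# Advisory records for the three components the slides name; the version
# ranges are the published ones.  A real scan would pull these from NVD,
# vendor advisories or an SCA tool rather than hard-code them.
ADVISORIES: List[Advisory] = [
    Advisory("openssl", "CVE-2014-0160", "1.0.1", "1.0.1g"),        # Heartbleed
    Advisory("exim", "CVE-2018-6789", "0", "4.90.1"),
    Advisory("struts2-core", "CVE-2017-5638", "2.3.5", "2.3.32"),   # Equifax
    Advisory("struts2-core", "CVE-2017-5638", "2.5", "2.5.10.1"),
]

_PART = re.compile(r"^(\d*)([A-Za-z]*)$")   # handles OpenSSL-style '1f' suffixes


def parse_version(text: str) -> Tuple[Tuple[int, str], ...]:
    """'1.0.1f' -> ((1,''), (0,''), (1,'f')).  Letters sort after the bare
    number, so 1.0.1 < 1.0.1f < 1.0.1g, as OpenSSL intended."""
    parts = []
    for piece in text.strip().split("."):
        match = _PART.match(piece)
        if not match:
            raise ValueError(f"unsupported version component {piece!r}")
        num, alpha = match.groups()
        parts.append((int(num) if num else 0, alpha.lower()))
    return tuple(parts)


def compare(a: str, b: str) -> int:
    """-1, 0 or 1; the shorter version is padded with (0, '') so 2.5.10 < 2.5.10.1."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += ((0, ""),) * (width - len(pa))
    pb += ((0, ""),) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version: str, adv: Advisory) -> bool:
    """Inside [introduced, fixed); an advisory with no fix yet affects everything
    from `introduced` onwards."""
    if compare(version, adv.introduced) < 0:
        return False
    return adv.fixed is None or compare(version, adv.fixed) < 0


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Constructed manifest format: one 'name version' per line, '#' comments."""
    components = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, version = line.split()
            components.append((name.lower(), version))
    return components


def scan(manifest_text: str, advisories: List[Advisory] = ADVISORIES) -> List[Dict]:
    """One finding per (component, CVE), de-duplicated across version ranges,
    answering the regulator's questions: known? patch available? which one?"""
    findings: Dict[Tuple[str, str], Dict] = {}
    for name, version in parse_manifest(manifest_text):
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                findings[(name, adv.cve)] = {
                    "component": name, "version": version, "cve": adv.cve,
                    "patch_available": adv.fixed is not None,
                    "fixed_in": adv.fixed,
                }
    return sorted(findings.values(), key=lambda f: (f["component"], f["cve"]))


SAMPLE_MANIFEST = """\
# constructed example manifest, not a real deployment
openssl 1.0.1f          # still on the Heartbleed-vulnerable build
exim 4.91               # already past the 4.90.1 fix
struts2-core 2.5.10     # Jakarta multipart parser bug, patched in 2.5.10.1
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_MANIFEST):
        state = f"fix available in {f['fixed_in']}" if f["patch_available"] else "no fix yet: mitigate"
        print(f"{f['component']} {f['version']}: {f['cve']} known, {state}")
```

Two details matter for the compliance record the slides describe. A single CVE can cover several disjoint ranges (Struts has one for the 2.3 line and one for the 2.5 line), so findings are keyed by component and CVE rather than by advisory row. And an advisory whose `fixed` is still unknown is a finding too: "no patch available" is not a defence on its own; it is the point at which the mitigation measures slide 11 says must be reported should be written down.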
18. Approach of EU authorities to data breach
UK ICO
• Largest fines – TalkTalk fined £400,000 & £100,000, Carphone Warehouse £400,000
• Marketing campaigns and cold calling: low-level fines
• Imposition of undertakings e.g. WhatsApp
• Uber investigation
France DPA (CNIL)
• WhatsApp investigation
• Facebook Inc and Facebook Ireland fined €150,000
Netherlands DPA
• Airbnb ceased processing BSNs (unique numbers used to identify individuals).
19. The new landscape
Right to claim compensation
GDPR makes it considerably easier for individuals to bring private claims against data controllers and processors. In particular:
• any person who has suffered “material or non-material damage” as a result of a breach of GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress and hurt feelings even where they are not able to prove financial loss.
• data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80). Although this falls some way short of a US-style class action right, it certainly increases the risk of group privacy claims against consumer businesses. Employee group actions are also more likely under GDPR.
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
20. • Potential for very large fines, maximums assessed by turnover, get used to fines in the millions not thousands
• NB turnover of “undertaking” - in EU law tends to mean an economic unit, not legal person, so potential for measurement by reference to whole group
• The importance of mitigation
• Consider how Equifax and Uber would be dealt with under GDPR
• Reputational damage and impact on share price (e.g. Equifax, Uber, TalkTalk)
• Class actions by data subjects and shareholders (e.g. Morrisons and Cambridge Analytica)
• Prospect of class actions led by charities and campaign groups
• Regulatory intervention (e.g. Cambridge Analytica)
The GDPR litigation landscape
21. • Regulated industries - sanctions and enforcement
• Negligence claims – against organisation and/or individuals
• Liability of Directors – breach of duties
• Vicarious liability of organisations for acts of employees
• Breach of contract
• Breach of confidence
Other legal risks arising from a data breach
22. The old adage: “It’s not a question of ‘if’ but ‘when’.” Bad things happen.
• Revisit Article 32
• Anticipate worst case scenario, not a mildly inconvenient scenario
• Breach response plan: review, test and repeat (again and again)
• The importance of appointing external advisors now, not when you are up against a 72 hour breach notification deadline
• Make legal privilege and confidentiality part of your plan (including with advisors); keep an inner circle
• Prepare standard notifications and comms (internal and external) to adapt to an incident
Being ready for a breach and its aftermath