Information Risk Management
August 2008
Elvin Chan, Marsh Risk Consulting – Asia
Recent Concerns about Personal Data Privacy

Year | Location | Case
2008 | Hong Kong | A number of cases of losing personal data in various government departments and NGOs
2007 | UK | Lost CDs with 25M child benefit data when mailing to National Audit Office
2007 | UK | Driver and Vehicle Licensing Agency lost CDs with car owners’ details
2007 | UK | Leeds Building Society lost employees’ data after office move
2006 | US | Iron Mountain Inc. lost backup tapes of client (Long Island Rail Road) containing 17k employees’ data
2006 | Hong Kong | A database of Independent Police Complaints Council containing 20k complainants’ data was posted to the web
2005 | US | Time Warner Inc. lost computer tapes containing 60,000 employees’ data
2005 | US | Bank of America Corp lost information on about 1.2M federal government charge-card accounts
Some Statistics about Personal Data Privacy

• Number of internal personally identifiable information violations per year: >65% of survey respondents reported that there were 6 to 20 internal personally identifiable information violations
• Number of records lost in a single most significant data breach: more than one-third of respondents reported that at least 100 records, and up to over 25,000, were lost in a single most significant data breach

Source: 2007 Privacy and Data Protection Survey, DTT
Some Statistics about Personal Data Privacy

Elements implemented in the information risk management system:
• Over two-thirds of respondents reported that governance and documented policies were implemented
• More than half of the respondents reported that controls are implemented in operational processes

Source: 2007 Privacy and Data Protection Survey, DTT
Question?

Despite the effort spent on the different elements of the information risk management system, there is still a significant number of data breaches, especially internal ones. WHY?
Personal Data (Privacy) Ordinance – Overview

Section 2 of the Ordinance:
• ‘personal data’ means any data:
  • relating directly or indirectly to a living individual;
  • from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
  • in a form in which access to or processing of the data is practicable
• ‘data user’, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data
• ‘data subject’, in relation to personal data, means the individual who is the subject of the data

Section 4: A data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless the act or practice, as the case may be, is required or permitted under this Ordinance

Schedule 1 sets out Six Data Protection Principles that govern:
• the purpose and manner of collection of personal data;
• accuracy and duration of retention of personal data;
• use of personal data;
• security of personal data;
• information to be generally available; and
• access to personal data
Personal Data (Privacy) Ordinance – Implications of some judgments

Obiter dictum about the definition of ‘personal data’

Shi Tao v Privacy Commissioner for Personal Data [2008] 1 HKC 287:
“… Neither the email address nor the IP address ex facie revealed the identity of the appellant. The information provided only disclosed that the email was sent from a computer located at the address of a business entity, and the date and time of the transaction. It was not reasonably practicable from such information to ascertain that it was actually the appellant who used the computer identified by the IP address to send out the relevant email at the relevant time …”

Eastweek Publisher Ltd & Anor v Privacy Commissioner for Personal Data [2000] 1 HKC 692:
“… In this case there was no act of personal data collection, as the data user must be compiling information about an identified person or about a person whom the data user intended to identify to engage the data protection principles. Here the data gatherer was indifferent to the identity of the complainant …”

Obiter dictum about ‘data access request’

Wu Kit Ping v Administrative Appeals Board [2007] 5 HKC 450:
“… if in the course of complying with a request by a data subject for the disclosure of that data subject’s personal data, the personal data of some other individual must be disclosed, then, unless that other individual has consented to the disclosure of his personal data, the request must be refused …”
Information Risk vs Information Risk Management

Beyond Information Technology and Cyber Risks: Systems & People

[Diagram] Management elements: COMPLIANCE, PROTECTION, EFFICIENCY, GROWTH paired with TECHNOLOGY, CULTURE, PRACTICES & PROCEDURES, MANAGEMENT SYSTEM. Information risks: INFORMATION LEAKAGE, INTELLECTUAL PROPERTY THEFT, UNAUTHORIZED ACCESS, IDENTITY THEFT
Information Risk Management – Core Issues: Systems and People

Common issues identified among Systems:
• Too many different management systems in place, but they are not linked or synchronized
• Too many overlapping controls in the process
• Performance of controls is not measurable, thus not adequately monitored

Common issues identified among People:
• Under-awareness of the consequences
• Demotivators, e.g. overlapping controls, which hurt their performance (less efficient)
• Too many initiatives originating from different management systems, which may cause confusion at frontline operations
Information Risk Management – The Four Pillars: Growth vs Management System

• Growth is always one of the prime concerns for any organization
• Any Governance, Risk & Compliance (GRC) controls have to be in line with organizational growth objectives
• The management system should be integrated with business processes so that it aligns with the objectives

The management system should be:
• Supported by top management, and everyone’s responsibility
• Communicated thoroughly throughout the organization
• Aligned with and measurable against organizational objectives
• Engineered to be integrated into processes to maximize efficiency
Information Risk Management – The Four Pillars: Protection vs Culture

• Controls alone cannot provide protection against risks, since there is a human element – Culture
• Culture is the most efficient and yet the most difficult element to handle in maximizing protection against risks
• It is unspoken and not directly measurable, but it can be observed in daily activities

A culture that is effective in protecting against risks can be cultivated:
• Initiated and led by role models in top management
• Embedded in the performance management system, down to individual level
• Develop trust between teams and individuals through cross-departmental / functional initiatives
• Establish bottom-up channels for communication
Information Risk Management – The Four Pillars: Efficiency vs Practices & Procedures

• Control is definitely needed to manage processes, but it can be inefficient if there are too many, possibly overlapping, controls
• Controls should be built into existing work practices & procedures in order to minimize changes, i.e. maximize acceptance of change
• Best practices are not necessarily the “Best” for every organization; they are the “Best” for an organization only when a balance between the strengths and efficiency of existing practices & procedures and the controls is achieved:
  • Diagnose existing practices & procedures and identify the critical control points
  • Balance efficiency and control while fulfilling organizational protection and growth objectives
  • Design the roadmap for change to maximize acceptance
Information Risk Management – The Four Pillars: Compliance vs Technology

• In HK, compliance matters in IRM principally relate to the Personal Data (Privacy) Ordinance, which sets out Six Data Protection Principles (“the Principles”) in Schedule 1
• Apart from manual frontline operations, most personal data may be processed and stored in IT systems
• The Principles related to IT systems are Accuracy & duration of retention, Security and Access, which go beyond IT security

Approach to integrating controls into IT systems and manual processes:
• Identify critical control points and assess risks at activity level
• Diagnose practices & procedures, particularly at points of human-computer interface
• Establish early alert indicators to spot potential breaches
An Illustrative Example – Consumer Credit Data

PCPD issued a code of practice for consumer credit data handling. Highlights for Credit Providers:
• Notification to customer by credit provider upon application, default or account termination
• Providing consumer credit data to a CRA (credit reference agency)
• Access to consumer credit data held by a CRA
• No access for direct marketing
• Notification to the individual of access to consumer credit data
• Request to the CRA to delete data upon account termination
• Providing consumer credit data to a DCA (debt collection agency)
• Data security & system integrity safeguards by the credit provider

The code also covers CRAs and DCAs.
An Illustrative Example – Issues at activity level

• Collection
  • Purpose informed?
  • Standard script / statement?
  • Type of information to be collected
• Processing
  • Hardcopies: temporary & permanent storage
  • IT systems and operations
  • Practices & procedures in handling the data
• Report
• Retention and Disposal
  • Period
  • Method
  • Security issues
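Two of the activity-level issues above (the retention period of consumer credit data, and the “early alert indicators” for potential breaches called for under Compliance vs Technology) can be turned into simple automated checks. The following Python script is an added example and is not part of the presentation or of any Marsh or PCPD material; the retention periods, record layout, and access-log format are assumed for illustration, and all sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention periods in days by purpose of collection.
# These values are assumptions for the example, not figures from the code of practice.
RETENTION_DAYS = {"credit_application": 90, "account": 365}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str                        # purpose for which the data was collected
    collected_on: date
    account_terminated_on: Optional[date] = None


def overdue_records(records, today):
    """Duration-of-retention check: return (record_id, reason) for every record
    held beyond its retention period, or with no retention period defined at all."""
    overdue = []
    for r in records:
        limit = RETENTION_DAYS.get(r.purpose)
        if limit is None:
            # A purpose without a defined period is itself a control gap.
            overdue.append((r.record_id, "no retention period defined"))
            continue
        if r.purpose == "account" and r.account_terminated_on is None:
            continue  # live account: the retention clock starts at termination
        # For terminated accounts count from termination, otherwise from collection.
        start = r.account_terminated_on or r.collected_on
        held = today - start
        if held > timedelta(days=limit):
            overdue.append((r.record_id, f"held {held.days} days, limit {limit}"))
    return overdue


def bulk_access_alerts(access_log, threshold):
    """Early alert indicator: a user who looks up at least `threshold` distinct
    data subjects in one day. Returns sorted (user, day, distinct_subjects)."""
    subjects = defaultdict(set)
    for user, day, subject_id in access_log:
        subjects[(user, day)].add(subject_id)
    return sorted((u, d, len(s)) for (u, d), s in subjects.items() if len(s) >= threshold)


# Constructed sample data (not real records or logs).
TODAY = date(2008, 8, 1)
RECORDS = [
    Record("R1", "credit_application", date(2008, 7, 20)),                  # within 90 days
    Record("R2", "credit_application", date(2008, 3, 1)),                   # 153 days, overdue
    Record("R3", "account", date(2005, 1, 1)),                              # live account
    Record("R4", "account", date(2004, 1, 1), date(2006, 6, 1)),            # terminated 792 days ago
    Record("R5", "marketing", date(2008, 1, 1)),                            # no period defined
]
ACCESS_LOG = [  # (user, day, data subject id)
    ("clerk_a", "2008-07-31", "S001"), ("clerk_a", "2008-07-31", "S002"),
    ("clerk_a", "2008-07-31", "S001"),
    ("clerk_b", "2008-07-31", "S010"), ("clerk_b", "2008-07-31", "S011"),
    ("clerk_b", "2008-07-31", "S012"), ("clerk_b", "2008-07-31", "S013"),
    ("clerk_b", "2008-07-31", "S014"), ("clerk_b", "2008-08-01", "S015"),
]

if __name__ == "__main__":
    for rid, reason in overdue_records(RECORDS, TODAY):
        print(f"RETENTION  {rid}: {reason}")
    for user, day, n in bulk_access_alerts(ACCESS_LOG, threshold=5):
        print(f"ALERT      {user} accessed {n} distinct subjects on {day}")
```

The retention check treats a missing retention period as a finding rather than silently skipping the record, which is the behaviour a reviewer of the "Period" item above would want; the access indicator is deliberately crude (a daily distinct-subject count) so that the threshold can be tuned against the organization's normal workload before it is used to alert.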
An Illustrative Example – Issues at process and organizational levels

• Awareness & Standards
  • Standardized staff training
  • Communicated policy, practices and procedures
  • Integration with existing processes
• Culture
  • Top management emphasis and commitment
  • Individual responsibility
  • Bottom-up suggestion / reporting channels
• Incident Management
  • Incident reporting
  • Crisis communication & media management
  • Incident review
• Continuous Improvement
  • Performance monitoring
  • Changes in the environment
www.marsh.com.hk