Bradley's panel reacts to and addresses a hypothetical cyber incident involving a widespread compromise of consumer healthcare and financial information. Amy Leopard (Healthcare), Mike Pennington (Litigation), John Goodman (Litigation), Elena Lovoy (Financial Services), and moderator Paige Boshell (Intellectual Property, Financial Services) will offer legal and practical strategies to proactively respond to and resolve a specified data breach. Highlights will include customer notice strategies, attorney-client privilege and litigation avoidance strategies, and coordination with third parties, including external PR and forensic investigators, vendors, regulators, and law enforcement.
In the last several years, substantial data breaches or hacker attacks in the U.S. have shown no signs of abating. Neither have the class actions that typically follow in their wake. Bradley Arant discusses litigation trends in data breach class actions. The video will touch on evolving issues in these cases, including recent loosening of consumer standing requirements (in cases after the Supreme Court’s Clapper decision), class certification and other issues raised in the Target litigation. We will also provide an overview of recent settlements of data breach class actions and what they might mean for later cases. The webinar will address several issues pending before the Supreme Court this term that could have significant impact, including whether a statutory violation without other injury confers Article III standing, and the extent to which statistical evidence can be used to justify class certification.
2010 07 BSidesLV Mobilizing The PCI Resistance 1c (Gene Kim)
Properly Mobilizing the PCI Resistance: Lessons Learned From Fighting Prior Wars (SOX-404)
I have noticed that there is a growing wave of discontent and disenchantment from information security and compliance practitioners around the PCI DSS. Josh Corman has been an effective voice for these concerns, providing an intellectually honest and earnest analysis in his talk “Is PCI The No Child Left Behind Act For Infosec?”
The problems are well-known and significant: too much ambiguity in the PCI DSS, Qualified Security Assessors (QSAs) and consultants using subjective interpretations, existing guidance either too prescriptive or too vague, scope missing critical systems that could risk cardholder data, overly broad scope and excessive testing costs, excessive subjectivity and inconsistency, poor use of scarce resources, no meaningful reduction in risk of data breaches, and so forth.
For years, I have been studying the PCI DSS compliance problem, as well. I have noticed many similarities between the PCI compliance challenges and the “SOX-404 Is The Biggest IT Time Waster” wars in 2005. I was part of the leadership team at the Institute of Internal Auditors (IIA) where we did something about it. We identified the inability to accurately scope the IT portions of SOX-404 as the root cause of the billions of dollars of wasted time and effort, while not reducing the risk of financial misstatements.
I propose to present the two-year success story of the IIA GAIT project and how we changed the state of the IT audit practice in support of SOX-404 financial reporting audits. We defined the four GAIT Principles, which could be used to correctly scope the IT portions of SOX-404. We mobilized over 100K internal auditors, the SEC and PCAOB regulatory and enforcement bodies, as well as the external auditors from the 8 big CPA firms (e.g., Big Four and other firms doing SOX advisory work). In short, we made a difference, in a highly political process that involved many constituencies.
I am attempting to do something similar with the PCI Security Standards Council, through my work as one of the leaders of the PCI Scoping SIG (Special Interest Group). My personal goal is to find a “third way” to better enable correct scoping of the PCI Cardholder Data Environment, and create a risk-based approach of substantiating the effective controls to ensure that cardholder data breaches can be prevented, and quickly detected and corrected when they do occur.
My desired outcome is to find fellow travelers who also see the pile of dead bodies in PCI compliance efforts, and work with those practitioners to catalyze a similar movement to achieve the spirit and intent of PCI DSS.
How really to prepare for a credit card compromise (PCI) forensics investigat... (Security B-Sides)
Reviewing cases ranging in size from your neighborhood bar to the massive TJX case, an ex-QIRA will discuss the dirty inside secrets of the card associations and QSAs. Drawing on lessons learned from dozens of past forensic cases, this presentation will highlight how to prepare for a PCI-mandated forensics investigation, including: what steps should be taken to limit fines and fees, how to ensure you have proper legal representation, how to limit the scope of the investigation, and what questions to ask before deciding who will conduct the forensic investigation.
Data Breach Response: Before and After the Breach (Financial Poise)
You’ve received the dreaded call that your company has just suffered a data breach – what do you do next? Who do you call for help? What notification obligations do you have?
With proper preparation, you can mitigate the damage caused by this unfortunate event and put your business in a position to recover. Your company may have already implemented its information security program and identified the responsible parties, including applicable outside experts, to be contacted in the event of a breach. However, now you must call up your incident response team to investigate the extent of the breach, evaluate the possible damage to your company, and determine whether you must notify your clients, customers, or the public of the breach. This webinar will help prepare you to take action when the worst happens.
Part of the webinar series: Cybersecurity & Data Privacy 2021
See more at https://www.financialpoise.com/webinars/
Oracle ACE Director Dan Morgan and Performance Tuning Corporation (PTC) Chief Strategy Officer Mark Swanholm present data security and the choices ahead for your organization. For more information about Performance Tuning Corporation, visit our website www.perftuning.com.
What is discussed in this presentation?
Security breaches and data theft have made big news headlines in recent months, from Target, to Home Depot and most recently Sony and Chick-Fil-A. Data is one of the most valuable assets in your business and organizations like yours need to be confident they are prepared for future security threats or risk loss of trust from customers and, possibly, unrecoverable financial losses.
But how do you approach security in your environment?
How confident are you that your data is secure?
And what are the objectives and right level of investment needed for the regulatory environment that exists today?
What about tomorrow – will the Security Wars leave your company devastated?
Oracle ACE Director Dan Morgan, an internationally recognized expert in database technology and former University of Washington lecturer, and Mark Swanholm, PTC’s Chief Strategy Officer and 22-year IT veteran, address the issue of data security from the standpoint of what it is, how to approach it, and what is actually required to avoid being the next victim of hackers.
This Performance Tuning Corporation presentation focuses on strategy, management, planning, and budgeting, and provides you and your management team the information they need to plan and make the best possible decision with respect to an investment to secure your data.
Fasken Law firm discusses the legal rights and responsibilities of mid-size commercial businesses with respect to data privacy and data security laws in Canada.
This presentation examines the extent to which cyber-insurance can be a useful tool to manage the risks and harms caused by massive cyber-attacks from the national, as opposed to the enterprise, standpoint.
Managing and insuring cyber risk - coverage of insurance policies (IISPEastMids)
Tim Johnson, a Cyber Insurance specialist from Browne Jacobson, looked in detail at what Cyber Insurance will cover businesses for and gave some tips on what to consider when deciding on a policy. Given as part of the East Midlands Cyber Security Forum on 21st May. More details at https://www.nexor.com/iisp-east-midlands/may-2015.
Gowlings - November 12, 2014
In an ever-increasing digital world, all businesses face challenges in managing and protecting sensitive and confidential information. In this presentation Gowlings and Marsh Canada Limited addressed best practices for responding to a cyber breach, and what types of insurance may be available to respond to such a loss. Topics included:
• Trends, and the evolution of cyber insurance/products
• The D&O connection, cyber is a strategic business risk
• Risk Management Strategies
• Best Practices in Breach Response.
Responding to a Company-Wide PII Data Breach (CBIZ, Inc.)
Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true; a growing number of companies with fewer than 100 employees are reporting data breaches every year.
Best Practices Regarding Technology (Series: Legal Ethics - Best Practices) (Financial Poise)
Technology is rapidly changing the way lawyers provide services. This is especially so in light of the COVID-19 pandemic, which creates new and different ethical challenges to confidentiality, cyber fraud and securing data, marketing and advertising concerns, and client communications. This webinar will address a myriad of new problems lawyers are facing and some practical suggestions and solutions that arise out of the changing manner and pace of the practice of law. This webinar will also cover several ABA Model Rules of Professional Conduct.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/best-practices-regarding-technology-2021/
Hot Off the Press - Recent Cases & Decisions 2019 (Financial Poise)
Webinar Series: LEGAL ETHICS – BEST PRACTICES 2019 - WINTER/SPRING
This webinar is for the lawyer, or anyone else, who wants to brush up on legal ethics in the business context. The panelists discuss recent and important case law in the area and explain how those decisions can have real-world impact on the situations you may be involved in. Among others, the following ethical model rules are discussed: Rule 1.2-Scope of Representation and Allocation of Authority Between Client and Lawyer; Rule 1.7-Conflict of Interest: Current Clients; Rule 1.8-Conflict of Interest: Current Clients: Specific Rules; Rule 1.9-Duties to Former Client; and Rule 1.13-Organization as Client.
View On Demand Webinar: https://www.financialpoise.com/financial-poise-webinars/recent-cases-decisions-2019/
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo... (Diana Maier)
No matter what kind of law practice you have, you need to comply with privacy laws generally and lawyers' ethical duties with respect to privacy, specifically. In this presentation, legal ethics counsel Sarah Banola (Cooper, White and Cooper, LLP) and employment and privacy attorney Diana Maier (Law Offices of Diana Maier) deliver a primer on privacy law and teach you the key areas of privacy law and associated ethical obligations.
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb... (Steve Werby)
Data breach notification laws have proliferated worldwide, beginning with California’s law, which was enacted nearly a decade ago. As a result, citizens are being bombarded by breach notifications and media coverage of data exposures has skyrocketed. But are these increasingly onerous laws leading to stronger information security and better decisions by citizens or are they backfiring? I’ll compare existing laws, analyze data breach notifications and explore the effects of these laws, including feedback from citizens and information security professionals. By comparing data exposure disclosure to other negative events that don't require disclosure and sharing alternate disclosure models, I'll leave the audience questioning whether there's a better way.
The trends continue to point upward for data incidents and 2013 is becoming a pace setter. The shifting regulatory landscape promises to add further complications for companies struggling to prepare for and respond to data privacy incidents.
This webinar will feature two leading data breach experts who have performed a two-year trend analysis across hundreds of cases to offer a powerful and up-to-date perspective on what has happened and their predictions for the future. It will also cover how these factors are shaping regulations, which are in turn influencing decision-making in the C-Suite.
Our featured speakers for this timely webinar will be:
-Bill Hardin, Director of Data Privacy Response & Investigations, Navigant
-Jennifer Coughlin, Privacy and Data Security Attorney, Nelson, Levine
-Gant Redmon, Esq. General Counsel and VP of Business Development, Co3 Systems
A presentation on managing whistleblowing. This presentation was given by Moorhead James LLP as part of the Sport and Recreation Alliance's Sport and the Law Conference 2015.
Leveraging Jurisdictional Differences in Copyright Litigation (canadianlawyer)
Discussion of differences between copyright law in Canada and the United States and when a plaintiff should consider parallel actions to encourage settlement.
International perspectives and lessons learned, as Canada now starts to deal with breach notification laws. Part of a panel presentation at the IAPP Canadian Privacy Summit, May 26-28, in Toronto, Canada (pre-conference seminar).
The USA and Europe (EU) look at privacy differently. This PPT is about who is responsible and what kind of rules are in place. This is a Medved Consultants LLC presentation. It may not be considered legal advice.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to:
https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2020/
Data Privacy: What you should know, what you should do!
CSMFO Data Privacy in the Governmental Sector, Local Government. Data Privacy Laws, PCI, Breaches, AICPA – Generally Accepted Privacy Principles
Critical Issues in School Board Cyber Security (Dan Michaluk)
A one-hour presentation to school board officials in Ontario on cyber security issues, covering the threat environment, defense, incident response, threat information sharing and vendor issues.
How to Build and Implement your Company's Information Security Program (Financial Poise)
Data is one of your business’s most valuable assets and requires protection like any other asset. How can you protect your data from unauthorized access or inadvertent disclosure?
An information security program is designed to protect the confidentiality, integrity, and availability of your company’s data and information technology assets. Federal, state, or international law may also require your business to have an information security program in place.
This webinar will provide the basics of how to create and implement an information security program, beginning with identifying your incident response team, putting applicable insurance policies into place, and closing any gaps in the security of your data.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/how-to-build-and-implement-your-companys-information-security-program-2021/
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
Part of the webinar series: CORPORATE & REGULATORY COMPLIANCE BOOTCAMP 2022 - PART I
See more at https://www.financialpoise.com/webinars/
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2021/
HIPAA, Privacy, Security, and Good Business (Stephen Cobb)
HIPAA's implications for privacy and security practices in American businesses, addressed in March of 2001 at the Employers' Summit on Health Care, by Stephen Cobb, CISSP. Uploaded in 2014 for the historical record.
Presentation of the webinar by our sister company Mind Your Privacy and Cardinal Path
In today's digital landscape, more than ever, analysts, marketers and other data professionals need to know the changes in national and international regulations, as well as a set of basic principles for respecting the privacy and protection of the people whose data they collect.
Digital Marketing meets Privacy
GDPR: Data Breach Notification and Communications (Charlie Pownall)
An introduction to data breach notification and communications requirements under the EU's GDPR, and what it means for communicators and reputation managers.
In this presentation, we walk through the WHAT - what are the FTC's Red Flag Rules; the HOW - how to become compliant using the idBUSINESS Red Flag Compliance Module; and most importantly, the WHY - why is this a good idea for my business?
The Countdown is on: Key Things to Know About the GDPR (Case IQ)
The EU’s General Data Protection Regulation (GDPR) comes into effect on May 25th. This powerful legislation strengthens data privacy laws in Europe and has implications for companies all over the world that store, process or transfer the information of the EU’s citizens.
Failure to comply with the regulation can expose a company to fines based on global revenue and reputation damage, yet many companies are struggling to comply in time.
Join information security expert and CEO/Founder of AsTech Consulting, Greg Reber, as he walks participants through a plan for GDPR compliance.
Privacy, Privilege And Confidentiality For Lawyers (canadianlawyer)
This slide show was part of a presentation by Mark Hayes at the 2011 Canadian Bar Association Annual Meeting in Halifax, Nova Scotia on August 16, 2011.
Privacy Breaches - The Private Sector Perspective (canadianlawyer)
Discusses issues that arise in organizations when faced with a privacy breach. Compares attitude and approach of organizations with those of privacy regulators.
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
1. Privacy Breaches in Canada – Some Legal and Practical Considerations
Mark Hayes
LSUC/IT.Can Spring Training
Toronto, May 1, 2009
2. Privacy Breaches
• Not news that privacy breaches are increasingly a big deal
– much media attention
– politicians are interested
– public is concerned
• For organizations, costs are significant
– financial costs in the millions
– reputational cost may be even higher
3. The Questions Everyone Asks
1. Do we have to tell anyone about this?
2. What the heck should I do about this?
3. Can we be liable for this?
• Some caveats
– there are no “one size fits all” answers
– specific facts are very important
– must use judgment and common sense
4. Q1: Do We Have To Tell Anyone About This?
• Privacy breach notification is a hot button issue
• Most US states have passed legislation requiring notification
– sometimes to individual directly
– sometimes to regulator
5. Compulsory Notification
– Arguments for:
• autonomy of individual
• may be some steps that can be taken to minimize risk and potential damage to individual
• satisfies demands to “do something”
– Arguments against:
• high costs with little demonstrated benefit
• recent studies found little or no reduction in ID theft
• over-notification and “notice fatigue”
6. Ontario PHIPA
• Only Canadian privacy statute with compulsory notification requirement
• Section 12(2):
– “... a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons. ...”
7. Ontario PHIPA
• Despite unqualified language of section 12(2)
– notification does not have to be sent in every case of a “privacy breach”
– individual notification is not necessary in every case
8. Order HO-004
• Researcher from Sick Kids had laptop stolen
– simple password on laptop; no encryption
– some information very sensitive
• OIPC reviewed privacy procedures of Sick Kids and found some significant gaps
9. Order HO-004
• Two important findings
– notification not necessary if information is encrypted
• did not discuss particular standards, but today 128 bit is required
– in certain circumstances, alternatives to individual notices may be sufficient (newspaper ads, notices on web site, etc.)
10. Notification And General Security Obligations
• Most Canadian privacy statutes do not deal explicitly with notification
• All of them have security obligation
– e.g. PIPEDA Principle 4.7: “personal information shall be protected by security safeguards appropriate to the sensitivity of the information”
• Does this create notification obligation?
11. BC Investigation Report F06-01
• March 2006
• Government computer tape sold at scrap auction, but was not erased
• Buyer discovered error and notified media
• Notification not presumed or compulsory
• Should consider notification as one way to minimize the impact of a privacy breach on affected individuals
12. Other Notification Requirements
• Specific laws, regulations, industry codes of conduct or other rules applicable to organization
• Contractual requirements that require disclosure
• Nature of relationship between the organization and individual may require disclosure of privacy breach
– e.g. where organization is fiduciary or agent for individual
13. Proposals for Reform
• PIPEDA five-year (?) review ongoing
• Standing Committee on Access to Information, Privacy and Ethics Report released May 2007
• Committee proposed requiring notification to Commissioner of some, but not all, privacy breaches
– Commissioner to have discretion to decide whether individual notices were warranted and what form they should take
• Government proposal
– Privacy Commissioner be notified of major breach
– Individuals notified when there is a high risk of significant harm
• PIPEDA will at some point have notification requirement
14. Strategies Surrounding Notification
• Doing nothing is not a viable alternative
– unexpected disclosure of privacy breach more damaging than fact of breach itself
– periodic financial audit and reporting
– internal “whistleblowers”
– unrelated regulatory audits or investigations
• Must approach as risk-management exercise
15. Breach Notification Assessment Tool
• Published by B.C. and Ontario IPCs in December, 2006
• Steps to be taken by organization in deciding whether to notify individuals or regulators about privacy breach
• Presumes that notification will be required in some, but not all, circumstances
16. Tool’s Four Steps
• Step 1: Notify Affected Individuals?
• Step 2: When and How to Notify
• Step 3: What to Include in the Notification
• Step 4: Others to Contact
• Only deals with notification
– other responses to privacy breach considered later
17. 1. Notify Affected Individuals?
• Statutory, regulatory or contractual requirements?
• Assess risks to affected individuals
– identity theft
– physical harm (e.g. stalking)
– hurt, humiliation, damage to reputation
– loss of business or employment opportunities
• Note no consideration of risks to organization
18. 2. When to Notify
• Notification should be as soon as possible
– limited circumstances where delay is appropriate (e.g. ongoing police investigation)
• Often should wait until reasonably sure that data breach has in fact occurred
– sending notices to individuals prematurely may in fact cause more harm than good
19. 2. How to Notify
• Direct notification by letter or email is preferred
• Alternatives may be justified where:
– direct notification could cause further harm
– direct notification is prohibitive in cost
– contact information is missing or likely to be inaccurate
20. 3. What to Include in Notification
• Date and description of breach and what information inappropriately accessed, collected, used or disclosed
• Summary of steps to control or reduce harm
• Steps planned to prevent further breaches
• How individuals can protect themselves
• How to complain to appropriate privacy regulator
• Contact information for person who can provide additional information and assistance and answer questions
21. 4. Others to Contact
• Law enforcement (if it appears breach resulted from criminal act)
• Commissioner’s office
• Appropriate professional or regulatory bodies
• Technical suppliers (if the breach resulted from technical failure or underlying vulnerability)
22. Caveats About Tool
• Written from the point of view of the IPC
• Ignores concerns that organization may have in dealing with these issues
– e.g. how to deal with the media and other stakeholders
• Does not give guidance about drafting notification letters or notices
• Useful resources and guidelines from U.S. states that have implemented breach notification obligations
23. Q2: What The Heck Should I Do About This?
• Each individual situation may require different strategies
– impossible to generalize - requirements differ
• Response will depend on many factors:
– nature of breach
– nature of organization
• Should consider creating privacy breach protocol before incident occurs
24. Privacy Breach Protocol
• So why doesn’t everyone have one?
– cost (or perceived cost)
– lack of privacy coordinator with skills or authority to ensure that protocol is established and implemented
– competitors have not developed protocol
– general attitude that “it won’t happen to us.”
25. Key Steps In Breach Response
1. Containment
2. Risk Assessment
3. Notification
4. Remediation and Review
• All steps may not apply to every breach response
26. 4. Remediation and Review
• May be most important step
• Thoroughly investigate the cause of the breach
• What steps, if any, needed to prevent future incidents?
• Extent of review largely based on preparedness before incident occurred
27. Remediation Steps
• Privacy audit
– analyze information that is collected, used and disclosed by organization
– identify issues of non-compliance with applicable privacy laws, industry guidelines, contractual obligations
– update existing privacy audit and assess its continuing viability
28. Remediation Steps
• Review and update privacy policies and procedures
– reflect the “lessons learned” from breach investigation
• Plan scheduled audit to ensure changes are implemented
• Implement privacy breach protocol or review existing protocol’s effectiveness
29. Remediation Steps
• Train employees
– must understand organization’s privacy obligations
– knowledge of privacy breach protocol
– consider refreshers of previous training
– changes or additions to training program
30. Can We Be Liable For This?
• Potentially many sources of liability for personal information breach
– private sector personal information privacy statutes
– general purpose privacy legislation
– common law
• No clarity yet in any of these areas
• Some class actions have been commenced, but none certified
31. International Breach Issues
• Many foreign jurisdictions have more draconian penalties (financial and otherwise) than under Canadian laws
• In some jurisdictions, penalties can be applied against officers and directors
• Foreign privacy laws may require
– notification to regulators, consumers and other entities
– specific remediation and risk reduction techniques
• credit monitoring and counselling services
32. International Breach Issues
• Consider both proactive and reactive steps
• Assess nature of personal information in possession or control
– significant amount of information about foreign residents or citizens?
– is personal information stored or processed in a foreign jurisdiction?
• Compile list of jurisdictions where privacy breach could engage application of local privacy laws
• Get summary of applicable laws in event of breach
• Adjust breach response protocol
33. Bottom Line
• Privacy breaches have potential to be expensive, embarrassing and damaging to organizations and affected individuals
• Information security and procedures will not prevent all breaches
• Organizations must prepare for the worst – and hope for the best!
34. Thank You!
For a copy of these slides, just ask!
mark@hayeselaw.com